5 Ways to Prevent Unauthorized Access of Misused Mobile Certificates

June 23, 2020 | Scott Carter


Mobile devices have changed the way business is conducted, giving enterprises and employees flexibility to stay connected, whether in the office or on the road. As mobile devices continue to play a greater role in enterprises, greater amounts of data will flow through these devices and applications. As a result, we can expect a surge in mobile traffic over the next few years. In fact, Cisco's Visual Networking Index anticipates that mobile traffic will grow at a compound annual growth rate (CAGR) of 47 percent between 2016 and 2021.
 

The ever-increasing use of mobile devices expands the corporate attack surface and creates serious security risks, privacy concerns and vulnerabilities, which malicious actors can exploit to steal sensitive and personal information and impersonate unknowing victims. As the use of mobile devices and applications continues to grow, the rate and sophistication of attacks on popular mobile platforms grows with it, and the need for strong mobile authentication becomes more pressing.
 

Mobile devices and mobile applications are becoming more dangerous threat vectors against the corporate network, and the number of mobile threats is increasing. In 2019, Kaspersky mobile products and technologies detected:

  • 3,503,952 malicious installation packages.
  • 69,777 new mobile banking Trojans.
  • 68,362 new mobile ransomware Trojans.
     

To counter these threats, enterprises are turning to certificates to secure mobile devices, applications, and users. Digital certificates authenticate mobile users to applications, VPNs, and WiFi networks. However, many organizations have little or no visibility into their mobile certificate inventory and do not know which mobile certificates their users hold. Lack of visibility means lack of control: an organization cannot govern the access its certificates grant if it does not know which certificates exist, and that opens the door to unauthorized access.
 

Security risks ranging from misused or orphaned mobile VPN certificates to continued access by terminated employees or contractors are easy to exploit. Because several IT teams often manage different parts of the mobility stack, gaps in management and security are common, and those gaps are exploitable. They also hamper your ability to detect misuse, especially if you are not equipped to spot mobile certificate anomalies such as incorrectly issued certificates. A cybercriminal who obtains a mobile certificate can pose as a trusted user, infiltrate your network and steal intellectual property.
 

Remember that mobile certificates issued to users serve as trusted credentials for secure access to your critical networks, applications, and data. So the biggest threat to your enterprise isn’t necessarily the mobile malware, but rather the unauthorized users who may access your information.
 

 

Here are 5 ways you can prevent unauthorized access of misused mobile certificates.
  1. Get visibility into your entire mobile and user certificate inventory
    With clear insight into your full mobile and user certificate inventory, you can identify duplicate, orphaned, and unneeded certificates. By mapping users to the certificates they are issued, you can identify certificates that are exposed to unauthorized user access. This will enable you to establish a baseline of known certificates and normal usage.

     
  2. Automatically enforce policies for mobile certificate issuance
    Issuing certificates to mobile devices and mobile applications according to centralized IT security policies is paramount. By enforcing cryptographic policies that control attributes such as key length, validity period, and approved CAs and by applying workflow processes to mobile certificate issuance, you can reduce your organization’s attack surface.

     
  3. Go beyond Mobile Device Management capabilities for certificates
    Although Mobile Device Management (MDM) solutions can provide capabilities such as deploying applications, remotely wiping devices, or deploying certificates for mobile devices, protecting mobile certificates and keys extends beyond the scope of MDMs. MDMs alone cannot remove potentially orphaned or compromised mobile certificates. As organizations adopt new mobile applications, they must have the ability to enforce IT security policies to establish norms and detect mobile certificate-based anomalies such as orphaned or duplicate certificates. They must also respond quickly by revoking a user's certificates across multiple CAs. Furthermore, users do not always receive mobile certificates through MDMs. They may request certificates using other tools or even multiple CAs. Therefore you must implement a solution that is capable of enforcing certificate and key policies consistently across your entire environment.

     
  4. Immediately revoke mobile certificates when authorized use is concluded
    In the event that an employee is terminated, leaves the company without notice, or is reassigned, you should immediately revoke all mobile and user certificates associated with that employee in order to prevent unauthorized access to your network. Also, keep in mind that wiping a mobile device using your MDM solution is not sufficient, because the employee could have made a copy of the certificate and private key before leaving the company. Rapid revocation of all certificates, whether deployed through an MDM solution or some other means, is critical in these situations.

     
  5. Ensure secure end-user self service 
    If your organization enables users to request certificates using enrolment portals, you must provide a secure self-service portal that enables your end users to quickly request certificates for WiFi, VPN, email, browser, or other applications. You need a mechanism that governs user certificate issuance to ensure certificates comply with security policies, to eliminate guesswork on the part of inexperienced users, and to prevent errors.
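Steps 1, 2 and 4 above describe one control loop: map every issued certificate to a user, check it against the issuance policy, and revoke whatever no longer belongs to an active user. The following Python audit is an added example, not code from the original post or from Venafi, that runs that loop over a constructed certificate inventory and directory snapshot. The certificate records, CA names, policy thresholds and user names are all assumptions; in practice the records would come from your CA, MDM and directory exports, and the same policy function gates new enrolment requests before the CA ever sees them (step 2).

```python
"""Audit a mobile/user certificate inventory against issuance policy and the
user directory, and produce the revocation list for de-provisioned users.

Standard library only. Each inventory record holds the metadata you would
extract from an issued certificate: fingerprint, subject user, purpose,
issuer, RSA key size and validity window.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Issuance policy (assumed values; replace with your own standards).
POLICY = {
    "approved_cas": {"CN=Corp Mobile Issuing CA 1", "CN=Corp Mobile Issuing CA 2"},
    "min_rsa_bits": 2048,
    "max_validity_days": 398,
    "allowed_purposes": {"vpn", "wifi", "email"},
}

# Fixed "now" so the run is reproducible.
NOW = datetime(2020, 6, 23, tzinfo=timezone.utc)


def _d(days):
    return NOW + timedelta(days=days)


# Constructed inventory: what a collector would report per issued certificate.
INVENTORY = [
    {"fp": "A1", "user": "alice", "purpose": "vpn",  "issuer": "CN=Corp Mobile Issuing CA 1", "bits": 2048, "nb": _d(-100), "na": _d(265)},
    {"fp": "A2", "user": "alice", "purpose": "vpn",  "issuer": "CN=Corp Mobile Issuing CA 2", "bits": 2048, "nb": _d(-10),  "na": _d(355)},  # second valid VPN cert
    {"fp": "B1", "user": "bob",   "purpose": "wifi", "issuer": "CN=Corp Mobile Issuing CA 1", "bits": 1024, "nb": _d(-30),  "na": _d(335)},  # weak key
    {"fp": "C1", "user": "carol", "purpose": "vpn",  "issuer": "CN=Corp Mobile Issuing CA 1", "bits": 2048, "nb": _d(-400), "na": _d(-5)},   # expired
    {"fp": "D1", "user": "dave",  "purpose": "vpn",  "issuer": "CN=Corp Mobile Issuing CA 1", "bits": 2048, "nb": _d(-200), "na": _d(165)},  # holder terminated
    {"fp": "E1", "user": "eve",   "purpose": "vpn",  "issuer": "CN=Contractor Self-Signed",   "bits": 2048, "nb": _d(-5),   "na": _d(725)},  # unapproved CA, no directory entry
]

# Constructed directory snapshot: active users and those de-provisioned.
DIRECTORY = {"alice": "active", "bob": "active", "carol": "active", "dave": "terminated"}


def policy_violations(cert):
    """Return the policy rules one certificate breaks (empty list = compliant)."""
    problems = []
    if cert["issuer"] not in POLICY["approved_cas"]:
        problems.append("unapproved-ca")
    if cert["bits"] < POLICY["min_rsa_bits"]:
        problems.append("weak-key")
    if (cert["na"] - cert["nb"]).days > POLICY["max_validity_days"]:
        problems.append("validity-too-long")
    if cert["purpose"] not in POLICY["allowed_purposes"]:
        problems.append("unknown-purpose")
    return problems


def is_valid_now(cert, now=NOW):
    return cert["nb"] <= now <= cert["na"]


def audit(inventory, directory, now=NOW):
    """Map certificates to users and flag expired, orphaned, duplicate and
    non-compliant ones. 'revoke' lists orphaned certs from CAs we control;
    'untrust' lists orphaned certs from CAs we do not control, which cannot be
    revoked and must be removed from the trust store / auth mapping instead."""
    report = {"expired": [], "orphaned": [], "duplicate": [],
              "noncompliant": {}, "revoke": [], "untrust": []}
    by_user_purpose = defaultdict(list)
    for c in inventory:
        if not is_valid_now(c, now):
            report["expired"].append(c["fp"])
            continue  # cannot authenticate any more; no action needed
        if directory.get(c["user"]) != "active":
            report["orphaned"].append(c["fp"])
            target = "revoke" if c["issuer"] in POLICY["approved_cas"] else "untrust"
            report[target].append(c["fp"])
        problems = policy_violations(c)
        if problems:
            report["noncompliant"][c["fp"]] = problems
        by_user_purpose[(c["user"], c["purpose"])].append(c)
    # Several currently valid certs for one user and purpose: the older ones
    # are cleanup candidates (review first; an older device may still use one).
    for certs in by_user_purpose.values():
        if len(certs) > 1:
            for old in sorted(certs, key=lambda c: c["nb"])[:-1]:
                report["duplicate"].append(old["fp"])
    return report


def check_issuance_request(req, directory, now=NOW):
    """Gate a self-service or MDM enrolment request with the same policy
    before it reaches the CA. Returns the reasons to reject (empty = issue)."""
    cert_like = {"issuer": req["ca"], "bits": req["bits"], "purpose": req["purpose"],
                 "nb": now, "na": now + timedelta(days=req["validity_days"])}
    problems = policy_violations(cert_like)
    if directory.get(req["user"]) != "active":
        problems.append("requester-not-active")
    return problems


if __name__ == "__main__":
    for key, value in audit(INVENTORY, DIRECTORY).items():
        print(f"{key:13} {value}")
```

Run against the constructed data, the audit reports C1 as expired, D1 and E1 as orphaned, A1 as a superseded duplicate, B1 and E1 as non-compliant, and puts only D1 on the revocation list; E1 comes from a CA you do not control, so it lands on the untrust list instead, which is the practical answer to the page's point that revocation must reach certificates that never passed through your MDM.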
     

As mobile devices continue to become more prevalent, it is important for you to take a strategic approach to securing your organization’s mobile device certificates. Following these 5 steps will help you to avoid misuse of these certificates and protect your organization against trust-based attacks that use mobile devices as an attack vector. But you don’t have to do it alone. Venafi offers a solution that can help you develop an approach to securing your mobile certificates.
 

This blog was originally posted by Patriz Regalado on May 27, 2014.