Why mobile security is a systemic problem

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

There has been considerable hype around each mobile threat vector that has emerged in the last year, but what's often overlooked is how mobile security is currently approached. What's particularly troubling is how reactionary responses have been to these threats, whether it be from Android apps with major flaws in their SSL implementations or the recent airport VPN Trojan.

One simple truth: the only secure way of handling mobile devices is in a managed way.

But corporate breaches from mobile devices will continue as long as the management warning is considered optional and the likes of Google and Apple are slow to open up their operating systems. As an industry, we must realize that mobile security is a systemic problem. Unfortunately, many mobile technology companies have their initial focus on the consumer market, not the enterprise market.

Simply put, endpoints like personal laptops, PDAs or smartphones remain the weakest points within a security infrastructure. This is precisely why it's downright mind-boggling that organizations allow unmanaged devices on their networks, especially considering how many basic security protocols have failed to appear on today's mobile devices.

Consider Android. For a long time it lacked an API for vendors to make calls to the kernel for IPsec VPN clients. This is just one example of how the protocols of secure usage have been ignored. Another concern with Android, in particular, is that different devices are running different versions of the OS. This can cause problems in managing the devices, as there are sure to be discrepancies in how certain security functions are implemented or supported. But many of the mobile vectors that have emerged, or are predicted to hit, could pertain to any and every OS.

After all, it's possible to distribute malicious software on any system, as this malware is typically delivered via social engineering or within a corrupt software package or active web code like Java or ActiveX. On top of this, stealthy exploits, such as session hijacking and identity attacks, easily pave quick paths to gain access to mobile devices. Ultimately, this means there is no substitute for fundamentally robust network security components. Ideally, this should include everything from client device firewalls to IPsec VPNs.

Of course, an important caveat is that even these rigorous security mechanisms aren't failsafe against users ignoring common safety precautions, such as blindly clicking on links or opening suspicious e-mail attachments. This means companies should not take for granted that everyone within the organization is equally savvy about basic technology and security protocols; they must continuously educate and reinforce best practices.

We're in a period of significant mobile device proliferation at all levels. Yet the security solutions designed to combat threat vectors can, at best, be described as siloed solutions that fall short of necessary intelligent threat defense, not to mention critical security function integration and management functionality. This is not to say these solutions lack sophistication because, in many cases, they are built with superior engineering and the latest technologies. Rather, the issue is that threat detection, mitigation and response require an integrated and managed approach that is often difficult to obtain, considering the way we currently tackle mobile threats.

For instance, because mobile devices are constantly exposed to different and often hostile public networks, even the best security technologies are barely enough to deliver a security baseline. Therefore, in the absence of a one-size-fits-all security product, the better approach is to interconnect the siloed, best-of-breed security products and technologies in intelligent ways, focusing on defense-in-depth strategies and powerful threat responses.

IF-MAP, for example, is an open standard that is well-positioned to deliver in this area. IF-MAP provides the possibility to interconnect different IT security systems for an accurate representation of the health status of an IT network. In fact, several security vendors are currently involved in the ESUKOM research project that aims to use IF-MAP to automate security responses to network threats and enforce security policies without human intervention.

Taking a broader view, however, the problem with mobile devices remains a systemic one. In turn, this means everyone needs to be involved in shoring up the security of these devices, all the way from the moment of conceptual design to implementation and, finally, use. This shifts the sole burden from IT administrators and shares the responsibility with everyone, from designers and software architects to company management and end users. But more importantly, this prioritizes security at every step of the way, rather than relegating it to a reactionary, retroactive add-on.


Stories by Rainer Enders, CTO, Americas, NCP engineering
