Beyond BYOD: Securing the Mobile Workforce

Craig Sprosts, Vice President of Platforms and Applications at Nominum

Mobility is having a profound impact on how people live and work.  The modern workforce expects to be able to work anytime, anywhere from any device on any application.  The number of mobile-connected devices will exceed the world’s population this year. While most companies realise that Bring Your Own Device “BYOD” policies creates new risks, the plethora of challenges brought by mobility go far beyond BYOD.  In fact, most organizations are still lagging behind on making the changes necessary to adequately address these challenges. 

Mobility is increasing productivity by not only connecting workers but devices, themselves, to the Internet.  The “Internet of Things” has the potential to dramatically increase the productivity of industries as diverse at healthcare, transportation and agriculture.  The Internet of Things isn’t just a futuristic notion when you’ll be able to monitor your refrigerator, it is here today.  More and more point-of-sale terminals are Internet-enabled to allow better tracking and inventory management, while trucks are now connected to the Internet to allow for more sophisticated fleet management, etc.  Connecting an increasing number of systems to the Internet unlocks productivity but at the same time, dramatically increases the “attack surface” and creates new risks to the enterprise.  

Facing limited resources and a seemingly unlimited number of threats, security teams need to prioritize protecting their assets against the biggest security risks.  But what are the biggest mobile security threats?  This will inevitably vary by company but arguably the biggest risk most enterprises face is the loss of confidential company or customer data. Hundreds of millions of customer records are stolen each year while the average cost per record breached is over $200 . Data theft costs enterprises at least 10’s of billions annually in spite of heavy security investment and current protection measures. 

How is this data stolen?  A Verizon study found that 98% of these incidents involved outside attackers while 69% involved some form of malware .  Often this type of malicious attack involves tricking an employee to install malware on their device,  then monitoring activity on that device through techniques such as keystroke logging to ID usernames and passwords, and finally, using that data to gain access to customer databases or other sensitive systems for data extraction.  Often times, the compromised devices don’t belong to the end users at all, but are things like point of sale devices that hackers were able to access remotely.

Data theft directly attributed to end-user mobile devices still represents the minority of cases today, although this is starting to change as malware writers recognize the unique capabilities of mobile malware.  Today’s mobile malware has advanced capabilities, not seen before with traditional malware.  These capabilities include tracking a user’s exact location, accessing various forms of communication (SMS, MMS, email, instant messaging, etc), access to detailed contact information, listening to a user’s messages, making unauthorized calls and more. 

To understand the actual prevalence of mobile-specific malware that is rampant today, Nominum sampled several billion DNS queries and analyzed patterns in the DNS traffic to determine which mobile devices were infected and  the most common infection types.  While Nominum found infected devices across multiple mobile operating systems, including Apples iOS, our data indicated that Android devices presented the greatest risk.  All of the top 5 mobile malware variants targeted Android.  These were: 

• NONCOMPATIBLE - a drive-by trojan malware which can infect Android phones via their mobile web browsers. When browser’s download is completed, it will ask for user permission for installation. After infection, the android phone works as a proxy.

• SMSPACEM- another malware for Android phones, it will change phone’s wallpaper and send SMS messages to all the phone contacts.

• LENA – capable of rooting an Android phone device without asking user permission.it uses exploits such as gingerbreak or appears as a VPN app trojan malware.  Once gaining a root access, LENA can start to communicate with its command site, download additional components and update binaries once installed. 

• NETISEND – An information stealer malware, it can retrieve infected Android phone information like IMEI, IMSI, model, and installed apps. After downloading, the malware will ask permission to connect to the Internet and to open a backdoor with its command domain site.

• BASEBRIDGE – Exploiting the netlink message validation to get Android phone root access, Basebridge can disable installed AV software, download additional malware components, and open a backdoor with its command site.

Today, most of the malware written specifically for mobile devices is targeted at profiting from the infected individuals.  For example, the attacker often uses infected smart-phones to dial toll numbers that generate revenue.  As Nominum research shows, mobile malware already contains sophisticated capabilities that present significant risk to enterprises and it is only a matter of time before these unique capabilities are used more widely against enterprises as well as consumer individuals.

Security professionals should implement a protection strategy that does more than just stopping malware on end-user’s mobile phones.   Even if mobile operating systems were 100% secure, the people who use them are not and human error often rears its ugly head.  Employees receiving targeted phishing messages that falsely appear to be messages from a customer or business partner, can easily be tricked into disclosing sensitive user names and passwords that enable unauthorized access to company systems.  Users may also lose their devices or have them stolen, putting access to critical data in criminal hands. 

Implementing a mobile security strategy requires far more than protecting smartphones from malware, it also requires providing similar levels of security to employees working remotely on their laptops from airports or coffee houses as if that person was working from the home office.  Likewise, companies need to think about how they can adequately protect mobile users directly accessing 3G or 4G networks and bypassing traditional network-based technologies.  Finally, security professionals should inventory all the connected devices they have across their enterprise including those carrying “machine to machine” traffic to ensure they are secure. 

A proper inventory requires re-evaluating the network security architecture and implementing smarter network-based defenses.  Anti-virus protection at the mobile device-level is still immature and inadequate.  Signature-based anti-virus is also problematic as is drains precious battery life and can cause an unacceptable slowdown in the performance of the device.  A solid security approach for enterprises is to carefully monitor outbound traffic for signs that a device is infected.  This is especially critical since devices can be compromised outside the enterprise and then brought into the enterprise infected.  Detecting and mitigating these compromised devices quickly is critical to minimizing irreparable damage.

Enterprises should also seriously evaluate managed security offerings from their Internet Service Providers.  As described above, desktop security has significant limitations when applied to mobile devices, yet significant threat traffic also bypasses traditional enterprise network security technologies (for example, when someone uses their laptop to work from home or that person communicates from the home or office using a 3G or 4G wireless network).  Protecting these types of users requires better security embedded into the network, itself, and many network operators have acknowledged this by offering more sophisticated managed security services to enterprises. 

In summary, productivity and protection go hand in hand. Mobility has transformed how people work and has the potential to substantially increase productivity across industries but enterprises need to think beyond the impact of infected mobile phones and look holistically at protecting all the connected devices on their network.  Doing this requires building more security into communications networks beyond the enterprise firewall and communications Service Providers are in a unique position to help fill this void.

Join the CSO newsletter!

Error: Please check your email address.

Tags BYODNominumsecurity

More about IMSINominumVerizonVerizon

Show Comments