Beyond BYOD: Securing the Mobile Workforce

Craig Sprosts, Vice President of Platforms and Applications at Nominum

Mobility is having a profound impact on how people live and work. The modern workforce expects to be able to work anytime, anywhere, from any device, on any application. The number of mobile-connected devices will exceed the world’s population this year. While most companies realise that Bring Your Own Device (BYOD) policies create new risks, the challenges brought by mobility go far beyond BYOD. In fact, most organizations are still lagging behind in making the changes necessary to address these challenges adequately.

Mobility is increasing productivity by connecting not only workers but devices themselves to the Internet. The “Internet of Things” has the potential to dramatically increase the productivity of industries as diverse as healthcare, transportation and agriculture. The Internet of Things isn’t just a futuristic notion in which you’ll be able to monitor your refrigerator; it is here today. More and more point-of-sale terminals are Internet-enabled to allow better tracking and inventory management, while trucks are now connected to the Internet to allow for more sophisticated fleet management. Connecting an increasing number of systems to the Internet unlocks productivity but, at the same time, dramatically increases the “attack surface” and creates new risks to the enterprise.

Facing limited resources and a seemingly unlimited number of threats, security teams need to prioritize protecting their assets against the biggest security risks. But what are the biggest mobile security threats? This will inevitably vary by company, but arguably the biggest risk most enterprises face is the loss of confidential company or customer data. Hundreds of millions of customer records are stolen each year, while the average cost per record breached is over $200. Data theft costs enterprises at least tens of billions of dollars annually in spite of heavy security investment and current protection measures.

How is this data stolen? A Verizon study found that 98% of these incidents involved outside attackers, while 69% involved some form of malware. Often this type of malicious attack involves tricking an employee into installing malware on their device, then monitoring activity on that device through techniques such as keystroke logging to identify usernames and passwords, and finally using those credentials to gain access to customer databases or other sensitive systems for data extraction. Often, the compromised devices don’t belong to end users at all, but are things like point-of-sale devices that hackers were able to access remotely.

Data theft directly attributed to end-user mobile devices still represents the minority of cases today, although this is starting to change as malware writers recognize the unique capabilities of mobile malware. Today’s mobile malware has advanced capabilities not seen before in traditional malware. These include tracking a user’s exact location, accessing various forms of communication (SMS, MMS, email, instant messaging, etc.), accessing detailed contact information, listening to a user’s messages, making unauthorized calls and more.

To understand the actual prevalence of mobile-specific malware today, Nominum sampled several billion DNS queries and analyzed patterns in the DNS traffic to determine which mobile devices were infected and which infection types were most common. While Nominum found infected devices across multiple mobile operating systems, including Apple’s iOS, our data indicated that Android devices presented the greatest risk. All of the top 5 mobile malware variants targeted Android. These were:

• NONCOMPATIBLE – a drive-by trojan that can infect Android phones via their mobile web browsers. When the browser download completes, it asks the user for permission to install. After infection, the Android phone works as a proxy.

• SMSPACEM – another piece of Android malware; it changes the phone’s wallpaper and sends SMS messages to all of the phone’s contacts.

• LENA – capable of rooting an Android phone without asking the user, using exploits such as GingerBreak, or posing as a trojanized VPN app. Once it gains root access, LENA can communicate with its command site, download additional components and update its binaries.

• NETISEND – an information stealer that retrieves information about the infected Android phone such as its IMEI, IMSI, model and installed apps. After downloading, the malware asks for permission to connect to the Internet and opens a backdoor to its command domain.

• BASEBRIDGE – exploiting netlink message validation to gain root access on Android phones, Basebridge can disable installed AV software, download additional malware components and open a backdoor to its command site.

Today, most of the malware written specifically for mobile devices aims to profit from the infected individuals. For example, the attacker often uses infected smartphones to dial toll numbers that generate revenue. As Nominum’s research shows, mobile malware already contains sophisticated capabilities that present significant risk to enterprises, and it is only a matter of time before these unique capabilities are used more widely against enterprises as well as individual consumers.

Security professionals should implement a protection strategy that does more than just stop malware on end users’ mobile phones. Even if mobile operating systems were 100% secure, the people who use them are not, and human error often rears its ugly head. Employees receiving targeted phishing messages that falsely appear to come from a customer or business partner can easily be tricked into disclosing sensitive user names and passwords that enable unauthorized access to company systems. Users may also lose their devices or have them stolen, putting access to critical data in criminal hands.

Implementing a mobile security strategy requires far more than protecting smartphones from malware; it also requires giving employees working remotely on their laptops from airports or coffee houses the same level of security they would have in the home office. Likewise, companies need to think about how they can adequately protect mobile users who access 3G or 4G networks directly, bypassing traditional network-based security technologies. Finally, security professionals should inventory all the connected devices across their enterprise, including those carrying “machine to machine” traffic, to ensure they are secure.

A proper inventory requires re-evaluating the network security architecture and implementing smarter network-based defenses. Anti-virus protection at the mobile-device level is still immature and inadequate. Signature-based anti-virus is also problematic, as it drains precious battery life and can cause an unacceptable slowdown in the performance of the device. A solid security approach for enterprises is to carefully monitor outbound traffic for signs that a device is infected. This is especially critical since devices can be compromised outside the enterprise and then brought in already infected. Detecting and mitigating these compromised devices quickly is critical to minimizing irreparable damage.
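As an added illustration (not Nominum’s code or data), the following Python sketch shows the kind of outbound-DNS check that the sampling study above and the “monitor outbound traffic” advice both point to: it parses constructed query-log lines and flags a client that resolves a placeholder command domain or produces a burst of distinct NXDOMAIN lookups. The log format, the domain names and the threshold are all assumptions.

```python
"""Flag likely-infected clients from DNS query logs (constructed example)."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed indicator list: placeholder command domains, not real IoCs.
COMMAND_DOMAINS = {"c2-placeholder.example", "update-placeholder.example"}

# Constructed sample log lines: "<timestamp> <client_ip> <qname> <rcode>"
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com NOERROR
1700000001 10.0.0.5 mail.example.com NOERROR
1700000002 10.0.0.9 C2-Placeholder.example. NOERROR
1700000003 10.0.0.9 www.example.com NOERROR
1700000004 10.0.0.12 ab3kd9.example NXDOMAIN
1700000005 10.0.0.12 zq81pw.example NXDOMAIN
1700000006 10.0.0.12 m4xr2k.example NXDOMAIN
1700000007 10.0.0.12 t9ylp0.example NXDOMAIN
1700000008 10.0.0.12 h7g3ss.example NXDOMAIN
1700000009 10.0.0.12 www.example.com NOERROR
"""


def parse_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, qname, rcode) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # tolerate truncated or garbled lines
        _ts, client, qname, rcode = parts
        # Normalise the name: case-insensitive, no trailing root dot.
        records.append((client, qname.lower().rstrip("."), rcode))
    return records


def find_infected(records, nx_threshold: int = 5) -> Dict[str, List[str]]:
    """Map client IP -> reasons it looks infected.

    Two signals: a lookup of a known command domain, and many distinct
    NXDOMAIN names from one client, the pattern a domain-generation
    algorithm leaves while probing for a live command server.
    """
    nx_names = defaultdict(set)
    reasons = defaultdict(list)
    for client, qname, rcode in records:
        if qname in COMMAND_DOMAINS:
            reasons[client].append(f"queried command domain {qname}")
        if rcode == "NXDOMAIN":
            nx_names[client].add(qname)
    for client, names in nx_names.items():
        if len(names) >= nx_threshold:
            reasons[client].append(f"{len(names)} distinct NXDOMAIN lookups")
    return dict(reasons)
```

In a real deployment the indicator set would come from a threat-intelligence feed and the NXDOMAIN threshold would be tuned per network, since some legitimate software also generates failed lookups.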

Enterprises should also seriously evaluate managed security offerings from their Internet service providers. As described above, desktop security has significant limitations when applied to mobile devices, and significant threat traffic also bypasses traditional enterprise network security technologies (for example, when someone uses their laptop to work from home, or communicates from home or the office over a 3G or 4G wireless network). Protecting these types of users requires better security embedded into the network itself, and many network operators have acknowledged this by offering more sophisticated managed security services to enterprises.

In summary, productivity and protection go hand in hand. Mobility has transformed how people work and has the potential to substantially increase productivity across industries, but enterprises need to think beyond the impact of infected mobile phones and look holistically at protecting all the connected devices on their network. Doing this requires building more security into communications networks beyond the enterprise firewall, and communications service providers are in a unique position to help fill this void.
