There’s been a massive focus on mobile security recently as the proliferation of smartphones and tablets and advent of BYOD has forced IT and security professionals to completely rethink how mobile devices and data are managed. Gartner’s Rob Smith looked at some of the challenges around mobile security at the Security and Risk Management Summit held in Sydney in August 2015.
Mobile malware has had a lot of recent attention, with some vendors claiming there are millions of malicious applications in the wild. Smith says the problem isn’t malware in the official app stores but malware on devices that have been rooted, where users have gone outside the store and downloaded it themselves. He also noted that mobile devices aren’t attackers’ preferred vector for data breaches: there has been no Sony-scale event that was initiated via a mobile device.
According to Verizon, 15.3% of all incidents are due to physical theft or loss, including mobile devices. Gartner’s own data says about 75% of mobile security breaches will be the result of mobile application misconfigurations. One of the challenges is the number of different Android versions in the wild: a survey conducted in 2012 found almost 4000, by 2013 that had risen to 12000, and today it is in excess of 30000.
Every device sold by a different carrier has its own slightly different software version. This makes it difficult for IT admins to configure devices correctly, and in some cases fixes for known issues are released by Google and the handset makers but never deployed by the carriers.
In some cases the applications themselves make it difficult to keep data under control once it is on the device. For example, Office 365 allows users to save data directly to personal cloud services such as Dropbox or Box.net. This creates data leakage that businesses find difficult to detect or prevent.
Smith highlighted how easy it can be to conduct a man-in-the-middle attack by tricking users into installing configuration profiles that allow their traffic to be intercepted. Such attacks can be avoided through user training, something IT often fails to deliver.
Breach points and Windows 10
By 2017, the focus of endpoint breaches will shift to tablets and smartphones. Recent deals, such as the alliance between IBM and Apple, highlight that executives are abandoning their laptops and moving to smaller devices.
Interestingly, Smith noted that Windows 10 offers some significant security benefits that don’t compromise usability. BlackBerry had strong security cachet, he said, but its usability had suffered over the years; Windows 10 offers BlackBerry-like security with Apple-like usability. Also, once a Windows Phone is put under device management, administrators gain control over firmware versions, taking that control away from the carriers.
The focus on device protection is misplaced, says Smith. He cited a recent experiment at Cal Tech in which a piece of malware was published through a certified app store and sent a tweet on the user’s behalf without permission or any visible sign. Since even users who do the right thing and stick to legitimate app stores cannot be guaranteed a clean device, the focus needs to be on protecting the data.
Smith says it’s important to treat mobile security as tactical and only deploy it where it’s needed; there may not be a need to secure every single user equally. This means risk managers need to profile and understand their users and treat mobile devices as untrusted. The focus ought not to be on locking devices down, which only annoys users, but on securing data.