With the number of mobile devices used within businesses growing by the day, ensuring they remain secure is becoming an increasing challenge for IT teams.
Where once having a secure perimeter around centralised data and applications was sufficient, now a new approach is required to ensure protection at all times regardless of each device's location and the network to which it is connected.
The need for strong security on mobile devices is urgent because of the increasing number of activities for which they are being used. For example, many staff are accessing corporate Software-as-a-Service (SaaS) platforms and using their device as their means of identification.
They are also being used regularly to complete mobile payments. This could be a simple tap-and-go payment at a cafe or a large cash transfer from a bank account. Staff are also relying on their mobile devices to access centralised corporate resources such as CRM and ERP systems to check customer records, lodge orders or create invoices for work completed.
As a result of these activities, security concerns have expanded from the possibility of devices being lost or stolen to the issues raised by a criminal using a device to gain unfettered access to corporate systems and data.
Industry research shows there is a lot of work to be done in the area of mobile security. According an IDC survey, 19.3% of organisations do not encrypt data transmitted from staff mobile devices.
Of those surveyed, 22.4% admitted they do not authenticate a device before transmitting data to it while 36.7% believe they lack strong integration between their mobile device security tools and their existing wider security infrastructure.
Attention is also focusing on mobile applications and how these can be made more secure. According to recent IDC research, security is now the most important factor taken into account by organisations when evaluating mobile enterprise applications, coming in ahead of performance, ease of use and even interoperability.
Types of threats
The key threats faced by organisations when it comes to mobile devices include mobile malware, malicious applications, and insecure security settings on the devices themselves. Threats are also caused by usage of insecure networks such as public Wi-Fi services that have little or no inbuilt security and offer the potential for man-in-the-middle attacks.
There are also increasing numbers of attacks where criminals exploit underlying flaws in mobile device operating systems and web browsers. Because some devices are not updated regularly, these flaws can remain open for extended periods.
Examples of some recent exploits include Stagefright which exploits an Android video processing vulnerability, Mobile Remote Access Trojans (mRATs) which are spying apps that affect Android and iOS devices, and iOS SideStepper which enables a criminal to hijack a device tied to a mobile device management platform.
Recent malware examples include Viking Horde, which was found within the Google Play Store and causes a device to join a botnet. Another is HummingBad which roots a targeted device and installs fraudulent applications which give an attacker remote access.
Examples have also been found of malicious code that, once installed on a device, can provide remote access to its camera and microphone. This could allow an attacker to eves drop on corporate meetings without the knowledge of anyone in the room.
A more secure approach
This variety of threats to mobile devices requires a new approach to security. Firstly, organisations have to recognise that the overall objective is to maintain the confidentiality, integrity and availability of applications and data at all times and regardless of the device being used.
A second step is to tie these three key objectives to the opportunities attackers may have available. Systems need to be examined to determine where they could potentially intercept traffic, modify data and corrupt infrastructure components. Could this happen on the devices being used by staff? Could it occur as the result of the usage of insecure public networks for connectivity?
Step three is to assess the probability that an attack might be successful and the impact it would have on day-to-day operations of the organisation. Are devices regularly used on insecure networks? What core applications and data stores are being accessed? If systems were compromised, what effect would this have on customer service?
Finally, the organisation must assess establish the steps that need to be taken to reduce the risk of successful attack. This should include everything from ongoing staff training to the deployment of security tools both on the mobile devices themselves as well as in the wider IT infrastructure.
A comprehensive mobile security approach needs to comprise a number of key building blocks. They include:
- Antivirus: All mobile devices used by an organisation need to have effective anti-virus and app reputation tools installed. This will ensure any known threats that occur can be quickly identified and removed.
- Mobile Threat Prevention: MTP tools should also be deployed across the device fleet. These will deal with unknown threats and any zero day exploits that emerge.
- Mobile Device Management: An MDM platform is critical to ensure security policies are enforced and that users cannot circumvent the protective tools that have been put in place.
- Secure containers: As an additional layer of security, devices (particularly BYOD devices) should have a secure container installed in which all corporate data and applications are stored and run. This ensures they remain quarantined from another software and activities undertaken on the device.
By following this strategy, organisations can be confident the mobile devices being used by their staff can withstand the growing number of threats that are appearing in the wild. The benefits of mobility can be enjoyed while the potential disruption and losses from attacks is avoided.