5/2/2012 11:25 PM

How To Fix The Gaping Holes In Mobile Security

IT's juggling laptop policies and Wi-Fi policies and BYOD policies--and the result is unacceptable security gaps.

Remember the TJX security debacle stemming from a poorly protected Wi-Fi network at one of the retailer's stores? Given the result--45 million credit and debit card numbers compromised over an 18-month period and fines and settlements of at least $50 million--you'd think the flawed security mechanism that enabled the attack would be stomped out by now, a full five years after the story broke.

You would, however, be mistaken. Our InformationWeek 2012 Mobile Security Survey shows that 24% of respondents' companies are still using WEP, the technology at the root of T.J. Maxx's problems. And these are people who should know better--every one of the 322 business technology professionals responding to our survey is involved with mobile device management, policy development, and/or security.

The good news is that bring-your-own-device programs have helped push this topic to the fore: 90% of the 946 respondents to a separate survey, our InformationWeek 2012 Strategic Security Survey, believe mobile devices pose a threat to their companies' security now (69%) or that they will (21%). The No. 1 and No. 2 concerns: loss of a device containing sensitive data or an infected personal device connecting to the corporate network.

Mobile security as a focus area is here to stay. But what if we're going about it the wrong way? Smartphones are just computers that fit in our pockets, and ultrabooks are poised to blur the line between tablet and laptop. Most end users don't differentiate between Wi-Fi and 3G/4G access, and carriers want it that way because they see Wi-Fi as critical to combating spectrum shortages. Today, mobile security is end user security is data security. Maintaining two or three separate policies is a recipe for confusion and noncompliance.

Let's delve into the (sometimes disturbing) findings from our survey, then look briefly at how to mesh the realities of mobility today into a unified policy and threat management strategy that will serve us into the future; we go into much more detail on that front in our full report.

BYOD In Full Swing

While 86% of respondents to our Mobile Security Survey either allow or plan to allow personally owned devices, the policies governing them vary widely. Just 40% limit the range of devices supported and require that users connect to a mobile device management (MDM) system, compared with 42% who let all comers on the network as long as the device owner agrees to certain policies--in our experience, that often translates to "trust the user to do the right thing." Ten percent allow user-owned devices with no restrictions whatsoever.

Among company-owned smartphones, BlackBerry still leads the pack, but not likely for long. It's embraced by 70% of responding companies today. However, while our January InformationWeek Research In Motion Survey of 536 IT pros also showed BlackBerry representing a median of 70% of company-purchased devices in use now, that number plummets to 35% when respondents look ahead 24 months. A mere 7% plan to increase their use of RIM products.

So much for that BlackBerry security blanket.

How can we square an ever-expanding range of smartphones and tablets, many of them user-owned, accessing and storing all types of sensitive corporate information with the fact that just 14% of our Mobile Security Survey respondents mandate hardware encryption for corporate data? Especially since 48% say mobile devices have gone missing in the previous 12 months?

We can't--and the problem could potentially be far worse than it seems, since lost and stolen devices dominate our list of 10 mobile security worries. "Since replacing the device itself is relatively cheap, those concerns must be over possibly compromised data," says Craig Mathias, principal at mobile advisory firm Farpoint Group.

IT security pros aren't sitting still. In fact, 60% report that, in a given year, security incidents affected less than 10% of all the mobile systems they manage. But let's not get too cocky: We have many years of experience locking down laptops, which run overwhelmingly on a single operating system. In fact, 33% of respondents say 51% or more of their companies' employees are issued laptops versus 24% saying the same about smartphones and 6% issuing tablets to most workers.

Our advice is to build on what we've learned. There are some basics critical to securing data in use by mobile end users no matter how they're accessing it, and the more unified the policy, the easier it is to enforce.

chart: What's the main reason you don't require encryption?

Mobile Security A Work In Progress

Our full report on mobile security is available free with registration.

This report includes 44 pages of action-oriented analysis, packed with 37 charts. What you'll find:
  • 10 top security concerns rated
  • Guidelines on building a unified policy covering mobile devices, laptops and ultrabooks, Wi-Fi/3G security, and more