Risk
5/2/2012
11:25 PM

How To Fix The Gaping Holes In Mobile Security

IT's juggling laptop policies and Wi-Fi policies and BYOD policies--and the result is unacceptable security gaps.

Remember the TJX security debacle stemming from a poorly protected Wi-Fi network at one of the retailer's stores? Given the result--45 million credit and debit card numbers compromised over an 18-month period and fines and settlements of at least $50 million--you'd think the flawed security mechanism that enabled the attack would be stomped out by now, a full five years after the story broke.

You would, however, be mistaken. Our InformationWeek 2012 Mobile Security Survey shows that 24% of respondents' companies are still using WEP, the technology at the root of T.J. Maxx's problems. And these are people who should know better--every one of the 322 business technology professionals responding to our survey is involved with mobile device management, policy development, and/or security.

The good news is that bring-your-own-device programs have helped push this topic to the fore: 90% of the 946 respondents to a separate survey, our InformationWeek 2012 Strategic Security Survey, believe mobile devices pose a threat to their companies' security now (69%) or that they will (21%). The No. 1 and No. 2 concerns: loss of a device containing sensitive data or an infected personal device connecting to the corporate network.

Mobile security as a focus area is here to stay. But what if we're going about it the wrong way? Smartphones are just computers that fit in our pockets, and ultrabooks are poised to blur the line between tablet and laptop. Most end users don't differentiate between Wi-Fi and 3G/4G access, and carriers want it that way because they see Wi-Fi as critical to combating spectrum shortages. Today, mobile security is end user security is data security. Maintaining two or three separate policies is a recipe for confusion and noncompliance.

Let's delve into the (sometimes disturbing) findings from our survey, then look briefly at how to mesh the realities of mobility today into a unified policy and threat management strategy that will serve us into the future; we go into much more detail on that front in our full report.

BYOD In Full Swing

While 86% of respondents to our Mobile Security Survey either allow or plan to allow personally owned devices, the policies governing them vary widely. Just 40% limit the range of devices supported and require that users connect to a mobile device management (MDM) system, compared with 42% who let all comers on the network as long as the device owner agrees to certain policies--in our experience, that often translates to "trust the user to do the right thing." Ten percent allow user-owned devices with no restrictions whatsoever.

Among company-owned smartphones, BlackBerry still leads the pack, but not likely for long. It's embraced by 70% of responding companies today. However, while our January InformationWeek Research In Motion Survey of 536 IT pros also showed BlackBerry representing a median of 70% of company-purchased devices in use now, that number plummets to 35% when respondents look ahead 24 months. A mere 7% plan to increase their use of RIM products.

So much for that BlackBerry security blanket.

How can we square an ever-expanding range of smartphones and tablets, many of them user-owned, accessing and storing all types of sensitive corporate information with the fact that just 14% of our Mobile Security Survey respondents mandate hardware encryption for corporate data? Especially since 48% say mobile devices have gone missing in the previous 12 months?

We can't--and the problem could potentially be far worse than it seems, since lost and stolen devices dominate our list of 10 mobile security worries. "Since replacing the device itself is relatively cheap, those concerns must be over possibly compromised data," says Craig Mathias, principal at mobile advisory firm Farpoint Group.

IT security pros aren't sitting still. In fact, 60% report that, in a given year, security incidents affected less than 10% of all the mobile systems they manage. But let's not get too cocky: We have many years of experience locking down laptops, which run overwhelmingly on a single operating system. In fact, 33% of respondents say 51% or more of their companies' employees are issued laptops versus 24% saying the same about smartphones and 6% issuing tablets to most workers.

Our advice is to build on what we've learned. There are some basics critical to securing data in use by mobile end users no matter how they're accessing it, and the more unified the policy, the easier it is to enforce.

chart: What's the main reason you don't require encryption?

Mobile Security A Work In Progress

Our full report on mobile security is available free with registration.

This report includes 44 pages of action-oriented analysis, packed with 37 charts. What you'll find:
  • 10 top security concerns rated
  • Guidelines on building a unified policy covering mobile devices, laptops and ultrabooks, Wi-Fi/3G security, and more

