Risk
5/2/2012
11:25 PM
Connect Directly
RSS
E-Mail
50%
50%

How To Fix The Gaping Holes In Mobile Security

IT's juggling laptop policies and Wi-Fi policies and BYOD policies--and the result is unacceptable security gaps.

Remember the TJX security debacle stemming from a poorly protected Wi-Fi network at one of the retailer's stores? Given the result--45 million credit and debit card numbers compromised over an 18-month period and fines and settlements of at least $50 million--you'd think the flawed security mechanism that enabled the attack would be stomped out by now, a full five years after the story broke.

You would, however, be mistaken. Our InformationWeek 2012 Mobile Security Survey shows that 24% of respondents' companies are still using WEP, the technology at the root of T.J. Maxx's problems. And these are people who should know better--every one of the 322 business technology professionals responding to our survey is involved with mobile device management, policy development, and/or security.

The good news is that bring-your-own-device programs have helped push this topic to the fore: 90% of the 946 respondents to a separate survey, our InformationWeek 2012 Strategic Security Survey, believe mobile devices pose a threat to their companies' security now (69%) or that they will (21%). The No. 1 and No. 2 concerns: loss of a device containing sensitive data or an infected personal device connecting to the corporate network.

Mobile security as a focus area is here to stay. But what if we're going about it the wrong way? Smartphones are just computers that fit in our pockets, and ultrabooks are poised to blur the line between tablet and laptop. Most end users don't differentiate between Wi-Fi and 3G/4G access, and carriers want it that way because they see Wi-Fi as critical to combating spectrum shortages. Today, mobile security is end user security is data security. Maintaining two or three separate policies is a recipe for confusion and noncompliance.

Let's delve into the (sometimes disturbing) findings from our survey, then look briefly at how to mesh the realities of mobility today into a unified policy and threat management strategy that will serve us into the future; we go into much more detail on that front in our full report.

BYOD In Full Swing

While 86% of respondents to our Mobile Security Survey either allow or plan to allow personally owned devices, the policies governing them vary widely. Just 40% limit the range of devices supported and require that users connect to a mobile device management (MDM) system, compared with 42% who let all comers on the network as long as the device owner agrees to certain policies--in our experience, that often translates to "trust the user to do the right thing." Ten percent allow user-owned devices with no restrictions whatsoever.

Among company-owned smartphones, BlackBerry still leads the pack, but not likely for long. It's embraced by 70% of responding companies today. However, while our January InformationWeek Research In Motion Survey of 536 IT pros also showed BlackBerry representing a median of 70% of company-purchased devices in use now, that number plummets to 35% when respondents look ahead 24 months. A mere 7% plan to increase their use of RIM products.

So much for that BlackBerry security blanket.

How can we square an ever-expanding range of smartphones and tablets, many of them user-owned, accessing and storing all types of sensitive corporate information with the fact that just 14% of our Mobile Security Survey respondents mandate hardware encryption for corporate data? Especially since 48% say mobile devices have gone missing in the previous 12 months?

We can't--and the problem could potentially be far worse than it seems, since lost and stolen devices dominate our list of 10 mobile security worries. "Since replacing the device itself is relatively cheap, those concerns must be over possibly compromised data," says Craig Mathias, principal at mobile advisory firm Farpoint Group.

IT security pros aren't sitting still. In fact, 60% report that, in a given year, security incidents affected less than 10% of all the mobile systems they manage. But let's not get too cocky: We have many years of experience locking down laptops, which run overwhelmingly on a single operating system. In fact, 33% of respondents say 51% or more of their companies' employees are issued laptops versus 24% saying the same about smartphones and 6% issuing tablets to most workers.

Our advice is to build on what we've learned. There are some basics critical to securing data in use by mobile end users no matter how they're accessing it, and the more unified the policy, the easier it is to enforce.

chart: What's the main reason you don't require encryption?

Mobile Security A Work In Progress

Our full report on mobile security is available free with registration.

This report includes 44 pages of action-oriented analysis, packed with 37 charts. What you'll find:
  • 10 top security concerns rated
  • Guidelines on building a unified policy covering mobile devices, laoptops and ultrabooks, Wi-Fi/3G security, and more
Get This And All Our Reports


Previous
1 of 3
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5700
Published: 2014-09-22
Multiple cross-site scripting (XSS) vulnerabilities in Baby Gekko before 1.2.2f allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/index.php or the (2) username or (3) password parameter in blocks/loginbox/loginbox.template.php to index.php. NOTE: some o...

CVE-2014-0484
Published: 2014-09-22
The Debian acpi-support package before 0.140-5+deb7u3 allows local users to gain privileges via vectors related to the "user's environment."

CVE-2014-2942
Published: 2014-09-22
Cobham Aviator 700D and 700E satellite terminals use an improper algorithm for PIN codes, which makes it easier for attackers to obtain a privileged terminal session by calculating the superuser code, and then leveraging physical access or terminal access to enter this code.

CVE-2014-3595
Published: 2014-09-22
Cross-site scripting (XSS) vulnerability in spacewalk-java 1.2.39, 1.7.54, and 2.0.2 in Spacewalk and Red Hat Network (RHN) Satellite 5.4 through 5.6 allows remote attackers to inject arbitrary web script or HTML via a crafted request that is not properly handled when logging.

CVE-2014-3635
Published: 2014-09-22
Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows remote attackers to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one m...

Best of the Web
Dark Reading Radio