
10/24/2011
05:41 PM

Pocket Guide To Securing Mobile Devices

With workers bringing their own smartphones and tablets into the company, IT security needs to focus on creating a more secure environment, not on securing each device

Smartphones, tablets, and other mobile devices are forcing enterprise IT managers to re-evaluate how they secure technology.

With workers more likely to use a personal device for work, companies are less likely to be able to specifically configure the mobile devices that have access to the corporate network. Add to that the fact that the software ecosystem surrounding mobile devices is, to a large degree and depending on platform, closed. Less access means attackers have a harder time hacking the devices, but it also means third-party firms are harder pressed to provide solutions to the problems mobile devices do have.

For those reasons, the recommendations are that, rather than focus on securing each device, IT groups should look to educate users, set good security policies, secure access, and help manage the devices, says John Engels, principal product management for Symantec's enterprise mobility group.

"We are trying to surround the devices with security and protect and control what goes into the device and what comes out of it," Engels says.

A key component to the approach is mobile device management (MDM), which initially took off as a way to keep track of all the costs associated with a company's gaggle of cell phones, but increasingly has a security role as well.

The four major threats to mobile devices are device theft (or forgetful employees), wireless network sniffing of communications, malicious software, and the infrequent direct attack. Of those four major threats, however, MDM mainly solves only one: lost and stolen devices, says Dan Hoffman, chief mobile security analyst for Juniper Networks.

"When you look at mobile device management, it does nothing for malware, nothing for a direct attack, and nothing for data communication interception," Hoffman says.

For that reason, companies have to look beyond just adopting MDM solutions, he says. Here are four recommendations:

1. Know the threats.
As any carny knows, the easiest mark is one who is not paying attention.

Employees who do not understand the possible mobile attacks make far easier victims than workers educated about the threat. For that reason, education and good security policies are of paramount importance in dealing with consumer-owned mobile devices.

"Make your employees aware of the security risks: A smart user is more secure than a dumb user," says Brian Reed, vice president of products at mobile-device management firm BoxTone.

The education of users around selecting passwords, paired with a good remote wipe policy, is a good example.

Because the principal threat to smartphones is lost and stolen devices, a key feature of all device management platforms is the ability to remotely wipe a device. With a policy of wiping a device after, say, 10 wrong passwords, a company does not have to attempt to enforce a complex password requirement on users. A mere five- or six-digit password will likely suit the needs of security.

2. Only use approved app stores.
Because of the closed software ecosystems of many mobile devices -- notably Apple, Microsoft, and RIM's BlackBerry -- a significant amount of security relies on making sure that workers do not download apps from nonofficial sources.

Take a look at malware incidents to date: Almost every piece of malicious software that has infected a real phone has been a Trojan horse. DroidDream, the most successful malicious app, infected a quarter-million Android phones in March by posing as real applications.

While Apple, Google, and Microsoft have their official application marketplaces, other companies, such as Amazon, are providing alternatives. In addition, companies such as Apperian have software to allow enterprises to set up their own app stores.

3. Check the bills.
In his 1989 book, The Cuckoo's Egg, Cliff Stoll launched an investigation into his network's security because of a 75-cent accounting error.

While corporate spies intent on stealing data will never run up a large phone bill, cybercriminals are focused on profit. One current way to leech cash from a phone: billing the victim using premium numbers or premium SMS. Criminals who keep such charges small could escape notice if the company is footing the bill for the devices.

If an employee downloaded any of the applications then carrying the rogue GGTracker app, such as a tic-tac-toe game, a $10 charge would show up on the bill.

"These apps try to hide the charges, but it will always show up on the bill," says Kevin Mahaffey, chief technology officer of mobile security firm Lookout.
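The bill check recommended here can be run as a script over each billing cycle. The sketch below is an added example, not code from the article or from any vendor quoted in it; it assumes the carrier bill can be exported as CSV, and the column names, line-item types, phone numbers, and short codes are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample export; the columns and values are assumptions.
SAMPLE_BILL = """\
device,date,type,destination,amount
555-0101,2011-07-03,voice,555-0199,0.00
555-0101,2011-07-05,premium_sms,SC-0001,9.99
555-0102,2011-07-06,data,-,0.00
555-0102,2011-07-09,premium_sms,SC-0002,1.99
555-0102,2011-08-09,premium_sms,SC-0002,1.99
555-0103,2011-07-11,sms,555-0142,0.00
"""

# Hypothetical labels a carrier export might use for premium-rate items.
PREMIUM_TYPES = {"premium_sms", "premium_voice"}


def premium_charges(bill_csv):
    """Group premium-rate line items by device."""
    per_device = defaultdict(list)
    for row in csv.DictReader(io.StringIO(bill_csv)):
        if row["type"] in PREMIUM_TYPES:
            item = (row["date"], row["destination"], Decimal(row["amount"]))
            per_device[row["device"]].append(item)
    return per_device


def review_list(bill_csv, approved_destinations=frozenset()):
    """List devices with premium charges to unapproved destinations.

    No minimum amount is applied: small charges are exactly the ones
    that escape notice on a company-paid bill.
    """
    findings = []
    for device, items in premium_charges(bill_csv).items():
        unapproved = [i for i in items if i[1] not in approved_destinations]
        if not unapproved:
            continue
        destinations = {dest for _, dest, _ in unapproved}
        findings.append({
            "device": device,
            "count": len(unapproved),
            "total": sum(amount for _, _, amount in unapproved),
            # The same destination billed more than once looks like a subscription.
            "recurring": len(destinations) < len(unapproved),
        })
    return sorted(findings, key=lambda f: f["total"], reverse=True)


if __name__ == "__main__":
    for finding in review_list(SAMPLE_BILL):
        print(finding)
```

Passing the company's known-legitimate premium services as `approved_destinations` keeps the review list limited to charges nobody signed off on.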

4. Antivirus, still a question mark.
What might not be necessary? Antivirus.

Because of mobile devices' own limitations on applications, security vendors cannot take over low-level control of a smartphone in the same way they can with personal computers. For that reason, security companies have focused on finding ways to manage security from the outside and create mobile applications that manage the configuration of the device for the user.

"A lot of security for devices will boil down to managing the settings on the device and linking into security of the environment," Symantec's Engels says.
