10/24/2011
05:41 PM

Pocket Guide To Securing Mobile Devices

With workers bringing their own smartphones and tablets into the company, IT security needs to focus on creating a more secure environment, not on securing each device

Smartphones, tablets, and other mobile devices are forcing enterprise IT managers to re-evaluate how they secure technology.

With workers more likely to use a personal device for work, companies are less likely to be able to specifically configure the mobile devices that have access to the corporate network. Add to that the fact that the software ecosystem surrounding mobile devices is, to a large degree and depending on platform, closed. Less access means attackers have a harder time hacking the devices, but it also means third-party firms are harder pressed to provide solutions to the problems mobile devices do have.

For those reasons, rather than focusing on securing each device, IT groups should look to educate users, set good security policies, secure access, and help manage the devices, says John Engels, principal product management for Symantec's enterprise mobility group.

"We are trying to surround the devices with security and protect and control what goes into the device and what comes out of it," Engels says.

A key component to the approach is mobile device management (MDM), which initially took off as a way to keep track of all the costs associated with a company's gaggle of cell phones, but increasingly has a security role as well.

The four major threats to mobile devices are device theft (or forgetful employees), wireless network sniffing of communications, malicious software, and the infrequent direct attack. Of those four major threats, however, MDM mainly solves only one: lost and stolen devices, says Dan Hoffman, chief mobile security analyst for Juniper Networks.

"When you look at mobile device management, it does nothing for malware, nothing for a direct attack, and nothing for data communication interception," Hoffman says.

For that reason, companies have to look beyond just adopting MDM solutions, he says. Here are four recommendations:

1. Know the threats.
As any carny knows, the easiest mark is one who is not paying attention.

Employees who do not understand the possible mobile attacks make far easier victims than workers educated about the threat. For that reason, education and good security policies are of paramount importance in dealing with consumer-owned mobile devices.

"Make your employees aware of the security risks: A smart user is more secure than a dumb user," says Brian Reed, vice president of products at mobile-device management firm BoxTone.

The education of users around selecting passwords, paired with a good remote wipe policy, is a good example.

Because the principal threat to smartphones is lost and stolen devices, a key feature of all device management platforms is the ability to remotely wipe a device. With a policy of wiping a device after, say, 10 wrong passwords, a company does not have to attempt to enforce a complex password requirement on users. A mere five- or six-digit password will likely suit the needs of security.

2. Only use approved app stores.
Because of the closed software ecosystems of many mobile devices -- notably Apple, Microsoft, and RIM's BlackBerry -- a significant amount of security relies on making sure that workers do not download apps from nonofficial sources.

Take a look at malware incidents to date: Almost every piece of malicious software that has infected a real phone has been a Trojan horse. DroidDream, the most successful malicious app, infected a quarter-million Android phones in March by posing as real applications.

While Apple, Google, and Microsoft have their official application marketplaces, other companies, such as Amazon, are providing alternatives. In addition, companies such as Apperian have software to allow enterprises to set up their own app stores.

3. Check the bills.
In his 1989 book, The Cuckoo's Egg, Cliff Stoll launched an investigation into his network's security because of a 75-cent accounting error.

While corporate spies intent on stealing data will never run up a large phone bill, cybercriminals are focused on profit. One current way to leech cash from a phone: billing the victim using premium numbers or premium SMS. Criminals who keep such charges small could escape notice if the company is footing the bill for the devices.

If an employee downloaded any of the applications, such as a tic-tac-toe game, then carrying the rogue GGTracker app, a $10 charge would show up on the bill.

"These apps try to hide the charges, but it will always show up on the bill," says Kevin Mahaffey, chief technology officer of mobile security firm Lookout.
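An added example (not from the original article): a small Python audit that flags every premium-rate charge on a company-paid bill regardless of amount, and groups identical charges that appear on more than one line. The CSV layout, charge-type labels, and sample rows are constructed assumptions, not a real carrier export.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample bill export; column names and values are assumptions,
# not a real carrier format.
SAMPLE_BILL = """\
line_number,date,charge_type,description,amount
555-0101,2011-07-02,voice,Monthly plan,59.99
555-0101,2011-07-09,premium_sms,Short code 00000 subscription,9.99
555-0102,2011-07-02,voice,Monthly plan,59.99
555-0102,2011-07-15,data,Roaming data,4.50
555-0103,2011-07-02,voice,Monthly plan,59.99
555-0103,2011-07-11,premium_sms,Short code 00000 subscription,9.99
555-0103,2011-07-18,premium_voice,Premium-rate call,1.25
"""

# Flag by charge type, never by amount: small charges are the ones that slip by.
PREMIUM_TYPES = {"premium_sms", "premium_voice"}


def premium_charges(bill_csv):
    """Return {line_number: [(date, description, amount), ...]} for premium items."""
    flagged = defaultdict(list)
    for row in csv.DictReader(io.StringIO(bill_csv)):
        if row["charge_type"].strip().lower() in PREMIUM_TYPES:
            flagged[row["line_number"]].append(
                (row["date"], row["description"], Decimal(row["amount"]))
            )
    return dict(flagged)


def shared_descriptions(flagged):
    """Premium charges seen on more than one line, which suggests a common app."""
    seen = defaultdict(set)
    for line, items in flagged.items():
        for _, desc, _ in items:
            seen[desc].add(line)
    return {d: sorted(lines) for d, lines in seen.items() if len(lines) > 1}


if __name__ == "__main__":
    flagged = premium_charges(SAMPLE_BILL)
    for line, items in sorted(flagged.items()):
        total = sum(amount for _, _, amount in items)
        print(f"{line}: {len(items)} premium charge(s), total ${total}")
    for desc, lines in shared_descriptions(flagged).items():
        print(f"Seen on lines {lines}: {desc}")
```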

4. Antivirus, still a question mark.
What might not be necessary? Antivirus.

Because of mobile devices' own limitations on applications, security vendors cannot take over low-level control of a smartphone in the same way they can with personal computers. For that reason, security companies have focused on finding ways to manage security from the outside and create mobile applications that manage the configuration of the device for the user.

"A lot of security for devices will boil down to managing the settings on the device and linking into security of the environment," Symantec's Engels says.
