SecurityWeek

Control: The Scariest Thing about Securing Mobile Devices

Due to the Lack of Control over Mobile Clients, Users Will be Relied on More than Ever.

Huge was the outcry from antivirus vendors after Google’s Open Source Program Manager, Chris DiBona, called them charlatans, chiding them and anyone involved to “feel ashamed of themselves”, saying “No major cell phone has a ‘virus’ problem in the traditional sense that Windows and some Mac machines have seen. There have been some little things, but they haven’t gotten very far due to the user sand-boxing models and the nature of the underlying kernels.”

Kaspersky Lab immediately jumped to the defense, stating “Unlike on iOS and RIM, Android malware continues to grow at a rapid rate …This exponential growth curve of malware for Android is extremely similar to that which we’ve seen for Windows malware, and while Android anti-malware products are still not a necessity like they are on PCs, users should strongly consider using them if they’re concerned about the information they store on their devices and the security transactions they perform with it.”

Leaving aside the fact that Kaspersky Lab sells Mobile Antivirus Protection and the resulting conflict of interest, do they have a point? Or is DiBona on the mark?

There definitely seem to be three firm camps today regarding this question: the camp that believes that the next digital apocalypse will be ushered in by horsemen wielding Android gadgets instead of scythes, the camp that believes that smart devices are just another device to integrate into the policy, and lastly the “What’s a smart phone?” camp.

I can’t really say much about the last camp aside from recommending they possibly consider moving from their cave to somewhere nearer to 2011, but regarding the first two, I have a thought or two.

VentureBeat’s Nicolas Perpoco wrote a piece that is worth considering, because it really describes the crux of the problem: that mobile devices are not just mini-PCs. There is absolutely no arguing that they have all of the basic components that a personal computer has, but that is truly where the similarities end. The differences are far more important than the shared points, and will scupper most traditional security approaches, which all hinge on one really simple idea.

Control.

More importantly, that YOU have control.

Control of who can access what from where with which devices using software and hardware as designated by you. A mobile device, on the other hand:

• Can be used anywhere; anytime; by anyone

• Anything can be installed; by anyone.

• You often cannot patch it, control it remotely, or reliably monitor it.

• Users can choose different models, with different versions and distributions and varying app store sources.

• With the trend of consumerization, it’s possible the device may not even belong to the company.

Now let that sink in a second. Let it roll around your mind, and hopefully fire the neural pathways that used to contain the security best practices from days of yore, before the cloud, before mobile dominance. Like 2008. Yes. It is indeed insane.

Under any other circumstances, if anyone came to you asking if they could hook up any other device with a security concern list like that, you would think them mad and usher them to the nearest sanatorium.

Looking at it from that angle, mobile devices in most circumstances are the antithesis of control. And thus, the antithesis of security.

Most of today’s mobile security does not mitigate these concerns. It addresses the risk that individual users face, but often not enough to alleviate the threat to enterprise and government adopters. Considering the fact that most of these devices are privately owned, control will always be severely limited. Whatever high-tech, expensive security infrastructure you have lovingly and painfully built up, you just made as redundant as castle walls after the invention of the siege cannon.

Google’s DiBona does not have to worry about cleaning up after a security breach, and as such his blind faith in the security model of Android seems naive and misplaced. It is also the security professional’s role to guard and secure against potential future threats, even if currently only hypothetical. Many a noble wasted money on castle walls thinking those inaccurate, self-exploding bronze cylinders would never really take off.

If you do allow mobile devices, though, you should take the same approach as for any potentially hostile third-party network participant. Here are some measures to consider in terms of these mobile devices:

• Lock them up, restrict their access, sandbox them in. Really. Guest networks have long been a staple of the security toolbox, and access control should be applied on a white-list, rather than a black-list, basis.

• Develop a Mobile Portal – You may consider providing access to specialised mobile services, instead of letting users roam the holy of holies, the inner sanctum of the intranet. Web-based email services can be configured to prevent local storage of messages and files, for example.

• Limit functionality – Access to email is definitely an understandable need for a mobile user, but enabling mobile access to billing applications for users who don’t require it is just asking for trouble.

• Create a concise Usage Policy and implement it – Ensure that your users are made aware not to store company files or data on their phones without proper security controls and measures in place.

Aside from banning them outright, due to the utter lack of control over mobile clients, the user will be relied on more than ever. You will have to rely on their good judgement, their security awareness and their ability to follow security guidelines.

That’s the scariest thing about securing mobile devices.

Written By

Oliver has worked as a penetration tester, consultant, researcher, and industry analyst. He has been interviewed, cited, and quoted by media, think tanks, and academia for his research. Oliver has worked for companies such as Qualys, Verizon, Tenable, and Gartner. At Gartner he covered Security Operations topics like SIEM, and co-named SOAR. He is the Chief Futurist for Tenzir, working on the next generation of data engineering tools for security.
