Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Mobile Disruption: A New Dimension of Risk

Until the first smartphone hit the shelves, enterprise security was primarily focused on protecting an organization’s perimeter, since business processes and data resided primarily inside the corporate network. However, the mobile revolution completely changed the way employees interact with, access, and share information.

Until the first smartphone hit the shelves, enterprise security was primarily focused on protecting an organization’s perimeter, since business processes and data resided primarily inside the corporate network. However, the mobile revolution completely changed the way employees interact with, access, and share information. As organizations improved their defenses against direct network attacks, hackers have started shifting their focus further to the edge by exploiting mobile devices to gain “backdoor” access to enterprises.

In turn, security experts believe the next wave of enterprise hacking will be carried out via the mobile channel. According to a report by the Anti-Phishing Working Group (APWG) mobile devices have become enticing targets for criminals around the world, with mobile fraud growing five times faster than PC fraud did. Thus, it becomes essential for organizations to manage mobile application and device risks, and control their access to trusted networks. So what are the threats mobile/ BYOD devices pose for organizations?

Addressing Mobile Security RisksAccording to the ISACA 2012 IT Risk / Reward Barometer (PDF), 72% of organizations in the U.S. are allowing (in one way or another) BYOD in the work environment. This new computing practice exposes businesses to unique risks that can threaten corporate security and reverse the productivity gains they were originally intended to deliver. Due to their portable nature and integration with public cloud applications, mobile/ BYOD devices greatly increase the risk of data theft or leakage. In fact, a study by Decisive Analytics revealed (PDF) that nearly half of the enterprises that allow BYOD to connect to their network have experienced a data breach.

Indeed, mobile/ BYOD devices open up a whole new attack surface that hackers can use to target enterprise networks and the sensitive data they contain. They can be exploited by attackers in several ways:

Hackers use different techniques to launch malicious attacks against mobile/ BYOD devices ranging from deployment of malicious software (viruses, worms, Trojan horses, and spyware) via a variety of infection methods (e.g., MMS, SMS, email, Bluetooth, Wi-Fi, user installation, self-installation, distribution via memory cards and USB), denial of services attacks (e.g., BlueSmacking, Bluejacking, SMS DoS, malformed OEBX message, malformed format strings, malformed SMS messages), to mobile messaging attacks (e.g., SMS spoofing, SMS spamming, SMIShing, malicious contents messaging, SMS/ MMS exploits).

Any of these can be used to carry out activity monitoring and data retrieval; unauthorized dialing, SMS, and payments; unauthorized network connectivity; data retrieval; system modifications; and user interface impersonation with subsequent data exfiltration. All of these activities pose a real threat for any organization; especially if end users maintain their enterprise passwords on their mobile device.

Mobile device manufacturers are responding to these threats by equipping their platforms with anti-virus software. For instance, Samsung announced just a few days ago that they have added an enterprise security package for Android-based smartphones.

Nonetheless, vulnerabilities in the design or implementation of mobile operating systems and mobile applications exist that could expose a mobile/ BYOD device’s data to interception by hackers. With millions of mobile applications being marketed to end users, the risk of application vulnerabilities is exponentially high compared with other threat vectors. While the number of business application vendors is oversee-able, mobile application developers and sources are enormous and growing by the minute, prohibiting any type of trust or reputation assessment.

Vulnerabilities can lead to, but are not limited, to the following threats: Sensitive data leakage (inadvertent or deliberate), unsafe sensitive data storage (e.g., banking and payment system PIN numbers, credit card numbers, or online service passwords), unsafe data transmission (e.g., automatic connection to public Wi-Fi), and unauthorized permission requests.

Advertisement. Scroll to continue reading.

In addition to vulnerabilities, a large number of applications exhibit privacy practices that are concerning with respect to the manner in which they collect phone or location data as well as request data outside of the application sandbox.

The fact that end user behavior is often based on the misconceptions that applications can’t access their sensitive data or that they won’t be hacked, only increases mobile risks. Finally, since still very few mobile devices are protected by anti-virus software, Bluetooth and Wi-Fi are constantly being used, and sensitive information and files are stored in the mobile device memory, the job of protecting organizations against mobile security threats is only becoming more difficult.

Mobile Security Risks in the Enterprise

Given these challenges, what steps can be taken to maintain the productivity gains and cost-savings associated with BYOD, while proactively managing and mitigating security risks associated with this practice?

The first and simplest practice is to implement an awareness program, educating mobile/ BYOD end users about security threats and what actions to avoid. For instance, mobile devices contain lots of data but not all of it is sensitive. However, all an attacker needs is the right data to penetrate a secure network, such as email account credentials, user passwords, and corporate VPN login data. Furthermore, devices themselves can serve as a conduit directly into an enterprise network. For example, if a hacker infects a mobile device with malware, they could use the software to connect through the VPN to the internal network. Since many users connect their mobile devices via USB to their workstation, this could infect the network as well.

The second step is to establish rigorous policies around the usage of mobile devices – be they employer- or employee-owned. A good reference framework for this process are the “Guidelines for Managing the Security of Mobile Devices in the Enterprise”, as propagated by the National Institute of Standards and Technology (NIST) in its Special Publication (SP) 800-124 Revision 1. Establishing a mobile usage policy is the easy part. The hard part is gathering predictive risk information to determine if, when, and how mobile devices should be able to connect to an organization’s trusted network. In this context, many organizations rely on tools such as Mobile Device Management or Mobile Application Management.

While these tools offer rudimentary risk assessment and policy enforcement capabilities, they lack a comprehensive, real-time view of an enterprise’s mobile and BYOD risk posture. Fortunately, new mobile trust services are emerging that can identify vulnerabilities at each layer of the mobile stack (infrastructure, hardware, operating system, and applications), correlate this data with existing threats and score risks within the context of an organization’s security ecosystem (e.g., use of security controls such as encryption, role-based access control, etc.). In turn, these risk scores can be used to determine whether or not to grant a device access to the network, and what, if any, limitations should be imposed. Once mobile access is granted, continuous monitoring can be used to maintain updated risk scores.

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Fraud & Identity Theft

A team of researchers has demonstrated a new attack method that affects iPhone owners who use Apple Pay and Visa payment cards. The vulnerabilities...

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

Asus patched nine WiFi router security defects, including a highly critical 2018 vulnerability that exposes users to code execution attacks.