
Mobile Disruption: A New Dimension of Risk

Until the first smartphone hit the shelves, enterprise security was primarily focused on protecting an organization’s perimeter, since business processes and data resided primarily inside the corporate network. However, the mobile revolution completely changed the way employees interact with, access, and share information. As organizations improved their defenses against direct network attacks, hackers have started shifting their focus further to the edge by exploiting mobile devices to gain “backdoor” access to enterprises.

In turn, security experts believe the next wave of enterprise hacking will be carried out via the mobile channel. According to a report by the Anti-Phishing Working Group (APWG), mobile devices have become enticing targets for criminals around the world, with mobile fraud growing five times faster than PC fraud did. Thus, it becomes essential for organizations to manage mobile application and device risks, and to control their access to trusted networks. So what threats do mobile/ BYOD devices pose for organizations?

Addressing Mobile Security Risks

According to the ISACA 2012 IT Risk / Reward Barometer (PDF), 72% of organizations in the U.S. are allowing (in one way or another) BYOD in the work environment. This new computing practice exposes businesses to unique risks that can threaten corporate security and reverse the productivity gains they were originally intended to deliver. Due to their portable nature and integration with public cloud applications, mobile/ BYOD devices greatly increase the risk of data theft or leakage. In fact, a study by Decisive Analytics revealed (PDF) that nearly half of the enterprises that allow BYOD to connect to their network have experienced a data breach.

Indeed, mobile/ BYOD devices open up a whole new attack surface that hackers can use to target enterprise networks and the sensitive data they contain. They can be exploited by attackers in several ways:

Hackers use different techniques to launch malicious attacks against mobile/ BYOD devices, ranging from deployment of malicious software (viruses, worms, Trojan horses, and spyware) via a variety of infection methods (e.g., MMS, SMS, email, Bluetooth, Wi-Fi, user installation, self-installation, distribution via memory cards and USB), to denial of service attacks (e.g., BlueSmacking, Bluejacking, SMS DoS, malformed OBEX messages, malformed format strings, malformed SMS messages), to mobile messaging attacks (e.g., SMS spoofing, SMS spamming, SMiShing, malicious content messaging, SMS/ MMS exploits).

Any of these can be used to carry out activity monitoring and data retrieval; unauthorized dialing, SMS, and payments; unauthorized network connectivity; system modifications; and user interface impersonation with subsequent data exfiltration. All of these activities pose a real threat for any organization, especially if end users keep their enterprise passwords on their mobile device.

Mobile device manufacturers are responding to these threats by equipping their platforms with anti-virus software. For instance, Samsung announced just a few days ago that they have added an enterprise security package for Android-based smartphones.

Nonetheless, vulnerabilities in the design or implementation of mobile operating systems and mobile applications exist that could expose a mobile/ BYOD device’s data to interception by hackers. With millions of mobile applications being marketed to end users, the risk posed by application vulnerabilities is far higher than that of other threat vectors. While the number of business application vendors is manageable, the number of mobile application developers and sources is enormous and growing by the minute, making any kind of trust or reputation assessment impractical.

Vulnerabilities can lead to, but are not limited to, the following threats: sensitive data leakage (inadvertent or deliberate), unsafe sensitive data storage (e.g., banking and payment system PINs, credit card numbers, or online service passwords), unsafe data transmission (e.g., automatic connection to public Wi-Fi), and unauthorized permission requests.

In addition to vulnerabilities, a large number of applications exhibit privacy practices that are concerning with respect to the manner in which they collect phone or location data as well as request data outside of the application sandbox.

The fact that end user behavior is often based on the misconceptions that applications can’t access their sensitive data or that they won’t be hacked only increases mobile risks. Finally, since still very few mobile devices are protected by anti-virus software, Bluetooth and Wi-Fi are constantly in use, and sensitive information and files are stored in the mobile device’s memory, the job of protecting organizations against mobile security threats is only becoming more difficult.

Mobile Security Risks in the Enterprise

Given these challenges, what steps can be taken to maintain the productivity gains and cost-savings associated with BYOD, while proactively managing and mitigating security risks associated with this practice?

The first and simplest practice is to implement an awareness program, educating mobile/ BYOD end users about security threats and what actions to avoid. For instance, mobile devices contain lots of data but not all of it is sensitive. However, all an attacker needs is the right data to penetrate a secure network, such as email account credentials, user passwords, and corporate VPN login data. Furthermore, devices themselves can serve as a conduit directly into an enterprise network. For example, if a hacker infects a mobile device with malware, they could use the software to connect through the VPN to the internal network. Since many users connect their mobile devices via USB to their workstation, this could infect the network as well.

The second step is to establish rigorous policies around the usage of mobile devices – be they employer- or employee-owned. A good reference framework for this process is the “Guidelines for Managing the Security of Mobile Devices in the Enterprise”, published by the National Institute of Standards and Technology (NIST) as Special Publication (SP) 800-124 Revision 1. Establishing a mobile usage policy is the easy part. The hard part is gathering predictive risk information to determine if, when, and how mobile devices should be able to connect to an organization’s trusted network. In this context, many organizations rely on tools such as Mobile Device Management or Mobile Application Management.

While these tools offer rudimentary risk assessment and policy enforcement capabilities, they lack a comprehensive, real-time view of an enterprise’s mobile and BYOD risk posture. Fortunately, new mobile trust services are emerging that can identify vulnerabilities at each layer of the mobile stack (infrastructure, hardware, operating system, and applications), correlate this data with existing threats and score risks within the context of an organization’s security ecosystem (e.g., use of security controls such as encryption, role-based access control, etc.). In turn, these risk scores can be used to determine whether or not to grant a device access to the network, and what, if any, limitations should be imposed. Once mobile access is granted, continuous monitoring can be used to maintain updated risk scores.
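The scoring-and-gating loop described above, as an added illustration that is not code from the article or from any trust-service product: findings are tallied per layer of the mobile stack, weighted up when they correlate with an actively exploited threat, discounted by the controls in place (the severity weights, control-to-layer mitigation factors, and access thresholds are constructed assumptions), and the resulting score maps to full, limited, or denied access; re-running the decision on an updated posture is the continuous-monitoring step.

```python
from dataclasses import dataclass, field

# Constructed weights for this example; not taken from any published scoring standard.
SEVERITY = {"low": 1, "medium": 3, "high": 6, "critical": 10}
LAYERS = ("infrastructure", "hardware", "os", "applications")

# Assumed mapping of a deployed control to the share of risk it removes per layer.
CONTROL_MITIGATION = {
    "encryption": {"hardware": 0.5, "os": 0.3},
    "rbac": {"applications": 0.4},
    "mdm": {"os": 0.4, "applications": 0.4},
}


@dataclass
class Finding:
    layer: str                         # one of LAYERS
    severity: str                      # key of SEVERITY
    actively_exploited: bool = False   # correlated with current threat intelligence


@dataclass
class DevicePosture:
    findings: list = field(default_factory=list)
    controls: set = field(default_factory=set)   # e.g. {"encryption", "mdm"}


def layer_scores(posture: DevicePosture) -> dict:
    """Sum weighted findings per layer, then apply control discounts."""
    scores = {layer: 0.0 for layer in LAYERS}
    for f in posture.findings:
        if f.layer not in scores:
            raise ValueError(f"unknown layer: {f.layer}")
        weight = SEVERITY[f.severity] * (2.0 if f.actively_exploited else 1.0)
        scores[f.layer] += weight
    for control in posture.controls:
        for layer, factor in CONTROL_MITIGATION.get(control, {}).items():
            scores[layer] *= 1.0 - factor
    return scores


def risk_score(posture: DevicePosture) -> float:
    return round(sum(layer_scores(posture).values()), 2)


def access_decision(posture: DevicePosture, limit: float = 5.0, deny: float = 15.0) -> str:
    """Gate network access on the score: 'full', 'limited' (e.g. no VPN), or 'deny'."""
    score = risk_score(posture)
    if score >= deny:
        return "deny"
    return "limited" if score >= limit else "full"
```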

Torsten George is currently a cyber security evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).