Published on July 24th, 2015 | by admin
Best Practices and Strategies for Protecting Mobile Devices
It’s an unusual occurrence for a person not to have some sort of mobile device, be it a smartphone or tablet. We’ve even started to bring them into the workplace, blurring the lines between personal and corporate-owned computing. This fuzziness has brought with it new opportunities for cybercriminals and, in turn, new challenges for security folks.
Attack of the Killer Mobiles
There are a number of new issues that have entered the security arena via the use of mobile devices. Before the advent of mobile, trust was implicit because it was held within the walls of the organization’s network and directory structure. But once we entered this new domain, trust changed. We’ve had to extend it and build new approaches to it. We’ve had to expand our network and allow people in using other methods, such as identity federation.
Trust is also becoming more fluid as users have more control over their new desktop. Previously, an organization could lock down a desktop, controlling exactly what went on the network endpoints. This tenet is more difficult now in many organizations as people use their own personal devices and install mobile apps that can potentially contain malware.
Mobile device use has created a messy environment, and with it comes a much more complicated security landscape. And everyone is now at risk, no matter what size the organization.
Examples of Mobile Device Based Attacks
Malware-laden mobile apps and software – A report by Alcatel-Lucent found that mobile malware infections increased by 20% in 2013 and by 25% in 2014. The report also estimates that around 16 million devices have been infected by malware, and the latest data confirms that around 1.12% of devices monitored by IBM’s Trusteer are infected with malware. This is a similar number to desktop infections – an indicator that cybercriminals are focusing on mobile devices as vectors. Ways into a mobile device include unverified mobile apps, pop-up ads, and other software vulnerabilities such as those in the operating system.
Although Apple has been very good about checking the security status of apps listed in their store, Android has been less so, with a reported 97% ownership of the mobile malware space. This, however, is perhaps an overstatement, as much of that malware was not derived from Google’s official Play Store, but from smaller third-party and unregulated app stores. As far as operating system vulnerabilities go, both the Apple and Android mobile operating systems have seen them. A recent Apple iOS vulnerability sold on the hacker market for $250,000 to a U.S. government consultant. To make itself more attractive to the Enterprise market, Android has brought out a more secure product called ‘Android for Work’, which allows users to create secure spaces on their mobile device for work purposes.
“Commjacking” mobile communications – This is a relatively new area of mobile security that is becoming more prevalent. It is where a third party sets up a malicious public Wi-Fi spot, often masquerading as a well-known free Wi-Fi brand. Anyone who uses that free Wi-Fi will be subject to theft and manipulation of their mobile communications, including SMS text messages, email communications, phone calls, login credentials and so on.
Unencrypted Wi-Fi (sniffing) – Even if a commjacker isn’t fooling you through a spoofed Wi-Fi, if you use an open (unencrypted) Wi-Fi network your data transmission can be easily stolen.
Two-factor authentication – Multiple authentication has been touted by the security community as the holy grail of security. It’s been believed that if you simply use a single factor, you can be easily hacked or phished; but if you have two factors, especially if one is out of band, you will up your security.
This, unfortunately, is no longer the case, as more hackers use this potential vector to get access to the second factor and, with it, to online banking and other applications.
In 2012, a specialized mobile malware campaign, nicknamed Eurograbber, was used to steal the two-factor authentication used by several corporate and private banks to secure their online banking login systems. It ended up grabbing around $47 million out of accounts. More recently, organizations have started to combat the theft of SMS-based second factors more aggressively, with more vendors bringing out alternatives that will hopefully secure mobile-based second-factor authentication methods more effectively.
Protecting Mobile Devices: Five Strategies to Better Security
Here are five ways to protect your communications and data on a mobile device from cyber-attack.
Strategy 1 – Education: Mobile device users are lagging behind in their ability to recognize threats. For example, there is an Android malware that produces a pop-up ad every time you unlock your device. It informs you that your device has a problem and you need to click on the ad to fix it. Of course, what actually happens is that you’re taken to an app store where you’re encouraged to download a malicious app that then goes on to steal SMS messages and so on. It’s very similar to email phishing, but this type of attack isn’t yet on the radar of your average mobile device user. Educating users that mobile devices are open to attacks like this is a very important first step in device security. In addition, let your device users know that free open Wi-Fi may not be a good idea to use for logging into network resources and their own bank accounts.
Strategy 2 – Encryption: Using encryption on mobile devices is a viable security option and there are plenty of encryption products available for all mobile operating systems. Encryption can slow things down a little, but a good product should minimize this. If you lose your device, at least the data on it will be better protected than if you just use a single factor like a passcode to control access.
Strategy 3 – Mobile Federated Login to the Enterprise: If your users need access to your resources from their mobile device, use a federated login solution that allows user provisioning and de-provisioning, offers multifactor authentication that is strong and attack-resistant, and integrates with all your corporate applications.
Strategy 4 – Use a VPN: Using a Virtual Private Network (VPN) to access company resources is the best option to prevent any theft of mobile communications of incoming and outgoing company data. However, it won’t stop the theft of other communications such as text messages or voice calls. And it won’t prevent malware from being installed.
Strategy 5 – Keep Your Device Patched: Make sure you have the latest patches that will take care of some of the vulnerabilities in the OS and other software installed on the device.
It’s worth remembering, when you are building your security strategy, to include mobile devices and any data that may reside on them as part of your security itinerary. Knowing where your resources are and having visibility of your extended network will allow you to monitor and ultimately control your security environment.
One last thing – If you are going to exchange your mobile for an upgrade, don’t forget to wipe the data!