Mobile devices are enabling customers to conduct business and manage their lives on the move, while enabling a host of new business models and services. James Lyne, director of technology strategy for Sophos, looks at the security implications of this linchpin of future economic growth.
Mobile devices are becoming ever more powerful and more integrated into our personal and work lives, becoming an increasingly viable replacement for the conventional PC. And the boundaries between the PC and mobile are set to blur even further with further diversification of form factors.
While many of us worry about traditional attacks like malware and phishing on these new devices, new functionality also breeds fresh opportunities for the bad guys. Features like augmented reality, facial recognition and integrated social media could leave users open to new kinds of abuse. Augmented reality, for example, connects location information with a user’s social media ‘friends’, enabling them to identify digital contacts nearby. This opens up new prospects for social engineering, such as figuring out when you are away from your home for criminal purposes (sites like PleaseRobMe.com raise this issue). Facial recognition technology and tagging of users in photos on social media sites blur the work-home boundaries even more, and police officers have already come under attack after their identities were breached in this way.
The more data we make available on our mobiles, the more tools we provide the bad guys to weave creative attacks designed to compromise our personal lives, businesses and finances. Equally, the more applications and new capabilities we use, the more we increase the attack surface area.
Security is not the only victim: privacy will be challenged too, and we can expect our lives to come under greater surveillance as mobiles become a combination of passport, personal record store and social life.
Business expectations have also changed with companies now trying to embrace the technologies when only a few years ago they wanted to block social media sites and non-standard unmanaged devices.
These changes in technology and business expectations mean a new attitude to information security is needed: Embrace or die. This change of attitude also impacts the future of mobile security and applications with the default answer to new technology becoming yes rather than no.
Attacks and regulation
There have been examples of malicious code for a variety of platforms but this is minimal when compared to that targeting the conventional PC. Android, in particular, has suffered more attacks from malicious code due to its more open application market, although even those with a strong security reputation like BlackBerry have been victims. While malware attacks for mobile devices are undoubtedly different, they are still entirely possible.
Mobile malware we’ve seen to date includes fake internet banking applications which steal your credentials and your money, and in some cases your authentication token code sent by a bank via SMS.
Many assume these devices are secure as they’ve never experienced malware. But until recently most of us were not placing data worth stealing on these devices. Now they contain valuable assets, the bad guys are paying attention and we can expect a significant increase in the volume of malware targeting these devices over the coming years.
Regulators and compliance standards have been through reforms recently, increasing the powers of regulators and making compliance requirements more explicit about the need for controls like full disk encryption.
While somewhat targeted at the PC, the standards and laws are written generically and can be equally applied to mobile devices. And, as more data breaches occur via mobile devices, regulators will pay more attention to them and we are bound to see specific regulation for them. However, today, be aware that devices lacking basic compliance controls could pose just as much risk, if not more, to your data protection compliance as a PC.
Perhaps the most significant challenge is the pace of innovation and development on mobile platforms, which are undergoing significant change on a quarter by quarter basis. New applications and ways of sharing data will often be adopted by large numbers before the security community has a chance to vet them and understand their privacy and security implications.
Devices and applications need to be re-evaluated regularly to identify new evolving risks and security solutions need to be designed to be agile and updated faster than ever as new issues come to light. That said, while applications and services on the device are often updated automatically, OS updates for the device sometimes require painful cable connections or user interaction. This is a significant risk as missing these updates can leave devices with open vulnerabilities.
People are used to buying applications, music or even banking online using their smartphones, and it appears using a mobile device doesn’t raise the same security concerns for end users as a PC. I suspect this is primarily the result of users experiencing scams or malware on their PC but not on their mobile device. Once mobiles are more closely targeted there could be a significant lag time while users are educated on the threats.
Many organisations I visit have an acceptable use policy and security training telling staff how to protect data and avoid compromise. It is, however, extremely common for mobile devices to be missed out of this training. Make sure you have modernised your awareness training and get customers thinking about security now to avoid this lag.
Future mobile security solutions will need to blend device, OS and vendor capabilities in an integrated solution. Some capabilities will be provided by the device in hardware (e.g., full volume encryption) or the OS (e.g., sandboxing) but will be managed and reported on by security vendors. Anti-malware capabilities will be increasingly required, though they will not be the same as their PC counterpart. The most interesting area is perhaps data protection – DLP to avoid accidental e-mail forwards and continuous encryption of data as it flows between different devices.
The protection stack will expand over time much as with the PC but with the data, not the network being the new enforced perimeter.
The mobile security market today is relatively immature and there is a lot of work to do to develop the right security controls on mobile devices. It may be tempting to start with the concept of a comprehensive security offering with parity to the desktop, including AV, DLP, HIPS, Encryption and App Control, for the mobile, but in reality these capabilities are not yet broadly available or, in many cases, possible to deliver.
First priority is to get the basics under control – despite all the hype most data breaches occur due to basic configuration failure: poor passwords, lack of encryption, poor patching or social engineering.
Mobile security strategy
1. Mobile technology is going to evolve at an incredible rate and the evolution of this breadth of technologies is unpredictable. A conventional three to five year IT strategy is unwise. A six month strategy using an agile methodology and then constant re-evaluation of how the devices are changing and what new risks are being introduced is advised.
2. Ensure technology solutions you adopt or recommend to customers, such as device management, provide as much abstraction as possible to device type and OS. Popular devices will change quickly and security controls need to be future-proofed as much as possible. There is a risk that as you adopt increasing device types, you increase the cost and complexity of managing them by the same order – challenge vendors to solve this issue for you with broad platform support.
3. Look at the combination of work and personal data on mobile devices. These devices often blend contacts, email and data into one UI with little differentiation for the end user. Consider your strategy for this on an ongoing basis. Deploy processes, policies and practices to help users avoid making silly mistakes which compromise them and your customer’s business.
4. Invest in building mindshare with your customers on mobile security. They need to understand the value of the information, both personal and business, they are placing on their device and that these mobiles are not eminently secure.
5. Go broad. Don’t be overly clinical with your definition of mobile devices – different form factors are evolving every day and your strategy needs to encompass tablets, smartphones and potentially other embedded devices. However, it would be wise to specifically authorise a list of devices – many enterprises will allow specific versions of an OS which include the minimum required security capabilities. As the devices mature, your list will grow longer.