Any organization that has not already started to think about the impact mobility has on IT security should start doing so this year. 63% of businesses provide formal access to at least some of their business applications to mobile users, according to the Quocirca research report "Digital Identities and the Open Business".
Furthermore, the sheer ubiquity of mobile devices, and the informal attempts to access IT systems that this encourages, underline the urgent need to understand how the threat landscape is changing.
The problem needs to be considered in two parts: the way mobility changes the approach that has to be taken to an organization's core IT infrastructure, and the security challenges of mobility itself.
At the core, however it is provisioned, mobility simply scales up existing problems. As Bergman et al. state in their book published last year, Hacking Exposed Mobile Security Secrets & Solutions:
“What do we do now? Here’s what may be a shocking answer: the same thing we’ve done before! Despite all the hype, we submit that mobile is “the same problem, different day.” Fundamentally, we are still talking about a client-server architecture: OK, we may have exaggerated a bit, but not much.”
The techniques and aims of the black hats remain much the same: find a way into your infrastructure to steal data and/or identities, disrupt business and so on. A paper titled Systems Security Research, by Lorenzo Cavallaro of the Information Security Group at Royal Holloway, University of London, looks at the behaviour of mobile-specific malware samples.
Out of 1,356 unique samples that were stimulated to act in some way, 67% attempted data theft through file system access and 66% attempted to access personal or identity information. Just 3% attempted to send an SMS and 4% to make or alter a phone call, the only two behaviours that could be considered mobile-specific threats.
Mobility simply extends the attack surface of an organization’s IT core and therefore its vulnerability.
Mobility means more devices, more users (especially external ones, as reach is extended) and more network traffic (as a recent Quocirca presentation on IT security in the "Superfast Mobile Age" explains).
Mobility also means more software: more on-demand applications are put in place to support business processes that now rely on mobility, and these applications are by their very nature more open. And, of course, there are more and more mobile apps themselves.
In most cases, dealing with these changes is simply a matter of scale. Understanding who users are needs better identity and access management that can provide a federated view of all users and describe their access rights. More network traffic needs faster content filtering to search for malware and spot exfiltration. More devices may need network access control (NAC), which can ultimately be used to keep unmanaged mobile devices off your network altogether (see the report Next-generation Network Access Control).
However, if, as most organizations do, you allow some level of access to your network and applications by mobile users, you will increasingly need to face up to some new challenges that are specific to mobile use. These include the obvious: devices are more easily lost and stolen (so they need to be disabled and wiped remotely); users are more vulnerable because they deal with fiddlier interfaces in distracting environments (i.e. they are easier to dupe); and app stores open new ways for malware to be loaded onto devices.
That said, despite much comment about the security of the Android operating system in particular, the default configuration of mobile devices is generally more secure than the Windows environment many are familiar with on PCs. Each Android app runs in its own sandbox and can be confined to least privilege, although how far that holds depends on how well the app has been written and, in particular, on whether it requests only the permissions it actually needs. Compare this to the way many Windows PCs are configured, where applications run with the logged-in user's privileges, which are often administrative, and therefore have access to almost any resource they request.
This may be why, as The Economist reported in a 30 November article, "Thief in your pocket?": "When it comes to mobile devices, viruses are not the problem they are made out to be – at least, not yet. Instead, the biggest risk for organisations comes from absent-minded or nefarious employees."
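The least-privilege point above, and the malware behaviour classes from the Cavallaro paper (file system and data access, personal information, SMS, telephony), suggest a simple first check a reviewer can run on any app before it is allowed onto a managed device: which permissions does its AndroidManifest.xml request, which of those fall into the risky classes, and which go beyond what the app's stated purpose needs? The script below is an added example, not code from the article or from any of the vendors or papers it cites. The manifest it parses is a constructed sample for a hypothetical flashlight app, and the mapping of permission names to behaviour classes is this example's own assumption, not a classification taken from the paper.

```python
"""Audit the permissions an Android app requests in its AndroidManifest.xml.

Android's per-app sandbox only delivers least privilege if the app declares
(and is granted) no more than it needs, so the review starts with the manifest:
list the requested permissions, map them to the behaviour classes discussed in
the text, and flag anything outside the app's expected set.
"""
import xml.etree.ElementTree as ET

# Android attributes such as android:name live in this XML namespace.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permission -> behaviour class. The class labels follow the behaviours the
# text discusses; which permission lands in which class is this example's own
# mapping (an assumption), not a classification from the paper.
RISK_CLASSES = {
    "android.permission.READ_EXTERNAL_STORAGE": "data_theft",
    "android.permission.WRITE_EXTERNAL_STORAGE": "data_theft",
    "android.permission.READ_CONTACTS": "personal_info",
    "android.permission.READ_CALL_LOG": "personal_info",
    "android.permission.GET_ACCOUNTS": "personal_info",
    "android.permission.ACCESS_FINE_LOCATION": "personal_info",
    "android.permission.SEND_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_SMS": "sms",
    "android.permission.CALL_PHONE": "telephony",
    "android.permission.PROCESS_OUTGOING_CALLS": "telephony",
}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    }


def audit_manifest(manifest_xml, expected):
    """Classify requested permissions and list those beyond the expected set.

    Returns (by_class, excess): by_class maps a behaviour class to the sorted
    permissions that trigger it; excess is the sorted list of requested
    permissions that the app's stated purpose does not justify.
    """
    requested = requested_permissions(manifest_xml)
    by_class = {}
    for perm in sorted(requested):
        cls = RISK_CLASSES.get(perm)
        if cls:
            by_class.setdefault(cls, []).append(perm)
    excess = sorted(requested - set(expected))
    return by_class, excess


# Constructed sample: a hypothetical "flashlight" app that asks for far more
# than a torch needs. Not a real app's manifest.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
    <application android:label="Flashlight" />
</manifest>
"""

# A torch needs the camera (for the LED) and nothing else.
FLASHLIGHT_EXPECTED = {"android.permission.CAMERA"}

if __name__ == "__main__":
    classes, excess = audit_manifest(SAMPLE_MANIFEST, FLASHLIGHT_EXPECTED)
    for cls, perms in sorted(classes.items()):
        print("%-14s %s" % (cls, ", ".join(perms)))
    print("excess permissions:", ", ".join(excess) or "none")
```

Running it against the sample flags READ_CONTACTS (personal information), SEND_SMS (the mobile-specific premium-SMS vector) and READ_EXTERNAL_STORAGE (file system access), plus INTERNET as unjustified for a torch. The same check applies to an enterprise's own apps: an app that is written to least privilege requests only what its expected set contains, and the `excess` list is empty.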
Nevertheless, black hats, white hats, IT security vendors, journalists and analysts will all continue to show an interest in the growing number of mobile users, devices and software as a means of attacking organizations in the coming year. Those responsible for the protection of data and users need to keep their eye on the ball too.