Mobility is changing the way we work. Organisations are driving increases in productivity as people conduct business from anywhere, at any time, using corporate-owned or personal devices. Meanwhile, mobile platforms are maturing, and so are the types of malware being designed to attack them. This growing malware trend is not helped by the app revolution, with thousands of apps flooding the app stores every day. It is now incredibly easy for users to download code (apps) directly onto their endpoints, often without much consideration for the apps’ capabilities or vulnerabilities.
Mobility makes the challenges faced by Chief Security Officers numerous and hard to overcome. There are now multiple devices and operating systems to consider, and the value of the corporate data on a device, once accessed or stolen, is considerable. Moreover, in-the-clear communications are widely exposed to interception. The security solutions available to today’s CSOs, such as Mobile Device Management (MDM), secure containers, app wrappers and mobile anti-virus (AV) solutions, do not go far enough or deep enough to protect organisations from the emerging mobile threats facing enterprises today. A new approach is required.
Is Perfect Mobile Security Achievable?
Historically, mobile devices in the enterprise were seen as personal equipment in comparison to work-provided laptops. As a consequence, companies have been less keen to monitor and apply policies to the usage of mobile devices, but for how long is this sustainable?
The very first thing you need to combat hackers and protect your assets is information on how these assets are being used, when, and by whom. No information is tantamount to no security. An approach to security that is based on data is the best strategy. When a company’s IT administrator knows which devices upload the most data, visit the most websites, download the most new apps, and sign in to the most public Wi-Fi hotspots, he or she also knows which devices are most at risk and can make informed security decisions. Good security is based on good data.
The search for ideal security is epitomised by Goodhart’s Law, which stipulates that as soon as a good measure becomes a target it ceases to be a good measure. As applied to security, we could say that as soon as a good system is secure from hacking, it ceases to be secure. People migrate onto that secure platform (e.g. mobile in general, or iOS in particular) in growing volumes, making it more attractive to hackers, who will expend significant resources discovering weaknesses in the platform and attacking it.
Despite its popularity, iOS is widely perceived as impregnable. This is in stark contrast to the opinion of the NSA, which believes that “every attempt to implant iOS will always succeed”. In fact, the majority of app database providers have been so blasé about the security of iOS that they provide very little research on iOS app risks, focusing all their resources on Android instead. This is despite the fact that iOS is still the leader in smartphone penetration in most enterprises, especially in the US.
The recent emergence of the WireLurker malware and other exploits of Apple vulnerabilities are broadly publicised, large-scale attacks; hidden attacks, however, are happening every day and go undetected by companies, their employees, and the press.
When my team conducted even more in-depth research we found that 1.8% of all the mobile traffic seen through our proxies in any weekly period is connecting to a blacklisted or malicious IP. This number is surprisingly large and a much more serious exposure than expected. Even if the malware is not executing its payload, the fact that corporate assets are in close proximity to these shadow sites does not bode well and raises the risk profile for the enterprise significantly.
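The data-driven approach described above (ranking devices by upload volume, sites visited, app downloads and public Wi-Fi sign-ins) and the proxy measurement of traffic to blacklisted IPs can both be produced from the same proxy log. The following is an added example, not the author's tooling; the log format, device ids, hosts and blacklist entries are all constructed for illustration and use documentation-range addresses.

```python
from collections import defaultdict
# Constructed sample proxy log (not real traffic). Fields: timestamp, device id, destination IP,
# destination host, bytes uploaded, network type, request kind. The last line is deliberately malformed.
SAMPLE_LOG = """\
2014-11-10T08:01:02 dev-A 203.0.113.10 mail.example.com 512 corp-wifi web
2014-11-10T08:05:40 dev-A 198.51.100.7 cdn.example.net 20480 public-wifi app-download
2014-11-10T08:07:11 dev-B 203.0.113.22 intranet.example.com 128 cellular web
2014-11-10T08:09:55 dev-B 192.0.2.44 ads.example.org 64 public-wifi web
2014-11-10T08:12:30 dev-C 203.0.113.10 mail.example.com 4096 corp-wifi web
2014-11-10T08:15:03 dev-A 192.0.2.44 ads.example.org 1024 public-wifi web
2014-11-10T08:20:19 dev-C 198.51.100.7 cdn.example.net 8192 cellular app-download
2014-11-10T08:25:44 dev-C 198.51.100.7 cdn.example.net 6144 corp-wifi app-download
this line is truncated
"""
BLACKLIST = {"192.0.2.44"}  # constructed blacklist; documentation-range placeholder only

def parse_log(text):
    """Parse whitespace-separated lines into dicts; a malformed line is skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        ts, device, ip, host, up, net, kind = parts
        records.append({"ts": ts, "device": device, "ip": ip, "host": host,
                        "bytes_up": int(up), "net": net, "kind": kind})
    return records

def blacklisted_share(records, blacklist):
    """Fraction of proxied connections whose destination IP is on the blacklist."""
    return sum(r["ip"] in blacklist for r in records) / len(records) if records else 0.0

def devices_touching_blacklist(records, blacklist):
    """Devices that connected to any blacklisted IP, for follow-up by the administrator."""
    return sorted({r["device"] for r in records if r["ip"] in blacklist})

def device_indicators(records):
    """Per-device counters for the four usage indicators the text names."""
    risk = defaultdict(lambda: {"bytes_up": 0, "hosts": set(), "app_downloads": 0, "public_wifi": 0})
    for r in records:
        d = risk[r["device"]]
        d["bytes_up"] += r["bytes_up"]
        d["hosts"].add(r["host"])                      # distinct websites visited
        d["app_downloads"] += r["kind"] == "app-download"
        d["public_wifi"] += r["net"] == "public-wifi"
    return {dev: {**v, "hosts": len(v["hosts"])} for dev, v in risk.items()}

def top_device_per_indicator(indicators):
    """Which device leads on each indicator; ties broken by device id so the result is stable."""
    return {k: max(sorted(indicators), key=lambda dev: indicators[dev][k])
            for k in ("bytes_up", "hosts", "app_downloads", "public_wifi")}
```

On the constructed log, two of eight connections (25%) go to the blacklisted address, and dev-A leads on three of the four indicators; in a real deployment the share is computed per weekly window over the full proxy export.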
Are Mobiles More Vulnerable Than Laptops?
There are some fundamental attributes of mobile devices that make them rich targets for today’s hackers. Many devices now carry corporate data on them, but there are more subtle factors at play too. The smaller screen sizes of mobile devices make them more effective hunting grounds for phishing and social attacks, because the full URL is not always visible to the device user. Passwords are requested constantly, and employees are habituated into entering them for the smallest action, whether legitimate or not.
Rather worryingly, the high cost of cellular data also leads to risky behaviour as employees seek out free Wi-Fi connections to save on roaming. In normal day-to-day usage, employees look for the nearest free public hotspot to reduce costs too, and these happen to be the most common sources of man-in-the-middle attacks, where the data on the employee’s mobile device is most at risk.
How Do We Cope?
What should the concerned CSO do to combat these threats? Forrester Research recommends focusing on user adoption. We must encourage adoption of security solutions among staff. We cannot impose a top-down solution and expect it to be widely used, as it will suffer from non-compliance, BYOD, tampering, and shadow IT.
Instead, we need to generate ‘pull’ from employees, getting them to demand the latest security, which must be easy to use and look familiar to them. The consumerisation of IT suggests a different approach is required: one that is not rigid, prescriptive and policy-focused, but engaging and clearly demonstrates value to the end user.
With the threat landscape rapidly changing, the only sensible approach to mobile data security is to cover all bases with a defence-in-depth approach. This gives CSOs flexibility and best-of-breed capabilities. The ‘layered’ approach to security, which we call ‘multi-level’, will continue to be the defining trend for the next generation of security services.