It's no secret that mobile devices -- from smartphones to Apple iPads to Android tablets -- are appearing in the enterprise in record numbers. Some reports already indicate that more smartphones than PCs were shipped in 2011, and that trend will undoubtedly continue. The PC isn't going away, but it's being joined by a large assortment of new mobile devices in a variety of form factors.
Although all these new and powerful devices are boosting worker productivity to even higher levels, they're also introducing some thorny security problems for IT managers and security professionals. Your VP of human resources might be more effective on the road with her smartphone, but what if she leaves her unlocked BlackBerry -- along with a Microsoft Excel spreadsheet listing executive salaries -- in the lunch room at an HR conference? Or what about the engineer who has the detailed specs for your new product on his iPad, which he inadvertently left on the subway on the way to work? Then there are the programming interns who regularly download apps for their Android devices outside the Android market -- including apps that are infected with malware and viruses.
These scenarios are all security issues, and I haven't even touched on the compliance and auditing demands that are placed on businesses and organizations that are subject to regulation. "All of these factors are putting more pressure than ever on IT professionals, who are being pressured into allowing the use of social media tools like Facebook, who are dealing with the consumerization of IT, and who now have additional mobile devices to secure and keep track of," says Don DeBolt, director of threat research for Total Defense, which was spun off from CA earlier this year and which serves as an independent business focusing on mobile security.
The State of Mobile Security
Judging by the mobile-security headlines of 2011, malware authors are being attracted to mobile devices in record numbers -- and to the Android platform in particular. Android has emerged as the dominant smartphone OS, and with that distinction comes the attention of malware authors. There have been plenty of news reports about Android malware, ranging from infected apps in the official Android Market ("Up to 120,000 users download infected apps from Android Market") to key-logger applications masquerading as legitimate apps ("Bogus Netflix Android App Attempts to Steal User Information," October 2011, InstantDoc ID 140886).
"Android has been a victim of its own success partly by becoming the most popular smartphone OS," says Kevin Mahaffey, CTO of mobile-security software provider Lookout. "That one argument [is] why Android is afflicted with more malware than other mobile OSs. It's also a much more popular OS in countries like China and Russia, where most malware seems to be written." Mahaffey also suggests that the ubiquity of the Java programming language makes it widely available to programmers who might consider creating malware to attack the Android OS.
Both Mahaffey and Eric Sites, chief scientist for GFI Software, draw parallels between the dominant market shares of Windows and Android as significant reasons for malware authors to target those platforms. Today's cybercriminals are just as concerned about return on investment (ROI) as any business manager would be. Why shouldn't they direct their efforts toward the mobile OS that has the most users and, logically, the best possibility of a return on their malware-coding investment?
"A lot of the trends we're following for mobile malware mirror that of the PC market," Sites says. "Ten years ago hackers were doing things for fame or the thrill of it, but now there are organized networks of criminals out there who are attempting to control devices for more nefarious reasons, like obtaining credit card numbers, stealing corporate information, and gaining access to other sensitive data."
Sites points out that cyberattacks from groups that are funded by nation-states are on the rise. He uses an aerospace-component manufacturer as a hypothetical example: If a nation that's hostile to the United States wants to find out the specifics of a component that is used on a B-2 bomber, it can make a targeted attack -- involving phishing, malware, and vulnerability exploits -- to try to access that information. (This type of sustained attack is sometimes referred to as an advanced persistent threat [APT].) Sites contends that mobile devices open up even more avenues for attackers, ranging from obtaining misplaced devices to using malware to redirect email and text messages or to record and forward spoken conversations.
The Social Engineering Threat
Despite spending billions on endpoint security -- firewalls, antivirus software, blacklisting and whitelisting solutions, and so on -- cybercriminals are still able to gain access to the most sensitive information. The culprit is social engineering, which criminals use to fool people into thinking they're replying to an email message or clicking a link from a trusted source. Social engineering is too broad a topic to go into here (see "Protecting Yourself Against Social Engineering" for an excellent treatise on the subject), but many experts believe that social engineering tactics are being used with greater frequency than ever before. The highly publicized attack on RSA ("RSA Reveals Details of Phishing Attack") was caused directly by an RSA employee clicking on a file attachment in an email message that the employee believed was from a legitimate source.
Steps to Secure Mobile Devices
Considering the growth rates in the adoption of smartphones and tablets in businesses of all sizes, IT pros who are tasked with managing mobile-device security have their work cut out for them. To help you get the most out of your efforts, here is a list of tips and techniques that can help you improve security for all your mobile devices.
1. Embrace clear and direct security policies. If your company or organization has specific security, auditing, or compliance needs that need to be taken into account when managing mobile devices, be sure to carefully (and concisely) document the corporate security policy. It's amazing how many companies don't have a clearly communicated security policy when it comes to mobile devices, so this is a good place to start.
2. Make employee training a must. With a majority of mobile cyberattacks leveraging social engineering tactics, regularly training your employees to know how to spot fraudulent apps and email messages is vital. Eric Sites also castigates app designers for contributing to the current security problems. "There needs to be more usability testing [for Android apps]," Sites says. "Many of these apps aren't the easiest for the average user to figure out, and many users may click randomly on things in order to make something happen."
3. Quickly find or wipe lost or stolen devices. Several brands and models of mobile phones include support for finding lost phones or performing remote wipes. Improved tools for managing mobile devices are also available, including Odyssey Software's Athena. Athena works with Microsoft System Center Configuration Manager (SCCM) and Research In Motion's (RIM's) BlackBerry Enterprise Server (BES) to help you manage mobile devices for those platforms.
4. Enforce good password policy. Good password policy is just as necessary for mobile devices as it is for desktops and laptops, so having a common-sense (and consistently enforced) password policy that applies to mobile devices is a must. A good policy enforces minimum limits for password length, character-string complexity, password expiration, and more. (For more password tips, see my blog post "Password Security Tips," December 2010.)
5. Research apps before downloading. Smartphone users should be trained to carefully read about the apps that they intend to install and the permissions that those apps will require. Mobile apps that ask for access to an unusually large number of smartphone features should be suspect; extraordinary requests for features can be a telltale sign that the app isn't what it appears to be. "Users should really spend more time reading about their apps before downloading them, rather than mashing their finger down on the first thing they see," says Sites.
6. Leverage mobile-security solutions. A number of security vendors -- including McAfee, Symantec, Lookout, ESET, and Total Defense -- have started providing security software for mobile devices. All these vendors provide differing sets of features and functionality, so your best bet is to do some research and find the solution that works best for you and the assortment of devices and OSs that you're deploying and supporting.
7. Beware vendor FUD marketing. With so much ink being spilled on the security risk of mobile devices -- particularly Android OS security issues -- it's also clear that many security vendors have jumped on the bandwagon, using fear of malware or viruses on mobile devices to drive product downloads and sales. "My reaction to this is 'sigh,'" says Mahaffey. "You can't fault them for using an extremely successful business model, but we took a different approach. We wanted to make people happy and confident about using their mobile devices without all the fear tactics." Other security software vendors that provide phone location and file backup services are also duplicating functionality that already exists in some smartphones, such as the Apple iPhone's Find My iPhone, remote wipe, and regular iCloud backup features.
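One way to turn the warning sign in tip 5 into a repeatable check, as an added example that is not from this article or from any vendor it names: a small Python script reads the permissions an Android app declares in its AndroidManifest.xml and flags apps whose declared set reaches into text messages, contacts, location, or the microphone. The sample manifest, the watch-list, and the threshold are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed watch-list: permissions that expose the data and device
# features the article's scenarios turn on (messages, contacts, location,
# microphone, phone identity, persistence across reboots).
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS": "read text messages",
    "android.permission.RECEIVE_SMS": "intercept incoming text messages",
    "android.permission.READ_CONTACTS": "read the address book",
    "android.permission.ACCESS_FINE_LOCATION": "track precise location",
    "android.permission.RECORD_AUDIO": "record from the microphone",
    "android.permission.READ_PHONE_STATE": "read phone identity and call state",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start itself at boot",
}

def declared_permissions(manifest_xml: str) -> list[str]:
    """Return the permission names declared by <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return [
        el.get(f"{{{ANDROID_NS}}}name", "")
        for el in root.iter("uses-permission")
    ]

def review_app(manifest_xml: str, max_sensitive: int = 2) -> dict:
    """Flag an app whose sensitive-permission count exceeds the threshold."""
    perms = declared_permissions(manifest_xml)
    flagged = {p: SENSITIVE_PERMISSIONS[p] for p in perms if p in SENSITIVE_PERMISSIONS}
    return {
        "total": len(perms),
        "sensitive": flagged,
        "suspect": len(flagged) > max_sensitive,
    }

# Constructed manifest for a hypothetical flashlight app that asks for far
# more than a flashlight needs, mirroring the article's "unusually large
# number of smartphone features" warning sign.
FLASHLIGHT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>"""

if __name__ == "__main__":
    report = review_app(FLASHLIGHT_MANIFEST)
    print("suspect" if report["suspect"] else "plausible", report["sensitive"])
```

The threshold is deliberately crude; in practice you would compare an app's declared permissions against what its stated purpose plausibly requires, which is the judgment the article asks users to make before installing.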