“Expect more trouble,” a former international vice-president of Isaca has told information security professionals at the 2013 EuroCACS information security and risk management conference in London.
Rolf von Roessing said the security challenges will only multiply as wireless data speeds increase and a growing number of devices become connected and interdependent in the “internet of things”.
“Android is currently more of a target than iOS, but attacks are happening against Apple mobile devices and, when they are breached, it is usually fairly serious,” said Rolf von Roessing.
However, von Roessing sees even bigger challenges for security professionals in attacks that compromise a cluster of connected devices and exploit interactions between the devices.
In the latest models of BMW cars, for example, navigation systems, locking systems, starting systems and mobile phones are all connected, he said. Any of these systems could be infected and compromised.
“Where there are clusters of wirelessly connected devices, it will become increasingly difficult to identify infections or where they have come from,” said von Roessing.
This means even cars have become another mobile device that information security professionals will have to secure and include in the Cobit 5 framework for IT governance and management.
“Forgetting to include a car key fob in Cobit could open up a potential area of vulnerability,” said von Roessing.
The problem is magnified when you consider the increasing number of connected device clusters emerging, such as those around point of sale devices.
In the enterprise, mobile phones present a significant challenge to security professionals, especially where phones are brand-locked and prevent the use of mobile device management systems.
“For effective protection, security professionals need access to mobile operating systems, but this is not always possible and consequently 30% to 40% of devices are under the radar,” said von Roessing.
There is also the challenge of enterprise mobile users being unwilling to surrender their devices on a regular basis for security maintenance.
The increasing number and complexity of wireless protocols is yet another challenge, especially when devices are designed to fall back to older, less secure technologies when network capacity is low.
At the application level, particularly in Android, the challenge is the excessive permissions that apps require users to agree to when downloading them, said von Roessing.
“K-9 Mail, for example, demands 17 permissions, including the ability to manipulate contacts and create its own network sockets or side channels,” he said.
Von Roessing advises that security professionals should weigh up the potential back doors in commonly used apps and encourage users to find less risky alternatives to the worst offenders.
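The review von Roessing recommends can be started mechanically: pull the permission list out of an app's AndroidManifest.xml and flag the ones that grant reach into user data, then flag the combination he singles out, a data source (such as contacts) paired with a network path that could carry it off the device. The script below is an added illustration of that triage and is not code from the talk or from any app mentioned in it; the manifest it parses is constructed for this example and describes no real app, and the risk grouping of permissions is this script's own editorial choice, not an Android classification.

```python
"""Triage the permissions an Android app requests, from its AndroidManifest.xml.

Added example. The manifest below is constructed and does not describe any
real app. Permission names are genuine Android permission strings; the
grouping into risk categories is this script's own choice.
"""
import xml.etree.ElementTree as ET

# Manifest attributes such as android:name live in this namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a reviewer should expect the app to justify explicitly,
# grouped by what they give access to (editorial grouping for this example).
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.WRITE_CONTACTS": "contacts",
    "android.permission.GET_ACCOUNTS": "contacts",
    "android.permission.READ_SMS": "messaging",
    "android.permission.SEND_SMS": "messaging",
    "android.permission.RECEIVE_SMS": "messaging",
    "android.permission.READ_CALL_LOG": "telephony",
    "android.permission.READ_PHONE_STATE": "telephony",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.RECORD_AUDIO": "sensors",
    "android.permission.CAMERA": "sensors",
    "android.permission.SYSTEM_ALERT_WINDOW": "ui-overlay",
    "android.permission.INTERNET": "network",
}

# A data source paired with a path off the device is the combination worth
# a second look: the app can both read the data and move it somewhere.
DATA_SOURCES = {"contacts", "messaging", "telephony", "location", "sensors"}
EXFIL_SINK = "network"

# Constructed sample manifest (hypothetical package name).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.mailclient">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the sorted list of permission names declared in <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return sorted(
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    )


def audit(manifest_xml):
    """Summarise requested permissions and flag source-plus-sink combinations."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    flagged = [p for p in perms if p in SENSITIVE]
    categories = {SENSITIVE[p] for p in flagged}
    findings = []
    sources_hit = sorted(categories & DATA_SOURCES)
    if sources_hit and EXFIL_SINK in categories:
        findings.append(f"reads {', '.join(sources_hit)} and has {EXFIL_SINK} access")
    return {
        "package": root.get("package"),
        "total": len(perms),
        "sensitive": flagged,
        "categories": sorted(categories),
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    print(f"{report['package']}: {report['total']} permissions requested, "
          f"{len(report['sensitive'])} sensitive")
    for perm in report["sensitive"]:
        print(f"  {perm} [{SENSITIVE[perm]}]")
    for finding in report["findings"]:
        print(f"  FINDING: {finding}")
```

The output is a review aid, not a verdict: a mail client legitimately needs contacts and network access, so the finding tells the reviewer which apps to question and what to ask about, which is the weighing-up the talk asks for. Extending the `SENSITIVE` table and the source/sink rule to an organisation's own risk appetite is the intended customisation.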
“In the light of bring your own device (BYOD) programmes, it is more important than ever for end users to be aware of the risks involved,” he said.
Considering the “tidal wave” of new and emerging risks associated with mobile devices, von Roessing said security structure and planning is essential.
“Organisations need to set aside adequate budgets to deal with these challenges comprehensively, otherwise all efforts will simply be a waste of money because of all the security gaps,” he said.
In addition to an adequate budget for technical security controls, von Roessing said organisations should ensure they either have adequate internal skills or access to trusted external parties that can be integrated into the organisation to deal with mobile security.
Von Roessing reiterated the importance of risk-aware users. “Reasonable and responsible use is essential, otherwise you can forget about technical security. Rules must back technical controls,” he said.