Mobile security “a tidal wave” of challenges, says security expert

“Expect more trouble,” a mobile security expert has told the 2013 EuroCACS security and risk management conference in London

“Expect more trouble,” a former international vice-president of Isaca has told information security professionals at the 2013 EuroCACS information security and risk management conference in London.

Rolf von Roessing said the security challenges will only multiply as wireless data speeds increase and a growing number of devices become connected and interdependent in the “internet of things”.

He warned that, while the vulnerabilities and threats associated with the Android operating system are multiplying “almost exponentially”, users of Apple’s iOS can no longer be complacent.

“Android is currently more of a target than iOS, but attacks are happening against Apple mobile devices and, when they are breached, it is usually fairly serious,” said Rolf von Roessing.

Connected clusters

However, von Roessing sees even bigger challenges for security professionals in attacks that compromise a cluster of connected devices and exploit interactions between the devices.

In the latest models of BMW cars, for example, navigation systems, locking systems, starting systems and mobile phones are all connected, he said. Any of these systems could be infected and compromised.


“Where there are clusters of wirelessly connected devices, it will become increasingly difficult to identify infections or where they have come from,” said von Roessing.

This means even cars have become another mobile device that information security professionals will have to secure and include in the Cobit 5 framework for IT governance and management.

“Forgetting to include a car key fob in Cobit could open up a potential area of vulnerability,” said von Roessing.

The problem is magnified when you consider the increasing number of connected device clusters emerging, such as those around point of sale devices.

Mobile challenge

In the enterprise, mobile phones present a significant challenge to security professionals, especially where phones are brand-locked and prevent the use of mobile device management systems.

“For effective protection, security professionals need access to mobile operating systems, but this is not always possible and consequently 30% to 40% of devices are under the radar,” said von Roessing.

There is also the challenge of enterprise mobile users being unwilling to surrender their devices on a regular basis for security maintenance.

The increasing number and complexity of wireless protocols is yet another challenge, especially when devices are designed to fall back to older, less secure technologies when network capacity is low.

At the application level, particularly in Android, the challenge is the excessive permissions that apps require users to agree to when downloading them, said von Roessing.

“K-9 Mail, for example, demands 17 permissions, including the ability to manipulate contacts and create its own network sockets or side channels,” he said.

Von Roessing advises that security professionals should weigh up the potential back doors in commonly used apps and encourage users to find less risky alternatives to the worst offenders.
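As an added example (not from the article or the speaker), the audit below reads the permissions an Android app declares in its manifest and flags the combination the speaker singles out: access to sensitive data such as contacts alongside the ability to open network connections. The manifest is constructed for illustration and is not K-9 Mail's; the permission names are real Android identifiers.

```python
"""Audit the permissions an Android app declares in its manifest.
The sample manifest below is constructed for illustration only; it is not
the manifest of any real app. Permission names are real Android identifiers."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions Android classifies at the "dangerous" protection level:
# each gives access to user data that is worth reviewing on its own.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.GET_ACCOUNTS",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
}
# Permission that lets the app open its own network sockets.
NETWORK = {"android.permission.INTERNET"}

# Constructed sample manifest (illustrative only).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.mailclient">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>"""


def declared_permissions(manifest_xml: str) -> list:
    """Return every android:name declared in a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def audit(manifest_xml: str) -> dict:
    """Summarise the manifest: total count, sensitive permissions, network
    capability, and whether the app both reads sensitive data and can send it."""
    perms = declared_permissions(manifest_xml)
    sensitive = sorted(p for p in perms if p in SENSITIVE)
    network = any(p in NETWORK for p in perms)
    return {
        "total": len(perms),
        "sensitive": sensitive,
        "network": network,
        "review": bool(sensitive) and network,  # data access plus an outbound channel
    }


if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST))
```

Running it against a real APK means extracting AndroidManifest.xml first (with apktool or similar); the audit itself only needs the decoded XML text.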

Risk-aware users

“In the light of bring your own device (BYOD) programmes, it is more important than ever for end users to be aware of the risks involved,” he said.

Considering the “tidal wave” of new and emerging risks associated with mobile devices, von Roessing said security structure and planning are essential.

“Organisations need to set aside adequate budgets to deal with these challenges comprehensively, otherwise all efforts will simply be a waste of money because of all the security gaps,” he said.

In addition to an adequate budget for technical security controls, von Roessing said organisations should ensure they either have adequate internal skills or access to trusted external parties that can be integrated into the organisation to deal with mobile security.

Von Roessing reiterated the importance of risk-aware users. “Reasonable and responsible use is essential, otherwise you can forget about technical security. Rules must back technical controls,” he said.
