The ongoing consumerisation of IT has increased pressure on organisations to support mobile workers who demand the latest smartphones and tablets. These devices offer a convenient way to work when out of the office, whether it be for checking email or using the device as a sales tool. Because these devices are so different from working on a traditional laptop, it's often thought existing security practices are not required. This article will dispel that myth, review four key mobile device security threats and explain how you can defend against them.
The same threats that exist against traditional computing devices also apply to mobile devices. These include malware (such as the iPhoneOS.ikee.worm), social engineering attacks (where a mobile device user is tricked into visiting a malicious site that automatically installs malware), data loss and man-in-the-middle attacks.
Malware -- The standard security practice of applying antivirus to corporate machines should also be applied to mobile devices. Antivirus products exist for both BlackBerry and Android devices; these should be investigated by the security team and deployed as needed. Malicious apps can be a source of malware, so policies should be put in place to restrict which apps can be installed on a device. Policy should forbid users from using jailbreaking tools on mobile devices, since these bypass the built-in security features of the device and make it much more likely that malware can be installed.
Social engineering attacks -- Users are often educated about the threat of phishing emails on their laptops and desktops, but they may not apply the same caution to their mobile device. Users should be educated to avoid following email links, opening attachments, or visiting websites that are not confirmed as safe. MDM products can provide a whitelist of websites that are considered safe, automatically allowing access to these sites. Alternatively, a secure browser can be installed on the device, allowing access only to approved sites.
Data loss -- A significant threat to corporate data is the manual or automatic synchronisation of devices. In a typical implementation, mobile devices can be synchronised with multiple cloud services or a home or work PC, to provide a consolidated view of the user's email, calendar and contacts. However, this can potentially be abused by employees, and corporate data may be placed on a machine outside of the organisation's control, which will not be governed by approved security controls. Security policy should therefore forbid the synchronisation of devices with home PCs.
The reverse situation also poses a threat, where an employee connects an unsanctioned mobile device to the corporate network and synchronises the data on to their device. Thereafter the data is no longer under the control of corporate security policy and may be uploaded to private cloud services. The organisation's security policy should forbid users from connecting unapproved mobile devices to the corporate network.
Mobile devices, by their very nature, are more likely to be lost or stolen, putting the data stored on them at risk. Corporate policy should enforce a passcode or PIN on the device with a lockout after a small number of failed attempts. There are methods sophisticated attackers can use to bypass this restriction, but the password or PIN at least limits the risk. The organisation's data protection policy or data loss prevention (DLP) tool should also be extended to mobile devices. However, it should be noted that the isolation models employed by iOS and Android devices prevent DLP tools from scanning the whole device for sensitive information.
Man-in-the-middle attacks -- The most compelling reason to allow mobile devices is the productivity increase that can be gained from allowing users to connect anytime, anywhere. However, public wireless networks are usually unencrypted. If a user connects from a hotel, café or the guest network of another company, data passed over the connection can be seen and intercepted by third parties, and potentially even altered. To defend against this threat, connections into the corporate network must be conducted over a secure, encrypted VPN. Modern smartphones support VPN configurations, and your security policy should require users to connect via a VPN when outside the corporate network.
Mobile device security tools
In addition to the mobile device security policy guidelines described above, there are additional security technologies that help protect against all these threats. The first is called mobile device management (MDM). MDM can be used to enforce a consistent, approved security model across all enterprise-owned devices, and changes to the policy can automatically be pushed to the devices remotely. There are a variety of MDM products available for smartphone platforms. Security teams should consider MDM technology as a means to enforce VPN settings, passcodes and screen-lock duration. MDM can even be used to block the installation of new apps, which mitigates the threat associated with malware delivered via malicious apps.
The second tool that can be employed is sandboxing. With sandboxing, the mobile device is separated into two sections. All corporate data is stored in and accessed via one of the sections, called a sandbox, which requires the user to log in. This can be explicitly controlled by the security team and access can be granted and revoked at will. Thus, if the device is reported stolen, the secure login can be disabled and the sandboxed area of the device is safe.
Secure browsers are the third tool in a mobile device defence plan. A secure browser can be installed to replace the default browser on mobile devices. A secure browser can check against a blacklist of known malicious sites each time a website is requested. This can be a defence against social engineering and malware installation, but is only as effective as the blacklist in use. Vendors such as Symantec, McAfee, Trend Micro, F-Secure, Lookout and Webroot offer secure browsers plus blacklists for various smartphone platforms.
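The whitelist described under social engineering attacks and the blacklist check described here both depend on comparing the host the browser will actually connect to, not the raw URL text. The following Python sketch is an added example, not code from any MDM or secure browser product; the host lists, function names and the HTTPS-only rule are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed policy lists for illustration (not taken from any vendor feed).
APPROVED_HOSTS = {"intranet.example.com", "mail.example.com"}  # exact hosts
APPROVED_DOMAINS = {"partner.example.org"}    # the domain and its subdomains
BLOCKED_HOSTS = {"bad.partner.example.org"}   # blacklist overrides whitelist


def normalise_host(url):
    """Return the host a browser would connect to, or None if unusable."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname     # lower-cased, without userinfo or port
    except ValueError:            # malformed URL, e.g. broken IPv6 literal
        return None
    # Assumption of this example: only HTTPS links are ever permitted.
    if parts.scheme != "https" or not host:
        return None
    host = host.rstrip(".")       # "example.com." and "example.com" are equal
    try:
        # Convert internationalised names to their ASCII (punycode) form so
        # look-alike Unicode hosts never compare equal to an approved host.
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def is_allowed(url):
    """Apply blacklist first, then exact-host and domain whitelists."""
    host = normalise_host(url)
    if host is None or host in BLOCKED_HOSTS:
        return False
    if host in APPROVED_HOSTS:
        return True
    # Match on a label boundary: "evilpartner.example.org" must not pass.
    return any(host == d or host.endswith("." + d) for d in APPROVED_DOMAINS)


if __name__ == "__main__":
    for sample in ("https://intranet.example.com/login",
                   "https://intranet.example.com@evil.example/",
                   "https://evilpartner.example.org/"):
        print(sample, "->", "allow" if is_allowed(sample) else "deny")
```

A plain substring or prefix comparison against the URL would approve the second and third sample links, which is why the check parses the URL and matches whole hostname labels.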
Mobile devices bring many benefits to organisations. They have been designed to be more secure than traditional PCs, but mobile device security threats are real and need to be managed using the methods outlined in this article.
About the author:
Rob Shapland is a penetration tester at First Base Technologies. He can be contacted via Twitter @rdshapland.