Following up on my SANS 575: Mobile Device Ethical Hacking course review, below is my take on the current state of mobile device security.
First, let me define what I mean by mobile devices: smartphones and tablets, not laptops. Although laptops are “mobile”, the security available to them is far more mature, so they are out of scope for this article.
Then, let’s dive into the past and see where mobile device security fits.
From the very start, when computers were first used and interconnected, security was always the last “add-on” and security professionals had to play catch-up. This was true with intranets, where weak or absent defences meant companies relied heavily on physical security, i.e. no hacker would be allowed onto the premises to plug in a portable desktop. The realisation that staff could also be attackers, together with the arrival of laptops, meant better IT access controls were put in place.
When the Internet started to appear in every house, and sometimes under office desks, companies soon realised they had to connect their corporate networks to it and leverage that communication revolution. But again, the rush and the immaturity of security technology meant this was often done with the wrong, or misconfigured, controls in place. Security controls were configured, updated and monitored reactively rather than being carefully planned, implemented, budgeted for and maintained.
Then Wi-Fi started it all over again: hotspots popped up everywhere, uncontrolled, misunderstood and misconfigured. Even now, many companies are still trying to improve the security of their Wi-Fi offering, or are simply running an insecure wireless infrastructure.
Today we are seeing a trend similar to the consumer market, where companies are made to consume technology faster than they can digest it.
This is driven both by the consumerisation of work assets and by the promise of new technologies giving companies an edge.
The use of smartphones and tablets is being force-fed onto most companies. Forced, because this computing technology is no longer exclusive to the working environment: we use it at home and bring our expectations to work. And also because the previous technology wave enabled remote working, and mobile devices simply leverage what is already there!
But history is repeating itself and, to borrow some Daft Punk lyrics, it is doing it “Harder, Faster, Stronger”… but not “Better”!
The impact is harder.
All corporate data is now digitised and somehow accessible from the Internet, through VPNs, bastion hosts or web portals, from chat logs to financial market models. Computer systems are now critical to companies: if they become unavailable, compromised or corrupted, employees’ ability to work is severely impacted.
This is happening faster.
2G yesterday, 3G today, 4G/NFC tomorrow. Each with its own weaknesses and vulnerabilities.
Every year sees new mobile device architectures. They are not just iterative updates: they often introduce new hardware and new firmware with new functions. This is true from the supporting mobile network infrastructure down to the handsets themselves. Take iOS 6.0 for example: it reportedly fixed about 200 security issues but also introduced hundreds of new features. Not only could those new features have introduced new vulnerabilities, but it also means older hardware that cannot upgrade to 6.0 remains exposed to those 200 issues.
Other manufacturers are no better, with some Android phones having an update shelf-life of just six months!
The drive is stronger.
As mentioned earlier, smartphones and tablets are being force-fed onto most companies.
This pressure to use new technology at work comes not only from the base but from the top of most organisations, which makes matters worse. It usually means it has to happen yesterday and to happen regardless, with very little time for careful planning, design and implementation. In fact, most of the time, by the time security teams get involved it has already happened!
There are three ways for a technology to be securely implemented, all complementary to each other:
- The best is for it to be secure by design;
- A good approach is to take the time to review and understand it before designing its implementation, through pilots and testing;
- The minimum is to review the security of its implementation through penetration testing, ongoing monitoring and the all-important care and feeding (updates, roadmaps, etc.).
When it comes to mobile device security, this is a very new and immature area. My advice is to act NOW and set up your mobile device security task force if you don’t want to play catch-up for years to come:
- Communicating with and educating your users about the risks associated with mobile devices is a low-cost, light and fast way to improve their awareness and behaviour.
- Implementing a Mobile Device Management (MDM) solution is a must to gain some control over what corporate data is accessed from mobile devices, and how. At the very least it gives you a framework to move forward from.
- Having an internal app review capability allows guidelines to be issued on how corporate data should be accessed and stored on such devices, and helps drive security by design. Being able to assess an app’s security before it is published gives the extra assurance that those guidelines were indeed understood and followed.
- Having a third-party app review capability allows you to assess the most commonly used apps, or those third-party apps used to access corporate data. This helps limit the risk of data leakage or malware attacks.
- Monitoring your network and infrastructure for mobile-specific malware activity helps detect ongoing attacks against your users’ mobile devices.
The point is that mobile device security is an area that must be taken very seriously; it should not, and does not, stop with MDM.