Mobile security: Top oversights

Here's what I'm seeing as critical mobile security mistakes -- things to look out for and gain control of going forward.

1. Not knowing what is really at risk
   Most employees and managers haven't really thought about what there is to lose -- especially when it comes to the lack of physical security controls with mobile devices. Simply put, people aren't valuing business assets and treating the threats and vulnerabilities seriously enough. Making matters worse, many in business don't know what information they have, where it is located, or even what it is worth. In most cases, this stems from management's failure to instill a culture of privacy and security -- often leading to security oversights and unfortunate breaches that create business-level problems.

2. Not taking the complexities involved seriously enough
   It is easy to assume that mobile security is simply achieved. You just encrypt wireless traffic and laptop hard drives and all's well, right? Not really. For starters, it's all in how encryption is used and when it's used. Time and time again, I see and hear of network managers implementing these types of controls in all the wrong ways -- often in the name of getting it done quickly to make users happy. There is also this problem of islands of unstructured files scattered about laptops and handhelds. It's everywhere and then means a literally ...
   
   To continue reading for free, register below or login

   Requires Membership to View

   To gain access to this and all member only content, please provide the following information:

   Email Address:
   
   
   

   By joining SearchMobileComputing.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.
   
   TechTarget cares about your privacy. Read our Privacy Policy
   To read more you must become a member of SearchMobileComputing.com

   As an existing member of the TechTarget network please activate your SearchMobileComputing.com account 

   By joining SearchMobileComputing.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.
   
   TechTarget cares about your privacy. Read our Privacy Policy
   
   
   

   RELATED CONTENT Mobile Security Mobile security threats Two-factor authentication: Mobile security at your fingertips Securing your Windows Mobile devices In-the-cloud defenses for mobile malware On-device defenses for mobile malware Is malware coming to a smartphone near you? Protecting data on your BlackBerry Defining your mobile security policy Government regulations and mobile security policies Symbian: Protect your data, not just your device Hackers and Threats to your Mobile Enterprise Mobile security threats Securing corporate data on your laptops iPhone hacking: Lessons from the front line Trends in mobile computing Traditional security threats coming soon to mobile device near you Prevent mobile malware: Learn how to protect your enterprise and devices On-device defenses for mobile malware Is malware coming to a smartphone near you? New challenges in mobile device discovery Mobile security – Understanding and controlling risks Mobile Policies and Procedures Mobile device security policies: Asserting control over mobile devices Securing corporate data on your laptops Podcast: FAQs on mobile policies Developing and instituting corporate mobile device policies Mobile security culture starts at the top Detecting rogue mobile devices on your network Mobile security policies Defining your mobile security policy Government regulations and mobile security policies Mobile security policies: Why a policy is important

   RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bluesnarfing  (SearchMobileComputing.com) drive-by spamming  (SearchMobileComputing.com) mobile phone virus  (SearchMobileComputing.com) SMiShing  (SearchMobileComputing.com) war driving  (SearchMobileComputing.com) warchalking  (SearchMobileComputing.com)

   RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

   
   
   unlimited attack surface against sensitive information.

   With the lack of physical controls, unauthorized usage is very difficult to prevent or trace back. Finally, I strongly believe that the whole problem of policies and people is underestimated -- that is, the security policies, processes and user buy-in required to keep mobile systems secure. The software side of mobile security is a complex beast, and it cannot be taken lightly.

3. Being too trusting of people
   Speaking of people, many in IT and upper management are too trusting of employees and even outside contractors and other visitors. They are often given a lot of privileges with mobile devices, both on and off the network, but no one really knows how they're using them. Quite often, we're depending on these users to do the right thing and help limit mobile security weaknesses, but that is not likely to happen, considering that this is the last thing on the minds of people who have a hundred other things to worry about during their workday.

4. Not using technology for help
   There is a great over-reliance on policies to keep information safe -- especially at the management level. The assumption is that a policy is in place, so everything is safe and sound. There are lots of security controls that come free with most computers, handhelds and wireless LAN systems. From power-on passwords to BitLocker drive encryption in Windows Vista, from WPA encryption to the Microsoft PPTP VPN (among other freebies), many solutions exist. The key is making the choice to use them. If the controls you need are not there by default, there are solutions available (at reasonable prices relative to the consequences) to keep mobile systems secure from the elements.

5. Not understanding how the bad guys work
   One of my biggest pet peeves -- it is near and dear to my heart -- is the fact that a lot of mobile systems (wireless LANs included) aren't being properly tested for security exploits. In fact, mobile systems are often outside the scope of security assessments. We look at firewalls, operating systems, Web apps and databases but tend to ignore mobile systems because some basic controls are in place. Of the testing that is being done, it is often checklist audit with no in-depth testing ethical hacking to find out just what controls can be bypassed and exploited. Looking at mobile systems with a malicious attitude and good tools is absolutely necessary to find the real problems.

Mobile security problems aren't going away. Whether or not mobility is supported by management, it is probably still present in some form. Most mobile weaknesses are out of sight and out of mind. But don't be fooled -- they're still there.

In the end, there are two options:

1. Action to prevent mobile security breaches
2. Reaction after a breach

About the author: Kevin Beaver is an independent information security consultant, speaker, and expert witness with Atlanta-based Principle Logic, LLC. Kevin has authored/co-authored six books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley), as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He is also the creator of the Security on Wheels information security audio books, providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com.

Rate this Tip To rate tips, you must be a member of SearchMobileComputing.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.