Mobile security: Top oversights

Here's what I'm seeing as critical mobile security mistakes -- things to look out for and gain control of going forward.

1. Not knowing what is really at risk
   Most employees and managers haven't really thought about what there is to lose -- especially when it comes to the lack of physical security controls with mobile devices. Simply put, people aren't valuing business assets and treating the threats and vulnerabilities seriously enough. Making matters worse, many in business don't know what information they have, where it is located, or even what it is worth. In most cases, this stems from management's failure to instill a culture of privacy and security -- often leading to security oversights and unfortunate breaches that create business-level problems.

2. Not taking the complexities involved seriously enough
   It is easy to assume that mobile security is simply achieved. You just encrypt wireless traffic and laptop hard drives and all's well, right? Not really. For starters, it's all in how encryption is used and when it's used. Time and time again, I see and hear of network managers implementing these types of controls in all the wrong ways -- often in the name of getting it done quickly to make users happy. There is also this problem of islands of unstructured files scattered about laptops and handhelds. It's everywhere and then means a literally unlimited attack surface against sensitive information.

   With the lack of physical controls, unauthorized usage is very difficult to prevent or trace back. Finally, I strongly believe that the whole problem of policies and people is underestimated -- that is, the security policies, processes and user buy-in required to keep mobile systems secure. The software side of mobile security is a complex beast, and it cannot be taken lightly.

3. Being too trusting of people
   Speaking of people, many in IT and upper management are too trusting of employees and even outside contractors and other visitors. They are often given a lot of privileges with mobile devices, both on and off the network, but no one really knows how they're using them. Quite often, we're depending on these users to do the right thing and help limit mobile security weaknesses, but that is not likely to happen, considering that this is the last thing on the minds of people who have a hundred other things to worry about during their workday.

4. Not using technology for help
   There is a great over-reliance on policies to keep information safe -- especially at the management level. The assumption is that a policy is in place, so everything is safe and sound. There are lots of security controls that come free with most computers, handhelds and wireless LAN systems. From power-on passwords to BitLocker drive encryption in Windows Vista, from WPA encryption to the Microsoft PPTP VPN (among other freebies), many solutions exist. The key is making the choice to use them. If the controls you need are not there by default, there are solutions available (at reasonable prices relative to the consequences) to keep mobile systems secure from the elements.

5. Not understanding how the bad guys work
   One of my biggest pet peeves -- it is near and dear to my heart -- is the fact that a lot of mobile systems (wireless LANs included) aren't being properly tested for security exploits. In fact, mobile systems are often outside the scope of security assessments. We look at firewalls, operating systems, Web apps and databases but tend to ignore mobile systems because some basic controls are in place. Of the testing that is being done, it is often checklist audit with no in-depth testing ethical hacking to find out just what controls can be bypassed and exploited. Looking at mobile systems with a malicious attitude and good tools is absolutely necessary to find the real problems.

Mobile security problems aren't going away. Whether or not mobility is supported by management, it is probably still present in some form. Most mobile weaknesses are out of sight and out of mind. But don't be fooled -- they're still there.

In the end, there are two options:

1. Action to prevent mobile security breaches
2. Reaction after a breach

About the author: Kevin Beaver is an independent information security consultant, speaker, and expert witness with Atlanta-based Principle Logic, LLC. Kevin has authored/co-authored six books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley), as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He is also the creator of the Security on Wheels information security audio books, providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com.

Rate this Tip To rate tips, you must be a member of SearchMobileComputing.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Mobile Security Mobile security policies: Why a policy is important Avoiding data breaches through mobile encryption Mobile security: Setting responsible goals Mobile device management -- Controlling risks and costs for better security Using Exchange Server for mobile device security Mobile devices: Business or personal property? Mobile devices: Corporate security strategies Mobile security -- Are antivirus and firewalls enough? Mobile (in)security Securing Bluetooth Hackers and Threats to your Mobile Enterprise New challenges in mobile device discovery Mobile security – Understanding and controlling risks Mobile security is end user and IT responsibility Mobile viruses evolving beyond just 'nuisance' Dual mode vulnerabilities identified Top 10 mobile tips of 2006 Mobile phone spyware -- it's here Mobile (in)security Apple fixes Mac Wi-Fi flaws What to do when a laptop is lost or stolen Mobile Policies and Procedures Mobile security policies: Why a policy is important BlackBerry usage policy and agreement Mobile device security: Auditing the airwaves Mandate security training to safeguard your mobile fleet Google's Android platform could complicate security Mobile security: Setting responsible goals Mobile security tops concerns, but policy isn't enforced Mobile security – Understanding and controlling risks Mobile security breaches inevitable, study says Mobile security is end user and IT responsibility RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bluesnarfing  (SearchMobileComputing.com) drive-by spamming  (SearchMobileComputing.com) mobile phone virus  (SearchMobileComputing.com) SMiShing  (SearchMobileComputing.com) war driving  (SearchMobileComputing.com) warchalking  (SearchMobileComputing.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.