IT should ask some key questions about its security infrastructure to be prepared in the event of a mobile security breach.
A number of scenarios can expose mobile users, data and entire mobile infrastructures. Yet, it's less common to hear about these types of security incidents than about those carried out by traditional computers against traditional networks.
This is likely due to a lack of visibility into mobile systems and their related data. Perhaps it's because of the assumption that mobile is secure if IT uses mobile device management (MDM), enterprise mobility management (EMM) or unified endpoint management (UEM). These technologies can certainly lead to a false sense of security.
Types of mobile attacks
Security events involving mobile can come in various forms. IT should understand the potential ways a mobile security breach can happen.
Lost or stolen devices. Even if IT has strong access controls, attackers can still access some mobile devices using legitimate forensics recovery tools, such as the Elcomsoft Mobile Forensic Bundle. Because end users often use mobile devices to access business applications, such as email, cloud file-sharing and remote access, as well as to store sensitive information on their devices, stolen devices can affect businesses.
Mobile app vulnerabilities. This is an area of exposure with its roots in the software development lifecycle and lax security testing. A malicious mobile app user can do as he pleases and IT would likely never know about it.
Malware infections. Although mobile malware infections are uncommon due to mobile devices' secure architectures, they still occur.
Man-in-the-middle attacks. These attacks carry out exploits to access communication sessions between mobile users and the services that they are using. All it takes for exposure is for a user to connect to a rogue wireless access point.
Web application or services attacks. On the other end of mobile devices are web applications and web services that hackers can attack directly. This is an often forgotten component of mobile security. Make sure that you look below the application layer.
Ask the right questions
IT pros may assume that they have the necessary control over mobile security, but that's not enough given all the avenues of attack and the lack of security visibility in the typical enterprise. If IT uses MDM, EMM or UEM, that's a great first step. However, IT must look at the bigger picture and how those tools tie into other security systems.
For example, does IT have full visibility in terms of malware protection? What about network-related anomalies? Will IT be alerted about problem traffic? Is it all tied together through a bigger system, such as a security information and event management tool? Are these controls just local, or does IT have visibility and control across the mobile infrastructure and out to the cloud? Most organizations are woefully deficient in terms of cohesiveness.
Most organizations are BYOD shops with little to no standardization. BYOD creates greater network complexity, so IT must ensure that security standards are in place.
For example, do mobile security standards for Apple iOS apply to Google Android? What other mobile operating systems do workers use? Are smartphones and tablets equally covered? What about laptops? Are MacBooks included? Is IT fully aware of the various mobile OSes and devices and how they interact with the mobile infrastructure? It's important to know how those devices may expose mobile assets.
Finally, IT should determine its incident response capabilities to prepare for a mobile security breach. Assuming IT can detect mobile security events, how will it respond? How is mobile different from a traditional computing environment? Will mobile security require different tools for response efforts? Does the organization have the internal skill and tool sets to do so? If IT has a documented incident response plan, does it include all of the pertinent areas for mobile?
Before IT pros do anything else, such as buy new mobile security tools, implement new policies or tweak their incident response plan, they should perform a detailed security assessment of their mobile environment.
IT must know its network, threats, vulnerabilities and business risks -- whether it obtains that information as part of an overall information risk assessment or from a more targeted look at mobile systems. It's not enough to simply document policies and deploy products.