Mobile device security was top of mind for folks at RSA Conference 2011 in San Francisco, where numerous sessions were held on the topic. Even sessions that didn’t focus on mobile device security alluded to the challenge of managing and securing the myriad devices that connect to corporate networks. Despite the level of concern expressed by attendees, there was a surprising lack of answers to the question, “How do I secure mobile devices?” But if anything is going to prevent the industry from staying a step ahead of attackers, it’s going to be the lack of a systematic and efficient process for mobile patching.
Experts agree that while mobile device attacks are not yet commonplace, they will be -- and soon. The industry’s awareness of the potential threat to mobile devices gives us the advantage of proactively protecting corporate networks against these threats. This is an opportunity to do security right. Rather than allowing security to “seep in,” as Ed Amoroso, CSO of AT&T, put it, the industry has an opportunity to “do better with mobility and bring security to the forefront.”
Clearly, IT staffs are ready and willing to do just that. Respondents to Frost & Sullivan’s 2011 (ISC)² Global Information Security Workforce Study ranked mobile devices as their second-highest security concern at 66%, behind only application vulnerabilities at 73%. (We can assume there is a bit of overlap here since the application threat largely stems from users introducing consumer-based apps via mobile devices.)
But IT organizations’ readiness to secure devices and protect their networks doesn’t guarantee that threats to mobile device security won’t gain a foothold similar to PC threats. In fact, there was little at the RSA Conference to indicate that mobile device threats wouldn’t gain a foothold, simply because the industry doesn’t know how to secure mobile devices. Case in point: When one delegate asked an expert panel what more he should do to secure mobile devices, he was told to think about what he’s not doing and to do that.
The root of mobile device security problems lies in patching. Mobile patching is a challenge for several reasons, starting with the number of parties involved. There’s the device manufacturer, the operating system developer, the service provider and, of course, the user. It must first be decided who is responsible for building the patch. Once that is determined, it can take several months for the patch to be built. Then it must be efficiently delivered to the end user. Again, the question of responsibility comes up. Who delivers the mobile device patch?
The issue of mobile patching coincides with the challenge of the end user -- and the end-user challenge cannot be underestimated. Companies are increasingly allowing end users to connect their personal mobile devices to the corporate network. Any unpatched vulnerability on the end user’s device becomes the company’s vulnerability as well. If mobile patching is too difficult, the end user won’t do it. If it will render the device unusable for hours at a time, again, the end user won’t do it.
According to Amoroso, service providers can send mobile patches over the air in what is referred to as the “nuke option.” But service providers prefer not to do this because there’s no telling whether the patch will install correctly or bring down the device altogether.
End users aside, there is the pressing issue of securing the devices used by first responders. The mobile infrastructure is a critical infrastructure, as it is used by police, firefighters, medical personnel and other emergency response professionals. If applying patches creates enough network congestion, it can prevent first responders from being able to patch their mobile devices or, worse, use them. The industry needs to determine how these mobile devices will be patched, especially in the case of zero-day patches.
The bottom line: We are on the cusp of a new wave of threats that can impact businesses in new and dangerous ways. Mobile patching is a vital component of a mobile device security strategy, and as of right now there is no system in place for efficiently patching mobile devices. It’s not enough for IT professionals to be concerned about mobile device threats. As Amoroso pointed out, “Carriers are going to do what the consumers and enterprises want.” IT professionals need to get involved with standards groups and put pressure on providers to build secure devices and provide an efficient method for patching them.
About the author
Crystal Bedell is an award-winning writer and editor specializing in technology. She writes articles, tips and guides to help IT professionals evaluate technology, secure and modernize their IT infrastructure, solve business problems and prepare for IT certifications. She can be reached at email@example.com.