Most people are aware that mobile systems create business risks. Knowing this, some network managers take every measure to ban mobile computing. No laptops, no wireless networks, no handhelds, nothing. On the other hand, many allow mobility openly, with very limited controls, to the extent where it becomes an employee "right." Both are extremes in the classic struggle of trying to balance security with usability, but I see both frequently. Whether you support mobility in one of these fashions or fall somewhere in between, it's almost guaranteed that mobile security problems still exist.
Here's what I'm seeing as critical mobile security mistakes -- things to look out for and gain control of going forward.
- Not knowing what is really at risk
Most employees and managers haven't really thought about what there is to lose -- especially when it comes to the lack of physical security controls with mobile devices. Simply put, people aren't valuing business assets and treating the threats and vulnerabilities seriously enough. Making matters worse, many in business don't know what information they have, where it is located, or even what it is worth. In most cases, this stems from management's failure to instill a culture of privacy and security -- often leading to security oversights and unfortunate breaches that create business-level problems.
- Not taking the complexities involved seriously enough
It is easy to assume that mobile security is simply achieved. You just encrypt wireless traffic and laptop hard drives and all's well, right? Not really. For starters, it's all in how encryption is used and when it's used. Time and time again, I see and hear of network managers implementing these types of controls in all the wrong ways -- often in the name of getting it done quickly to make users happy. There is also this problem of islands of unstructured files scattered about laptops and handhelds. It's everywhere and then means a literally unlimited attack surface against sensitive information.
With the lack of physical controls, unauthorized usage is very difficult to prevent or trace back. Finally, I strongly believe that the whole problem of policies and people is underestimated -- that is, the security policies, processes and user buy-in required to keep mobile systems secure. The software side of mobile security is a complex beast, and it cannot be taken lightly.
- Being too trusting of people
Speaking of people, many in IT and upper management are too trusting of employees and even outside contractors and other visitors. They are often given a lot of privileges with mobile devices, both on and off the network, but no one really knows how they're using them. Quite often, we're depending on these users to do the right thing and help limit mobile security weaknesses, but that is not likely to happen, considering that this is the last thing on the minds of people who have a hundred other things to worry about during their workday.
- Not using technology for help
There is a great over-reliance on policies to keep information safe -- especially at the management level. The assumption is that a policy is in place, so everything is safe and sound. There are lots of security controls that come free with most computers, handhelds and wireless LAN systems. From power-on passwords to BitLocker drive encryption in Windows Vista, from WPA encryption to the Microsoft PPTP VPN (among other freebies), many solutions exist. The key is making the choice to use them. If the controls you need are not there by default, there are solutions available (at reasonable prices relative to the consequences) to keep mobile systems secure from the elements.
- Not understanding how the bad guys work
One of my biggest pet peeves -- it is near and dear to my heart -- is the fact that a lot of mobile systems (wireless LANs included) aren't being properly tested for security exploits. In fact, mobile systems are often outside the scope of security assessments. We look at firewalls, operating systems, Web apps and databases but tend to ignore mobile systems because some basic controls are in place. Of the testing that is being done, it is often checklist audit with no in-depth testing ethical hacking to find out just what controls can be bypassed and exploited. Looking at mobile systems with a malicious attitude and good tools is absolutely necessary to find the real problems.
Mobile security problems aren't going away. Whether or not mobility is supported by management, it is probably still present in some form. Most mobile weaknesses are out of sight and out of mind. But don't be fooled -- they're still there.
In the end, there are two options:
- Action to prevent mobile security breaches
- Reaction after a breach
About the author: Kevin Beaver is an independent information security consultant, speaker, and expert witness with Atlanta-based Principle Logic, LLC. Kevin has authored/co-authored six books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley), as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He is also the creator of the Security on Wheels information security audio books, providing security learning for IT professionals on the go. Kevin can be reached at firstname.lastname@example.org.