Mobile Security – there is a lot of conversation going on around this topic: Bring Your Own Device (BYOD), Mobile Device Management (MDM) and so on. Is this something new? Why is it becoming so important?
Mobile devices have been around in the corporate environment for years, providing executives and employees with access to corporate information, e.g. the BlackBerry mobile solution. Initially, BlackBerry solutions were only available to members of the executive team. There was a lot of scrutiny around offering BlackBerry devices, because they were expensive and every request for one had to be supported by a business need and approved at multiple levels within the organisation. However, over the last few years the cost came down and organisations invested in the BlackBerry Enterprise solution to offer BlackBerry services to their mobile workforce. It was no longer restricted to senior executives.
From a security standpoint, the BlackBerry solution was an easy option. The device was encrypted, and it was considered a robust and secure platform with the ability to enforce global policies. If a BlackBerry device was lost or stolen, a remote wipe command was issued and the user's device was replaced with a new one. Job done, no major security concerns. It became a standard, well-tested and reliable service without any significant concern.
However, Mobile Security has become a hot topic and has been getting increased attention over the last 2 years. The dynamics changed on 27th January 2010 when Mr. Steve Jobs announced the launch of the iPad. There was a sudden demand from senior executives and board members to be able to use the iPad for official purposes. Then it started spreading beyond senior executives. The discussion changed from company-issued iPads and smartphones to Bring Your Own Device (BYOD). Suddenly, everyone started talking about how the use of iPads and smartphones could lead to a much more productive workforce, and BYOD and MDM became hot topics.
The whole landscape is changing now as a number of organisations are providing corporate-issued tablets and smartphones. On the other side, a number of organisations are going one step further and embracing the use of personal tablets and smartphones for official use. Recent surveys have highlighted that in the next 2-3 years, most knowledge workers will have both a PC and a tablet or smartphone at work.
In November 2012, Barclays Bank placed an order for 8,500 iPads. A Barclays spokeswoman went on to say that the iPads would be used in Barclays Bank branches all over the country, to help branch employees interact better with customers.
Why does it matter? What does it mean for Information Security?
The evolution of smartphones and tablets is similar to the PC revolution, when a computer was made accessible on everyone's desk. The PC empowered the ordinary person and opened doors to a completely new world. We are seeing a similar revolution with the introduction of smartphones and tablets. Now we have a similarly powerful machine with amazing computing power; however, this time it is not on our desks but in our pockets. It is enabling us to do things which were unthinkable 10 years ago.
With popularity comes attention: mobile devices are becoming an attractive target for attackers with malicious intentions, and this new technology has opened up new avenues for them to exploit.
Android seems to be leading the race, and it is repeating the history of Windows. The platform's growing dominance in the mobile landscape is similar to what happened with Windows in the desktop and laptop space. Just like Windows, Android's popularity is making it a prime target for cyber-criminals and attackers, albeit at a much faster pace. For attackers, it is all an Effort versus Return conversation.
According to the TrendLabs 2012 Mobile Threat and Security Roundup Report, the top mobile threat type was premium service abuse: malicious apps that charge users by sending text messages to a premium-rate number. It is a lucrative business; one study estimated that such transactions typically cost users US$9.99 a month.
The most important point is that victims of mobile threats don't just lose money, they also lose their privacy. The issue of data leakage continued to grow as more ad networks accessed and gathered personal information via aggressive adware. Aggressive adware on mobile devices is now similar to the notorious spyware, adware and click-fraud malware popular in the early days of the PC malware era. It generates profit by selling user data.
In 2012, 350,000 more malicious and high-risk Android app samples were detected, a significant increase from the 10,000 samples seen in 2011. It took less than three years for malicious and high-risk Android apps to reach this number, while it took Windows malware 14 years to reach the same number. Isn't that interesting?
It's not the case that Android is bad and other platforms are better. It's very simple: today Android is the most popular and dominant platform, just like Windows in the old days. It also offers an open architecture, so for attackers it's an easy choice. Attackers will go where users go, and in this case that continues to be mobile platforms.
The rapid rise of Android malware in 2012 highlights the fact that Mobile Security is going to be a difficult problem to solve. Earlier we only had one platform, Windows, for desktops, and we have not yet managed to get our arms around it. Now we are talking about heterogeneous, unmanaged devices that are entering and exiting corporate networks and processing corporate data. This provides a lucrative opportunity for attackers to attack an organisation via mobile devices.
Considering what lies ahead and where the emerging threat landscape is pointing, I believe that every organisation needs to have a well-defined Mobile Security Strategy that covers the following key points, including but not limited to:
- Security Architecture
- Platform Support
- User Experience
- Legal and Privacy Implications
- User Agreement, i.e. corporate versus personal data
- Policies & Standards
- User Education
- Mobile Device Management (MDM)
- Forensics Investigation
- Customer Support
Attackers will go where users go, and in this case that continues to be mobile platforms. That's why every organisation needs to reassess its Mobile Security Strategy. I believe that it will remain a hot topic for many years to come.
Recently, I gave a talk on a similar topic, "New Mobile Threats: a reality check", at The European Information Security Summit 2013 in London. You can access the presentation for my talk on my SlideShare site.