It's an unstoppable trend: Employees are bringing their own iPhones, iPads, and Android devices to work and using them for business purposes. While that may be great for productivity, the influx of personal smartphones and tablets in the workplace can pose a significant risk to your organization's security if you don't have a strategy for dealing with these new threat vectors.
For most companies, simply banning personal mobile devices is not a realistic option. Today's business realities compel IT departments to accommodate personal mobile devices, despite the risk they introduce – but that risk needs to be managed effectively.
Mobile security risks tend to fall into two broad categories: Device Risks and App Risks.
- Device Risks stem from the fact that mobile devices are a new class of powerful computer with massive local and cloud storage capabilities, over which organizations typically have far less control than traditional desktop PCs or corporate-managed laptops.
- App Risks arise from employees installing third-party mobile apps that interact with corporate data stored on the devices, or with your back-end systems. Risks can also arise from mobile apps that your own company develops for employees or customers, as security vulnerabilities may cause these apps to compromise your network or data.
Step 1: Minimize Device Risks with Mobile Device Management Solutions
For a simple yet vivid example of the device risks introduced by an employee-owned phone, just consider the likely scenario of an employee upgrading from an iPhone 4 to a 4S, says Michael Davis, CEO of IT security consulting firm Savid Technologies:
"There will almost certainly be corporate information on the old phone, and the person who that phone is handed to is not trusted," Davis says. "There is no corporate control over the change whatsoever, and that is certainly not what most organizations are used to dealing with."
Think about it: When employees are given free rein on the corporate network with their mobile devices, there is a significant potential for corporate data loss any time a phone is lost, stolen, or even simply sold or exchanged.
What this means is that the very first step any company should be taking is deciding not whether but the extent to which mobile devices will be permitted.
"You need to classify your data, and decide what mobile devices should be allowed to access," says Michael Smith, a senior manager in Symantec's security business practice. "You can't ignore this kind of attack surface and allow it to go unmanaged."
Bill Hau, VP of worldwide professional services at McAfee, agrees. "Employee-owned smartphone access to the network is probably inevitable, so the question is how do you take a risk-based approach to it? You have to ask yourself what you are going to allow. Just email? What other applications?"
As soon as organizations begin to consider limiting access to some applications and controlling what happens to the data that is stored on mobile devices, the need to bring those devices under some form of corporate control becomes clear. Inevitably, that means investing in a Mobile Device Management (MDM) platform that can control which devices can access specific applications on your network. An MDM solution can also carry out activities such as:
- device provisioning and configuration
- software distribution
- encryption and password management
- remote wipe and lock
In practical terms, that means employees can continue to use their personal or corporate-provided devices for business purposes, provided they agree to allow their device to be managed by the MDM solution.
"An MDM will certainly help you manage risk," says Davis of Savid Technologies. "There is no way to do risk management of mobile devices by hand. There are simply too many different security knobs to turn and different users to deal with in most organizations."
Symantec's Smith concurs: "This is like the problem that laptops posed ten years ago – only ten times worse. The only solution is to configure mobile devices automatically," he says.
Some of the most well-known MDM vendors and products include:
- Good for Enterprise
- McAfee Enterprise Mobility Management
- Mobile Active Defense
- Sybase Afaria
- Symantec Mobile Management
- Trend Micro Mobile Security
Next page: How to reduce security risks introduced by app downloads.
(Continued from Page 1)
Step 2: Reduce App Download Risks through Policy and Training
When it comes to risks introduced by downloaded apps, it's important to understand the potential for damage.
"I think the challenge of mobile apps is that it really is the Wild West out there," says Rudolph Araujo, director of professional services at McAfee. "They are hard to control, and lots of apps are malicious."
Part of the problem is that mobile operating systems don't consistently enforce controls on what apps can and cannot do. In February, the Path social app for iOS was found to upload the user's address book to Path servers without asking permission – a practice that was subsequently found to be a common practice among many legitimate apps. Then, in March, it was revealed that granting an iOS app access to location data also inadvertently gives the app access to upload the user's photo library, should the app developer choose to exploit that privelige.
The Android OS suffers from a similar photo vulnerability, but goes one step further: Any app that has rights to access the Internet (i.e. nearly every Android app ever made) can upload the user's photos to a remote server without detection, if the app has been coded to take advantage of that vulnerability.
Apple's app vetting system is supposed to provide a measure of protection, but at best it can only reduce the risk of malicious apps appearing on the iOS platform. And although Android apps do present users with a list of the permissions they want to be granted by the user, Araujo points out that most users will grant all kinds of permissions to almost any app they download, just so that they can get on and run it.
One way around this problem, Araujo suggests, is to impose app download restrictions on mobile devices in the workplace. If a device is used for business, company policy should only allow app downloads from a corporate app store, and not from public app stores such as the iTunes store or the Android Market (which was recently renamed Google Play).
Davis of Savid Technologies concurs that this is a sensible approach to adopt. "If an employee can add any app they like to a device they use for business purposes then they can certainly cause severe security problems," Davis says. "Restricting the apps an employee can install to those offered by a corporate app store is therefore a very good idea." He says that employees are more likely to accept a restriction like that when the security rationale is explained in detail – and especially if the alternative is not being allowed to use their mobile device at work at all.
McAfee's Hau also stresses the need for user education when it comes to mobile apps. "You need to make sure that users understand the potential dangers of randomly downloading apps onto their mobile devices," Hau says.
Davis also recommends creating a Mobility User Council with representatives from executives, the rank and file, and IT security. "It is vital to integrate the users into the security process, and mobile security has to move away from a yearly meeting into everyday parts of people's lives," he says.
Next page: How to scan for app vulnerabilities and conduct a company-wide mobile security audit.
(Continued from Page 2)
Step 3: Developing Your Own Apps? Scan the Code for Security Vulnerabilities
Many organizations are now developing and launching their own mobile apps as a new channel for acquiring, communicating with, and doing business with customers. These apps often provide an authenticated mechanism for accessing priveliged resources such as company databases. The risk here is that developers can inadvertently introduce security vulnerabilities when developing custom mobile apps for organizations – often because they are new to the platform, inexperienced with security issues, or unaware of the possible risks.
Even experienced mobile developers can make these kinds of mistakes. Just last week, it was discovered that Facebook's iOS and Android apps are neglecting to encrypt their users' login credentials, leaving usernames and passwords easily accessible on the device for hackers to harvest.
According to the Open Web Application Security Project (OWASP), the ten most common mobile security development risks and mistakes are:
- insecure data storage
- weak server-side controls
- insufficient transport layer protection
- client-side injection
- poor authorization and authentication
- improper session handling
- security decisions via untrusted inputs
- side channel data leakage
- broken cryptography
- sensitive information disclosure
Zach Lanier, principal consultant at Intrepidus Group and one of the researchers who worked on the OWASP study, says that almost every app that he reviews has something to be concerned about from a security perspective, and half have serious security problems.
"We see plenty of Fortune 100 companies with internal developers that make serious mistakes," Lanier says. "The problem is often that you have web developers making mobile apps, and they have a lack of training [on mobile platforms]."
Lanier says that all of the top 10 risks listed above are common. "For example, we often see things like broken crypto in an app. Developers often try to roll their own crypto, or they make a mistake like hard coding the key into the app so that it can be used offline."
To minimize these risks, companies that develop their own apps should engage a mobile security consultancy that was not involved in the development process – an "external pair of eyeballs," as Lanier puts it – to check for security vulnerabilities.
Mobile app security audits are offered by many security consulting firms, including:
- Aspect Security: Mobile Application Security Services
- Dell SecureWorks: Mobile Application Security Assessment
- Intrepidus Group: Assessment Services
- Nvisium Security: Mobile Application Security
- Security Compass Mobile Application Security Assessment
- Symantec: Mobile Security Assessment Suite
- Veracode: Mobile Application Security
Step 4: Conduct a Company-Wide Mobile Security Audit
No comprehensive mobile security strategy is complete without an audit that examines your mobile infrastructure, devices, and apps to identify current weaknesses and help guide your organization's next steps.
A typical security audit methodology might include:
- Evaluating your organization's overall mobile infrastructure;
- Conducting penetration tests on your mobile clients and the servers that control them;
- Assessing the security of your mobile devices and apps to determine their susceptibility to data breaches;
- Evaluating the gap between your current policies and procedures and known best practices.
Mobile security assessment services are offered by many security vendors, including:
- McAfee Foundstone: Mobile Security Assessment
- Neohapsis: Mobile Security Center
- NetSPI: Security Services for Mobile Computing
- Savid Technologies: Mobile Device Security
- Security Brigade: Mobile Security Assessment Service
- Symantec: Mobile Security Assessment Suite
- Verizon: Mobility Professional Services
Paul Rubens is an award-winning technology journalist who has been covering IT security for over 20 years. He has written for leading international publications including The Economist, The Times, The Financial Times, The Guardian, the BBC, and Computing.