It’s hard enough securing a high-powered internet-connected workstation from all the threats it may face. But what about mobile devices, which are typically less powerful yet just as connected? Indeed, what about mobile devices that do not even belong to the organisation, but individual staff, under bring your own device (BYOD) policies?
“One of the challenges of mobile security is that the device landscape is changing so quickly and the range of devices is constantly changing,” says Jason Brown, enterprise solutions architect at McAfee.
The range of potential threats is far reaching. First, there is the huge range of apps that can be downloaded. While PCs in the enterprise were (eventually) locked down to prevent users from loading any applications they wanted, mobile devices have yet to be subject to the same treatment.
As a result, mobile has become the primary target of malware writers. In 2010 McAfee picked up just a handful of samples of mobile malware. But by the beginning of 2013, it had counted more than 35,000 samples – 95 per cent of which had appeared during 2012, overwhelmingly targeting Android. That would not matter so much if mobile devices had not become the lynchpin of personally and professionally valuable data – devices used to access corporate systems, to transfer files between PCs, and as communications hubs containing valuable contact details.
Perhaps most ominous of all though, warns Brown, is that even some apps that have been approved by Apple, Google, or any other platform controller may contain questionable features.
“McAfee conducted a test across the app world. We were not looking at the way it was created or what it does, we were looking at what it was ‘talking’ to. Of the 100,000 apps that we were looking at in this test, about four per cent were connecting to untrusted locations,” says Brown.
Even popular apps can exhibit worrying traits. For example, Angry Birds sends such data back to its maker Rovio as the last number dialled on the device. For an organisation, this is an unforgivable security flaw.
Other apps demand far-ranging permissions before users can run them. “The problem is that it’s not the permissions individually that causes the problem, it’s the combination of permissions,” says Brown. “It’s ‘what can it do if it combines those permissions?’”
There’s a number of different ways of delivering security to mobile devices, Brown continues. However, endpoint security cannot be deployed on Apple’s iOS operating system – the company does not allow it in its app store.
While the company’s tight control of its own platform and the apps that can be run on it keeps it relatively secure, if sufficiently serious flaws are found – some 200 vulnerabilities were found in iOS 6 – it can become a wide open target. That is why iOS exploits carry such a high price tag on the black market.
Android, though, remains the most vulnerable mobile platform, crackable as easily as the user simply clicking on a URL they may have received in an email. Or, malware can find its way onto devices via “trojanised apps”, which look and work like legitimate apps, but which have been adapted to contain malicious features.
While security software is available for Android devices, it can slow them down and the risk is that users will remove it rather than persevere with it.
Enterprise-wide, if an organisation wants to secure its mobile devices, it does not need new infrastructure. “A mobile device is just another endpoint device. You shouldn’t need to do anything special just because it’s a mobile device,” says Brown.
“Our strategy focuses on three areas: the device itself, protecting the data that is held on the device and, finally, protecting the device from the apps,” he continues.
A large part of this is enforced via the corporate security policy. Protecting the device means enforcing policies in the configurations that the device supports: if it supports encryption, that should be switched on; and, if it has a passcode facility, that should be switched on too. URL filtering should also be mandatory.
Where things get trickier is in such abilities as remote lock and wipe, especially if the devices don’t belong to the company. Brown recommends “containerising” corporate data on the device so that it can be treated differently from personal data and apps. “If you do need to wipe a device, it’s not going to wipe everything off,” he says.
The value of such a policy will become clear when someone leaves an organisation, potentially taking corporate data on their devices with them. The security software should also be able to analyse and report on devices that are not compliant with the organisation’s security policies.