4 MDM, Mobile Device Dangers That Are More Of A Threat Than Malware
Malware is always an issue for a device, particularly a fast new mobile device, or in an MDM situation. The pathways are open to intrusion one way or another, but the threats may be coming from unexpected places…
Malicious apps particularly for the android platform have made their way into the play store, as well as a few new apps into the strictly controlled apple market.
While malware is a significant concern, the main issue is usually put aside in the headlines; User error, lost devices, and insecure communication play the biggest role in device security, according to experts.
mobile users — especially those in North America — should worry more about other threats. While smartphones and tablets could be platforms for a whole new generation of malicious functionality, the ecosystems surrounding the most popular devices work well to limit their exposure to malware. The number of malware variants targeting the Android platform is certainly expanding — surpassing 275,000 as of the first quarter of 2013, according to security firm Juniper Networks — but few of the malicious programs have snuck into the mainstream application marketplaces.
Instead, the top threats to organizations grab fewer headlines. While security experts continue to put malware as a significant threat, lost and stolen devices, insecure communications, and insecure application development affect many more users. Juniper, for example, puts insecure communications at the top of its list, says Troy Vennon, director of the mobile threat center at Juniper Networks.
“We see a lot of organizations that have gone to the BYOD model, and they are encouraging their users to connect back into the enterprise for access to data and resources,” he says. “They are trying to figure out how they are going to secure that communication and secure that transfer of data.”
Enterprises also have to be aware of what their users are installing on their phones and how they may be using the devices for handling sensitive corporate data, says Con Mallon, a senior director of Symantec’s mobility business.
“You can only secure what you know about, so knowing what you have walking around your enterprise is important,” he says, adding that the defenses should extend to applications and how those applications deal with data. “I should not be able to take the company data and put it in my own personal Dropbox folder.”
Based on data and interviews with experts, here are the top four threats:
1. Lost and stolen phones
In March 2012, mobile-device management firm Lookout analyzed its data for U.S. consumers who activated the company’s phone-finding service, estimating that the nation’s mobile users lose a phone once every 3.5 seconds. In another study released around the same time, Symantec researchers left 50 phones behind in different cities and found that 83 percent of the devices (PDF) had corporate applications accessed by the person finding the phone.
“Mobile phones and tablets are being lost or stolen on an increasing basis,” says Giri Sreenivas, vice president and general manager for mobile at vulnerability management firm Rapid7. “The challenge is that there is relatively easy techniques for evading some of the on-device security controls, such as bypassing a lock screen password.”
While Apple’s TouchID, announced this week, may help consumers and employees better secure their devices against theft, the majority of users still do not even use a passcode to lock their devices against misuse. Companies should train users to lock their smartphones and tablets and use a mobile-device management system to erase the device if necessary, Juniper’s Vennon says.
In the company’s latest mobile-security report, Juniper found that 13 percent of users used its MDM solution to locate a phone and 9 percent locked a device. Only 1.5 percent of users — or about one in every eight that lost a device — wiped the smartphone, indicating that the device was likely not found, Vennon says.
“Every company should be able to locate, lock, and wipe,” he says. “It’s hugely necessary.”
2. Insecure communications
While there is a lot less data on how often mobile users connect to open networks, companies consider insecure connections to wireless network a top threat, Rapid7′s Sreenivas says. The problem is that wireless devices are often set to connect to an open network that matches one to which it had previous connected.
“A lot of people will look for a WiFi hotspot, and they won’t look to see if it is secure or insecure,” he says. “And once they are on an open network, it is quite easy to execute a man-in-the-middle attack.”
The solution is to force the user to route traffic through a mobile virtual private network before connecting to any network, he says.
3. Leaving the walled garden
Users who jailbreak their smartphones or use a third-party app store that does not have a strong policy of checking applications for malicious behavior put themselves at greater risk of compromise. For example, while only about 3 percent of users in North America have some sort of suspicious or malicious software on their smartphones, the incident of such badware is much higher in China, with more than 170 app stores, and Russia, with more than 130 stores, according to Juniper’s Third Annual Mobile Threats Report.
A well-secured app store, which vets each submitted application, is part of the overall ecosystem that secures a mobile device. Users who buy from a marketplace with little security put their phones at risk, Juniper’s Vennon says.
“There is no question that if you, as a user, are making the decision to download an app from an unknown source in a third-party app store, you are opening yourself up for the potential of malware,” he says.
4. Vulnerable development frameworks
Even legitimate applications can be a threat to the user if the developer does not take security into account when developing the application. Vulnerabilities in popular applications and flaws in frequently used programming frameworks can leave a device open to attack, Rapid7′s Sreenivas says.
The Webkit HTML rendering library, for example, is a key component of the browser in most smartphones. However, security researchers often find vulnerabilities in the software, he says. Companies should make sure that employees devices are updated — currently the best defense against vulnerabilities.
“Understand the corresponding vulnerability risk and make sure that the devices are patched,” Sreenivas says. “It is very interesting that proximity attacks, and techniques for jailbreaks, and other attacks can all be mitigated by bringing the mobile platform for your device up to date.”
Malicious And Suspicious Software
Malware, adware, and other questionable software are a threat, but mainly in China, Russia, and other countries. Yet, while North American users have less to worry about malware, suspicious software — including privacy-invasive apps — is quite rampant. Juniper, for example, has blocked infections of malicious and unwanted software on 3.1 percent of its customers’ devices.
Moreover, security researchers continue to analyze mobile devices for vulnerabilities, and cybercriminals are getting better at monetizing mobile-device compromises — two prerequisites for the malware to take off on mobile devices, Symantec’s Mallon says.
“We can see malware and monetization happening; toolkits are out there — all of these things parallel the development of malware in the Windows world,” he said.
2.
DSD certification confirms sandboxing is Good for mobile security & MDM
A new Good For Enterprise (GFE) platform is being released by the mobile vendor Good Technology this coming week, in the MDM world. A virtual sandbox of containers holds secure information to be accessed when need be by the device, all within a secure network. This is becoming a great option for BYOD Enterprise’s.
The certification of a mobile-security sandboxing platform from Good Technology to EAL4+ standards will pave the way for the use of application-isolation techniques to secure mobile and bring your own device (BYOD) rollouts across Australian businesses and government organisations.
GFE, which is now listed on the Defence Signals Directorate’s Evaluated Products List (EPL), runs on both iOS and Android and includes mobile client, MDM and a secure messaging exchange server through the Good Mobile Control, Good Mobile Messaging, and Good Mobile Access elements.
“The EAL4+ certification for Good for Enterprise confirms the security integrity of the solution and gives us the confidence to roll out deployment across our government department,” said Al Blake, chief information officer of the Department of Sustainability, Environment, Water, Population and Communities, in a statement.
“We have already seen vast productivity and efficiency improvements with the use of Good for Enterprise as it allows end-users to bring their preferred device, minimises the ICT support overhead and still maintains the strong security boundary we require around government information. The deployment has been an overwhelming success and has significantly increased staff connectivity and workplace flexibility.”
GFE is built on AES-192 bit encryption and securely tunnels data during every hop. The certification report for the platform notes that its design counters security threats including eavesdropping, theft of data, tampering, spoofing of mobile identity, and root or other unauthorised access to mobile devices.
3.
SAP announces support for key iOS 7 features
With iOS 7 on the rise, a new string of open BYOD/MDM security options will have to be set in place, SAP is on that, with a whole new set of iOS 7 support features.
SAP recently announced that the comprehensive suite of mobile solutions from SAP will now support key iOS 7 features. The company has validated iOS 7 for apps running on SAP Mobile Platform both on premise and in the cloud, and will further enhance support with upcoming releases of the Software Development Kit (SDK) for SAP Mobile Platform.
New features publically noted in iOS 7 further consolidate the role of mobile device management in protecting enterprises against costly downtime or IP theft. These include the simplified enrollment process, per app VPN for secure communications, Open In attachment management to control sensitive documents and email, Single Sign On for enterprise applications and VPP enhancements to improve licensing of enterprise applications. SAP will support new security and management features to offer scalable support for iOS 7 with the SAP Mobile Secure portfolio, including the SAP Afaria mobile device management solution and the SAP Mobile App Protection solution by Mocana both on premise and in the cloud.
“SAP Global IT supports more than 50,000 iOS devices used by employees worldwide. And the enhancements in iOS 7 will allow us to better serve our employees, who rely on more than 60 iOS mobile apps to succeed in their day-to-day jobs on both BYOD and corporate devices,” said Mike Golz, CIO, SAP Americas.
4.
Study: Most Orgs Not Using Mobile Device Management
While MDM is becoming more commonplace and openly understood, it has not taken a place within most organizations, says a new study:
Just 36 percent of IT organizations surveyed had fully deployed or are deploying mobile device management solutions, according to a CDW-commissioned study, announced on Monday.
Meanwhile, the IT professionals surveyed in the study expect that the demands of mobile devices on their networks will continue to grow. They expected that mobile device access would double over the next two years. The study was carried out by O’Keeffe & Co. for CDW, which sells a Total Mobility Management solution. It was split between a survey of 1,200 IT pros conducted in April and a survey of 1,200 mobile device users conducted in January.
“The reason organizations are not moving faster into mobility management solutions is that IT itself is working hard just to keep up with demand for more and more services with limited budgets, and mobility is a complex, multi-faceted challenge,” said Andrea Bradshaw, senior director and general manager for mobility solutions at CDW, in a released statement.
Mobile device users weren’t particularly happy about the bring-your-own-device (BYOD) support they were getting from the IT department in the workplace, with 41 percent giving a grade of “A or B” to the organization’s effectiveness. However, IT pros thought better of their efforts, with 64 percent giving themselves an “A or B” grade for BYOD support effectiveness.
The study found a bit of a communication gap. Only 51 percent of IT pros talk with employees about how they use their mobile devices to access the network.
IT pros are mostly using just simple measures to provide security for BYOD networks. Most (76 percent) provide guidelines to employees on accessing the network, while 69 percent require a password. A lock screen is enforced by 42 percent.
Just 24 percent of IT pros provide location tracking to secure mobile devices. Only 22 percent of IT pros put restrictions on the applications that can be installed by employees.
Mobile device users seem to be mostly comfortable or neutral about IT pro management of their personal devices. However, half (50 percent) indicated that they were “uncomfortable” with IT pros being involved in application management. It’s not clear why.
The top challenges for IT pros in addressing BYOD access include “securing data on personal devices (55%), securing network access (54%) and network performance (39%),” according to the study. IT pros expect to see network impacts from BYOD, such as increased bandwidth and increased server requirements, among others.
The post Mobile Device Management (MDM), Sept. 17th. appeared first on The Mobility Department: The Enterprise Mobility Epicenter.
