Editor’s Note: Welcome to our weekly Reality Check column. We’ve gathered a group of visionaries and veterans in the mobile industry to give their insights into the marketplace.
The “bring-your-own-device” gold rush is alive and well as we start the new year. Once reticent CIOs and CISOs are now embracing the BYOD imperative. According to Forrester, 94% of companies are allowing a BYOD policy or are issuing corporate mobile devices. And for good reason. BYOD allows mobile employees to feel more comfortable with the technology they are using, increasing their productivity. It also makes it easier for employees to work outside the office, making workers available at all hours.
Despite the advantages, the mobile security situation this presents can be summed up in one word: Yikes! Mobile devices, whether employee owned or company issued, are the new security wild west. They are hard-to-manage, open devices that mix business with pleasure. The bottom line is that employers have no control over the security of the networks these devices connect to, the apps they install or what they do with data.
Even with a mobile device management system to enforce policies on Android and iOS devices, the devices are still vulnerable to network and malware attacks. Here are nine critical threats facing mobile workers, and their employers.
The nine critical threats
1. Mobile malware, crimeware and zero-day attacks on the rise. In October 2012, Gartner warned that employee-owned devices would get infected with malware at more than double the rate of corporate-controlled computers. Research shows that mobile malware on Android devices rose 580% between September 2011 and September 2012.
2. Keyloggers, already the kings of compromise, are going mobile. Keystroke loggers track all input from the keyboard including usernames and passwords, making it easy for hackers to steal login information and gain access to corporate data. Keystroke logging is the most common way for criminals to compromise VPN and cloud services.
3. Compromised Wi-Fi hotspots lead to stolen credentials and information. Employees connect to whatever local Wi-Fi network is available, anywhere on the planet. These public Wi-Fi hotspots can be hacked or monitored without users’ knowledge. Hackers can use evil-twin hotspots with spoofed websites, man-in-the-middle and Firesheep attacks to steal logins and passwords, or monitor everything that is accessed through a public Wi-Fi hotspot, all without you knowing.
4. Mobile browsers vulnerable to DNS poisoning. With DNS poisoning, hackers change the address a domain name resolves to, so that you think you are accessing the real site when in fact you are visiting a hacker’s duplicate of it and handing over your login information. Then they redirect you to the site you wanted, leaving you clueless about the hack.
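Poisoning only works if the client accepts the forged answer, so the first line of defense is a resolver or client that checks every reply against the question it actually sent. The following is an added example, not code from the column or from any product it mentions: it builds a DNS query and two replies by hand (one genuine, one forged with the wrong transaction ID and an extra record for an unrelated name), then applies the checks a resolver should always make (transaction ID, QR flag, a byte-exact echo of the question, and answers that belong to the name that was asked for). The domain names and addresses are constructed placeholders, and CNAME chains and additional-section bailiwick rules are left out for brevity.

```python
"""Added example, not from the column: validating a DNS reply before acting on it.

A forged reply (cache poisoning) succeeds only if the client accepts it. The
checks below are the ones a resolver should always apply: transaction ID,
QR flag, an exact echo of the question, and answers that belong to the name
that was asked for. All packets are constructed inline; no network is used.
"""
from __future__ import annotations

import struct


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels (no compression)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a name starting at off; handles compression pointers (RFC 1035 4.1.4)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # 2-byte pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 8:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Standard recursive query with one question (qtype 1 = A record)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(txid: int, qname: str, qtype: int, answers) -> bytes:
    """answers: list of (owner_name, rtype, ipv4 string); only A records are built."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)  # QR=1, RD, RA
    msg = header + encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype, ip in answers:
        rdata = bytes(int(octet) for octet in ip.split("."))
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg


def parse_message(msg: bytes):
    """Return (txid, flags, [(qname, qtype)], [(owner, rtype, rdata)])."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _ = struct.unpack("!HH", msg[off:off + 4]); off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        answers.append((name, rtype, msg[off:off + rdlen])); off += rdlen
    return txid, flags, questions, answers


def validate_response(query: bytes, response: bytes) -> list[str]:
    """Return the reasons to reject the response; an empty list means accept."""
    qid, _, qquestions, _ = parse_message(query)
    rid, rflags, rquestions, ranswers = parse_message(response)
    problems = []
    if rid != qid:
        problems.append("transaction id does not match the query")
    if not rflags & 0x8000:
        problems.append("QR bit not set: this is not a response")
    # Byte-exact question echo. Comparing case exactly is what turns 0x20
    # case randomisation of the query name into an extra anti-spoofing check.
    if rquestions != qquestions:
        problems.append("question section does not echo the query")
    qname = qquestions[0][0].lower()
    for owner, rtype, rdata in ranswers:
        if owner.lower() != qname:       # simplified bailiwick check (no CNAME chasing)
            problems.append(f"answer for {owner} is out of scope for {qname}")
        if rtype == 1 and len(rdata) != 4:
            problems.append("malformed A record")
    return problems


# Constructed demo data (placeholder names and documentation-range addresses).
QUERY = build_query(0x1234, "example.com")
GOOD = build_response(0x1234, "example.com", 1, [("example.com", 1, "192.0.2.10")])
FORGED = build_response(0x9999, "example.com", 1,
                        [("example.com", 1, "198.51.100.66"),
                         ("login.corp.example", 1, "198.51.100.66")])

if __name__ == "__main__":
    print("genuine:", validate_response(QUERY, GOOD) or "accepted")
    print("forged :", validate_response(QUERY, FORGED))
```

On a real device these checks live in the stub resolver or the operating system, which is one reason an unpatched OS (threat 7) matters for threat 4: the fix for a resolver that skips one of them ships with the OS update.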
5. Malicious mobile apps booming. This is particularly dangerous for Android users, because its open source platform and app stores allow almost anyone to post applications, including malicious ones. Most malicious apps imitate popular applications, such as Angry Birds, but with a piece of crimeware installed as part of the application. Recent data shows that 175 million downloads of “high risk” apps were found in Google Play’s Top 500. Such apps let criminals monitor incoming and outgoing messages and data usage, or even send messages to paid services to make money.
6. Jailbroken and rooted devices open mobile hacker floodgates. What if one of your employees lets their child use their device, and it gets jailbroken or rooted? That opens the device up to a world of security vulnerabilities, from malicious apps to keyloggers, data-stealing trojans and even botnets hosted on the device.
7. Unpatched operating systems lead to higher malware rates. Older versions of operating systems have unpatched security vulnerabilities that are widely exploited by hacking kits. Over time, software companies stop making patches for older versions of their software, and if an employee hasn’t updated their operating system and is using it to access corporate documents, those documents are at risk. This will be compounded by the high rate of change in mobile OS platforms.
8. Mobile adds new dimension for spear-phishing. One of the most insidious threats today is spear-phishing of employees in order to steal passwords, or to infect their devices with crimeware that allows attackers to get into the corporate network. Spear-phishing attacks are targeted attacks meant for one person or department and are often designed to look like they come from within the company or someone close to it. Often the attack tries to get the recipient to click a link or download an attachment that contains a virus. Mobile devices provide rich new ground for hackers to use malware, social media, SMS or e-mail as part of a multi-pronged spear-phishing attack.
9. Advanced persistent threats targeting mobile devices. APTs are the most dangerous threat that we face today. Cybercriminals, hostile governments and hacktivists are eager to gain access to corporate networks. Compromising employee devices is the most effective way for these organizations to gain access efficiently without being caught.
A new paradigm for mobile and IT security
Organizations need to take mobile and IT security beyond the heavy reliance put on signature-based defenses. Each virus or piece of malware has its own “signature” that antivirus programs then use to detect and keep out threats. The problem is that this approach only works with known attack vectors; every time a new threat is found, the antivirus software needs to be updated before it can catch the threat. According to industry research sources recently cited in The New York Times, however, the average life span of a new attack is one hour before it is replaced with a new one, yet it can take weeks before such attacks are effectively blocked. The result: these “zero-day” attacks will go undetected by antivirus, firewalls, intrusion detection systems and other mainstays of IT security infrastructures for a long time.
A new, more effective paradigm to extend security is to start from the premise that a device is already infected with malware, and to protect the user’s information anyway using an integrated multi-layer security platform that includes endpoint, network, authentication and back-end monitoring. Network protection is just as important as endpoint protection, since so many threats occur on the network rather than the endpoint. Examples include phishing websites, man-in-the-middle attacks, malevolent hotspots and DNS poisoning. A good network protection solution should verify Web destinations, strictly control site access, encrypt communications and authenticate devices.
Attackers rely on there being different levels of security and attempt to exploit the weakest link. Only by linking all these components can you effectively prevent all the different types of attacks, including APTs, zero-day attacks, man-in-the-middle and DNS poisoning.
While embracing the BYOD trend, changing your security paradigm is essential. Focus on turning the tables on these nine critical threats, and your organization can reap even greater benefits through lower infrastructure costs, greater productivity and broader use of cloud apps.