Back in the days of Maxwell Smart, the fictitious crime fighter from the 1960s television show “Get Smart,” “Max” had the first ever mobile phone, which was built into the bottom of his shoe. That mobile device allowed him to contact his colleagues back at “Control,” which fought the criminals, “KAOS.” Today, strangely, mobile phones aren’t as secure as Max’s shoe phone. That’s why you must know about the following security controls, which are important to any organization that allows mobile phones to connect to its network.
Smartphones represent an easy means for a hacker to gain access to your corporate network. In Q4 of 2012, a global study by Forrester Research Inc. found that 74 percent of employees use personal smartphones for business tasks. If an employee has a virus on a smartphone that connects to your network, it could become infected. It’s not easy to update smartphone vulnerabilities with patches to prevent infections. When makers of mobile devices and mobile applications release a patch for a vulnerability, they don’t send it to the user directly so he can patch the problem. Typically, it takes at least two or more companies to approve a patch for mobile phones before the patch is made available to the end user. If any single player refuses to approve the change, the security flaw remains.
Killing You Softly
The main ways smartphones become infected with malware are via application (app) repackaging, malicious URLs and SMiShing. In the app repackaging technique, attackers use either legitimate apps or create new ones, and insert malicious code into them. They then either sell them or give them away on third-party app stores. Once the user installs the app, malware is secretly downloaded into the phone. Once the phone connects to your company’s network, “Chaos” may have access to it.
The second popular form of infection is via malicious URLs. Attackers plant malicious links on social media sites or on other legitimate websites that they’ve hacked. When a mobile user clicks on the link, malware can surreptitiously download and install itself.
The third most popular form of infecting mobile phones is via SMiShing. An attacker sends a user a text message (SMS) containing a hyperlink. When the user clicks on the link, malware is downloaded, giving the attackers control of a user’s phone. The malware could allow the attacker to listen in on calls, and see all incoming and outgoing e-mails.
Smartphones are needed to conduct business. Smartphones run up to 10 mobile operating systems today, with security-related products that offer varying capabilities depending on the device and mobile OS used. To protect your network from infected mobile phones, your business should meet with an independent security consultant who will help you decide on proper mobile policies to put in place, on the types of devices that should be allowed to connect to the network and to define the required level of security you should implement in regard to to authentication, encryption, access control and central management.
Company Mobile Applications
Businesses have created mobile applications to accommodate smartphone users, many of whom conduct more business on their smartphones than on their computers. Like computer applications, mobile applications have vulnerabilities and increase security and compliance risks by increasing the attack surface for hackers and by inadvertently creating a risk of unauthorized access and data loss. Companies with mobile apps should be able to answer the following questions:
- How can you safely enable your customers, employees and business partners?
- How can you maintain security, minimize risk and ensure compliance while using mobile applications?
- How does your mobile app access and interact with your network?
- How do you ensure that your customer, employee and partner data is protected?
Mobile applications must be designed with security in mind from the start, with a focus on protecting all sensitive data. Applications should take full advantage of permissions management and should secure isolation functionality provided by the mobile platform. When developers try to implement these features for themselves and work against the platform, mistakes occur. Data transmitted via Wi-Fi, cellular or blue tooth, should be sent via an encrypted channel between the app and backend service. Ensure you can authenticate the users that are talking to your backend platforms because people can attack the backend service directly from the Internet if you are not doing proper authentication and authorization.
An outside security testing provider, who assesses mobile applications and networks daily, should assess your mobile applications for security. The assessor should understand how the application communicates with your customers, employees and business partners, and how it interacts with your backend systems.
A Mobile Application Security Assessment should look at the security and compliance risks of your entire solution from the app on the device to the backend systems that the app connects to, as well as ways data flows between them. It’s not until you connect the application together from end to end that a vulnerability that you can’t see on its own emerges. By using an external security partner to test your mobile apps, you’ll benefit from their experience of seeing similar implementations and weaknesses of mobile apps in other organizations. You’ll also have another expert to challenge the design assumptions that were made by the developers to ensure security.
With an assessment, you should receive actionable guidance to reduce or eliminate risk, and guidance to improve overall mobile application security and compliance. You should also receive ongoing consultant support for 12 months.
For your mobile security to stay ahead of chaos, you’ve got to do one of two things: Get a mobile security assessment, or use a shoe phone.
Dell SecureWorks, a global information services security company, helps organizations of all sizes reduce risk, improve regulatory compliance and lower their IT security costs. For more information on securing your organization, please contact [email protected] and write “Get Mobile Smart” in the subject line.