Mobile Security: Is Anyone Listening?

Jan. 27, 2009
Seven things you can do right now to decrease your organization’s risk

Mobile computing has become a cornerstone of business productivity. All of the conveniences and benefits associated with mobile computing are obvious to practically everyone. Envision a world without wireless Internet, smart phones and remote access. It is hard to imagine how we could get by without it. Now that’s the rose-colored glasses perspective — but there is a dark side to mobile computing that very few in business want to talk about or address. It is the flip side to all of those conveniences and benefits: the threats lurking, awaiting their turn to exploit the weaknesses inherent in every mobile device.

The Mobile Monster
From the so-easy-a-monkey-can-do-it functionality of iPhones to extravagant laptop “comforts,” there is seemingly nothing we cannot do with our mobile systems. Functionality is advancing faster than IT operations can deploy the technologies that are supposed to take the pain out of our day-to-day work. Therein lies a big part of the problem — your users have business tools that all too many IT shops have not had the time to learn the basics of, much less secure.

The underlying issue with mobile computing is that more effort is going into enabling it than securing it — it is that simple. The security of laptops and smart phones is just not being treated with the same importance and it is creating business risks that many security professionals have never known before.

Mobile security is the elephant in the room. Is it because IT and security staff are too busy? What about users? Given their “Don’t touch it, it’s mine” approach, are they responsible? Is mobile security completely off their radar? I think it is a combination of these issues and a whole lot more. Mobile computing has become one of the most difficult areas of security to manage given the complexity of today’s information systems. Many people have enough trouble securing their immobile systems. Throw hundreds if not thousands of more devices into the mix, and what’s an IT or security professional to do?

In any given organization, there are literally thousands of “islands” of sensitive and valuable information. And we thought the Internet opened up a lot of avenues of attack! The truth is that electronic information has sprouted legs, and we absolutely have to find some reasonable ways to keep it protected. There are compliance pressures from all angles and mobile security is not exempt. This is nothing really new, but a new mindset is required. Past approaches to security (and arguably some current ones) just will not work all that well in the mobile world.

Our Own Worst Enemy
Getting to the heart of the matter, I strongly believe that we humans are at the root of the problem. If anything, people (management, admins, users and so on) are at least inhibitors to decent mobile security. People have asked me what I think is the one greatest threat to mobile security and my answer is always “ignorance.” Based on what I see in my work, the perception of risks on the mobile side of things is just not there. It is a silly (mis)perception because all you have to do is look at the data breach studies. Incident after incident involves mobile devices. And these are only the breaches that people know about. What is going undiscovered and ignored?

This starts with management — and users to an extent — not valuing business assets. It is people essentially ignoring what is at stake and what can (and will) happen. Even with all of the awareness of security issues today, I see minimal leadership coming from the top. That puts the folks in IT in a precarious position. They are often made out to be the bad guys — the amateurs — not properly securing some of the organization’s most precious assets. The thing that’s unobvious to most is that their hands are tied. What is needed to thwart these mobile security threats and vulnerabilities is a culture of privacy and security, but it is just not there.

Many IT and business managers I meet with readily admit that they have not thought about what there is to lose as it relates to mobile computing. End-users are typically of the same mindset. Here are some other weaknesses I see:

• Management being too trusting of employees and outside contractors and visitors;
• Employees being given mobile computing privileges but no one really knows how they are using them;
• Employees being given responsibilities and/or complete rein to manage their own mobile security;
• Mobile security platforms falling outside the scope of security assessments and audits; and
• Mobile policies put in place for show more than anything without any real enforcement.

In many situations, I see pushback on the part of management and users because of the many inconveniences and barriers to getting work done that often result from “improved security.” They are right in many ways. Poorly-implemented security controls — especially on intimate mobile devices — are a recipe for backlash that can lead to even bigger security vulnerabilities in the end.

Vendors to the Rescue?
In the spirit of the government handholding pervasive in our society, can we turn to mobile computing vendors to keep us safe and secure long-term? Well, there have been some really positive changes in mobile security hardware and software as of late. The neat thing is that we are seeing such innovation and forward thinking all without a taxpayer-funded bailout! For example, a laptop I bought recently has built-in support for whole disk encryption, a fingerprint scanner, removable storage controls and other endpoint security options that were simply out of sight and out of mind just a couple of years ago. Intel’s new Centrino 2 with vPro chipset used in business-class laptop systems sports remote diagnostic and management capabilities as well. Such features can tie into an organization’s overall network access controls, helping bring information security full circle — mobile systems and all.

The vendors are certainly making strides and leading enterprises in the right direction with mobile security, but you have to be willing to actually embrace these technologies. This means being willing to use such technical controls as enforcement mechanisms for your policies. Otherwise, you have spent money on security controls you really did not need, and you have spent time creating rules you are not going to be able to enforce.

Action Exercises
It may seem like we are heading down the same old beaten path when I talk about these mobile security threats and vulnerabilities. It actually is similar in a way, but there is something big that sets mobile computing apart. We now have to look at things multi-dimensionally from every possible angle rather than the standard one-dimensional flat network approach to security we have been using. Mobile business is leading us to more information systems complexities. This complexity turns into greater security concerns. So do new technologies — they almost always introduce something new for the bad guys to take advantage of. Finally, with increased regulations coming at us, there are now greater consequences for not doing what’s right to keep the mobile enterprise locked down.

As with wireless networks, the good news is that you do not have to spend a lot of money to make this happen. Many tools and controls are free. They are built right into the mobile devices you own. Enterprise-based solutions that are centrally-managed can provide the visibility and control you need to stay secure. They are not that expensive, all things considered. But before you go out and write a new policy or buy a new technology, you have to have goals and a plan. Here are seven things you can do right now to ensure you approach mobile security in the right way.

1. Define your needs — what’s at stake, why mobile security is important to your particular business, and what it is going to take to make it happen.
2. Find out where your weak spots are — perform an in-depth security assessment (i.e. not a checklist audit) to see which mobile computing vulnerabilities can be exploited both inside and outside your organization.
3. Establish practical policies — the policies to reasonably reduce business risks will be obvious after you find out where you are weak.
4. Enable built-in controls — use what you have already paid for, in the form of whole disk encryption, malware protection, USB controls and so on.
5. Implement centrally-managed tools — if you do not have the right controls to reasonably mitigate the vulnerabilities uncovered in step 2, look outward to third-party solutions. You can also gain the benefits of enhanced change control, more robust reporting and more.
6. Educate your users on what to do and not do — keeping mobile security on the top of the minds of your users (that is everyone — management included) is a critical component of effective mobile security.
7. Periodically and consistently validate — make sure that policies are being enforced and security controls are working as they were intended.

Using a goal-oriented and level-headed approach such as this will ensure you not only get your priorities straight, but will also ensure you do just what it takes to secure your mobile systems and spend your money and efforts wisely at the same time. Once you get your hands around these mobile security essentials, you can then tweak things as your business needs change. Whatever you do to secure your mobile systems, just do something — because these mobile security issues are not going away.
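As an added illustration of steps 4 and 7 (enable the built-in controls, then validate that they are actually working), the script below is not from the article; it assumes a Windows laptop where policy mandates BitLocker whole disk encryption, Microsoft Defender real-time protection and a Group Policy restriction on removable storage, and it reports which of those controls is missing on the machine it runs on.

```powershell
# Added example: local validation of the built-in controls named in step 4.
# Assumes BitLocker, Microsoft Defender and the Group Policy removable-storage
# settings are the controls your policy requires. Run in an elevated PowerShell.
$findings = @()

# 1. Whole disk encryption: the system drive should be fully encrypted with
#    protection on (an encrypted drive with protectors suspended still fails).
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($os.VolumeStatus -ne 'FullyEncrypted' -or $os.ProtectionStatus -ne 'On') {
    $findings += "BitLocker: $($os.MountPoint) is $($os.VolumeStatus), protection $($os.ProtectionStatus)"
}

# 2. Malware protection: real-time scanning on and signatures no older than a week.
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) {
    $findings += 'Defender: real-time protection is disabled'
}
if ($mp.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-7)) {
    $findings += "Defender: signatures last updated $($mp.AntivirusSignatureLastUpdated)"
}

# 3. USB/removable storage: policy should deny all access or at least writes.
#    The GUID is the Windows device setup class for removable disks.
$rsd = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$denyAll = (Get-ItemProperty -Path $rsd -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
$denyWrite = (Get-ItemProperty -Path "$rsd\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}" `
    -Name Deny_Write -ErrorAction SilentlyContinue).Deny_Write
if ($denyAll -ne 1 -and $denyWrite -ne 1) {
    $findings += 'Removable storage: no deny-all or deny-write policy is set'
}

# Report: an empty list means this device meets the checked baseline.
if ($findings.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: all checked controls in place"
} else {
    $findings | ForEach-Object { Write-Output "$env:COMPUTERNAME: $_" }
}
```

Run it from your management tooling on a schedule and collect the output centrally; a device that keeps appearing in the findings is exactly the policy-without-enforcement gap the article warns about.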

Kevin Beaver is an independent information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC, where he specializes in performing independent information security assessments. He has authored/co-authored seven books on information security including “Hacking for Dummies,” “Hacking Wireless Networks for Dummies,” and “Securing the Mobile Enterprise and Laptop Encryption for Dummies” (Wiley). He is also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. He can be reached at [email protected].