Philip Ewing reports on a nightmare scenario for the Department of Defense.
Suppose a worker’s Android phone is infected with malware, and she innocently plugs it into her work computer to charge and sync contacts. You can imagine the government IT workers turning green at the thought of thousands of unknown phones running unknown software being plugged into official computers, even when the workers doing it are being scrupulous about handling secure information.
While this may sound a tad alarmist, it illustrates a very real problem. Many government and private sector workers hate their work computers and smartphones. They want to use their own devices–circumventing the very security processes their bosses paid to put into place. Employees are using personal mobile devices for work-related calls, email, and accessing corporate data, raising the risks to overall security from malware and data breaches.
As McAfee’s Brian Contos argued, era of “technocracy” is over: IT departments would once say “‘this is what we’re going to run, this is how we’re going to run it, these are the applications you’re going to use,” but can no longer expect to dictate these policies across the enterprise. While it is true that– as Cisco points out, users can easily be fooled into installing malware on their smartphones–it is also irrelevant. Users are becoming as accustomed to using smartphones and mobile apps as music fans have become with downloading music off the Internet.
As Ewing notes, Symantec Corporation sees the broader solution to the problem in identity management: giving employees the ability to use a single ID that would link up all of their third-party services, devices, and accounts. This large-scale solution, however, is a year away, and remains to be seen in practice. It does, however, illustrate the growing importance of mobile security as a information assurance market as smartphones–and their compliment of third-party mobile apps continue to proliferate.
Making the problem worse are structural issues with mobile devices themselves that make it more difficult to enhance security. Unlike personal computers, smartphones have mobile network carriers. This brings a whole new dimension of complexity to security to the usual mixture of software vendors, hardware vendors, enterprises, and end users. Cisco’s Seth Hanford points out the problem:
At any point along this chain, stakeholders could decide to hold back on updates for whatever reason, and the chance for risk to the ecosystem increases. … For example, a patch may be necessary to improve enterprise network security, but it may adversely impact the user experience that had been enjoyed up to that point. All of these stakeholders have valid reasons to do or not do the things necessary to improve security or usability for themselves or their partners, but their decisions can have far-reaching ripple effects. This could result in users being unable to update their devices until each upstream party permits fixed software to make its way to an end device.
One example of this is what Hanford calls “trust models” for mobile apps. Android, for example, gives users a wide degree of latitude in choosing mobile apps–even if many users are not able to make informed decisions about the security of the programs they are downloading. Apple, in contrast, uses a vetted system, but may prevent users from downloading useful security updates that Apple has not vetted. It also, as Hanford elaborates, may prevent users from finding alternatives to programs with malware if they also haven’t been vetted by Apple.
The pernicious issue is not only the security of the devices themselves but their ability to be used as stepping stones for access into larger networks. CoreSecurity explains that while open network technologies allow for faster distributed business, a “Pandora’s Box was opened years ago when corporations allowed wireless devices into their secure enclaves.” 4G is a particular culprit, as CoreSecurity argues.
Devices equipped with 4G experience backward compatibility issues since they also have 3G or GSM capabilities. They are vulnerable to vestigal issues inherited from 3G and GSM, and this also holds true when connecting to Wi-Fi networks. CoreSecurity notes instances of fake 2G base stations in Europe being used to attack 3G and 4G processors, and telecommunications companies in Eastern Europe exploiting roaming vulnerabilities by boosting the power of cell towers in border regions to jam signals from neighboring countries. Fake networks can easily claim to be “roaming partners.” Worst yet, as CoreSecurity notes, mobile devices are generally vulnerable to client-side attacks–the iPhone’s use of 3G to connect to Wi-Fi allows an infected device to connect to sensitive networks.
The problem of wifi is bigger than 3G and 4G, Hanford observes:
Connectivity for mobile devices tends to prefer Wifi over cellular for data, under the assumption that Wifi connections will be more responsive and less likely to incur a usage charge. But if users keep Wifi enabled while on the move, they may find themselves connecting to untrustworthy Wifi hotspots (either automatically, unintentionally, or for convenience). Some users might use corporate VPN connections or secure email configurations to tunnel sensitive traffic if they think of it, but without per-application settings exposed to users, they have little control over what each one does with their data.
Of course, while these technical threats are important, my friend Alex Olesker points out frequently that most hackers billed by the media as nearly superhuman menaces simply follow the path of least resistance. They take advantage of bad passwords, poor operational security practices, human frailty, complacent to nonexistent security practices, and the inevitable consequences of forgetfulness and bad luck. A 2008 survey found that in a six-month period 31,000 New Yorkers left their mobile devices in cabs. Basic security procedures are often not followed–if employees are even aware of them to begin with.
A joint McAfee/Carnegie Mellon University survey this year found that two-thirds of employees do not understand or are not aware of their company’s mobile security policy–bad news since the survey also found that 63% of employees use work-related mobile devices for personal business. 40% of the companies surveyed reported loss or theft of mobile devices, half of which contained crucial business data.
Mobile device risk management is thus not only a organizational issue of creating workable and sustainable policy across the organization and a technical one of enterprise management. It’s also a human problem.