mobile devices and hidden threats

For my first blog post around mobility for business, I thought that the basic security experience would be a good point to start with.

In this “hyper techno-world”, mobility is being promoted in a broad sense: how useful it can be and how it will improve your productivity and reactivity. Many are also predicting the end of traditional ways of working and a switch from an 8-to-5 job to always being connected.

As we are all “important” ;=)) and require the latest electronic mobile gadgets, a couple of months ago I decided to get a brand new tablet in order to test the promising new applications and capabilities that have been hyped up.

A couple of days after installing the only corporate-approved application (MS Exchange), I started to browse the application store and installed completely unsecured and unapproved applications such as Dropbox, Google apps, SIP/video applications, games, file sharing, etc., and for most of them this included the capability to access sensitive data.

To make this point, using the Netqin security tool, you can see a fairly scary example of applications accessing various parts of my device:

22   applications accessing my address book
4     applications accessing my SMS and mail
27   applications accessing my location
37   applications accessing my device information

So, even if an application seems benign, by granting it access to data stored on the device, which is sometimes connected to corporate information (such as the corporate directory), the user's device, and thus the enterprise, is potentially exposed to spyware, malware, viruses, etc.
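The counts above came from a security tool, but the same inventory can be built directly from what each application declares. The example below is added here and is not code from the original post or from Netqin; it assumes Android, where an app lists the permissions it wants in its AndroidManifest.xml, and the four manifests it inspects are constructed stand-ins for installed apps (a game, a chat client, a maps app and an offline notes app). It groups the declared permissions into the four buckets used above and additionally flags apps that can both read address-book or SMS data and talk to the network, which is the combination that makes a synced corporate directory a leak risk.

```python
"""Inventory of app-permission exposure, in the spirit of the counts above.

Added example (not from the original post or from Netqin). Assumes Android:
permissions are declared as <uses-permission android:name="..."/> entries in
AndroidManifest.xml. The manifests below are constructed sample input.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# The four categories from the post, mapped to the Android permissions that grant them.
# Mail has no single manifest permission on Android; the closest is GET_ACCOUNTS, which
# exposes the account names (e-mail addresses) configured on the device, so it is
# counted under "SMS and mail" here (an assumption of this example, not of the post).
CATEGORIES = {
    "address book": {"android.permission.READ_CONTACTS",
                     "android.permission.WRITE_CONTACTS"},
    "SMS and mail": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                     "android.permission.SEND_SMS", "android.permission.GET_ACCOUNTS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "device information": {"android.permission.READ_PHONE_STATE"},
}
INTERNET = "android.permission.INTERNET"


def _manifest(package, *permissions):
    """Build a minimal AndroidManifest.xml string (constructed sample input)."""
    body = "".join('  <uses-permission android:name="%s"/>\n' % p for p in permissions)
    return ('<manifest xmlns:android="%s" package="%s">\n%s</manifest>'
            % (ANDROID_NS, package, body))


# Constructed manifests: a game asking for far more than a game needs, a chat client,
# a maps app, and an offline notes app that touches none of the four categories.
MANIFESTS = {
    "com.example.game": _manifest("com.example.game", INTERNET,
                                  "android.permission.READ_CONTACTS",
                                  "android.permission.ACCESS_FINE_LOCATION",
                                  "android.permission.READ_PHONE_STATE"),
    "com.example.chat": _manifest("com.example.chat", INTERNET,
                                  "android.permission.READ_CONTACTS",
                                  "android.permission.READ_SMS",
                                  "android.permission.RECEIVE_SMS",
                                  "android.permission.GET_ACCOUNTS"),
    "com.example.maps": _manifest("com.example.maps", INTERNET,
                                  "android.permission.ACCESS_COARSE_LOCATION",
                                  "android.permission.ACCESS_FINE_LOCATION"),
    "com.example.notes": _manifest("com.example.notes",
                                   "android.permission.WRITE_EXTERNAL_STORAGE"),
}


def manifest_permissions(xml_text):
    """Return the set of permission names declared in one manifest."""
    root = ET.fromstring(xml_text)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def classify(permissions):
    """Return the categories (from the post's four) that a permission set reaches."""
    return {cat for cat, perms in CATEGORIES.items() if permissions & perms}


def inventory(manifests):
    """{category: sorted package names}; len() of each list gives the post's style of count."""
    out = defaultdict(list)
    for pkg, xml_text in manifests.items():
        for cat in classify(manifest_permissions(xml_text)):
            out[cat].append(pkg)
    return {cat: sorted(pkgs) for cat, pkgs in out.items()}


def exfiltration_capable(manifests):
    """Apps that can read address-book or SMS/mail data *and* reach the network.

    Heuristic of this example: a directory-synced device is only at risk of leaking
    the directory through apps that can both read it and send it somewhere.
    """
    risky = {"address book", "SMS and mail"}
    flagged = []
    for pkg, xml_text in manifests.items():
        perms = manifest_permissions(xml_text)
        if INTERNET in perms and classify(perms) & risky:
            flagged.append(pkg)
    return sorted(flagged)


if __name__ == "__main__":
    for cat, pkgs in sorted(inventory(MANIFESTS).items()):
        print("%2d applications accessing my %s: %s" % (len(pkgs), cat, ", ".join(pkgs)))
    print("can read contacts/SMS and talk to the network:", exfiltration_capable(MANIFESTS))
```

Run as a script it prints one line per category in the same shape as the list above, followed by the apps that combine contact or SMS access with network access. Against real devices the manifests would come from the installed APKs rather than from the constructed strings, and on recent Android versions a declared permission is only a request; whether the user actually granted it at runtime is a separate question that a manifest cannot answer.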

Most people working in IT acknowledge that adding tablets and smartphones to the corporate ecosystem, i.e. a bring-your-own-device (BYOD) policy, introduces a lot of threats that need to be taken seriously, and without delay, before talking about any potential business opportunity.

Some security food for thought before letting new devices access corporate data:

  1. authenticated access -- If a tablet is lost, stolen or left unattended, enforcing native device-level authentication (PINs, passwords) reduces the risk of a stored-data breach or of misuse of the device's applications and connections.
  2. anti-loss measures -- Native remote lock, find and wipe capabilities can often be used to recover a lost device or to permanently prevent it from becoming a security liability, including devices issued to employees who have left the organization.
  3. authorization -- Mobile operating systems support native techniques like code signing, application data protection and device feature restrictions that enterprises can use to reduce the risks posed by mobile malware or inappropriate use. Devices don't come with native anti-virus, anti-spam or intrusion detection, but these can be obtained from third parties.
  4. data protection and encryption -- Mobile operating systems provide native support for securing data traffic, including SSL and selected VPN protocols. That covers data in transit; data at rest on the device depends on the application data protection mentioned under authorization above.
  5. device management -- Various solutions exist (Afaria, Mobile Iron, 3LM, …) to centrally provision and control tablets and smartphones, enforce their security settings, manage applications and monitor their usage.

To wrap this up, I would reinforce the point that, prior to seeing mobile devices as an opportunity, top-down mobile security enforcement is becoming a must-have for any secure corporate mobile usage.

Philippe

Nicolas Jacquey
Philippe Schaufelberger
Extremely curious and passionate about mobile technology (application, usage, hardware & human interface), I am a great believer that we are still in the early days of B2B mobile usage and that its potential is endless and full of opportunity for creative mindsets. Outside working hours, I enjoy spending time outside with my two beautiful little daughters, riding my mountain bike on steep dirt roads or spending time by my beehives making delicious homemade honey.