These handheld devices feature ubiquitous connectivity, constant access to the biggest repository of mankind’s knowledge, and more computing power than the NASA control room for the first moon landing.
Too many people assume that mobile devices are secure because they’ve never experienced malware on them before. The reality is that, until recently, there was little data on them that was worth stealing.
Nevertheless, now that they do contain valuable information – from email addresses and passwords to bank account logins – cybercriminals will be paying closer attention. And just because mobile threats may not look like they do on the traditional PC, this doesn’t mean there are no security issues.
New Technology, New Threats
Mobiles will experience all the malware that PCs have before them, including viruses, phishing, worms and more. How these threats attack them will be different, however, as the vehicle will vary between the device, the operating system (OS), and the application. For example, attacks against the closed Apple iOS model are going to be significantly different to those affecting Google’s Android, which liberally allows applications to be published (including nasty applications).
In addition, new devices and new functionalities will breed fresh opportunities for cybercriminals; features such as augmented reality, facial recognition and integrated social media all add new dimensions that could be targeted. Augmented reality, for example, can connect location information with a user’s social media ‘friends’, enabling them to identify digital contacts nearby. This infringes privacy and potentially hands out more information than we would usually share with our digital contacts.
NFC (near-field communication) technology is another innovation that introduces new challenges for security. Primarily, the discussion over NFC has focused on its use with mobile payments, and therefore instantly means that mobile devices are likely to become much more of a target to steal money. In addition, other information associated with NFC – such as personal data, preferences or habits – may also be valuable to a cybercriminal, and be targeted as a result.
Mobile networks are currently undergoing significant upgrades, enabling faster and more reliable connectivity. Although delivering better usability for customers, this ubiquitous connectivity can make mobile devices a more attractive target for both networks and command-and-control, because the network is strong enough to support an effective attack.
It’s not all doom and gloom. Some new technology will, of course, enhance security. Modern mobile platforms tend to include capabilities such as sandboxing technology, which can isolate applications to prevent compromised ones from accessing all of the device’s data. Access control and permission systems have also undergone drastic reform from the conventional OS; rather than being based on access to arbitrary items like registry keys, they instead focus on more human access permissions, such as whether an application needs to access location data or SMS messages, making it easier to understand for consumers.
Mobile device architectures are also becoming more tailored to modern working practices – BlackBerry, for example, has introduced a feature that provides two isolated working environments on the same device, allowing a separation between work and personal. This provides the benefits of a trustworthy and secure business environment, alongside the flexibility to play games and manage a personal life. These features are not yet widespread and the robustness of the security is unproven, but they do show a positive direction that could better secure the modern remote user in a way that works for both the business and the employee. It will be interesting to see if other vendors follow suit.
These capabilities show great promise for producing a more secure mobile environment. That said, they are as-yet far from perfect, and many of these controls do not come with smart, secure defaults. Instead they rely on the user to edit the permissions of an application, a process that requires some knowledge and expertise. Education and awareness is therefore vital to ensure users know what options they have, and how best to secure a mobile device.
IPv6 will also stamp a mark on the mobile security industry, especially because mobile device and telecoms providers are major proponents of IPv6, the next generation of protocols that will drive the internet. IPv6 will provide enhanced performance features, but it also has new functionality designed specifically for mobile and security. For example, IPSec – the industry standard for secure VPN connections – was incorporated into IPv6 and back ported to IPv4. Some of the changes enhance security, but others could leave a backdoor into your environment if not configured and managed correctly.
Protecting Yourself, and Your Business
Priority one is to get the basics under control. Despite all the hype, most mobile security breaches occur due to basic failures, such as poor passwords, lack of encryption, poor patching or social engineering. Mobile device management solutions can help ensure these capabilities are enabled.
Some will be provided by the device in hardware, such as full volume encryption; others by the OS, for example, sandboxing. These will be managed and reported on by security vendors. Software security solutions, including mobile device management (MDM) and anti-malware capabilities, will be increasingly required, although their implementation will vary from their PC counterparts and differ from platform to platform.
Data loss prevention (DLP) strategies must also be implemented specifically to mobile and, as data flows between different devices, continuous encryption to protect data wherever it resides will be powerful. Ultimately, the protection stack for mobile will expand over time, much as with the PC. It won’t be the same at first, but will need to remain as progressively capable.
Essentially, the more data we make available on our mobiles, the more incentive we provide cybercriminals with to weave creative attacks that compromise our personal lives, businesses and finances. Equally, the more applications and new capabilities we use, the more we increase the surface attack area to be exploited.
Privacy is also at risk, and as mobiles become the combination of a passport, personal record store and social life, we can expect to come under greater surveillance.
Technology is constantly changing as are the threats. A six-month strategy is therefore far more effective than the conventional three- to five-year plan many IT teams use.
James Lyne, director of technology strategy, is focused on the five-year technology strategy at Sophos in the Office of the CTO. Working with key business and technology trends and combining a detailed knowledge of threats, Lyne extrapolates from the modern world of threat protection to explore future security and technology requirements. Aside from technology strategy, he frequently engages with customers and industry forums to evangelize the security problem domains.