How do you quantify the impact of mobility on IT security? That this is a challenge all organizations need to face up to cannot be doubted; a 2013 Quocirca research report, Digital identities and the open business, showed that 63% of businesses provide formal access to some of their business applications to mobile users. And that is before considering informal access and other challenges thrown up by the ubiquity of mobile devices.
To understand the scale of the problem it needs looking at in two parts; the way mobility changes the approach that needs to be taken to an organization’s core IT infrastructure and the security challenges of mobility itself.
At the core – however it is provisioned – mobility simply scales up exiting problems. As Bergman et al say in their 2013 book Hacking Exposed Mobile Security Secrets & Solutions:
“What do we do now? Here’s what may be a shocking answer: the same thing we’ve done before! Despite all the hype, we submit that mobile is “the same problem, different day.” Fundamentally, we are still talking about a client-server architecture: OK, we may have exaggerated a bit, but not much.”
The aims of the bad guys and the techniques they use remain pretty much the same. Find a way in to your infrastructure to steal data and/or identities, disrupt business etc. A paper titled 'Systems Security Research' by Lorenzo Cavallaro of the Information Security Group at Royal Holloway University of London looks at the behaviour of mobile specific malware samples. Out of 1,356 unique samples that were stimulated to act in some way, 67% attempted file system access (think data theft) and 66% attempted to access personal info (think identity theft), whereas just 3% attempted to send an SMS and 4% to make or alter a phone call; both of which may be considered mobile specific threats.
From the point of view of the IT core, mobility simply extends the attack surface of an organization and therefore its vulnerability. As a recent presentation given by Quocirca at the EE Business Customer Forum points out; mobility means more devices, more users (especially external ones as reach is extended) and more network traffic (see IT security in the “Superfast Mobile Age”. (Note EE or Everything Everywhere is the Orange/T-Mobile mobile network partnership that has taken a lead in rolling out 4G services in the UK.)
Mobility also means more software as more on-demand applications are put in place to support business processes that are now reliant on mobility, which are by their very nature more open and, of course, all those mobile apps.
In most cases, dealing with these changes is simply a matter of scale. Understanding who users are needs better identity and access management that can provide a federated view of all users and describe access rights. More network traffic needs faster content filtering to search for malware and spot exfiltration. More devices may need network access control (NAC) which can ultimately be used to keep mobile devices away from you network (see Quocirca report, Next-generation network access control).
However, if as most do, you allow some level of access to your network and applications by mobile users, you will increasing need to face up to some new challenges that are specific to mobile use. These include the obvious, such as devices are more easily lost and stolen (so need to be disabled and wiped remotely), users are more vulnerable as they deal with more fiddly interfaces in distracting environments (i.e. they are easier to dupe) and app stores open new ways for malware to be loaded on to devices.
That said, despite much comment about the security of the Android operating system in particular, the configuration of mobile devices is generally more secure in the first place than the Windows environment many are familiar with on PCs. Android apps run in their own containers and this can be with least privilege (depending on how well the app has been written). Compare this to the way many Windows PCs are configured where each application runs with admin access and, therefore, access to almost any resource it requests.
This may be why, as the Economist reports, in an article on Nov 30th titled, Thief in your pocket? that “When it comes to mobile devices, viruses are not the problem they are made out to be—at least, not yet. Instead, the biggest risk for organisations comes from absent-minded or nefarious employees”.
Nevertheless, black hats, white hats, IT security vendors, journalists and indeed analysts will all continue to show an interest in the growing number of mobile users, devices and software as a means of attacking organisations in the coming year. Those responsible for the protection of data and users need to keep their eye on the ball too. Quocirca will aim to help you do that as it reviews aspects of mobile security throughout 2014.