Security’s Ever-Growing, Ever-Moving Target

It would seem there is no airport, no train station, and no mode of transport that has not been used by mobile service providers to demonstrate the capabilities of their networks.

We’ve all seen the happy faces of sharp-suited mobile workers, head-down into their work wherever they are. Being agile. Being productive. Yet it’s tempting to wonder how happy they would appear if they had an inkling of what they may be doing as regards security.

The Consequences of Corporate Flexibility

Mobile is a given for companies of all sizes. Moreover, a large number of enterprises worldwide have adopted the bring your own device (BYOD) trend to increase work productivity and reduce IT infrastructure costs. But there is a balancing act: the more flexibility and access anyone has to their corporate network, the more ways in which that network can be reached. The most secure network is one with no mobile access. It will also be the most unproductive.

Amritesh Suman, an analyst with Allied Market Research, looked at how this circle is being squared: “Today, there is a growing acceptance for the use of mobile devices by employees at work. [Yet] as a consequence of the same, executives, managers and other corporate employees have to connect their mobile devices to corporate servers which involves a high data security risk of corporate data for the enterprises, thus increasing the need for data monitoring and security.

“In addition to enterprise users, individual users also demand cohesive, integrated mobile device protection and security solutions. Mobile security solution providers deliver security solutions for individual use that are able to restore and secure the data for any subsequent mobile device, regardless of the operating system.”

The Mobile Threat Landscape

Here is the thing about mobile: demand is insatiable. The Apple iPhone 6s launch typified what the industry is all about: faster processors, larger screens, enhanced access to richer applications. Such mobile platforms basically allow you to do more, much more, for your business. Sadly, "more" should now also include security issues. Mobile malware is spiking, and is all too often pre-installed on a user’s device.

In September 2015, researchers from security expert G DATA found that over 26 models from some well-known manufacturers including Huawei, Lenovo and Xiaomi have pre-installed spyware in the firmware. During the second quarter of 2015, researchers saw 6,100 new malware samples every day. By comparison, in the first quarter of 2015 they saw about 4,900 malware apps per day, representing an increase of almost 25% quarter over quarter.

Further, and maybe more alarmingly, the G DATA Q2 2015 Mobile Malware Report shows that there will be over two million new malware apps by the end of the year. Worse, the researchers suspect people are modifying the devices’ software to steal user data and inject their own advertising to earn money.

Christian Geschkat, G DATA mobile solutions product manager, said: “Over the past year we have seen a significant increase in devices that are equipped with firmware-level spyware and malware out of the box which can take a wide range of unwanted and unknown actions including accessing the internet, reading and sending text messages, installing apps, accessing contact lists, obtaining location data and more—all of which can do detrimental damage.”

Considering the mobile threat environment, Check Point’s global VP of products Gabi Reish suggested that the biggest risk to mobiles right now is large-scale vulnerabilities that affect mobile operating systems.

“Mobile device vendors are having to move so fast to add new features that innovation has raced ahead of security—when you develop quickly, some things get easily missed,” he warned.

“The patch cycles for these flaws are slow, leaving millions of devices at risk—often without the users being aware… Check Point’s 2015 Security Report found that in an organization with more than 2,000 devices on its network, there is a 50% chance that there will be at least six infected or targeted mobile devices on their network. That may not seem high, but in many cases the infections were sending traffic from mobile devices for weeks or months. What sensitive data could have been stealthily siphoned from just a single device during that time?”

New Platforms, New Threats

Mobile malware is very much a trend for 2015. Geschkat explains that “an estimated 2.5 billion people worldwide use a smartphone or tablet to go online. Chatting, surfing and shopping are possible anytime, anywhere thanks to smartphones and tablets. At the same time, the number of mobile malware apps has sharply increased in the past three years.”

The G DATA report also found that the first six months of 2015 have already broken all previous malware records—over a million new Android malware strains (1,000,938) were discovered within just six months. It’s fairly safe to say that the second half of 2015 will see more of the same and in a number of key places.

The G DATA security experts expect yet another significant increase in Android malware instances in particular. In those six months, the analysts have already discovered almost as many Android malware instances as in the whole of 2013. These include the recent Certifi-gate and Stagefright flaws. Both affect hundreds of millions of Android devices, and the latter flaw makes all Android devices targets of remote take-over by simply receiving an MMS message, without even having to open or view it.

“Hacking Team, an IT company that develops a wide range of malware for intelligence services and governments, suffered a cyber-attack this year,” the report noted. “After this attack, corporate data and source code for an Android malware strain were published. G DATA security experts expect cyber-criminals to exploit this easily accessible knowledge base and publish large numbers of more mature Android malware.”

But before anyone thinks this is just an Android problem, bear in mind that arch-rival Apple has its own mobile security issues. August 2015 research from identity protection specialist Centrify Corporation found that lack of encryption and weak or shared passwords on Apple devices in the workplace were exposing sensitive corporate and customer information. It found that businesses were simply not investing enough resources to secure or manage their devices, with just over half (51%) of all products such as an iPhone or iPad secured by a password that is merely a single word or a series of numbers. Most devices (58%) did not have software installed to enforce strong passwords, and only just over a third of Apple devices had encryption of stored data enforced by their company.

Flexible Solutions for Mobile Data

So how is the industry dealing with mobile security? By spending a lot of money, it would seem. Allied Market Research calculates that the global mobile security market is estimated to reach $34.9bn by 2020, growing at a CAGR of 40.8% during the forecast period 2014-2020. It added that enterprise end-user security solutions were the largest revenue-generating end-user segment in the global market and accounted for $2.86bn in 2013.

Allied Market Research’s Suman believes that there are a number of discernible trends emerging in the fields of mobile security, first among them authentication, mobile application management and mobile data protection. Drilling down, he sees that two-factor authentication is the latest trend adopted by most of the service providers in their products, while he expects the mobile application management trend to grow as more such solutions are offered. Some of the prime reasons for the development of application security solutions are the increasing dependency on applications and the frequency and length of usage.

The good news is that the mobile industries and device makers are taking positive steps to improve mobile security. Even Android. In August 2015, Adrian Ludwig, head of Android Security at Google, revealed just how much his company was pushing mass updates of patches over the air (OTA) to its Nexus Android devices, to address issues such as Stagefright.

For Check Point’s Reish, there was a basket of necessary solutions to remedy issues: “What’s needed to protect against these threats is a range of technologies including on-device sandboxing, static code analysis, mobile app reputation scoring, behavioral risk analysis and machine learning—ideally integrated with an organization's existing MDM/EMM solution, and managed by a single dashboard for controlling supported devices and stopping mobile threats.”

Assessing the True Risk to Business

The mobile genie is completely out of the bottle and unless firms wish to hunker back into a bunker of limited access they will have to accept the fundamental risk of using mobile devices and services. But that is not to say that there are not ways in which such risks can be mitigated.

It’s not just a question of technology, but also a question of practice making, if not perfect, then increased protection. For example, under no circumstances should jailbroken devices be allowed to access the corporate network. Businesses should rigorously enforce standards and procedures for passwords and other forms of authentication.

And then there is the thorny issue of lost devices. Devices will get lost—that cannot be stopped. What can be stopped is lost devices automatically being a problem for the business. The technologies and services to do such things are readily available.

In fact, in this case, and in all others when it comes to mobile security, the answer is right in your hands.