Wednesday, September 19, 2012

Mobile Security, Another Oxymoron...

Were you aware that the number of malicious software (“malware”) variants aimed at mobile devices has reportedly risen from about 14,000 to 40,000, an increase of about 185 percent, in less than a year? That is according to the United States Government Accountability Office (GAO) report to congressional committees, September 2012.

Cyber criminals may use a variety of attack methods, including intercepting data as it is transmitted to and from mobile devices and inserting malicious code into software applications to gain access to users’ sensitive information. These threats and attacks are facilitated by vulnerabilities in the design and configuration of mobile devices, as well as in the ways consumers use them. Common vulnerabilities include failing to enable password protection and running operating systems that are not kept up to date with the latest security patches.

What can you do as an individual, or as an organization? Glad you asked, because the GAO had answers specific to each:

Key Security CONTROLS for Individuals to Protect their Mobile Devices

  • Enable user authentication: Devices can be configured to require a password or PIN to gain access. In addition, the password field can be masked to prevent it from being observed, and the device can lock its screen after a period of idle time to prevent unauthorized access.
  • Enable two-factor authentication for sensitive transactions: Two-factor authentication provides a higher level of security than a password alone. It refers to an authentication system in which users must authenticate using at least two different “factors” (something you know, something you have, or something you are) before being granted access. Mobile devices themselves can be used as the second factor in some two-factor schemes used for remote access: the device can generate passcodes, or the codes can be sent to the phone via text message. Two-factor authentication matters most where sensitive transactions occur, such as mobile banking or other financial transactions.
  • Verify the authenticity of downloaded applications: Procedures can be implemented for checking the digital signatures of downloaded applications to ensure that they have not been tampered with.
  • Install antimalware capability: Antimalware protection can be installed to protect against malicious applications, viruses, spyware, infected SD (secure digital) cards, and malware-based attacks. Such capabilities can also protect against unwanted (spam) voice messages, text messages, and e-mail attachments.
  • Install a firewall: A personal firewall can protect against unauthorized connections by intercepting both incoming and outgoing connection attempts and blocking or permitting them based on a list of rules.
  • Receive prompt security updates: Software updates can be transferred automatically from the manufacturer or carrier directly to a mobile device. Procedures can be implemented to ensure these updates are delivered promptly.
  • Remotely disable lost or stolen devices: Remote disabling is a feature for lost or stolen devices that either locks the device or completely erases its contents remotely. A locked device can be unlocked by the user if it is recovered.
  • Enable encryption for data stored on the device or memory card: File encryption protects sensitive data stored on mobile devices and memory cards. Devices can have built-in encryption capabilities or use commercially available encryption tools.
  • Enable whitelisting: Whitelisting is a software control that permits only known, approved applications to run.


Key Security PRACTICES for Individuals to Protect their Mobile Devices

  • Turn Bluetooth off or set it to non-discoverable: In discoverable mode, Bluetooth-enabled devices are “visible” to other nearby devices, which may alert an attacker to target them. When Bluetooth is turned off or in non-discoverable mode, the device is invisible to other unauthenticated devices.
  • Limit use of public WiFi networks when conducting sensitive transactions: Attackers may patrol public WiFi networks for unsecured devices or even set up malicious access points designed to attack mobile phones. Public WiFi spots are an easy channel for attackers to exploit. Users can limit their exposure by not conducting sensitive transactions on public WiFi or, if they must, by using secure, encrypted connections. This reduces the risk of attackers obtaining sensitive information such as passwords, bank account numbers, and credit card numbers.
  • Minimize installation of unnecessary applications: Once installed, applications may be able to access user content and device programming interfaces, and they may themselves contain vulnerabilities. Users can reduce risk by limiting unnecessary applications.
  • Configure web accounts to use secure connections: Accounts for many websites can be configured to use secure, encrypted connections. Enabling this feature limits eavesdropping on web sessions.
  • Do not follow links sent in suspicious e-mail or text messages: Such links may lead to malicious websites.
  • Limit clicking on suspicious advertisements within an application: Suspicious advertisements may link to malicious websites, prompt users to download malware, or violate their privacy. Users can limit this risk by not clicking on suspicious advertisements within applications.
  • Limit exposure of mobile phone numbers: By not posting mobile phone numbers on public websites, users can limit the extent to which attackers can obtain known numbers to attack.
  • Limit storage of sensitive information on mobile devices: Data that is not on the device cannot be taken from it.
  • Maintain physical control: Users can take steps to safeguard their devices, such as keeping them secured in a bag, to reduce the risk that they will be lost or stolen.
  • Delete all information stored on a device prior to discarding it: By using software tools that thoroughly delete (“wipe”) information stored on a device before discarding it, users can protect their information from unauthorized access.
  • Avoid modifying mobile devices: Modifying, “jailbreaking,” or rooting a mobile device can expose it to security vulnerabilities or prevent it from receiving security updates.


ORGANIZATIONAL Security CONTROLS to Protect Authorized Devices

  • Adopt centralized security management: Centralized security management can ensure that an organization’s mobile devices comply with its security policies. It includes (1) configuration control, such as installing remote disabling on all devices, and (2) management practices, such as setting policy for individual users or a class of users on specific devices.
  • Use mobile device integrity validation: Software tools can scan devices for key compromising events (for example, an unexpected change in the file structure) and then report the results, including a risk rating and recommended mitigation.
  • Implement a virtual private network (VPN): A VPN provides a secure communications channel for sensitive data transferred across multiple public networks during remote access. VPNs are useful for wireless technologies because they provide a way to secure traffic over wireless local area networks, such as those at public WiFi spots, in homes, or in other locations.
  • Use public key infrastructure (PKI) support: PKI-issued digital certificates can be used to digitally sign and encrypt e-mail.
  • Require conformance to government specifications: Organizations can require that devices meet government specifications before they are deployed. For example, NIST recommends that mobile devices used in government enterprises adhere to a minimum set of security requirements for cryptographic modules (FIPS 140-2) that covers both hardware and software components. The Defense Information Systems Agency has certified a secure Android-based mobile system for use by DOD agencies. The system allows DOD personnel to sign, encrypt, and decrypt e-mail, and to securely access data from a smart phone or tablet.
  • Install an enterprise firewall: An enterprise firewall can be configured to isolate all unapproved traffic to and from wireless devices.
  • Monitor incoming traffic: Enterprise network operators can use intrusion prevention software to examine traffic entering the network from mobile devices.
  • Monitor and control devices: Devices can be monitored and controlled for messaging, data leakage, and inappropriate use, and to prevent unapproved applications from being installed.
  • Enable, obtain, and analyze device log files for compliance: Log files can be reviewed to detect suspicious activity and to confirm compliance with policy.
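Several of the organizational controls above (centralized management, integrity validation, application whitelisting, and analysing device records for compliance) come down to the same operation: take what the MDM system reports about each device and evaluate it against policy. The following is an added example, not code from the GAO report or from this blog, of that evaluation. The inventory records, policy values, app allowlist, and “system_hash” measurements are all constructed for illustration; a real MDM export and integrity agent would supply their own fields.

```python
import json
from datetime import date

# Constructed MDM inventory export, one JSON record per device (not real data).
SAMPLE_INVENTORY = """\
{"device_id": "d-001", "user": "alice", "os": "Android 4.1", "patch_date": "2012-09-10", "passcode": true, "encrypted": true, "jailbroken": false, "apps": ["com.example.mail", "com.example.vpn"], "system_hash": "a1"}
{"device_id": "d-002", "user": "bob", "os": "Android 4.0", "patch_date": "2012-03-01", "passcode": false, "encrypted": true, "jailbroken": false, "apps": ["com.example.mail", "com.badgame.free"], "system_hash": "b2"}
{"device_id": "d-003", "user": "carol", "os": "iOS 5.1", "patch_date": "2012-08-20", "passcode": true, "encrypted": true, "jailbroken": true, "apps": ["com.example.mail"], "system_hash": "zz"}
"""

# Date of the audit run; fixed here so the example is reproducible.
SAMPLE_AUDIT_DATE = date(2012, 9, 19)

# Hypothetical organizational policy. "known_good_system_hashes" stands in for the
# per-build measurement an integrity-validation agent would compare against.
POLICY = {
    "require_passcode": True,
    "require_encryption": True,
    "max_patch_age_days": 90,
    "allow_jailbroken": False,
    "app_allowlist": {"com.example.mail", "com.example.vpn", "com.example.docs"},
    "known_good_system_hashes": {"Android 4.1": "a1", "Android 4.0": "b2", "iOS 5.1": "c3"},
}


def evaluate_device(record: dict, policy: dict, today: date) -> list:
    """Return a list of policy findings for one device record (empty means compliant)."""
    findings = []
    if policy["require_passcode"] and not record.get("passcode"):
        findings.append("passcode not enabled")
    if policy["require_encryption"] and not record.get("encrypted"):
        findings.append("storage encryption not enabled")

    patch_age = (today - date.fromisoformat(record["patch_date"])).days
    if patch_age > policy["max_patch_age_days"]:
        findings.append("OS patch level is %d days old (limit %d)"
                        % (patch_age, policy["max_patch_age_days"]))

    if record.get("jailbroken") and not policy["allow_jailbroken"]:
        findings.append("device is jailbroken or rooted")

    # Whitelisting: anything installed that is not on the allowlist is a finding.
    unapproved = sorted(set(record.get("apps", [])) - policy["app_allowlist"])
    if unapproved:
        findings.append("unapproved apps installed: " + ", ".join(unapproved))

    # Integrity validation: compare the reported system measurement to the known-good one.
    expected = policy["known_good_system_hashes"].get(record["os"])
    if expected is None:
        findings.append("system integrity: no known-good measurement for this OS build")
    elif expected != record.get("system_hash"):
        findings.append("system integrity: measurement does not match known-good value")
    return findings


def audit_inventory(jsonl: str, policy: dict, today: date) -> dict:
    """Evaluate every record in a JSON-lines export; returns {device_id: [findings]}."""
    report = {}
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        report[rec["device_id"]] = evaluate_device(rec, policy, today)
    return report


def noncompliant_devices(report: dict) -> list:
    """Device IDs with at least one finding, sorted for stable output."""
    return sorted(dev for dev, findings in report.items() if findings)


def audit_sample() -> dict:
    """Run the audit over the constructed inventory with the fixed audit date."""
    return audit_inventory(SAMPLE_INVENTORY, POLICY, SAMPLE_AUDIT_DATE)


if __name__ == "__main__":
    result = audit_sample()
    for dev in sorted(result):
        status = "OK" if not result[dev] else "NONCOMPLIANT"
        print(dev, status)
        for f in result[dev]:
            print("   -", f)
```

The output of such a check is what drives the centralized-management actions the table describes: a jailbroken or tampered device can be quarantined or remotely wiped, a device with an unapproved app can have the app removed, and a device that is months behind on patches can be denied VPN access until it updates.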

ORGANIZATIONAL Security PRACTICES to Protect Authorized Devices

  • Establish a mobile device security policy: Security policies define the rules, principles, and practices that determine how an organization treats mobile devices, whether they are issued by the organization or owned by individuals. Policies should cover areas such as roles and responsibilities, infrastructure security, device security, and security assessments. By establishing policies that address these areas, agencies can create a framework for applying practices, tools, and training to support the security of wireless networks.
  • Provide mobile device security training: Training employees in an organization’s mobile security policies helps ensure that mobile devices are configured, operated, and used in a secure and appropriate manner.
  • Establish a deployment plan: Following a well-designed deployment plan helps ensure that security objectives are met.
  • Perform risk assessments: Risk analysis identifies vulnerabilities and threats, enumerates potential attacks, assesses their likelihood of success, and estimates the potential damage from successful attacks on mobile devices.
  • Perform configuration control and management: Configuration management ensures that mobile devices are protected against the introduction of improper modifications before, during, and after deployment.

Source(s):
  • Juniper Networks, Inc., 2011 Mobile Threats Report (Sunnyvale, Calif.: February 2012).
  • Symantec Corporation, Internet Security Threat Report, 2011 Trends, Vol. 17 (Mountain View, Calif.: April 2012).
  • Lookout Mobile Security, Lookout Mobile Threat Report (San Francisco, Calif.: August 2011).
  • McAfee, Securing Mobile Devices: Present and Future (Santa Clara, Calif.: 2011).
  • U.S. Government Accountability Office, GAO-12-757, Information Security: Better Implementation of Controls for Mobile Devices Should Be Encouraged (Washington, D.C.: September 2012), http://www.gao.gov/assets/650/648519.pdf

So “Once more unto the breach, dear friends, once more;”


____________________________________________________________
About Rick Ricker

An IT professional with over 20 years experience in Information Security, wireless broadband, network and Infrastructure design, development, and support.
For more information, contact Rick at (800) 333-8394 x 689
