Mobile Security Challenges
The rise of the mobile era has dramatically changed the way large enterprises operate and communicate. The shift towards the mobile worker, and the fact that people are always connected, at home and on the go, increases the exposure of the organization's sensitive data. People use their phones everywhere, and are not always aware of the threats that come with using a mobile phone for work. Furthermore, where users previously installed only licensed and approved software on their computers, in line with IT guidelines, they are now accustomed to downloading and installing apps on their own from the various app stores. This is done without considering the potential hazards of public applications that can reach and expose the sensitive organizational information now residing on the same device.
While smartphones are now commonly used for accessing email, browsing the internet and handling private or confidential information (work-related, financial, health, etc.), security practices for smartphones have not kept pace with traditional IT security, where firewalls, hardware encryption, malware detection, network-based anomaly detection and similar controls are common practice. Moreover, with the extensive use of mobile phones and the widespread "Bring Your Own Device" (BYOD) approach, organizations are now far more exposed to advanced mobile threats, while the existing defense mechanisms are not up to the task.
Mobile threats are commonly divided into three groups: communication-related, device-related and user-related:
Communication-related threats are mostly the product of communication interception. Relatively simple equipment posing as a legitimate cellular base station can be used to intercept traffic on a regular cellular network, and data sent over WiFi can be intercepted with standard man-in-the-middle techniques. In both cases, any traffic that is not independently encrypted end to end between the device and the service is exposed.
Device-related threats scale with the amount of information kept on the device and with the degree to which installed applications can access that information. Whether it is a legitimate application granted access to sensitive data, a malicious application downloaded from an unknown source, or a Trojan horse specifically engineered to steal information, each has a major effect on the ability to secure both private and corporate data.
Last but not least are the users themselves. Users are usually reluctant to give up mobile freedom, usability and functionality in exchange for a higher level of security. Security through restrictions is therefore often ineffective: users generate and require access to large amounts of information, applications of all sorts and extensive social media activity, without understanding, or sometimes even caring about, the security implications of those actions. Counting on users to make the security-savvy choice when handling new and exciting mobile functionality or content would, in most cases, lead to a security failure.
There are many mobile security solutions on the market, each dealing with the evolving mobile threat landscape in its own way. To build a solution that provides effective defense against emerging mobile threats, however, the following guidelines should be kept in mind:
The solution should address the whole breadth of threats and attack vectors, giving the enterprise a holistic approach to the full range of mobile security issues.
Given the pace of change in the mobile domain and the growing security challenges that change brings, the solution must be flexible and robust enough to keep up.
Balancing security and usability is a key success factor. Security by restriction usually drives the common user (who typically cares more about convenience than about the risks his actions create) to seek the required functionality elsewhere and carry two devices, one restricted and the other usable. This creates a whole new spectrum of security challenges, since the user is now responsible for using the right device at the right time. The challenge is to create a solution that is both usable and secure.
Since the user is the weakest link in any security structure, security is best implemented transparently in the mobile device itself, protecting the end user at all times without requiring end-user decisions or specific interaction. Having said that, justice must also be seen to be done: the challenge is to be as transparent as possible, yet visible enough that users know they are protected at all times.
The security solution should be designed with the ever-changing threat landscape in mind, and should be able to adjust quickly to both known and unknown threats. The infamous "cat and mouse" security game, in which an identified vulnerability is patched only for another to appear, should be replaced with a flexible, fast-moving, intelligent mechanism.
Strong, effective, usable mobile security is required, no doubt about that. End-user education is no less important, as most users are not even aware of the threats they expose themselves to. Smartphones have changed our world for the better but have also created many security challenges. It is time for innovative solutions to step up their mobile security game.