Every day, more and more people use portable devices such as laptops, tablets, and smart phones for things they might previously have chosen to do on a desktop computer. These devices allow people to stay connected and productive wherever they go. Because they let users access Internet resources, communicate through email and chat, make voice calls from virtually anywhere, and carry important data with them, mobile devices are becoming more prevalent in the business environment.
With all of the benefits that mobile devices offer, it is still important to consider the unique threats and vulnerabilities associated with them. Because of their nature, these devices do not normally exist in a typical network environment.
Desktop computers are usually only connected to an organization’s internal network and are protected by several layers of security. These networks often have firewalls, intrusion detection systems, data loss prevention solutions, anti-malware products, group policies, and a whole breadth of physical measures to protect against unauthorized access and other threats. Mobile devices being used off the organization’s network do not have these protections.
Mobile threats
According to the results of a recent study by the Department of Homeland Security, mobile devices are uniquely susceptible to threats that differ from those facing less portable computing equipment. The study focused on the unique features of mobile devices such as mobile operating systems, mobile applications, mobile network protocols and services, how the devices are physically accessed, and their network infrastructure. Keeping in mind that not all of these apply to all mobile devices, DHS has defined these basic categories of mobile threats:
- Denial of service – through theft, overloading or jamming networks, ransomware, etc.
- Geolocation – tracking the location, speed, and direction of movement
- Information disclosure – communication interception, leakage from apps or network transmissions, eavesdropping on voice or data communications, remotely accessing microphones or cameras
- Spoofing – impersonating email or SMS traffic from another device, fraudulent WiFi access points or cellular base stations
- Tampering – modifying data in transit, modifying hardware or software in the supply chain, jailbreaking or rooting
The National Institute of Standards and Technology (NIST) released a draft version of their internal report titled Assessing Threats to Mobile Devices & Infrastructure – The Mobile Threat Catalogue. This report covers many of the same threat categories, but goes into much greater detail, explaining more specifically how these threat categories affect mobile devices.
Gaps in mobile technology security
The DHS study on mobile device security also addresses several gaps in security due to the way mobile devices are built and operate. It notes that in spite of the industry’s efforts to continually improve security, mobile devices maintain several deficiencies because of what they are and how they are used. These include:
- Intrusion detection – inability to monitor for real-time exploits
- Updates – patch schedules are irregular and often slow, depending on the vendor
- Software quality – very little control over the development process of applications
- Authentication – strong authentication mechanisms are mostly unavailable
Protecting mobile devices
Though there are a few technologies available to assist in mobile device security, ensuring the best possible security for mobile devices mostly boils down to adhering to some simple safe practices. By following these tips, the chance that sensitive data might be lost or compromised can be greatly reduced.
Authentication: Utilize the most complex authentication method available for the device. Fingerprint authentication can easily be beaten. Long PINs or pass codes offer the greatest security.
Authentication failures: Enable features that disable devices after multiple authentication failures. Often these features will only disable the devices for a period of time, but can prevent brute-force attacks and allow time for device recovery or remote wiping.
Apps: Use only apps from trusted sources or from native app stores. Do not root or jailbreak devices or use apps that require this to be done.
Updates: Ensure applications and operating systems are kept current. Apply any available updates as expeditiously as possible.
WiFi: Avoid connecting to public wireless Internet hot-spots. Practice disabling WiFi on devices when it is not needed.
Bluetooth: Disable Bluetooth when not in use.
Geo-location: Disable location services on apps. Do not use location-based “check-in” features in apps such as those available for popular social media apps.
Data storage: Most modern portable devices offer whole-disk encryption. Enabling this helps to protect data against unauthorized access if devices are lost or stolen.
Remote wipe: Many devices, and even third-party services, offer the ability to remotely wipe devices such as laptops, smart phones, and tablets. This should be enabled for all devices so they can be remotely cleared in the event they are lost or stolen.
Disposal: Ensure that devices are completely wiped and reset to factory default settings before releasing control of mobile devices.
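To put numbers on the Authentication and Authentication failures tips above, the following added example (not part of the original article) estimates how long it takes to try every PIN of a given length with and without a failure lockout, and how likely guessing is to succeed before an automatic wipe. The lockout schedule, the two-second entry time, and the 10-failure wipe threshold are constructed assumptions, not values from any particular device.

```python
# Added example: constructed policy values, not taken from any specific device.
ESCALATING = [60, 300, 900, 3600]  # lockout seconds; the last value repeats


def keyspace(length, alphabet=10):
    """Number of possible codes (alphabet=10 means digits only)."""
    return alphabet ** length


def lockout_seconds(lockouts, schedule):
    """Total time spent locked out across `lockouts` lockout events."""
    if not schedule or lockouts <= 0:
        return 0
    if lockouts <= len(schedule):
        return sum(schedule[:lockouts])
    return sum(schedule) + (lockouts - len(schedule)) * schedule[-1]


def worst_case_seconds(length, threshold=5, schedule=ESCALATING,
                       seconds_per_guess=2.0, alphabet=10):
    """Time to try every code if the device locks after each `threshold` failures.

    seconds_per_guess is an assumed manual entry time. Pass schedule=[]
    to model a device with the failure lockout feature turned off.
    """
    guesses = keyspace(length, alphabet)
    # Every guess except the last one is a failure that counts toward a lockout.
    lockouts = (guesses - 1) // threshold
    return guesses * seconds_per_guess + lockout_seconds(lockouts, schedule)


def chance_before_wipe(length, wipe_after=10, alphabet=10):
    """Probability that random guessing succeeds before an auto-wipe triggers."""
    return min(1.0, wipe_after / keyspace(length, alphabet))


if __name__ == "__main__":
    day = 86400
    for n in (4, 6, 8):
        print(f"{n}-digit PIN: "
              f"no lockout {worst_case_seconds(n, schedule=[]) / day:.1f} days, "
              f"with lockout {worst_case_seconds(n) / day:.1f} days, "
              f"success before wipe {chance_before_wipe(n):.6%}")
```

Under these assumptions, a 4-digit PIN with no lockout can be exhausted in under six hours, while the same PIN with the lockout enabled takes about 83 days, which is the time for device recovery or remote wiping that the tip refers to.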