Mobile Device Security: What You Need to Know

February 10th, 2020 by admin

Compared to desktops and laptops, mobile devices have unique behaviors that increase their security risks to your organization. Here are the top five mobile device risks:

1. They are almost always on and usually connected to the internet.

Without any user intervention, mobile devices are constantly trying to connect to available networks around them that have similar features to ones they already “know.” This means that if a hacker can mimic a known network, a mobile device will try to connect to it. When a device connects to a fake network, its traffic can be spoofed, changed, and recorded. Additionally, the user may unknowingly accept fake service certificates - exposing encrypted “secure” sessions to man-in-the-middle (MITM) scenarios.

The kind of security that mobile devices use is also important because they usually host a wide variety of applications that are continuously reaching for updates and passing credentials to service providers.

2. Application designs often prioritize speed and convenience over security.

The majority of mobile app developers spend their time on “wowing” their customers with cool new bells and whistles, not on protecting their security. These apps are feature-rich and security-poor, making the data they contain an easier target for hackers.

3. It can be hard to tell legitimate apps from illegitimate ones.

The probability of installing an application that was designed for illicit purposes is high because most users can’t always distinguish questionable sources from legitimate ones.

By default, both iOS and Android devices are configured to install apps only from their official stores (the Apple App Store and Google Play). But Android does allow users to install applications from other sources. Since the bulk of malicious applications come from stores outside Apple and Google Play, users should always be wary of installing apps from those sources.

4. Application updates are often overlooked.

Unpatched vulnerabilities in mobile device operating systems and other apps contribute significantly to risk. Just like desktop applications, mobile apps must be continually and proactively updated using only legitimate sources to lessen these risks.

5. Physical protection is a common problem.

Because mobile devices are portable and small enough to fit in your pocket, they’re often easily misplaced or stolen. This means devices and the sensitive data they contain have to be physically protected in order to prevent sensitive information from getting into the wrong hands.

Why Mobile Device Security Is Important

Mobile devices contain lots of data in many forms, including applications, documents, stored account credentials, photographs, preferences, and email. It goes without saying that the average user would not want much of this data made available for unrestricted access.

Data typically falls into two categories: business and personal. Unauthorized access to business information can do tremendous damage to an organization and may result in the theft of intellectual property, customer information, strategic plans, and trade secrets stored as documents and spreadsheets. Unintended access to devices can also jeopardize network login credentials, stored application credentials, VPN profiles, and password databases.

Unauthorized use of personal data can directly impact an individual if their financial, credit, or medical information is compromised. Additionally, if that personal information includes passwords or other credentials that are recycled and used for logging into business applications, then the breach of personal accounts becomes a much bigger problem. Now it can impact the security of business data.

Because mobile devices (either business or personal) can contain so much valuable information, organizations need to be aware of the consequences and take the necessary steps to maximize their protection.

Ways Data Can Be Stolen From Mobile Devices

Mobile devices are susceptible to a variety of attacks. These attacks can be physical, over the network, or via malware. Here are some methods used to attack and/or hack mobile devices.

Physical Security

Where your device is physically located, who has possession of it, and the data security features on it are all very important. Having physical possession of a lost or stolen mobile device creates an opportunity for a bad actor using readily available technology to bypass default security measures.

Requiring the use of enhanced security options such as six-digit PINs and facial or fingerprint IDs can raise the bar and help keep would-be hackers at bay. Without a formal policy and a mechanism for enforcement, leaving this task to each individual user results in spotty compliance at best. A Mobile Device Management (MDM) solution enables security and other policies to be applied or removed from mobile devices.

MDMs are effective because they automate the implementation of security policies, and can be based on the location of the user (inside or outside the country) or the status of the device (lost or stolen). Policy changes can be used to enable or disable features, or in the case of a lost or stolen device, lock down and wipe clean the entire device.

Device encryption is another robust security measure organizations can employ. Device encryption can be installed as a separate application on Windows-based laptops or can be enabled on-device for smartphones.

Device encryption has been a default option for iOS devices for quite some time but needs to be user-enabled for most Android devices. Since studies show that roughly 85% of the world’s devices are Android, a large target of opportunity for hackers clearly exists.
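
The policy checks described above (six-digit PIN, device encryption, location, and lost or stolen status) can be expressed as a small compliance evaluator. This is an added example, not code from the original article or from any MDM product; the record fields, action names, and the rule applied to devices outside the country are assumptions, and the fleet data is constructed.

```python
from dataclasses import dataclass

MIN_PIN_LENGTH = 6  # six-digit PIN floor named in the article

@dataclass
class Device:
    # Hypothetical inventory record; not any MDM vendor's schema.
    name: str
    platform: str      # "ios" or "android"
    pin_length: int    # 0 = no PIN set
    encrypted: bool
    status: str        # "active", "lost" or "stolen"
    in_country: bool

def evaluate(dev: Device) -> tuple[str, list[str]]:
    """Return (action, findings). Action names are assumptions for this sketch."""
    # Lost or stolen status outranks every other check: lock down and wipe.
    if dev.status in ("lost", "stolen"):
        return "lock_and_wipe", [f"reported {dev.status}"]
    findings = []
    if dev.pin_length < MIN_PIN_LENGTH:
        findings.append(f"PIN length {dev.pin_length} < {MIN_PIN_LENGTH}")
    if not dev.encrypted:
        findings.append("storage encryption not enabled")
    if findings:
        return "quarantine", findings
    # Assumed location rule: compliant devices abroad get a restricted profile.
    if not dev.in_country:
        return "restrict", ["device outside home country"]
    return "allow", []

# Constructed sample fleet, for illustration only.
FLEET = [
    Device("ceo-iphone", "ios", 6, True, "active", True),
    Device("sales-pixel", "android", 4, False, "active", True),
    Device("field-tablet", "android", 6, True, "stolen", False),
    Device("exec-galaxy", "android", 8, True, "active", False),
]

def report(fleet):
    """Map each device name to its (action, findings) pair."""
    return {d.name: evaluate(d) for d in fleet}

if __name__ == "__main__":
    for name, (action, findings) in report(FLEET).items():
        print(f"{name:13} {action:14} {'; '.join(findings) or 'compliant'}")
```

The ordering matters: a stolen device is wiped even if its settings were compliant, and a non-compliant device is quarantined before any location rule is considered.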

Network Security

Cybercriminals look for ways to get in between a mobile device’s communication and the back-end service they’re connecting to.

A Wi-Fi man-in-the-middle attack is when a hacker acts as an impersonator of one or both endpoints - stealing the information transmitted between legitimate users. If done correctly, these hacks become virtually impossible to detect and represent one of the more dangerous attacks on mobile information. Ways to reduce this risk include avoiding public Wi-Fi networks and turning off Wi-Fi service when you aren’t using it. Leaving Wi-Fi completely disabled so that communication is forced to move over a cellular network can also reduce some of this risk. But requiring users to access a corporate network using a full tunnel VPN solution provides even better protection against interception or modification.

Bluetooth is another avenue for hackers to enter your device. As convenient as an automatic Bluetooth connection can be for productivity and comfort, it can also present security risks. While many security problems identified in years past have been resolved, some are still an issue, not to mention the ever-looming “yet-to-be-discovered” ones. Avoid using unprotected Bluetooth networks and turn off your Bluetooth service when you aren’t using it.

Malware Security

Mobile devices have become big targets for cybercriminals, with attacks increasing exponentially each year. At the same time, malicious apps continue to be widely distributed on third-party app stores. Some organizations “whitelist” or “blacklist” applications - mostly manually - to reduce the infiltration of mobile malware, while others focus on limiting the source of applications to lessen these threats.

But malicious apps do frequently slip under the radar - even on official stores. And vulnerabilities discovered in legitimate apps require continual updates of OS and applications, which poses a big challenge for most organizations.

Because mobile malware has evolved so rapidly, traditional signature-based malware detection software can be easily bypassed, leaving those who use it with a false sense of security. To make things even more difficult, the mobile OS itself can sometimes present barriers to detecting malware.

Fortunately, there are Endpoint Protection Platform solutions available that use real-time, distributed threat intelligence and AI to defend mobile devices against malware in various operating stages (installation, execution, and post-execution).

Key Takeaways About Mobile Device Security

Mobile devices in the workplace are here to stay, and a wide variety of employee-owned devices make up a growing portion of them. Organizations have to address the unique management and security requirements of mobile devices, then incorporate those requirements into what used to be a fairly homogeneous end-user environment.

In terms of securing the network, we need to change the way we think about mobile devices. Mobile devices are essentially small computers that have a lot of data collection, computing, and storage power. They continually work to maintain a network connection with a reliable and satisfying user experience. At the same time, when used as a business tool, they leave your entire network vulnerable to security threats.

Why? The answer is two-fold. The first issue surrounds user behavior. Mobile device users are accustomed to installing applications whenever they need a tool to help them achieve desired results. They expect to be able to use mobile devices wherever they happen to be, and connect to cellular and Wi-Fi networks without much thought of security.

Mobile users are also notorious for figuring out how to disable or remove security features that impact their productivity. Without a combination of the right security protection and policy controls, these devices become a launching pad for malware to infiltrate your network.

The second issue has to do with management and monitoring. All too often, mobile devices are operating as blind spots in organizations that use traditional security solutions. Without valid information on the threats these devices pose, the right protections can’t be taken. The task of mobile management is even trickier if your organization allows employees to “Bring Your Own Device” (BYOD) or permits the use of internet-connected wearables (Fitbits/smartwatches) and voice-activated assistants (Echo/Google Assistant).

If you haven’t given much thought to the role of mobile devices in your overall network security equation, contact us for a risk-free, no-cost consultation. We’ll show how we can help fortify your security and set your business on the path to rock-solid protection.
