Back in the old days when information was only available on paper, corporate security was easy – just employ an ex-forces chap on the front desk to scare the living daylights out of staff and everything pretty much looked after itself.
And staff really did have to stop working the moment they walked out of the office as the information couldn’t come with them.
Today, though, not only are increasingly frayed staff effectively tethered to their jobs 24 hours a day via their home PCs and mobile devices, but their access to corporate information has never been greater.
Which is why no organisation today can have a lackadaisical approach to security, especially the mobile kind.
What makes mobile security particularly challenging is the range of attack vectors that can be deployed against mobile devices, and the fact that most of the devices will be only partially managed by the enterprise.
These threats range from simple device loss – via theft, for example – open or compromised Wi-Fi connections, and malicious apps or phishing techniques. At the same time, even legitimate apps can demand far-reaching privileges of users, such as the ability to switch on the phone’s microphone for purposes unspecified.
Basic defence, says Graham Cluley, the public face of Sophos Anti-Virus for more than a decade and today an independent security technology analyst, starts with a robust password – and that means more than the four-digit number used by the typical iPhone user (if they deploy any authentication security at all).
“A four-character number has just 9,999 combinations. You can connect the iPhone to a computer and brute force it in micro-seconds,” says Cluley. “And if you’re running Android, you definitely need an anti-virus programme running.”
However, he adds, new security features in iOS7 can render even a stolen device worthless. The “reactivation lock”, also known as the iCloud lock, enables users to remotely lock their lost or stolen devices, requiring the iCloud password to reactivate it – not even a full wipe of the device will enable it to be returned to active service.
Another frequent security lapse is connecting devices to open Wi-Fi connections, adds Cluley, which means that all of the user’s web surfing is likely to be transmitted in easily intercepted plain text, too. “I recently went to a security conference where the Wi-Fi was completely open. When I went on stage to give my presentation, I asked the people there, all professionals, whether they were using Wi-Fi – a lot of hands went up,” he says.
Cluley’s own personal measures include using a virtual private networking (VPN) service that encrypts his own internet usage. That costs a couple of pounds per month in subscriptions, but Cluley believes it’s worth it to ensure his data is protected, regardless of whether he is connected via the shonky Wi-Fi at a conference or his own mobile operator’s 3G or 4G connection.
Another attack vector unique to mobile devices – and ironically highlighted by the US National Security Agency (NSA), which itself is believed to have exploited the flaw – is the mobile phone’s “baseband” microprocessor.
This is a secondary chip designed to handle communications with the mobile network, with which a mobile device is constantly connected. Attacks taking advantage of bugs in the firmware – typically closed-source software, much of it produced by Qualcomm – emerged during 2012, some of which involve an attacker spoofing a cell tower, which can be done using open source software, such as OpenBTS.
Only firmware upgrades can guard against these attacks – assuming that the company that has written the software has spotted and patched the bug, and that it is rolled out by the user’s mobile operator.
Mobile device management
The question, though, is whether mobile device management (MDM) software is really a worthwhile investment for the average organisation, given its cost.
According to analysts Forrester Research, 71 per cent of organisations now view mobile device management (MDM) as a high priority. This is because not only are staff “bringing their own device” to work, they are also buying devices especially to facilitate work and even buying apps for work, too.
For organisations managing hundreds, even thousands, of devices, such software is a must, says Cluley, if only for the ability of the organisation to enforce security rules on devices – even to demand a “corporate partition” in which corporate apps and data will reside.
After all, whatever the security threats posed by mobility, simply returning to pen and paper is not going to happen.