Posted by: mobilitycloud | December 16, 2011

10 Best Practice Suggestions for Common Smartphone Threats

With the huge growth of mobility through smartphones and tablets that we are seeing in all facets of the industry, one thing we can't take for granted is how to protect your company's data from security breaches and the other threats that follow when that information falls into the wrong hands. I took the highlights of these suggestions, many of which are fairly common sense (but we won't get into that argument today); if nothing else, they highlight the need to have a good corporate IT policy in place on how to address these issues. At a bare minimum, sit down and draft a policy that all employees need to follow, and investigate Mobile Device/Application Management companies that, for a very low monthly fee, can help protect the data you consider critical, especially if you allow a Bring Your Own Device (BYOD) policy inside your firewall.

Dell Executive Summary

Today's smartphones and tablets represent the easiest means for a hacker to gain access to your corporate network. According to security vendor McAfee, the number of pieces of mobile malware grew by 46 percent in 2010, many of them on Nokia Symbian and Google Android™ platforms. At the same time, Forrester Research reports that 37 percent of workers recently surveyed said they've used their own smartphones for work. Smartphones lack an operating system as robust as Windows® or Linux®, so protecting the devices is much more difficult as they have fewer APIs and less functionality. Organized crime and nation states are focusing on smartphones since it's much easier to get the data they want. In this white paper we will discuss some of the most common threats and suggest high-level best practices that will help mitigate risks.

1) Wi-Fi Man-in-the-Middle Attacks – This means of attack is popular and effective today in coffee shops, bars, restaurants and airports that offer wireless Internet access without a password. In this environment, anyone else on the same network can hack your device in less than five minutes, downloading all your data, email, contacts, and files unless the data is encrypted. Even without hackers present, other devices, such as laptops, tablets, and smartphones infected with malware, can search for other vulnerable devices, infect them, and send information back to the hacker. Recommendation: Turn off your Wi-Fi unless you are at work or at home. Use a Mobile VPN product if your company has one. If you are encrypting your desktop/laptop, include the contents of your smartphone. Unfortunately, most smartphones purchased today have little or no encryption capability.

2) Bluetooth Man-in-the-Middle Attacks – When using your Bluetooth headset, others can easily listen to phone conversations, make calls, and of course download your data. Why would you secure the smartphone but leave this avenue via the Bluetooth headset open? Recommendation: Unless you are using an encrypted Bluetooth headset—the overwhelming majority are not encrypted—turn off Bluetooth and use a wired headset. Again, as a general recommendation, if you are encrypting your desktop or laptop, an encrypted Bluetooth headset is appropriate.

3) Lack of Awareness and Standardized Policies – Many security breaches, for mobile devices as well as laptops and desktops, occur because users don’t understand the risks associated with everyday actions. Recommendation: Create and maintain a portable media and device policy to describe expected employee behavior. Create an End User Acceptance Policy that contains clear requirements and expectations for mobile devices, including corporate-owned as well as personal-owned devices that are allowed to access enterprise resources. Educate all users on the content of these policies on a recurring basis, and update each as necessary to respond to the changing mobile device landscape.

4) Compromised Devices and Open Gateways – Stolen phones and devices log in to company networks every day, exposing corporate data to unauthorized disclosure or modification. Recommendation: Use a mobile NAC (Network Access Control) software solution that authenticates, reviews, and compares devices to your policies before allowing them into the corporate environment. Blocked devices that fail to meet the policy requirements can be quarantined to a site outside the DMZ. IT should require registration of employee-owned devices that will access corporate resources.

5) Social Media Vulnerabilities – Advanced and persistent hackers use social sites to collect data about you, your network of colleagues, and friends to create targeted and malicious emails. The personal info posted on these sites is used to help create a relationship of trust, in hopes that you'll open an email link connected to an infected website. Recommendation: Limit your employees' exposure on social sites by discouraging them from sharing personal data and closely reviewing "friend" requests and emails. Instruct them to never click on links in an email from people they haven't met personally – and even then, be wary.

6) Unprotected Corporate Data – Do you know what data should be protected and where it is physically located? If not, you're not alone. Most companies fail to perform any data classification and location assessments. The importance of data classification and appropriate security controls, like encryption and Data Leak Prevention (DLP) systems, cannot be emphasized enough. Recommendation: Perform a DLP storage assessment to understand where your key data and intellectual property sits. Implement controls appropriate to the risk of data loss.

7) IT Compliance Failures – Even as more corporate data is stored on personal devices, many companies have not adequately assessed the risks of allowing personal devices in their environment. Likewise, they fail to understand or implement the appropriate controls to ensure compliance with regulatory and corporate governance requirements. Recommendation: Review your company's governance requirements and the organizational risk appetite as part of an overall approach to mobility security. Implement appropriate tools, including mobile device management solutions to deploy and enforce corporate mobile policies, secure mobile messaging to encrypt corporate email on mobile devices, and secure mobile application development tools, which deliver mobile applications in encrypted containers to prevent unauthorized access. Each of these solutions allows for the remote deletion of corporate information from lost or stolen mobile devices.

8) Unmanaged Mobile Devices – Mobile devices left unmanaged by IT expose the corporate environment to excessive risk, including data leakage through connection to unauthorized networks and Bluetooth devices. Lax security controls may allow unauthorized access to corporate information if a device is lost or stolen. Recommendation: Implement a Mobile Device Management solution to provide centralized management and enforcement of corporate policies, password requirements, hardware and device control, certificate management, reporting, and problem alerting.
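Items 4 and 8 together describe one admission check: register the device, compare it to corporate policy (passcode, encryption, OS version, application control), and quarantine it with a recorded reason when it fails. The Python below is an added illustration of that check, not code from Dell or the white paper; the policy values, the Device fields, the blocked application name and the sample devices are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical corporate policy values, chosen for illustration only.
POLICY = {
    "min_passcode_length": 6,
    "require_storage_encryption": True,
    "require_registration": True,
    "min_os_version": {"ios": (5, 0, 0), "android": (2, 3, 0)},
    "blocked_apps": {"com.example.untrusted-sideloader"},  # constructed name
}

@dataclass
class Device:
    device_id: str
    platform: str              # "ios" or "android"
    os_version: tuple          # e.g. (4, 2, 1); tuples compare element-wise
    registered: bool           # enrolled with IT per the BYOD policy
    passcode_length: int       # 0 means no passcode set
    storage_encrypted: bool
    installed_apps: set = field(default_factory=set)

def evaluate(device, policy=POLICY):
    """Return ("allow" | "quarantine", reasons) for one device record."""
    reasons = []
    if policy["require_registration"] and not device.registered:
        reasons.append("device not registered with IT")
    if device.passcode_length < policy["min_passcode_length"]:
        reasons.append(f"passcode shorter than {policy['min_passcode_length']}")
    if policy["require_storage_encryption"] and not device.storage_encrypted:
        reasons.append("storage not encrypted")
    min_os = policy["min_os_version"].get(device.platform)
    if min_os is None:
        reasons.append(f"unsupported platform {device.platform}")
    elif device.os_version < min_os:
        reasons.append("OS version below minimum")
    blocked = device.installed_apps & policy["blocked_apps"]
    if blocked:
        reasons.append("blocked application(s): " + ", ".join(sorted(blocked)))
    # Every failed control is reported so IT can see why a device was quarantined.
    return ("allow" if not reasons else "quarantine"), reasons

# Constructed sample devices: one compliant, one failing several controls.
SAMPLE_DEVICES = [
    Device("phone-01", "ios", (5, 0, 1), True, 6, True),
    Device("phone-02", "android", (2, 2, 0), False, 4, False,
           {"com.example.untrusted-sideloader"}),
]

def triage(devices=SAMPLE_DEVICES, policy=POLICY):
    """Map device_id -> (decision, reasons) across a fleet of devices."""
    return {d.device_id: evaluate(d, policy) for d in devices}
```

Quarantined devices would be routed to the segregated site the paper mentions rather than simply dropped, so the recorded reasons can drive remediation.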

9) Smartphone Viruses – Viruses continue to spring up from untrusted marketplace applications. Current anti-virus software is only half as effective as needed, and free mobile applications with buried malware are making their way to users in greater numbers. The historic, signature-based approach to anti-virus is not likely to be effective for mobile devices. Recommendation: Companies should take a multi-tiered approach to securing their mobile devices. Implement a device management solution to manage security policies. Many device management solutions support allowing/blocking specific applications. Some solutions allow organizations to restrict application downloads to a private marketplace that contains only approved, reviewed applications. Use an encrypted email solution to prevent access to corporate email data in the event that a malicious application copies the device contents to a remote location.

10) Short Message Service (SMS) Attacks – Short text messages to phones and other mobile devices have increasingly become a vehicle for malware. It is one of the easiest ways to infect a phone. If the user clicks on a specially crafted message, malware can be deployed to the phone, providing full remote control of the device. Recommendation: Encrypt the phone's memory and storage. Use security software that blocks this type of malware, or turn off SMS if security is more important than this convenience.

Link to Dell Security White Paper
