NexGen Cloud: Mobile Security In Business Environments Remains Elusive Target
Mobile device security at work has become a major issue and, while processes and tools are available to secure the devices, people and good old-fashioned inertia continue to be weak links in the chain.
That's the word from Lance James, chief scientist at Flashpoint, the New York-based provider of business risk intelligence technology, who told solution providers and security vendors at last week's NexGen Cloud Conference and Expo that mobile threats must be identified and dealt with quickly. That starts, he said, by identifying the risks involved with mobile devices.
Risk assessment starts with identifying which assets must be protected, such as emails that can be accessed by multiple devices, said James, who also serves as consulting detective at Unit 221b, a New York-based provider of advanced cybersecurity services.
Businesses also have to identify the types of attacks they might face because of mobile devices. The dangers are as varied as someone intercepting messages or simply lending a mobile phone to another user, all of which could get malware on the device, James said. "It's not always an attack on the phone [itself]," he said. "It's often just a move to get malware on another device."
Businesses also have to identify potential types of attackers, whether they are looking for money, for social status, or for state secrets, he said.
Once such information is collected, it is possible to develop a risk matrix as a way of understanding where attacks might come from, James said.
A traditional risk matrix, expressed mathematically, says that risk equals the probability of an event times the severity of an event, he said. But when it comes to mobility, the equation is a bit more complicated.
Mobile risk equals the combination of intent and capability times the combination of vulnerability and exposure. "Intent" refers to the types of possible attacks; "capability" is the attacker's sophistication, ranging from script kiddies to nation states. "Vulnerability" defines the types of attacks that can actually be executed on a particular device, and "exposure" refers to what is being protected, he said.
Many users depend on two-factor authentication, which requires possession of a device combined with passwords, to protect information or assets, James said.
However, he said, in many cases, two-factor authentication is not perfect. Many applications like email have passwords that are saved in the device, so that if an attacker has access to the mobile phone, those applications and their data can be accessed without another password, he said. "Attackers can tailor attacks to cross-infect mobile devices to complete authentication," he said.
The bring-your-own-device movement in enterprises brings along policy enforcement issues, James said. "It's really hard to tell people to not bring their cell phones to work. … They'll work around it," he said.
One way to mitigate issues caused by using personal devices for work is the use of containers on the device, such as Samsung's Knox technology, James said. Separate containers allow automatic authentication of a business user via near-field communications as the device comes within range of the corporate Wi-Fi system, he said.
"Within the container context, you can reduce the attack surface," he said. "Containers can also help clean the systems."
Businesses should look at a variety of ways to mitigate issues related to mobile security, James said. These include encrypting all data, making sure virtual private networks and audit trails are used, ensuring S/MIME (Secure/Multipurpose Internet Mail Extensions) is used with email applications, and storing data using a managed service, he said.
The mobile industry as a whole still has work to do, James said. For instance, data sent over Bluetooth is currently unencrypted, but there should be some way to let businesses know that Bluetooth is a secure protocol. Also, there need to be easier ways to use mobile devices over VPNs, he said.
James finished with a friendly warning to Android device users to seriously consider using a password instead of the simple finger movement "puzzles."
"I've seen a guy who can see users' puzzles via the reflection off their glasses," he said.
Personal devices on corporate networks have become a huge concern, said Stephone Darby, president and CEO of Advanced Information Technologies, a Florence, Ala.-based managed service and cloud service provider for small businesses.
"If people who bring in their own devices can't conform to corporate policies, this creates risk," Darby told CRN. "We are looking for ways to better manage devices."
Darby said he was at the NexGen Cloud Conference primarily looking for mobile security solutions for his company's small business customers.
"Small businesses are still not seeing mobile security risks unless companies like us point it out," he said. "Actually, they're not seeing security risks in general."