Common Mobile Security Vulnerabilities for SMBs
Corporate security has always been a major concern. Security programs are designed to keep everything the company controls behind a security perimeter, while everything outside the company's control stays outside that perimeter. Mobile security once dealt only with the cases in which employees took company assets outside the perimeter, on business trips or while telecommuting from home. Today's landscape also has to deal with the rise of uncontrolled electronic mobile devices, such as smartphones, personal tablets and wearables, coming inside the security perimeter. Security has to consider software vulnerabilities as well as hardware and network ones. Yet the greatest vulnerability may still be employee knowledge and behavior.
Access by Legitimate Mobile Apps
Employees may be unwitting agents of security breaches and information loss every single day. The scenario is simple. They own a smartphone which they carry to work each day. The phone has access to millions of applications designed to make life and work more comfortable and easier to manage. They download a productivity application or similar app and grant it sweeping permissions, including access to their company's network. Now personal and corporate data alike is sent to a remote server and to advertising networks, where it can be mined by hostile governments and cybercriminals. The employee has good intentions and the application is relatively harmless, but given the right set of circumstances and a malicious mind, a great deal of information is lost.
Knowledge Deficiencies and Carelessness
Many employees do not believe that data security is their responsibility. They may even believe that corporate information is secure when a host device such as a laptop is lost or left in a restaurant. They may not be aware of the risks of accessing corporate networks while sitting in their local coffee shop and using the unsecured WiFi provided as a matter of customer service. Employees simply do not understand the risks associated with mobile devices, and security teams generally do not have the resources or time to provide adequate training to everyone. There was a time when mobile security risks were limited to a small number of employees, but now any person, whether employee, vendor or customer, can be the host of a potential attack.
As corporations adopt cloud services to reduce overall IT costs and improve productivity by making information available at any time and from anywhere, companies are likely to provide access to cloud data through multiple interfaces, including mobile devices. The cloud infrastructure may be highly secure, but authentication attacks on mobile devices may grant immediate or delayed access to data residing in the cloud. So while the data on the mobile device is attractive, the data the device can access is even more so. Most mobile devices do not have passwords enabled, making access even easier.
Rogue Access Points
Connection hijacking is a growing concern. Mobile devices are prime targets for attackers seeking an entry point into corporate networks. An unknowing employee sits down at a local restaurant and opens their laptop to access a file on their company's internal network. A nearby attacker uses the opportunity to perform a man-in-the-middle attack, certificate forgery, or DNS poisoning.
Consumer habits are easy to exploit. Malware can easily be disguised as a game, security patch, utility or legitimate application, and most users are not savvy enough to tell a legitimate application from malware. Users download the disguised malware, and attackers then have access to data stored on the device, data transmitted to and from the device, and data accessed from the device. Mobile devices often do not come with security software preinstalled.
Nature of the Beast
Mobile devices are rife with the same vulnerabilities that most security professionals work diligently to overcome on desktop computer systems and laptops. Flaws in the operating system (such as the Android fragmentation issue), out-of-date operating systems and software on the device, configurations allowing unlimited access to the Internet, and a lack of encryption in wireless transmissions are all security vulnerabilities, and all are commonly found on mobile devices, whether the fault lies with the manufacturer, the service provider, or the user.
Mobile Device Policies
SMBs are the least likely to define an effective mobile device policy covering rules for authentication and restrictions on personally identifiable information (PII) for mobile devices and email. Every company should have such a policy in place and require employees to read and sign it before receiving a company-owned mobile device or being granted permission to access company resources from personal mobile devices. The mobile device policy is the first step in building a firm security position against the vulnerabilities brought on by a mobile society.