Mobile Device Security: What s Coming Next?

Transcription

1 Mobile Device Security: What s Coming Next? By James Lyne, Director of Technology Strategy The mobile device revolution is quite possibly the most significant change in computing since we shifted from the mainframe more than 20 years ago. These handheld devices offer connectivity almost anywhere for constant access to the Internet, and more computing power than the NASA control room for the first moon landing.

2 What s coming next, and what does it mean for security? Your mobile device knows where you are, where you are supposed to be and the details of your conversations and business or personal life. We can now instantly connect our real lives to digital information purchasing tickets, sharing business data or connecting with friends who happen to be nearby. Mobile devices and their rapid development are already helping busy professionals to conduct business and manage their personal lives on the move. But what key technologies are driving the mobile revolution, what happens next, and what are the security implications? New technology, new privacy and security issues It s inevitable that mobile devices will grow more powerful and become ever more integrated into our personal and work lives. We ve seen this in just a short space of time with the big changes in popular platforms like the iphone. Greater computing power and downsizing will make these devices an increasingly viable replacement for the conventional PC, rather than just a supplemental tool. We can also expect further diversification of form factors; the tablet PC has already had immense success but more challengers will follow, including Microsoft s entry in to the hardware market. These new device form factors will blur the boundary of the PC and the mobile until over time they are one. While many of us naturally worry about traditional attacks like malware and phishing on these new devices (and without doubt these issues do exist), new functionality breeds fresh opportunities for the bad guys. New features like augmented reality, facial recognition and integrated social media could leave users open to new kinds of abuse. Augmented reality, for example, connects location information with a user s social media friends, allowing them to identify digital contacts nearby. Many of us are far more scrupulous about real friends than our digital connections. This opens up new possibilities for social engineering, such as figuring out when you are away from your home for crime purposes (sites like PleaseRobMe.com do just this). Facial recognition technology and the tagging of users in photos on social media sites blur the work-home boundaries even more. For example, police officers have already come under attack after their identities were breached by social media and facial recognition technology. NFC (near field contact) technology is another interesting example of innovative technology that aims to deliver convenience for consumers. Some devices already have NFC active and there is a push to use NFC technology to make payments or pass on personal information with a simple swipe of a mobile device over a reader. However, it will introduce a new challenges for security professionals as mobile devices become a target to steal money. A Sophos Whitepaper October

3 The more data we make available on our mobile devices, the more ways bad guys have to create attacks designed to compromise our personal lives, businesses and finances. Equally, the more applications and new capabilities we use the more we increase the attack surface area for the bad guys. Security is not the only problem. Privacy will be challenged too. As we adopt more of these technologies for convenience, we can expect our lives to come under greater surveillance, with mobile devices becoming a combination of a passport, personal record store and social life. A change of attitude Alongside these radical technology changes, business expectations have also changed. Only a few years ago enterprises wanted to block social media sites and non-standard, unmanaged devices. Now we are all consciously trying to embrace these technologies. Organizations now employ teams of people entirely focused on using social media as a channel to market. The default answer to new technology is becoming yes rather than no. We need a new attitude toward information security: Embrace or die. This change of attitude also impacts the future of mobile security and applications. Information security presents us with the interesting challenge of managing risk of allowing devices that in some cases are less secure and more expensive to manage. Mobile applications, the browser and fat clients Mobile devices have been disruptive to the technology we use to produce applications. Over the past few years browser-based applications have challenged the traditional fat client. This is primarily due to their cross-platform capabilities and the fact that they can be accessed from anywhere (or any device). Local mobile applications are growing in number, spurred on by rapid application development frameworks. It s easy to write an app, which is why you can find an app for anything. These applications can also contain vulnerabilities. We ve seen evidence that app writers ignore even basic security best practices. For example, passwords or user data are often poorly encrypted (if at all). Fat clients and browser clients often provided secure APIs and services for these functions. Mobile operating systems increasingly do too, but developers are not consistently using them. Because these platforms lack visibility to back end configuration, these mistakes don t often come to light. Due to a lack of transparency, we don t know how comprehensive application quality checks like Apple s are. The so called walled garden claims to keep bad applications out. But numerous demonstrations of researchers uploading malicious applications show that this security is not a panacea. That said, the volume of malware for Android has far outstripped what we ve seen for Apple. We can expect more challenges at the application layer in the coming years. A Sophos Whitepaper October

4 A different architecture for a different time Mobile devices are not just a smaller version of the traditional PC. The underlying operating systems, from Android to ios, are fundamentally different from PCs and manufacturers have introduced new concepts based on lessons learned from traditional operating systems. Modern mobile platforms tend to include capabilities like sandboxing technology which can isolate applications. The access control and permission systems have also undergone drastic reform from the conventional OS. Rather than a permissions system based on access to arbitrary items like registry keys, they instead focus on more human access permissions, such as whether an application needs to access your location data or SMS messages. These capabilities show great promise for producing a more secure, usable OS. But they are far from perfect. Many of these controls do not come with smart, secure defaults or rely on the user to edit the permissions of an application being installed. And we all recognize the tendency for users to just click OK. Sandboxes are also limited by the need for flexibility and functionality, so aren t complete solutions. However, security vendors can use them to bolster the security of the device by managing them. Mobile device makers are also starting to define their architectures based on modern working practices. BlackBerry, for example, has introduced a feature which provides two isolated working environments on the same device, allowing you to separate work and play data. This creates a trustworthy and secure business environment alongside the flexibility to play games or perform personal tasks. These features combined with security vendors offerings could make for very usable, more secure devices. Unfortunately, to date these solutions have been plagued by poor performance, user experience and battery issues. Malware, hacking and phishing Malware attacks against mobile devices don t come close to the number of attacks against the conventional PC, but they do exist. Android, in particular, has suffered attacks due to its more open application market. But even those with a strong security reputation like BlackBerry have been victims too. Mobile malware we ve seen to date includes fake Internet banking applications which steal your credentials and your money, and in some cases your authentication token code sent by a bank via SMS. Some have been predicting disaster in the mobile security space for many years, and mostly it s been little more than hype. But over the past 12 months we have seen a significant volume of malicious code for Android and other platforms. That said, the threats are still relatively simple and easy to avoid compared to prolific PC malware. This is definitely an area that enterprises need to keep their eye on as the threats evolve. A Sophos Whitepaper October

5 Regulators, compliance and mobile devices Compliance standards continue to evolve, increasing the powers of regulators and enhancing compliance requirements to include full-disk encryption. These standards focus on the PC as the main source of data loss. However, these standards and laws can be equally applied to mobile devices. The form factor of the technology is not an excuse for data loss. Be aware that mobile devices lacking basic compliance controls pose just as much risk to your data compliance as a PC. As more data breaches occur via mobile devices, we are bound to see more sanctions and specific regulation for them. Of course, the requirement for controls and policy may be the same for mobile devices as PCs. But the technical implementation on mobile devices will differ significantly. Pace of development and innovation Perhaps the most significant challenge to mobile device security is the pace of innovation and development on mobile platforms. Where traditional computers might evolve on an month cycle, mobile platforms are changing on a quarter-to-quarter basis, or even more frequently. This velocity of change means users will adopt new applications and ways of sharing data before the security community has a chance to understand the privacy and security implications. As security practitioners we will need to keep re-evaluating these devices and applications to identify new evolving risks. Security solutions will need to be agile and updated faster than before as new issues come to light. Security becomes even more of a service, with constant updates. Although applications and services on the device may update automatically, OS updates for devices often depend on user interaction. This poses the risk that devices missing these updates can be open to vulnerabilities. Jailbreaking of iphones is an excellent example of user desired malware which uses security holes. Jailbreaking allows users to customize their device more than Apple allows and run pirated applications. It s a fairly widespread practice, but it leaves the devices open to malware attacks. The infrastructure for updating and patching security vulnerabilities in mobile devices is far less evolved than the traditional computer industry. Perhaps we should take a look at the lessons Microsoft has had to learn over the years. A Sophos Whitepaper October

6 The user perception issue We ve all been using smartphones for some time now and are accustomed to buying applications or banking online. However, end users of mobile devices seem to feel immune from the risks they acknowledge when they use a PC. We suspect this feeling of invulnerability comes from users having experienced scams or malware on their PC but not on their mobile device. The problem is that users may view these devices as eminently secure, when in reality they are not. When the tide turns and cybercriminals more closely target mobile devices, it may take time for users to understand the threats. Many enterprises have an acceptable use policy and security training for employees on how to protect data and avoid compromise. But some businesses ignore mobile devices as part of their security training. Make sure you modernize your awareness training and get users thinking about mobile device security now, before the security risks become too great. Applying security lessons we ve learned As an industry we ve learned a great number of lessons about producing secure software and enabling security vendors to produce solutions. Vendors and businesses enjoy a relatively supportive relationship with the traditional OS vendors, enabling them to deliver the required security controls. It s far from perfect, but we ve made progress. With these new devices, we are now moving to a new vendor ecosystem. New vendors, including Google and Apple, have different processes, attitudes and levels of expertise. Mobile security has been held back by an absence of APIs. And vendors have in some cases made the same mistakes as the PC industry in the areas of credential security, encryption and privacy. It s critical that these vendors apply the lessons of the traditional PC, rather than starting over. We all need to make sure we apply appropriate pressure on vendors to deliver smart, secure defaults. And we should institute good security capabilities as minimum requirements for mobile devices. Future security tools Future mobile security solutions will need to integrate device, OS and vendor capabilities. Some capabilities will be provided by the device in hardware (e.g., full volume encryption) or the OS (e.g., sandboxing) but will be managed and reported on by security vendors. Anti-malware capabilities will be increasingly required, although they will not be the same as their PC counterpart. Sophos Mobile Security for Android, for example, takes a fundamentally different cloud-based approach to dealing with the malware problem. As mobile devices begin to replace the PC, the delivery model for security will need to evolve. The traditional inspection points for DLP or IPS, for example, will need to work wherever you A Sophos Whitepaper October

7 may be, across many platforms. Tips for planning your mobile security strategy Overall, the mobile security market today is relatively immature and there is a lot of work to do to develop the right security controls on mobile devices. It may be tempting to start with the concept of a comprehensive security offering for mobile devices including antivirus, DLP, HIPS, encryption, app control (and so on). But in reality these capabilities are not yet broadly available or in many cases possible to deliver. Priority one for your mobile security strategy is to get the basics under control. Most data breaches occur due to basic configuration failure: poor passwords, lack of encryption, poor patching or social engineering. Over time mobile threats and the available security controls will evolve. In the meantime, we recommend that you start planning now for the long term. Follow these tips to start planning your mobile security strategy. 1. Continue to evolve. Perhaps the most critical aspect of your long-term strategy is updating and revising it. Mobile devices and technology are going to evolve at an incredible rate, and a conventional three-to-five-year IT strategy is unwise. You should define a six-month strategy and constantly re-evaluate new risks. It is likely user demands and business requirements will change as fast as the market. 2. Keep an eye on compliance. Plan for mobile devices to be more explicitly included in your compliance and regulation requirements, not just the traditional PC. 3. Mind your platforms. Any technology solutions you adopt (such as device management) should be applicable to devices of any type and OS. Popular devices will change quickly and you need to future proof your security controls as much as possible. There is a risk that as you adopt more device types you increase the cost and complexity of managing them. Challenge vendors to solve this issue for you with broad platform support. 4. Manage personal device use. Carefully look at the combination of work and personal data on mobile devices. These devices are often the extreme scenario, blending work and personal contacts, and data into one UI with little differentiation for the end user. Deploy policies and practices to help users avoid making silly mistakes which lead to compromising themselves and your business. You should also carefully review the employee contracts and legal rights that change with a blended device versus the traditional work-only platform. 5. Invest in user awareness. Your users need to understand that their mobile devices are not completely secure. Help your users to appreciate the value of the information (both personal and business) on their devices. Security is a combination of people, process and technology. Make sure your users stay aware of threats as they evolve. A Sophos Whitepaper October

8 6. Go broad. Don t be overly clinical with your definition of mobile devices. Different form factors are evolving every day and your strategy needs to encompass tablets, smartphones and other potential embedded devices. That said, it would be wise to authorize a specific list of devices. Many enterprises allow specific versions of an OS which include minimum required security capabilities like full-disk encryption. As the devices mature, your list will grow longer. 7. Embrace or die. Entirely resisting new devices and technologies is not a tenable position for most organizations. Allowing certain devices like the ipad at an appropriate level of security in your organization will give you points with employees. That good will allows you to ban more risky technologies, and helps you avoid insecure adoption under the radar. 8. Get the basics right. Patching, good passwords and proper configuration of inbuilt security controls can go a very long way. Yet many enterprises still put themselves at risk by introducing these devices without enabling these controls. 9. Watch this space. At Sophos, we re releasing new mobile security controls as the platforms and problems evolve. Customers running our mobile security capabilities are linking in to a journey as the issues evolve, rather than a final mobile security capability. Sophos EndUser Protection Try it now for free United Kingdom Sales: Tel: +44 (0) sales@sophos.com North American Sales: Toll Free: nasales@sophos.com Australia & New Zealand Sales: Tel: sales@sophos.com.au Boston, USA Oxford, UK Copyright Sophos Ltd. All rights reserved. All trademarks are the property of their respective owners. A Sophos Whitepaper 10.12v1.dNA