Simplifying the Challenges of Mobile Device Security




WHITE PAPER Three Steps to Reduce Mobile Device Security Risks

Table of Contents

Executive Overview
Mobile Device Security: Just as Critical as Security for Desktops, Servers, and Networks
Find the Risks: A Vital First Step in Mobile Device Security
Put Mobility In-Context: Integrating Mobile Device Security with Vulnerability Management
Close the Gap: Centralized Management of Mobile and Physical Environments
Built-In Custom Audits
Act Now to Safely Embrace the Consumerization of IT
Next Steps
About BeyondTrust

2013. BeyondTrust Software, Inc.

Smartphones and tablets are invading the workplace, along with the security risks they bring with them. Every day these devices go unchecked by standard vulnerability management processes, even as malware on phones and tablets continues to increase at rapid rates. Leaving mobile security out of your integrated security strategy opens your network to security breaches, data loss, intellectual property theft, and regulatory compliance issues. This whitepaper introduces three steps that mid-size and large enterprises can take immediately to reduce security risks around mobile devices and improve overall security management.

Executive Overview

A wide range of mobile devices, from BlackBerrys and Droids to iPhones and tablets, is invading the workplace. Front-line employees as well as senior management now demand the freedom to bring their own devices to work and interact with corporate networks and data. However, the security risks that come with those mobile devices typically go unchecked by traditional security management processes and vulnerability management products, even as malware on smartphones and tablets continues to increase at rapid rates.

In some cases, IT security managers may simply be unaware of the threats that exist in this environment. In other cases, attacks may occur through mobile devices, but IT has no way to determine the occurrence of an attack or the source of the attack. In both situations, IT security teams are struggling to understand the true extent of their mobile security risk. And, for those IT security pros who are keenly aware of mobile device security threats, many have struggled to find a simple solution to discover weaknesses within their mobile environment. In short, few solutions have existed to help detect mobile vulnerabilities.

But make no mistake about it: leaving mobile security out of your overall integrated security strategy opens your network to breaches, data loss, intellectual property theft, and regulatory compliance issues. With the use of smartphones and tablets on corporate networks rising sharply, preemptive measures are needed. This whitepaper introduces three steps that mid-size and large enterprises can take immediately to find mobile device vulnerabilities and minimize the risk.

Mobile Device Security: Just as Critical as Security for Desktops, Servers, and Networks

Mobile devices are becoming more prevalent in the workplace. According to recent reports, more than 80 percent of employees now use personal smartphones for work-related purposes. And according to other research, the creation of malware for smartphones and tablets was up 273 percent in the first half of 2011. These situations create major security challenges for IT managers, and the extent of the IT security problem will only increase over time.

According to Gartner, enterprises are forced to accommodate consumer devices because employees now insist on having just one device for both business and personal use. This makes mobile security an even greater challenge for IT security managers as they struggle to understand and minimize the security risks that come with these devices.

The challenge is not going away and is likely to grow rapidly in scope, scale, and complexity. The threats themselves are also going to grow exponentially, as described in a recent report from IBM X-Force, which documents a steady rise in the disclosure of security vulnerabilities affecting mobile devices and finds that:

- Malicious software targeting mobile phones is often distributed through third-party app markets.
- Mobile phones are an increasingly attractive platform for malware developers as the sheer size of the user base grows rapidly.
- Mobile malware is often capable of spying on a victim's personal communications as well as monitoring and tracking their physical movements via GPS capabilities.

Given that many employees use their smartphones for both corporate and personal use, problems like these pose a major threat to otherwise-protected corporate networks. But the problems have also been difficult to address because IT often treats these devices differently, separating mobile device security from its overall security and vulnerability management practices.

Find the Risks: A Vital First Step in Mobile Device Security

The first step in mobile device security is to identify and inventory all threats. According to a 451 Group report, "We believe most security and IT administrators have turned a blind eye to scanning for weaknesses in mobile device hardware, applications, and configurations as so few tools have existed to help detect mobile vulnerabilities."

Many mobile device vulnerabilities originate from mobile applications. Downloadable apps present many security issues, including malware, which launches malicious attacks, and spyware, which can be exploited for malicious purposes, including collecting sensitive information from the infected device. And because mobile devices are constantly connected to the Internet, Web-based threats have become a major problem. This includes phishing scams, which can be unleashed via websites, e-mail and text messages, and social media sites such as Facebook, LinkedIn, and Twitter. Mobile Internet users are also subject to drive-by downloads when visiting malicious Web pages, or to browser exploits delivered through a vulnerable Flash player, PDF reader, or image viewer.

When you add in the vulnerabilities that can germinate from within mobile-device hardware and firmware, along with those caused by incorrect device configuration and end-user failures to follow password policies, IT has a wide range of vulnerabilities to discover and inventory across all mobile devices accessing the corporate network. This can be a massive challenge if the right solution is not used.

Does BlackBerry = Security?

The long-popular BlackBerry device is perceived to be secure, particularly in comparison to Android and iPhone devices. This is understandable, since BlackBerry has gained a reputation in the mobile space during the past decade as the most secure handheld device and mobile platform available. But the popularity of BlackBerry and its breadth of applications has also brought with it an increasing number of vulnerabilities in both BlackBerry servers and devices. Blind trust security does not equal security.

To ensure security for these devices, patches and updates must be loaded on a regular basis, and there are always configuration issues to be concerned about. In addition to staying on top of patches and updates, organizations need to monitor whether the users of these devices have disabled their passwords or violated the password policy. Similarly, it is important to identify and monitor whether or not they have installed unauthorized applications.

Put Mobility In-Context: Integrating Mobile Device Security with Vulnerability Management

The security risks that come with mobile devices typically go unchecked by traditional vulnerability management practices. However, it's important to analyze mobile vulnerabilities within the context of, and alongside, all vulnerabilities associated with the network. This comprehensive view will allow for the most appropriate resolution based on the risks of operating the business and protecting its data.

To put it another way, high risk is high risk: whether it's a vulnerability that might impact servers, the network infrastructure, desktops, or mobile devices, it is still a risk. Instead of considering each vulnerability area separately, consider them all at once. To do this effectively, IT needs a centralized, consolidated view of all vulnerabilities, mobile and non-mobile. Only then can IT make the best decisions around what to fix first.

Leading vulnerability management solutions assist with this step by providing centralized management of all vulnerabilities, from mobile devices to desktops and servers, allowing IT to reduce overall security risk by extending vulnerability management to mobile devices.

Doesn't my Mobile Device Management (MDM) solution provide sufficient security?

Some enterprises have turned to a Mobile Device Management (MDM) solution to provision and manage mobile devices. Although these mobile device management platforms work well for their primary purpose (specifically, device provisioning and management), they are not built for assessing mobile vulnerabilities. Adding a complementary product that specifically scans for weaknesses in mobile device hardware, applications, and configurations is needed to reduce mobile risk.
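
As an added illustration of the consolidated view described in this section (not code from the white paper or from any BeyondTrust product), the Python example below audits a constructed mobile device inventory for the issues named earlier (disabled passwords, outdated OS versions, unauthorized applications) and ranks the results alongside non-mobile findings on one severity scale. The record fields, policy baselines, and severity scores are all assumptions made for the example.

```python
from dataclasses import dataclass

# Policy baselines below are constructed for this example, not vendor guidance.
MIN_OS = {"android": (4, 2), "blackberry": (7, 1), "ios": (6, 1)}
APPROVED_APPS = {"mail", "calendar", "vpn-client"}

@dataclass(frozen=True)
class Finding:
    asset: str
    kind: str       # "mobile", "server", "desktop", ...
    issue: str
    severity: int   # shared 1-10 scale so all asset types rank together

def parse_version(text):
    """Turn a dotted numeric version such as '4.0.4' into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))

def audit_device(dev):
    """Check one inventory record (a dict) against the mobile policy."""
    asset = f"{dev['owner']}/{dev['platform']}"
    found = []
    if not dev["password_enabled"]:
        found.append(Finding(asset, "mobile", "device password disabled", 9))
    baseline = MIN_OS.get(dev["platform"])
    if baseline is None:
        found.append(Finding(asset, "mobile", "platform has no baseline", 5))
    elif parse_version(dev["os_version"]) < baseline:
        found.append(Finding(asset, "mobile", "OS below patch baseline", 8))
    for app in sorted(set(dev["apps"]) - APPROVED_APPS):
        found.append(Finding(asset, "mobile", f"unauthorized app: {app}", 6))
    return found

def consolidated_view(devices, other_findings):
    """Merge mobile audit results with other findings, highest risk first."""
    merged = list(other_findings)
    for dev in devices:
        merged.extend(audit_device(dev))
    return sorted(merged, key=lambda f: (-f.severity, f.asset, f.issue))

# Constructed sample data: two devices and two non-mobile findings.
DEVICES = [
    {"owner": "alice", "platform": "android", "os_version": "4.0.4",
     "password_enabled": True, "apps": ["mail", "flashlight-free"]},
    {"owner": "bob", "platform": "blackberry", "os_version": "7.1.0",
     "password_enabled": False, "apps": ["mail", "calendar"]},
]
OTHER = [
    Finding("web01", "server", "missing OS patch", 7),
    Finding("db01", "server", "default admin password", 10),
]

if __name__ == "__main__":
    for f in consolidated_view(DEVICES, OTHER):
        print(f"{f.severity:>2}  {f.kind:<7} {f.asset:<16} {f.issue}")
```

In the ranked output, both mobile findings for the disabled password and the outdated OS sit above the server's missing patch, which is the "high risk is high risk" ordering the section argues for.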
Close the Gap: Centralized Management of Mobile and Physical Environments

BeyondTrust Digital Security recently released a new version of its flagship product, Retina, which dramatically reduces security risks in physical and mobile environments. Retina CS is the first vulnerability management solution to provide mobile device assessment as part of its unified vulnerability management solution, decreasing mobile security risks and protecting against data theft.

Retina CS helps medium and large enterprises address the challenge of thwarting mobile threats by first scanning for vulnerabilities across all devices, regardless of whether or not each mobile device is connected to the corporate network during the time of the scan. Retina CS also provides built-in and custom audits to scan for weaknesses in mobile device hardware, applications, and configurations. And built-in reports provide guidance for risk prioritization and remediation.

Built-In Custom Audits

Easily scan for weaknesses in mobile device hardware, applications, and configurations with built-in audits. These audits scan for standard vulnerabilities as well as configuration and policy violations. Or, create custom audits to scan for custom configurations/policies or applications.

[Figure: Sample Built-In Audits]

[Figure: Sample Custom Configuration and Policy Audits]

[Figure: Sample Custom Application Audits]

Out of the Box Mobile Management

Easy-to-use reporting displays and ranks vulnerabilities involving devices and applications as well as policy violations to accelerate risk prioritization and remediation.

[Figure: Sample Mobile Vulnerability Report]

[Figure: Sample User Interface for Mobile Assets]

Retina CS provides these capabilities while reducing the effort required by IT to securely manage their environment. Retina CS includes a simple-to-deploy connector interface or mobile agents that are securely connected to the mobile device repository (BlackBerry Enterprise Server or ActiveSync), deployed as agents on Android devices. Vulnerability discovery, reporting, and management are performed via a single tool, streamlining the remediation process and reducing exposure to risk.

Act Now to Safely Embrace the Consumerization of IT

As the consumerization of IT continues, mobile security is an increasingly serious IT security problem. The visibility that Retina CS provides eliminates the blind spots mobile devices can create, reducing security risks in both physical and mobile environments. With Retina CS, organizations can gain visibility into the risks associated with mobile devices residing on their network. It also provides best-practice methods for including mobile device security as part of the organization's overall security program.

Deploying Retina CS is critical for enterprises that plan to embrace the bring-your-own-device-to-work approach. Retina CS helps enterprises move efficiently and effectively through the three key steps defined above so that they can monitor, control, and determine what each mobile device that accesses the corporate network is and the risk that each device imposes. To successfully ride the consumerization of IT wave, organizations must prepare now to identify what devices are being let in and the risks they bring with them.

Next Steps

Get Retina CS Community, for free

Retina CS Community, a free security console for up to 128 IPs, provides centralized vulnerability management, vulnerability assessment for BlackBerry mobile devices, and Microsoft and third-party application patching.

About BeyondTrust

With more than 25 years of global success, BeyondTrust is the pioneer of Privileged Identity Management (PIM) and vulnerability management solutions for dynamic IT environments. More than half of the companies listed on the Dow Jones Industrial Average rely on BeyondTrust to secure their enterprises. Customers include eight of the world's 10 largest banks, seven of the world's 10 largest aerospace and defense firms, and six of the 10 largest U.S. pharmaceutical companies, as well as renowned universities. The company is privately held and headquartered in Carlsbad, California. For more information, visit beyondtrust.com.

CONTACT INFO

NORTH AMERICAN SALES
1.800.234.9072
sales@beyondtrust.com

EMEA HEADQUARTERS
Suite 345 Warren Street
London W1T 6AF
United Kingdom
Tel: + 44 (0) 8704 586224
Fax: + 44 (0) 8704 586225
emeainfo@beyondtrust.com

CONNECT WITH US
Twitter: @beyondtrust
Facebook.com/beyondtrust
Linkedin.com/company/beyondtrust
www.beyondtrust.com