Notes

Dyman & Associates Risk Management Projects: 75% of mobile security breaches will result from misuse


With use of smartphones and tablets on the rise and sales of traditional PCs on the decline, attacks on mobile devices are maturing, says IT research and advisory firm Gartner Inc.

By 2017, the focus of endpoint breaches will shift to tablets and smartphones. And, according to Gartner, 75 percent of mobile security breaches will be the result of mobile application misconfiguration and misuse.

Common examples of misuse are “jailbreaking” on iOS devices and “rooting” on Android devices. These procedures allow users to access certain device resources that are normally unavailable — and remove app-specific protections and the safe "sandbox" provided by the operating system, putting data at risk.

Jailbreaking and rooting can also allow malware to be downloaded to the device, enabling malicious exploits that include extraction of enterprise data. These mobile devices also become prone to brute force attacks on passcodes.

According to Dionisio Zumerle, principal research analyst at Gartner, a classic example of misconfiguration is improper use of personal cloud services through apps residing on smartphones and tablets. “When used to convey enterprise data, these apps lead to data leaks that the organization remains unaware of for the majority of devices," he said.

The best defense for an enterprise is to keep mobile devices fixed in a safe configuration by means of a mobile device management policy, supplemented by app shielding and "containers" that protect important data.

Gartner recommends that IT security leaders follow an MDM/enterprise mobility management baseline for Android and Apple devices as follows: ask users to opt in to basic enterprise policies, and be prepared to revoke access controls in the event of changes.

Users who are not able to bring their devices into basic compliance must be denied (or given extremely limited) access; require that device passcodes include length and complexity as well as strict retry and timeout standards; specify minimum and maximum versions of platforms and operating systems. Disallow models that cannot be updated or supported; enforce a "no jailbreaking/no rooting" rule, and restrict the use of unapproved third-party app stores.

Devices in violation should be disconnected from sources of business data, and potentially wiped, depending on policy choices; and require signed apps and certificates for access to business email, virtual private networks, Wi-Fi and shielded apps. IT security leaders also need to use network access control methods to deny enterprise connections for devices that exhibit potentially suspicious activity.

"We also recommend that they favor mobile app reputation services and establish external malware control on content before it is delivered to the mobile device," said Zumerle.

Mobile security trends will be discussed at the Gartner IT Infrastructure & Operations Management Summit 2014, June 9–11 in Orlando, Fla.