Pocket Guide To Securing Mobile Devices

Smartphones, tablets, and other mobile devices are forcing enterprise IT managers to re-evaluate how they secure technology.

With workers more likely to use a personal device for work, companies are less likely to be able to specifically configure the mobile devices that have access to the corporate network. Add to that the fact the software ecosystem surrounding mobile devices is, to a large degree and depending on platform, closed. Less access means attackers have a harder time hacking the devices, but that also means third-party firms are harder pressed to provide solutions to the problems mobile devices do have.

For those reasons, the recommendations are that, rather than focus on securing each device, IT groups should look to educate users, set good security policies, secure access, and help manage the devices, says John Engels, principal product management for Symantec's enterprise mobility group.

"We are trying to surround the devices with security and protect and control what goes into the device and what comes out of it," Engels says.

A key component to the approach is mobile device management (MDM), which initially took off as a way to keep track of all the costs associated with a company's gaggle of cell phones, but increasingly has a security role as well.

The four major threats to mobile devices are device theft (or forgetful employees), wireless network sniffing of communications, malicious software, and the infrequent direct attack. Of those four major threats, however, MDM mainly solves only one: lost and stolen devices, says Dan Hoffman, chief mobile security analyst for Juniper Networks.

"When you look at mobile device management, it does nothing for malware, nothing for a direct attack, and nothing for data communication interception," Hoffman says.

For that reason, companies have to look beyond just adopting MDM solutions, he says. Here are four recommendations:

1. Know the threats.
As any carny knows, the easiest mark is one who is not paying attention.

Employees who do not understand the possible mobile attacks make far easier victims than workers educated about the threat. For that reason, education and good security policies are of paramount importance in dealing with consumer-owned mobile devices.

"Make your employees aware of the security risks: A smart user is more secure than a dumb user," says Brian Reed, vice president of products at mobile-device management firm BoxTone.

The education of users around selecting passwords, paired with a good remote wipe policy, is a good example.

Because the principal threat to smartphones are lost and stolen devices, a key feature of all device management platforms is the ability to remotely wipe a device. With a policy of wiping a device after, say, 10 wrong passwords, a company does not have to attempt to enforce a complex password requirement on users. A mere five- or six-digit password will likely suit the needs of security.

2. Only use approved app stores.
Because of the closed software ecosystems of many mobile devices -- notably Apple, Microsoft, and RIM's BlackBerry -- a significant amount of security relies on making sure that workers do not download apps from nonofficial sources.

Take a look at malware incidents to date: Almost every piece of malicious software that has infected a real phone has been a Trojan horse. DroidDream, the most successful malicious app, infected a quarter-million Android phones in March by posing as real applications.

While Apple, Google, and Microsoft have their official application marketplaces, other companies, such as Amazon, are providing alternatives. In addition, companies such as Apperian have software to allow enterprises to set up their own app stores.

3. Check the bills.
In his 1989 book, The Cuckoo's Egg, Cliff Stoll launched an investigation into his network's security because of a 75-cent accounting error.

While corporate spies intent on stealing data will never run up a large phone bill, cybercriminals are focused on profit. One current way to leech cash from a phone: billing the victim using premium numbers or premium SMS. Criminals who keep such charges small could escape notice if the company is footing the bill for the devices.

If an employee downloaded any of the applications, such as a tic-tac-toe game, then carrying the rogue GGTracker app, a $10 charge, would show up on the bill.

"These apps try to hide the charges, but it will always show up on the bill," says Kevin Mahaffey, chief technology officer of mobile security firm Lookout.

4. Antivirus, still a question mark.
What might not be necessary? Antivirus.

Because of mobile devices' own limitations on applications, security vendors cannot take over low-level control of a smartphone in the same way they can with personal computers. For that reason, security companies have focused on finding ways to manage security from the outside and create mobile applications that manage the configuration of the device for the user.

"A lot of security for devices will boil down to managing the settings on the device and linking into security of the environment," Symantec's Engels says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.