The New Era of Mobile Malware: 4 Steps to Reduce Your Risk
March 6, 2014 by Amber Corrin
Mobility today enables a more productive and connected workforce than ever before. But the ubiquity of mobile devices is accompanied by serious risks—particularly the rapid rise in mobile malware that can threaten business operations.
According to a recent Alcatel-Lucent report, the mobile malware infection rate escalated by 20 percent in 2012, leaving nearly 12 million devices infected at any given time. If any of these infected devices connect to your enterprise network, hackers can steal sensitive corporate information, use your devices as bots and even spy on your activity via things like keystroke logging.
The risks to corporate networks are growing amid the increased use of bring-your-own-device (BYOD) policies and use of personal devices for work purposes—even if it’s just checking work email on your smartphone.
So how can businesses strike a balance between keeping their networks and data safe while empowering their employees? The key is security, and to get there, managers must thoroughly understand where they’re falling short. Here are four ways to evaluate your business’s risks and vulnerabilities to mobile malware.
Audit Your Mobile Operating Systems
Awareness of mobile threats includes knowing what and where threats exist, training employees to avoid them and understanding risks associated with specific devices that access your network. For example, Android users are at dramatically greater risk of being targeted by mobile malware—according to Cisco Systems’ 2014 Annual Security Report, 99 percent of mobile malware in 2013 targeted an Android platform.
“It makes a very big difference if you have an iPhone or Android,” says Richard Bejtlich, chief security strategist at computer security firm FireEye.
“The iPhone is a very tightly coupled system, so there’s a clear idea of how to get updates from Apple all the way down to the phone. But this is a giant problem with Android platforms because they’re so distributed—you have manufacturers, operating system vendors, app vendors, carriers, handset makers. There’s no clarity in who’s responsible for what when it comes to staying up-to-date.”
Mobile apps, such as those built on Android’s open platform, are usually the easiest way to infect a device. Once downloaded, apps created by malicious developers have free rein to access information stored in your phone.
Unlike Apple’s more tightly controlled iTunes store, apps for Android can be downloaded from anywhere and anyone, including unofficial app stores that do not offer the security of the Google Play store, for example. Even in iTunes or Google Play, it’s still possible for malware to slip through security measures. Mobile malware can also be delivered through malicious websites that are accessed via smartphones or tablets.
Once again, Android is the most vulnerable platform, with Android users accounting for 71 percent of malicious website encounters. The most common form of malware is the Trojan virus, which can steal passwords and other data, track movements and unleash “back doors,” or openings for illegal access to the network.
Even if your enterprise is using iPhones, security is not guaranteed. A 2013 report from Symantec noted that Apple’s iOS had 387 documented security holes in 2012, as opposed to just 13 for Android.
Whatever your platform, it’s essential to be aware of threats and to mitigate them with a portfolio of security measures. Blackberry tends to be the safest, but its market share has dropped off significantly. In reality, no platform is 100 percent secure, which means your business needs solid security policies in place.
Implement a Mobile Security Policy
Mobile policies should be tailored to the business they serve, but fundamentally they must enforce security measures to prevent network breaches via mobile devices. “If you don’t have security around a device that is driven by policy, then the devices are more susceptible to malware,” Roberts explains.
A strong security policy should include clear strategies for each of the following:
➔ Access management: This includes login credentials for authenticating user identity, rules for what employees can and cannot remotely access, and device encryption.
For example, limiting remote access to internal apps or programs that involve sensitive corporate data would mean that even if an employee’s connection at Starbucks is hacked, malicious actors wouldn’t be able to access a company’s most valuable data.
➔ Remote-wipe control: This includes the ability to remotely wipe potentially sensitive information if a device gets lost or stolen. There are many programs available that provide remote-wipe services so that if a device ends up in the wrong hands, managers can either wipe app-specific data or the entire device to prevent unauthorized access.
➔ Inventory management: This includes which devices are permitted to access the network and the ability to track in real time who is trying to access the network, through what means and from where. Having a robust inventory management program in place can monitor for unusual behavior—for example, it would immediately raise a red flag if someone is downloading large amounts of sensitive data at 3 a.m.
Having these set policies in place helps guide employees working remotely as well as managers overseeing operations.
“It doesn’t matter what your business is, what we all have in common is a regulatory environment and a need to authenticate users, safeguard data through encryption and set tailored policies for different groups and people in the organization,” says Anders Lofgren, vice president of product management at Acronis.
Practice Good [Security] Hygiene
More often than not, the weakest security link is not the technology—it’s the people using it. A recent report from Congress on government agencies that experienced major data breaches showed numerous failures by employees in basic security practices, e.g. writing down passwords and leaving laptops unlocked. Businesses would be wise to avoid the same mistakes.
“The key is to use the same great technology and security tools in place today on your desktop to detect mobile malware,” says Kevin Manwiller, manager of security and mobility architecture at Cisco.
“You have to send traffic through a firewall, install malware inspection tools like intrusion detection systems, and you have to watch traffic and behavior on those devices. You have to make sure you’re funneling everything through your security tools.”
Mobile security hygiene encompasses regular and rigorous use of those tools and practices, including:
➔ Installing and updating anti-virus and anti-malware programs. Like their desktop predecessors, these programs can scan for the presence of malicious activity on a device. They can be downloaded as apps—just make sure the download is from a credible and verified source, and not a third-party app store or vendor. After your anti-virus or anti-malware is installed, make sure it’s always updated with the latest patches and versions.
➔ Verifying sources of downloaded apps and programs. If it’s free and too good to be true, or from an unheard-of source, it’s probably not the safest bet. To avoid downloading malware from an unvetted source, do your research on the best and most-trusted resources before you download.
“Official” app stores are best: Apple’s iTunes, Android’s Google Play, Microsoft’s Windows Store or Blackberry World. Each platform runs security checks on apps and their sources—but again, nothing is ever 100 percent secure.
➔ Creating strong PINs and passwords. This is the first, and easiest, step to prevent unauthorized access. If a device is lost or stolen, a strong PIN and password will provide the first defense against bad actors getting in.
A strong PIN has at least five digits. Strong passwords are at least 10 characters, do not include dictionary words and combine length, numbers, letters and symbols. Each account should have a different PIN and password.
➔ Securing data on the device—not just the device itself. While many companies set rules for employees’ mobile use, such as not allowing personal devices to access the corporate network, the reality is that many workers will find ways around those rules. That is where mere management will fall short, and strong security will be a lifesaver.
The most critical step in securing data is encryption, which scrambles information and makes it unreadable to unauthorized users. If you have an IT department, consult with them on the best encryption measures; outside of that, some operating systems offer their own encryption and security capabilities.
Apple’s Advanced Encryption Standard and Android’s enterprise features, including the manufacturer-specific Samsung Approved for Enterprise (SAFE) program, are good places to start. Blackberry, well-known for its advanced security, also offers a full range of encryption capabilities.
“Managing the device is not the same as securing all of the information on that device,” explains Chris Roberts, vice president at Good Technology. “Failing to secure the devices and the data will allow breaches, even unintentional ones, to be caused by employees.”
If you’re uncertain about your employees’ understanding of security hygiene, providing them with adequate training and education is a smart move. It can even be free: the Mobile Work Exchange, a public-private partnership, is a free resource dedicated to promoting and providing education and capabilities for mobility in the workplace.
Adopt a Mobile Device Management (MDM) Strategy
If security measures on a mobile device itself fail, having network safeguards in place is vital to further prevent your business from getting hacked. Network security is the sum of the awareness, policies and security hygiene that make up mobile security.
At a business level, this includes the firewalls that act as a perimeter defense, intrusion detection systems that scan for malicious activity breaching the firewall and network monitoring capabilities that can be on the lookout for suspicious behavior inside the network.
All of these tools are part of a comprehensive governing strategy known as mobile device management (MDM). Think of it like overall physical health: if security policy and hygiene are the equivalent of working out and eating healthy, MDM encompasses total wellness, including diet, exercise, preventative care, doctor visits and everything else you do to stay healthy.
MDM combines the use of strategy, hardware and software to execute a complete portfolio of security measures. Its use, which is growing along with the BYOD and mobile-workforce movement, is quickly becoming the baseline for security in today’s age of working anywhere, anytime.
Experts say MDM is perhaps the most critical component for businesses to have a well-fortified network. “It’s the traditional defense-in-depth strategy,” Manwiller says.
With a strong MDM strategy in place, when requests are made to enter an organization’s network, the network can intercept these requests and provide an inventory of what devices are trying to connect.
The network can then identify what types of devices (e.g. laptops, iPads, Androids) are attempting to access the network, their location and how they’re trying to access the network. If everything meets the organization’s security policies, the network can then grant them access.
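The admission decision described above, combined with the off-hours download flag from the inventory-management item, as an added example that is not part of the original article. The device IDs, permitted device types and access methods, the 500 MB threshold and the working hours are constructed assumptions, not settings from any MDM product.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed policy values (assumptions for illustration, not from the article).
INVENTORY = {"dev-001", "dev-002", "dev-003"}   # enrolled device IDs
ALLOWED_TYPES = {"laptop", "ipad", "android"}   # permitted device types
ALLOWED_ACCESS = {"vpn", "corporate-wifi"}      # permitted access methods
BULK_BYTES = 500 * 1024 * 1024                  # bulk-transfer threshold
WORK_HOURS = range(7, 20)                       # 07:00-19:59 local time

@dataclass
class Request:
    device_id: str
    device_type: str
    access_method: str
    encrypted: bool
    pin_set: bool
    when: datetime
    bytes_requested: int = 0

def evaluate(req):
    """Return (decision, reasons); decision is 'deny', 'flag' or 'grant'."""
    deny, flag = [], []
    if req.device_id not in INVENTORY:
        deny.append("device not in inventory")
    if req.device_type not in ALLOWED_TYPES:
        deny.append("device type not permitted")
    if req.access_method not in ALLOWED_ACCESS:
        deny.append("access method not permitted")
    if not req.encrypted:
        deny.append("device encryption off")
    if not req.pin_set:
        deny.append("no PIN or password set")
    # Inventory monitoring: large transfers outside working hours are flagged.
    if req.bytes_requested >= BULK_BYTES and req.when.hour not in WORK_HOURS:
        flag.append("bulk transfer outside working hours")
    if deny:
        return "deny", deny + flag
    return ("flag", flag) if flag else ("grant", [])

# Constructed sample requests.
COMPLIANT = Request("dev-001", "ipad", "vpn", True, True, datetime(2014, 3, 6, 10, 0))
UNKNOWN = Request("dev-999", "android", "vpn", False, True, datetime(2014, 3, 6, 10, 0))
NIGHT_BULK = Request("dev-002", "laptop", "vpn", True, True,
                     datetime(2014, 3, 6, 3, 0), bytes_requested=2 * 1024**3)

if __name__ == "__main__":
    for r in (COMPLIANT, UNKNOWN, NIGHT_BULK):
        print(r.device_id, *evaluate(r))
```

A "flag" result grants access but hands the request to whoever reviews unusual behavior; a stricter policy could treat it as a denial.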
Protecting your business from the threat of mobile malware isn’t difficult: create and implement strong policies, practice good security hygiene and develop a solid MDM strategy. “If you’re a small or medium business, those steps will take care of most everything,” Bejtlich says.
“Make a good choice in what phones you buy, keep your phone up to date, install updates, stay away from malicious apps and stores, have a PIN and encryption. Doing all of those things will protect you from most threats.”