Today, virtually every organisation relies on mobile devices to do business. While enterprises may have relied on security through obscurity, a recent report by the MobileIron Security Labs found that as mobile becomes the dominant platform for business, more mobile-specific vulnerabilities have surfaced. These have manifested as outright malware and network-based attacks that can expose enterprise data.
While Android has been the main OS of choice for malware and vulnerabilities, iOS is increasingly being targeted. Despite corporations following best practices for securing the mobile environment, hackers are still finding ways to exploit vulnerabilities and compromise corporate data.
Risks for apps, networks, and the cloud
While sandboxing (first seen in iOS, but more recently in Android and Windows) decreases risk to mobile operating systems, it simply provides better protection for data at rest, not necessarily protection of data as a whole.
When it comes to mobile apps, there are simply too many options end users can access that have hooks to enterprise systems. The behaviour of these applications is unknown – in some cases, apps accessing a cloud application can potentially synchronise thousands of records to a mobile device without IT’s approval.
Without the proper compensating controls, corporate data provided to these mobile apps can be at significant risk of accidental loss or explicit theft. The MobileIron report reveals that the top blacklisted cloud platforms centre around data storage, including Dropbox, Box, OneDrive, Google Drive and SugarSync.
Blacklisting is an unsophisticated and outdated method for trying to manage data leakage. Enterprises need to define the data and application platforms they want to enable and ensure only authorised apps can access them.
Furthermore, they need to ensure that data and application platforms are accessed only across trusted data sessions, as devices can be vulnerable to unprotected networks.
Device risks
Up until now, the focus for enterprises securing the mobile environment was on Android vulnerabilities, risks, and malware because iOS was perceived as relatively invulnerable. That view is changing. The National Vulnerability Database reported that in 2015 there were 375 Apple iOS vulnerabilities.
On top of this, as of December 2015, one in 10 enterprises were found to have at least one compromised device. Furthermore, the data from the Q4 2015 report shows an upward trend, in which the number of enterprises with compromised devices increased by 42%.
However, the same research reveals that what constitutes a compromised device is more complex than whether a device is jailbroken or not. There are variants of jailbreaking tools as well as anti-detection tools that hide the fact that a device is jailbroken. These create a false sense of security. An enterprise mobility management (EMM) platform should be able to identify these variations and take appropriate action.
Mobile malware threats
Over nine out of ten mobile malware variants target Android but, as noted earlier, 2015 saw a significant rise in iOS malware.
Worryingly, new iOS malware no longer requires that the device is jailbroken. Malware such as XcodeGhost exploited Apple’s Xcode SDK, which is used by developers to create iOS apps, and circumvented Apple’s App Store security review processes.
This allowed users to unknowingly download malicious apps from Apple’s curated App Store. FireEye identified more than 4,000 apps in the App Store infected with XcodeGhost.
Governance policy enforcement
A fundamental requirement for most regulatory compliance, such as PCI and HIPAA, is the ability to preserve the confidentiality of employee personal data as well as corporate trade secrets. This is done through having a system of policy enforcement.
The MobileIron report found that 53% of enterprises have at least one device that is not compliant. It also identified some interesting non-compliance trends with enterprise-managed mobile devices: 33% had missing devices (either lost or stolen); 22% had users remove a PIN from their device; 5% had users remove a mobile device management (MDM) app; and 20% had devices with old policies.
A non-compliant device is a prime target for a malicious attack on the enterprise. The aggressive use of strict compliance policies with an EMM solution to quarantine non-compliant devices is recommended, as this would prevent the device from accessing critical systems and sensitive data.
Managing mobile risks
As organisations look to become more reliant on mobile devices, they also have to get ahead of the growing number of security vulnerabilities that are emerging. Constantly evolving attack vectors mean that enterprises require a flexible mobile security strategy, enabling the secure control of devices, without compromising usability.
Sourced from Sean Ginevan, Senior Director, Strategy, MobileIron