Cell phones, tablets, wearables, and other mobile devices dominate our lives. I personally bring my trusty iPad everywhere, and, like everyone else, have my phone with me at all times. The biggest attack surface for any enterprise, then, may well be these devices. How can we assess the threats? What are the components in need of protection? What are some key methods of protecting them?
We can start with the devices themselves, and then look at the infrastructure behind them. Mobile devices have the same basic architecture as any computer: hardware (processor, storage, memory, input/output systems, and communications systems), firmware, operating system, and applications. Each has its own class of vulnerability. Much of the hardware is manufactured in countries that may not view the U.S. in a friendly light, so supply chain risks are an issue. The same holds true for the software; some brands have software components from thousands of providers all over the world. A more familiar risk is that people lose their devices; the ability (and willingness) to wipe a device remotely is thus an important element in mobile security.
The operating systems and applications are also vulnerable, and the ubiquity of these devices makes exploits very lucrative for bad actors. Anti-malware software, then, is not just for computers.
Mobile devices also offer a wealth of communication options: WiFi, cellular service, Bluetooth, near-field communication (NFC), and so on. Each of these offers an avenue of potential attack. Public WiFi is notoriously hazardous, so it makes sense to use a VPN for any type of Internet access. VPNs are not perfect, but they are better than operating “in the clear”.
The infrastructure behind these devices is also vast, and presents a wealth of opportunities for the attacker: cloud storage services, the cellular network which integrates with geolocation systems, the Internet, WiFi networks, and the application stores we all use when we realize “there’s an app for that”.
I have given just a small sample of the threat landscape regarding mobile devices. The scope of the problem demands an enterprise-level approach. An enterprise mobile management (EMM) system is an enabling technology, but, as with any security problem, the solution will never be automatic. Start with the essentials, and stay on top of the problem. Here are some key factors to consider:
1. Can you protect the data? Is it encrypted in place, and in transit?
2. Do you know what assets your users can access? Identify the assets and acceptable access, and protect them with both policy and technology.
3. Endpoint protection: anti-malware, secure browsing, strong access control to the device, and remote-wiping capability in case of a lost or stolen device.
Mobile devices are a huge component of an enterprise’s attack surface. They should receive a proportionately large percentage of cybersecurity protection.