Review: Mobile Security

With mobile devices now ubiquitous in the workplace, you need to have some level of protection in place. Ashton Mills investigates.

Smartphones are integrated into our lives. Tablets are here to stay. Laptops are lighter and more portable than ever. And all of them can come and go from your network. That you need security policies to govern their use is a given, but while laptops can use the same software as desktops to prevent or detect intrusions, what about the smartphones and the ever-expanding range of mobile devices popping up every year?

The fact that there are multiple architectures doesn't make the job any easier. Smartphones and tablets can carry both personal and professional data, yet the analysis of the security landscape that can impact them is only now coming to the fore.

In the space of five years Android has gone from a glint in Google's eye to the most popular smartphone operating system (59% share by last count according to IDC), and with it we've gone from no viruses to an explosive growth of some 300% in the last year. It is by all accounts the vector du jour. But it's not the only one -- Apple's iOS isn't immune, nor is corporate stalwart BlackBerry.

Apple's walled-garden approach has led to a reasonably secure environment for iOS, but it's not immune.

Like it or loathe it, the sheer size of the target that mobile devices represent means that malware, identity-theft, and in extreme cases corporate espionage are all but inevitable. But just how serious a security hole can mobile devices pose, and what are your options?

Defining mobile security

One facet of security is defined by the size of the target -- the bigger it is, the more appealing for unscrupulous, opportunistic individuals or organisations. It's also a function of size that the larger it is the harder it can be to protect, and with the rapidly evolving mobile landscape we have today -- in platforms, devices, architectures -- mobile security is, no pun intended, a bit of a moving target.

It would be foolish to ignore how important this segment is to your organisation. So important, in fact, that industry giant Intel is focusing its development squarely on the mobile platform with its upcoming Haswell and Broadwell architectures in the next two years: CPUs that are designed to go up against ARM for a piece of the low-power, portable computing pie. And where Intel goes, entire industries follow.

With an estimated six billion smartphones already in use around the world today -- a number which is only going to grow -- that they would be seen as a playground for malware should come as no surprise. Yet, at the same time, it's not as clear cut a picture as we see in the traditional desktop and server computing platforms, which have decades of development and in turn decades of malware development behind them. By comparison, malware on mobile devices is relatively young.

But that's not to say there isn't a threat. According to security software vendor Kaspersky, some 30,000 new Android malware samples were added to its database in 2012. F-Secure, another popular vendor, reported as many as 50,000 samples out in the wild. Putting these values into context is a report from Lookout Security, yet another player in the mobile security arena, which estimates some 18 million Android devices will encounter malware in 2013. The hint being that at least one of those will likely be in your organisation.

These are big numbers, but it's important to temper them with sense: many malware samples are variants of a particular strain rather than unique in themselves, some are more dangerous than others (many simply try to phone-home with premium-number services, while others can be engineered for identity theft or corporate espionage), much of it is regional (Russia and China have much greater infection rates than the rest of the world) and most importantly of all, infection most often occurs using illegitimate sources for programs -- illegal app stores and jailbroken devices.

In fact, while malicious apps themselves are a main vector of attack, they're not the only one: malware for mobile devices can be found buried on websites through suspicious advertising, just as with desktop computers. There are even examples of legitimate, safe apps that rely on ad banners to make a profit inadvertently serving up malware through those banners.

Which only serves to complicate the issue further, of course. It doesn't help that there are multiple platforms to defend, or that each platform has a different approach to app distribution. Apple's walled-garden, despite being maligned for its restrictive (and sometimes anti-competitive) nature, nevertheless makes it harder for malware to find its way onto a device. The explosive growth of Android malware has seen Google implement new mechanisms to try and detect these apps before they even make it onto the Play store. But malware and security have always been a cat-and-mouse game, and there are already examples of malware working its way around these security measures: in one instance on Android a known Trojan simply waited before issuing its payload, thereby appearing as a benign app to the store's automated checking routines designed to observe an app's behaviour.

Which is a roundabout way of saying that there's a battle going on right here, right now, with the millions of mobile devices in use today. Could infected devices find their way onto your network? Of course. Mitigating risk is the name of the game, but what are these risks?

Types of malware

The very nature of smartphones, tablets and other mobile devices has seen a change in the nature of malware too. It's no secret that Android is more susceptible than both iOS and BlackBerry, if only because the former has more stringent app-store filtering and the latter is a smaller target. The most popular forms of malware on Android at the moment are simple scams to net their authors cash-in-hand: programs that call premium-rate numbers, charging the user for services that they did not sign up for.

But these are inconveniences. Bigger threats are Trojans that gain root access and can upload files remotely, access SMS and email, and transmit phone logs. Identity-theft or compromising a device for future access is usually the motivation, but this can obviously work in favour of corporate espionage too.

It's important to remember that mobile devices today are fully-functional computing platforms with the added bonus of extra functionality bundled in such as GPS, cameras and microphones. Which, if you think about it, makes them all the more dangerous. Something that the US Naval Surface Warfare Center hasn't failed to notice: it recently developed -- ostensibly for research purposes -- malware for smartphones that opportunistically uses the phone's camera to gather environmental information, combining it with positional information via GPS and the gyroscope most phones have to build detailed profiles of a building's environment, without the user being aware. Adds a new level to spyware, doesn't it?

And this says nothing of using a smartphone's mic to eavesdrop on localised conversation, too. Said another way, a compromised smartphone is a veritable treasure-trove of information, not just for what's currently stored on it but what it can record while infected, too.

But the malware has to get on there in the first place, and unfortunately the most vulnerable vector for mobile malware is the same as it has been for decades: people. Social engineering is leveraged to trick users into installing seemingly benign programs piggybacking virus payloads, often on the more questionable quality programs available (fart apps anyone?) -- though there are examples of high-profile programs falling prey. Both Opera Mini and gaming superstar Angry Birds, for example, had fake versions uploaded carrying malware and netted the authors tens of thousands of dollars before being pulled.

Naturally, the most subversive of these types of programs are malware that pose as security apps themselves, offering to protect a smartphone but instead infecting it, as the appropriately named 'Android Security Suite Premium app' (note the selection of keywords there) demonstrated last year. Apps that claim to extend battery life are another big carrier (it's not to say all are, but if it sounds like snake oil, it usually is).

Avast's free security suite is an example of the many anti-malware apps available for Android.

Presumably in part due to its initially lax approach on the Play Store, its rapid growth and now dominating market share, Google's Android currently has substantially more malware than the other mainstream platforms. It's no surprise, then, that there's also a wider variety of security suites for it as well, including from big players in the ecosystem such as McAfee, Kaspersky, Symantec, Trend Micro and Bullguard.

Whatever platform dominates your workplace, it would be naive to not have policies and procedures in place to secure mobile devices and reduce the attack surface for your organisation.

Best practice

While every company is different, there is a range of guidelines to help you manage mobile devices and minimise risk. Expect that the mixture of platforms means you're unlikely to find a one-size-fits-all solution, either in policy or management software, but as this is a rapidly evolving battlefield, and with mobile devices having an ever-increasing role in the corporate ecosystem, software will eventually improve.

Start with some common-sense practices such as:

* Enable remote-kill and data deletion features, facilitating a remote wipe should the device be lost or stolen.

* Separate personal and enterprise information on a device if possible, enabling IT to secure, control and erase corporate data and applications without adversely impacting personal data.

* Require the use of anti-malware on all company-owned and BYOD products that connect to the network.

* Push automated system updates and anti-malware software updates.

* Control exactly what data mobile devices can access on the network.

* Enable or use tools to encrypt data both in storage and communication.

* Set up a lost phone and tablet hotline to make it easy for staff to report losses, and thus enable remote-wiping sooner rather than later.

* Set up unique firewall policies for traffic coming from mobile devices, limiting access only to services smartphone and tablet users are likely to use. For example, are they really likely to need to edit financial spreadsheets on a smartphone?

* Perhaps not often thought of -- but avoid displaying company logos on mobile devices. Should a device be lost or stolen outside of the office it would be better to not incentivise its use for nefarious purposes.

Some of these will require the use of mobile device management (MDM) solutions (more on this below), which for large enterprises is all but a must. Smaller businesses may be able to rely on both the inherent features in a device and some of the extra protective features offered in anti-malware suites, however.

The following should also be employed in all cases:

Create an Acceptable Use Policy

Create one policy for company-owned and employee-owned devices that sets strict guidelines on mobile device use. This can include:

* Devices must be password protected.

* Mandate the use of encryption (using approved software if necessary).

* Always use a VPN when connecting remotely.

* Require the use of a company-approved and managed anti-malware suite.

* Ensure any anti-spam, web protection, and firewall services are enabled.

* Inform IT immediately in the event of loss or theft of a device.

* Jailbroken devices will be unsupported and unable to connect to the network.

It's important to tailor a policy both to the business and the users -- surveying how smartphones and tablets are utilised by staff helps to learn more about their needs and preferences, and in turn determine what products and services suit various job functions.
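
A policy like the one above is easier to enforce when it is expressed as checks against the device posture an MDM client reports. The following is an added example, not part of the original article or any vendor's product; the `Device` fields, the sample fleet and the "quarantine" outcome for non-jailbroken violators are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Device:
    """Posture report from a hypothetical MDM client (field names are assumptions)."""
    owner: str
    passcode_set: bool = True
    encrypted: bool = True
    antimalware_managed: bool = True
    web_protection_on: bool = True
    jailbroken: bool = False
    remote: bool = False       # connecting from outside the office
    vpn_active: bool = False


# (label, predicate that is True when the device breaks the policy item)
RULES = [
    ("no passcode", lambda d: not d.passcode_set),
    ("storage not encrypted", lambda d: not d.encrypted),
    ("remote connection without VPN", lambda d: d.remote and not d.vpn_active),
    ("no managed anti-malware", lambda d: not d.antimalware_managed),
    ("web protection or firewall disabled", lambda d: not d.web_protection_on),
]


def evaluate(device):
    """Return (decision, violations) for one device.

    Jailbroken devices are blocked outright, as the policy states. Sending other
    violators to a remediation network ("quarantine") is an assumption made here.
    """
    violations = [label for label, broken in RULES if broken(device)]
    if device.jailbroken:
        return "block", ["jailbroken"] + violations
    return ("quarantine", violations) if violations else ("allow", [])


# Constructed sample fleet.
FLEET = [
    Device("alice"),
    Device("bob", remote=True),                       # off-site, VPN not up
    Device("carol", remote=True, vpn_active=True),
    Device("dave", jailbroken=True, encrypted=False),
]


def report(fleet):
    """Map each owner to the admission decision for their device."""
    return {d.owner: evaluate(d)[0] for d in fleet}


if __name__ == "__main__":
    for d in FLEET:
        print(d.owner, *evaluate(d))
```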

Finally, as social engineering is still the most likely vector for attack, there's one other important guideline.

Educate your staff

Create an easy-to-read handbook or online guide to educate your staff covering, beyond the basics:

* Reiterate the need for password-protected devices.

* Use common sense when installing applications -- does an animated background app really need access to your phone book? If the access it requires doesn't sound right, don't install it.

* Don't download software from illegitimate sources -- only install apps from Google's Play store for example, not a third-party source.

* Don't open or respond to unsolicited text messages -- these can pose a similar risk to unsolicited email.

* Always keep your mobile operating system up to date.

* Disable Bluetooth any time it's not actively being used (some devices enable it by default, and can be abused to allow access from nearby devices).

* Be cautious with scanning QR codes -- while a great feature, they could just as easily re-direct you to a malware-laden URL.

* It's ok if a device is lost or stolen -- don't delay informing IT out of embarrassment. S*hit happens, and it's better for IT to know sooner rather than later.
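
The permission question in the list above ("does an animated background app really need access to your phone book?") can also be asked automatically when IT vets an app. The following is an added example, not part of the original article: it reads the permissions an app requests from its manifest and flags those tied to the malware behaviours described earlier. The permission names are standard Android ones; the per-category baseline, the sample manifest and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Permissions that enable the behaviours the article describes.
SENSITIVE = {
    P + "SEND_SMS": "can send (premium-rate) text messages",
    P + "CALL_PHONE": "can dial (premium-rate) numbers",
    P + "READ_SMS": "can read text messages",
    P + "READ_CALL_LOG": "can read phone logs",
    P + "READ_CONTACTS": "can read the phone book",
    P + "RECORD_AUDIO": "can listen through the microphone",
    P + "CAMERA": "can use the camera",
    P + "ACCESS_FINE_LOCATION": "can read the GPS position",
}

# Constructed baseline (an assumption): sensitive permissions a category may need.
EXPECTED = {
    "wallpaper": set(),
    "messaging": {P + "SEND_SMS", P + "READ_SMS", P + "READ_CONTACTS"},
}


def requested_permissions(manifest_xml):
    """Extract <uses-permission android:name="..."> values from a text-form
    manifest (from source or a decoded APK; the copy inside an APK is binary)."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")} - {None}


def review(category, manifest_xml):
    """Return sorted (permission, risk) pairs the category does not justify.
    An unknown category has an empty baseline, so every sensitive permission is flagged."""
    allowed = EXPECTED.get(category, set())
    asked = requested_permissions(manifest_xml)
    return sorted((p, SENSITIVE[p]) for p in asked if p in SENSITIVE and p not in allowed)


# Constructed sample: an animated-wallpaper app asking for more than it needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.livewallpaper">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""

if __name__ == "__main__":
    for perm, risk in review("wallpaper", SAMPLE_MANIFEST):
        print(f"FLAG {perm}: {risk}")
```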

Rather than mitigate the risk, some companies have been known to outright ban smartphones or tablets. This is extreme, however, as mobile devices continue to play an increasingly important role in business processes and productivity.

Managing malware

The front line when it comes to defence against malware is of course an anti-malware suite, for which there are plenty of options, with the majority currently for the Android platform.

Beyond the obvious of an anti-malware engine, mobile security suites often come with a host of other features, many of which can be beneficial for your own acceptable use policy or aid in mobile device management:

* Remote lock and wipe -- As it says on the tin: in the event of theft or loss, the ability to remotely lock a device and the data on it or alternatively destructively wipe it entirely.

* Tracking & location -- Before taking the step to remotely wipe, first see if its location can be found. Suites that include tracking allow you to pinpoint a phone's location via its built-in GPS, and may save both time and money should the 'loss' turn out to be a case of the employee losing their phone behind the couch!

* Online backup -- some suites provide the functionality to back up data to a cloud service. This is a good solution for small businesses without an MDM solution to ensure company phones are at least protected somewhat from data loss.

* Web and spam protection -- Web browsing and email can be vectors of attack for malware on smartphones and tablets just as much as PCs. Suites that include URL filtering and anti-spam protection can help reduce unintended infections.

* Scheduled scans -- most software will scan apps as they're downloaded and allow for manual scans, but not all feature the ability to set up regular scheduled scans. Setting up scheduled scans can also catch malware that may have found its way onto a device through files a user downloads (for example, from cloud services like Dropbox).

* Online management -- the ability to monitor and enable features remotely such as the aforementioned tracking, wipe, and backing up data.

* Activity logs -- further control and monitoring of the comings and goings on a mobile device, which may help to track down any intrusions.

* Battery use -- While security comes first, naturally software that scans apps and protects the phone as an always-on solution is going to use some power.

Most products come with free trials, so take advantage of these to test them to see if they suit your needs as well as measure their performance in factors such as battery life.

Again, depending on your budget and the size of your company, a malware suite may provide both the protection and management features you require without investing in a more comprehensive MDM solution. Some security vendors will also be able to tie in their mobile anti-malware products with their standard desktop products through their own corporate solutions.

Mobile device management software

The ubiquity of mobile devices in the workplace and the threat mobile malware can pose have seen a rise in mobile device management (MDM) software to help IT administrators both to simply manage mobile devices in the workplace and to mitigate the security risks they pose.

Typically an MDM suite will consist of a server component and a client component that runs on the mobile device. Configuration and commands can be sent to client devices, security and operating system updates can be pushed to the devices, apps and programs can be vetted before being installed, selective and complete wipes can be performed for BYOD or company-owned devices (if an employee leaves, for example), and detailed monitoring and reporting makes it easier to ensure devices comply with company policy.

MDM products will often include anti-malware software as part of a comprehensive device-management model, too. This can make it easier than running separate software for MDM and anti-malware security, but it's not essential if your company is already invested with a particular anti-malware vendor. Increasingly, and showing how malleable the market has become, anti-malware vendors are adding MDM functionality to their products.

BlackBerry has its own mobile device management (MDM) product for BlackBerry devices.

Some examples of MDM software and vendors include Juniper Networks' Junos Pulse Mobile Security Suite, AMTel's Mobile Device Management suite, Zenprise MDM, or McAfee's Enterprise Mobility Management. BlackBerry also recently released its updated MDM solution BlackBerry Enterprise Service 10.

As a rapidly growing sector, expect more comprehensive MDM software in the near future although, as we've covered, with the range of platforms, operating systems and new products regularly entering the market it's often a game of catch-up.