Preparing for the Next Mobile Attack
A prevention-driven approach to mobile security can help organisations achieve the right balance of protection, mobility and productivity.
In a world where results determine the success of projects, everyone wants products and services that are fast, good and cheap. Inevitably, one gets compromised to maximise the other two. You can have a good project delivered quickly, but not cheaply, and so on.
Similarly, in IT security, organisations compromise one of the three corners (security, mobility and productivity) to maximise the other two. Usually, organisations take one of two approaches: either they enable mobility to boost productivity, with security inevitably being compromised; or they try to deliver more effective security for mobile fleets, compromising productivity.
BYOD not BYOT
There used to be a time when companies did not need to worry about mobile devices. Today, mobile devices are considered the weakest security link in the enterprise. A 2017 survey of 850 businesses determined that 100 per cent had at least one mobile malware attack in the past year. Approximately 80 per cent of organizations are adopting Bring Your Own Device (BYOD) programs, which allow employees to use personal smartphones for both personal and office use in order to improve efficiency and reduce cost. In that setting, not having a comprehensive mobile threat prevention approach is tantamount to Bringing Your Own Trouble (BYOT) to the enterprise.
Simply put, smartphones don’t get infected by themselves. Users tend to invite malware and viruses through their behaviour on the Internet. Even those careful enough to visit only reliable websites, download only verified apps, or click only links from known sources are susceptible to infection.
Even a single compromised device can trigger a chain of events with the potential to bring a digital enterprise to a grinding halt. For instance, when an unwitting employee uses a compromised device to log into an enterprise system containing sensitive data, cybercriminals may collect their usernames and passwords. Then, they can exploit unsecured networks, infecting other mobile devices and stealing or changing data. They can even install malicious apps that give them virtually unrestricted access to a device and its data.
An issue that’s getting out of hand
Most organisations simply don’t do enough to manage or secure employees’ own devices. Part of the reason is that IT teams don’t have endless time and resources to invest in securing mobility. They have to prioritise – and the influx of employee devices is racing ahead of the resources available to manage them.
And then there are those organisations that may be relying too much on employees being security-conscious in processing corporate data on their personal devices – and many employees do demonstrate that responsibility. However, employees are typically focused on working more efficiently and getting their jobs done, not on whether their actions might create a security risk. Most of the time, nothing happens despite the risk. So goes the adage: “there are only two types of organizations, those who have been hacked or those who will be.”
Multiple devices, multiple problems
So how should organisations protect their sensitive data against the risks of loss or theft from both corporate and personal devices? One of the key issues is that mobile security is not a single problem, but a mix of challenges, from securing remote access, to securing data on devices, to securing documents that need to be shared. There’s also the challenge of using education to make users aware of the organisation’s data security policies and of the possible consequences of data losses.
Many companies rely on basic mobile hygiene policies using mobile device management (MDM) or enterprise mobility management (EMM) solutions. These solutions help control the damage caused by compromised devices and known threats, but are unable to detect recently created malware or new vulnerabilities in networks, operating systems, and apps.
Four cornerstones of security, mobility and productivity
What’s needed to enable this is an integrated approach that addresses the four main mobility problems. These are:
• Extending protection against threats to any device, wherever it’s being used
• Being able to set up a secure workspace on any device, to protect business data
• Protecting business documents anywhere inside or outside the business, on any device
• Detecting exploit attempts during the pre-infection stage
The first problem occurs when a device becomes infected by malware when used outside the corporate perimeter. This makes the data stored on the device vulnerable, and when the infected device is used again, the threat can spread to the corporate network. An effective solution to this issue is to deliver security to devices as a cloud-based service, using an encrypted VPN tunnel. This prevents suspicious file downloads, blocks malicious websites, and stops bots before they can cause damage, protecting users, networks and business data from threats inside and outside the company network. It also enables corporate security policies to be extended to all devices, for easier management.
The second issue is enabling secure use of personal devices while protecting and managing business data on those devices. The solution in this case is to create a secure business environment on the device which segregates business and personal information and applications, while protecting both. This lets users access corporate email, documents, and assets from within a secure, encrypted application workspace on the device that is separated from personal data.
The third mobile security problem is protecting business documents everywhere they go, both inside and outside the network. Here, the ideal solution is to secure the document itself, to ensure only authorised users can open and read frequently-used document types such as Word, Excel, PowerPoint and Acrobat. Security should be established when the document is first created, and travel with it, so that corporate security guidelines are always enforced, with full logging and auditing of who accessed the document.
The fourth issue is protecting the organization from unknown malware, threats hidden in SSL and TLS encrypted communications, zero-day exploits and other such targeted attacks. This is addressed through advanced CPU-level inspection techniques designed to analyze malware exploits at the instruction level, well before they have the chance to deploy and evade future detection.
Taking a device-agnostic approach to security, and focusing more on managing and protecting the use of business data, greatly simplifies mobility challenges. Locking down devices too tightly can interfere with employees’ application user experience and their privacy, which in turn can lead to them trying to work around the organisation’s policies. Also, the type of device being used to access and process the information does not matter as long as the data and session are secured, and the person using the data has the appropriate rights to do so.
With this approach, organisations can ensure their security project triangles have the right balance and shape: they can enable true enterprise mobility and productivity anywhere, without compromising security.
Mobile devices require an intelligent approach to threat prevention. MDM and EMM protection and secure containers are not enough, and antivirus products cannot cope with new malware found every day. Even iPhones are not secure. The continuous, rising wave of attacks puts organisations at serious risk. Organisations need a threat prevention solution that continuously analyzes devices, uncovers vulnerabilities and criminal behaviour, and protects the enterprise against mobile-triggered network or data breaches, DDoS and ransomware attacks.
—by Bhaskar Bakthavatsalu, Managing Director, Check Point, India & SAARC.