Michael Kaishar – Information Security Practitioner



Mobile Devices and (in)Security

Currently more and more people are using their mobile devices; there’s a tremendous shift from personal computers to mobile devices.  4 out of 10 users use their mobile as their primary work device.  This presents a major security risk since we don’t really think about mobile devices and security.

According to a study performed by McAfee, 74% of users do not consider their mobile devices to have any security risks, 84% of users are unaware that their devices can transmit confidential data, 20% of users store credit card details, passwords, and PIN codes on their devices, and 51% of users do not employ any type of basic keypad or password lock.  These statistics are alarming and favor hackers successfully infiltrating our mobile devices.  The threat landscape has changed and it is time to shed light on the (in)security of mobile devices.

Hackers are using your mobile devices as pivot stations to leap into juicier information assets because, let’s face it, you are using your mobile devices to access company data.  What’s easier than circumventing a company’s network defenses?  Attacking low-hanging fruit such as these mobile devices.  Look at the statistics above: 84% of users are unaware that mobile devices can transmit confidential data.

There are various methods being used by hackers for intrusion into mobile devices; these can be infected or poorly written applications that you would download onto your mobile devices.  The lack of encryption in legitimate applications also makes it easy for hackers to exfiltrate information in clear text.  If you are connecting to open Wi-Fi networks you are at risk of leaking confidential data, because there is no way to tell whether the open Wi-Fi network you are on is safe.

There are several products readily available to anyone for extracting information from mobile devices.  Here are some of the tools that are readily available: Anti, Faceniff, Mobile Spy, and iLocalis.  These tools will help a malicious user successfully attack your mobile devices.

Even though mobile devices are vulnerable to all of these attack methods, you can still mitigate these security risks by taking precautions.  How can you do that?

1.  Do Not Use Open Wi-Fi
2.  Enable Passwords and PIN Codes on your mobile devices
3.  Be Aware!  Learn Where and What the Risks Are!
4.  Install Security Applications on your Mobile Devices.

These are just some of the basic things you can do to mitigate the security risks associated with mobile devices.

Regards,

Michael Kaishar, MSIA | CISSP

www.creosec.com



Bring Your Own Device To Work

People bringing in their own device to work is not something new.  It’s been around for quite some time; but people were bringing in their laptop or BlackBerry and not an iPhone, iPad, Android, etc.  The company IT department would then go ahead and install protection mechanisms on the laptop, most likely anti-virus and encryption.  The BlackBerry would be secured using the company’s BlackBerry server with all of the protection features offered.  There would also be sufficient security policies documenting acceptable usage.  It was easier to place technical and administrative controls around such devices.

Bring Your Own Device, or BYOD, has really picked up momentum.  Now, people want to use their personal iPads, iPhones, Androids, and so forth to conduct company business as well as use the same device for personal business.  Instead of carrying several devices, people want to use one device for everything.  That is convenient, but it presents many problems for the people as well as for the companies allowing these devices on their business networks.  BYOD is a nightmare for us security people!

Here’s a scenario for you. I bring in my own iPad to use at work for business purposes. I save confidential information on the iPad and then head over to Starbucks for coffee. I leave my iPad on the table to go grab my coffee and in less than 30 seconds my iPad is GONE!!! Someone has just stolen my personal device.  Now not only do I have to worry about the intrinsic value of the iPad, but I also have to worry far more about the confidential data that is on my personal iPad.  To continue with the scenario, let us say that the company follows a great information security program and has all iPads encrypted.  Now I no longer have to worry about the data on the iPad because it’s encrypted.  The iPad is also protected in the sense that it follows all of the best practices for locking down the device, including a limit on the number of login attempts an attacker can make.  Given that all of these protection methods are in place, are you willing to have the company REMOTE WIPE YOUR iPAD?  They cannot remote wipe only the company data; they would need to wipe EVERYTHING from the iPad.  This is something you as the user would have to consider when bringing in your own device to conduct company business.

Another issue to consider is this.  What kind of privacy can you expect to have once you bring in your own device to work?  Will the company monitor your personal information as well as company information?  Are there any security policies documenting acceptable use regarding personal vs. business information and how the data is handled?  I personally would not bring in my own iPad to use it for company business.  If the company is willing to give me an iPad, then by all means I would not have an issue with it.  However, using your personal iPad to conduct company business opens a can of worms for the individual and for the company.

There have been numerous accounts of data breaches involving company laptops.  So what’s new here?  A personal device might contain some really embarrassing information about the individual, as well as sensitive and confidential company information.  Now, not only would a company have to answer for a data breach regarding its confidential data, but it might have to answer for the individual’s embarrassing content.  The individual might be put on the spot and might also lose their job given the fact that they have some embarrassing content on the personal device that they also use for work.

I rambled on and on with this…but it is definitely a tough situation these days.

Regards,

Michael Kaishar, MSIA | CISSP

 
!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src=”//platform.twitter.com/widgets.js”;fjs.parentNode.insertBefore(js,fjs);}}(document,”script”,”twitter-wjs”);