Q&A: Preventing Mobile Vulnerabilities
Best practices for keeping mobile devices safe.
When it comes to protecting mobile devices connected to enterprise resources, security managers face a dilemma: can security be enforced without negatively impacting productivity? To learn more about the state of mobile security, we turned to Dr. Hongwen Zhang, co-founder and chief executive officer at Wedge Networks and the co-inventor of his company’s WedgeOS security technology.
Enterprise Strategies: What unique challenges do mobile devices introduce into an environment?
Dr. Hongwen Zhang: I see four major challenges:
- Mobile devices move in and out of the corporate perimeters, so perimeter-based defenses are not effective
- These devices have zero or limited defense abilities; their primary design objectives are power consumption and portability, not security
- They are easily stolen or lost, along with sensitive information and access tokens stored in them
- It is very difficult to obtain a comprehensive audit trail for mobile devices because of the multiple service providers involved
Do ordinary vulnerabilities affect such devices, or are they subject to an entirely different set of threats?
Due to the weak defense capabilities of most mobile devices and the increasing popularity of them in the business world, one can only expect that they will be subject to vulnerability exploits on a more frequent basis.
An interesting example of this new threat is on mobile laptops and netbooks. On the surface, they can be installed with all the latest and greatest security software just like their desktop counterparts. However, because they are not always online, it is quite common that the security intelligence used by the software is not updated as frequently as on desktops. As soon as these devices are online, they can be compromised before they even get a chance to receive the latest attack signatures.
Certain uses of mobile devices also make them vulnerable to new types of attacks. For example, there are attacks aimed at compromising mobile payment schemes causing the mobile users to suffer financial losses.
Do enterprises have the tools they need to protect these devices? For example, I know that enterprises can reset laptops to make them worthless once a laptop has been reported missing. Do newer devices such as iPhones have the same feature?
Tools are slowly emerging for the most commonly used mobile devices; the remote reset capability on iPhone was only first introduced with the release of iOS3. Given the diversity of mobile devices, enterprises currently do not have unified toolsets to consistently manage these devices.
To combat these threats, technology solutions are emerging that use innovative methods to provide consistent security management for all mobile devices. For example, with our WedgeOS technology, our BeSecure network content security appliances can help prevent malicious content from reaching mobile devices no matter what model or make they are; it works by stopping the attack at the network level.
How good a job are security specialists doing in protecting mobile devices?
Given the lessons learned throughout the history of computing, it is definitely not the case that security professionals are caught off guard with mobile security issues. As a matter of fact, champions of mobile security were often blamed for crying wolf too often and too soon. However, with the rapid adoption of mobile devices in businesses, you can expect that what happened previously to Windows machines will also happen to mobile OSes on a much larger scale.
Security specialists are doing their best with the tools they have and are actively seeking new and innovative technologies. It is interesting to notice the number of inquires that we get at Wedge about mobile security-related solutions. Since resources are limited, security professionals need to find solutions that can help them manage risks related with mobility effectively.
What's the biggest challenge they face? Employees using their personal devices? Lost or theft of these devices? Hacking?
Mobile devices present a plethora of “big challenges” for enterprise organizations. However, the biggest challenge is the lack of platform-based solutions that provide the proper amount of visibility to allow enterprises to manage these risks consistently across all devices and all networks.
What are some of the biggest mistakes security pros make in trying to protect these devices?
The dilemma between convenience and security is even more noticeable in mobile computing. Enterprises that solely seek convenience and ignore security warnings will suffer from data leakage, operation disruption, and compliance breaches. Security professionals who deny the use of mobile devices are also committing a major crime of depriving their businesses of the competitive advantages offered by mobile computing.
Another set of mistakes is blindly copying certain practices that are effective in the desktop world. For example, similar to the desktop world, there is security software that runs on mobile phones. However, a poorly developed mobile anti-malware solution can cause its own problems, such as quickly draining your battery. Have you noticed this on your enterprise laptop or mobile device? We need to be careful on what we choose to install on our phones.
What best pracices can you suggest to address these mistakes?
Remote device management, such as resetting iPhones, is certainly an integral best practice to guard against stolen or lost devices, but with our mobile phones becoming regular Internet devices, the biggest risk is now an attack from network-borne malicious content.
Organizations must secure the content that goes into the enterprise mobile devices on the network layer. As a unified security solution, Wedge BeSecure network security appliances can prevent the mobile devices from being compromised, no matter what OS, no matter where the remote user is, or which networks provide the connectivity.