Mobile device security: what's coming next?

The mobile device revolution is quite possibly the most significant change in computing since we shifted away from the mainframe more than twenty years ago. These handheld devices feature ubiquitous connectivity, constant access to the biggest repository of mankind's knowledge, and more computing power than the NASA control room had for the first moon landing.

But what's coming next, and what are the security implications?

Your mobile knows where you are, where you are supposed to be and who you should be talking to. We can now instantly connect our real lives to digital information: purchasing tickets, sharing business data or connecting with friends who happen to be nearby. Mobile devices, with their rapid innovation and development, are already enabling busy professionals and home users to conduct business and manage their lives on the move. Furthermore, they are enabling a whole host of new business models and services. As such, they are set to be the linchpin of future economic growth. Hats off to the mobile hardware and software developers; modern technology is amazing. But what are the key technologies driving the evolution of the mobile, what happens next, and what are the security implications?

New technology, new privacy and security issues


It is inevitable that mobile devices will grow more powerful and become ever more integrated into our personal and work lives. Greater computing power and miniaturization will make these devices an increasingly viable replacement for the conventional PC rather than just a supplemental tool. Already many of us are using them as such for a significant portion of the day. We can also expect further diversification of form factors; the tablet PC has already had immense success, but more challengers will follow. These new device form factors will further blur the boundary between the PC and the mobile.

While many of us naturally worry about traditional attacks like malware and phishing on these new devices (and without doubt these issues do exist), new functionality breeds fresh opportunities for the bad guys. New features like augmented reality, facial recognition and integrated social media could leave users open to new kinds of abuse. Augmented reality, for example, connects location information with a user's social media friends, enabling them to identify digital contacts nearby. I don't know about you, but I am far more scrupulous about my real friends than I am with my digital connections. This in turn opens up new prospects for social engineering, such as figuring out when you are away from your home for criminal purposes (sites like PleaseRobMe.com do just this). Of the same ilk, facial recognition technology and the tagging of users in photos on social media sites blur the work-home boundaries even more. For example, police officers have already come under attack after their identities were exposed by social media and facial recognition technology.

NFC (Near Field Communication) technology is another interesting example of innovative technology that aims to deliver convenience for consumers. However, it will introduce a new dimension of challenges for security professionals: mobile devices become a much more interesting target for stealing money. There is a push to build NFC technology into mobile devices, enabling users to make payments or pass on personal information with a simple swipe of a mobile device over a reader. This will further transform the mobile into the single device from which most aspects of your life are driven, making it even more attractive to cyber criminals.

James Lyne Director of Technology Strategy, Sophos

The more data we make available on our mobiles, the more tools we provide the bad guys to weave creative attacks designed to compromise our personal lives, businesses and finances. Equally, the more applications and new capabilities we use, the more we increase the attack surface for the bad guys. Security is not the only victim; privacy will be challenged too. As we adopt more of these technologies for convenience, we can expect our lives to come under greater surveillance, with mobiles becoming the combination of a passport, personal record store and social life.

A change of attitude
Alongside these radical technology changes, business expectations have also changed. Only a few years ago enterprises wanted to block social media sites and non-standard, unmanaged devices. Now we are all consciously trying to embrace these technologies; look at the number of organizations with teams of people entirely focused on using social media as a channel to market. A stark contrast to previous years. These changes in technology and business expectations mean a new attitude to information security is needed. Embrace or die. This change of attitude also impacts the future of mobile security and applications: the default answer to new technology is becoming yes rather than no.

Mobile applications, the browser and fat clients


Mobile devices too have been quite disruptive to the technology used to produce applications. Over the past few years browser-based applications have been challenging the traditional fat client. This is primarily due to their cross-platform capabilities and the fact that they can be accessed from anywhere (or any device). Local mobile applications are now extremely numerous, spurred on by rapid application development frameworks; it's easy to write an app, which is why you can find an app for anything. These applications can also contain vulnerabilities, and there is significant evidence that even basic legacy security best practice is often not applied: for example, passwords or user data are often poorly encrypted (if at all). Fat clients and browser clients often provided secure APIs and services for these functions, which, after years of pain, many are now using (although far from ubiquitously). Mobile OSs increasingly do too, but developers, as yet, are not consistently using them. Due to a lack of transparency, it is unclear how comprehensive application quality checks like Apple's actually are. The so-called walled garden claims to keep bad applications out, but in many cases application security seems to let the side down. We can expect more challenges at the application layer in the coming years.

A different architecture for a different time


Mobile devices are not just a smaller version of the traditional PC, even though they increasingly perform an identical set of tasks. The underlying operating systems, from Android to iOS, are built fundamentally differently from PCs, and manufacturers have introduced new concepts based on lessons learned from traditional operating systems over many years of computing. Modern mobile platforms tend to include capabilities like sandboxing technology which can isolate applications. The access control and permission systems have also undergone drastic reform from the conventional OS. Rather than a permissions system based on access to arbitrary items like registry keys, they instead focus on more human-readable permissions, such as whether an application needs to access your location data or SMS messages. These capabilities show great promise for producing a more secure, usable OS, but they are, as yet, far from perfect. Many of these controls do not come with smart, secure defaults, or rely on the user to approve the permissions of an application being installed (a question they often may not know the answer to, and we all recognize the tendency for users to just click OK). These capabilities are not bad news, however, as security vendors can use them to bolster the security of the device by managing them.

Mobile devices are also starting to define their architectures based on modern working practices. BlackBerry, for example, has introduced a feature which provides two isolated working environments on the same device, allowing you to separate work and play data. This allows the benefits of a trustworthy and secure business environment alongside the flexibility to play games or the like. These features are not yet widespread and the robustness of the security is unproven, but they show a positive direction which could much better secure the modern remote worker. These features, combined with security vendors' offerings, could make for very usable, more generically secure devices.

Malware, hacking and phishing


There have of course been examples of malicious code for a variety of platforms, but this is minimal when compared to that targeting the conventional PC. Android, in particular, has suffered more attacks from malicious code due to its more open application market, although even those with a strong security reputation like BlackBerry have been victims too. While malware attacks on mobile devices are undoubtedly different, they are still entirely possible. Mobile malware we've seen to date includes fake internet banking applications which steal your credentials and your money, and in some cases the authentication token code sent by a bank via SMS. Many assume these devices are eminently secure as they've never experienced malware. The reality is that until recently most of us were not placing data on these devices that was worth stealing. Now that these devices contain valuable assets (as increasingly we use the device as a part-time replacement for the PC), the bad guys are paying attention. We can expect a significant increase in the volume of malware targeting these devices over the coming years. Anti-virus capabilities will be important, though the defense technologies will work differently from those on the PC, focusing more on reputation and behavior rather than traditional content security.

Regulators, compliance and mobile devices


Regulators and compliance standards have been through a series of reforms at break-neck speed of late, increasing the powers of regulators and making compliance requirements more explicit about the need for controls like full disk encryption. These standards have been somewhat targeted at the PC, given its role as the major vector of data loss and its position as the traditional focus of security investment. However, when you read these standards and laws, they are written generically and can be equally applied to mobile devices; the form factor of the technology is not an excuse for data loss. Indeed, as more data breaches occur via mobile devices, regulators will pay more attention to them and we are bound to see more sanctions and specific regulation for them. However, today, be aware that devices lacking basic compliance controls could pose just as much risk, if not more, to your data protection compliance as a PC. The requirement for controls and policy may be the same, but the implementation on mobile devices will differ significantly.

Pace of development and innovation


Perhaps the most significant challenge to mobile device security is the pace of innovation and development on mobile platforms. Where traditional computers at best might evolve on an 18-24 month cycle, mobile platforms are undergoing significant change on a quarter-to-quarter basis. Born from this velocity is the challenge that new applications and ways of sharing data will often be adopted by large numbers of users before the security community has a chance to vet them and understand the privacy and security implications. As security practitioners we will need to keep re-evaluating these devices and applications to identify new and evolving risks. Security solutions will need to be designed to be agile and updated faster than ever before as new issues come to light. Security as a constantly evolving service.

All that said, whilst applications and services on the device are updated, often automatically, OS updates for the device sometimes require painful cable connections or user interaction. This is a significant risk, as missing these updates can leave devices with open vulnerabilities. Jail-breaking iPhones is an excellent example of user-desired malware which uses such holes. Jailbreaking allows users to customize their device more than Apple allows and run pirated applications; it is a fairly widespread practice. These same holes could be used for user-undesired malware too! The infrastructure for updating and patching security vulnerabilities in mobiles has many lessons to learn from the traditional computer industry; perhaps they should take a look at the lessons Microsoft has had to learn here over the years.

The user perception issue


We've all been using smartphones for some time now and have very quickly grown used to buying applications, music or even banking online. Interestingly, it seems that using a mobile device doesn't raise the same security concerns as a PC with end users; they seem to feel immune. I suspect that this is primarily the result of users having experience of scams or malware on their PC but not on their mobile device. The problem is that users may view these devices as eminently secure, when in reality they are just waiting to receive more attention from cyber criminals. When the tide turns and mobiles are more closely targeted, there could be a significant lag time while the user community at large is educated on the threats. Many enterprises I visit have an acceptable use policy and security training which tells employees how to protect data and avoid compromise. It is, however, extremely common for mobile devices to be missed out of this training. Make sure you have modernized your awareness training and that you get users thinking about mobile device security now, to avoid this lag.

IPv6 and networks


Mobile devices have been through a series of significant connectivity upgrades from GSM to 1G, 2G, 3G, 3.5G and now 4G. Mobile networks around the world are currently undergoing significant upgrades enabling broadband-speed connectivity (or faster) to mobile devices. An excellent enhancement for the roaming user (increasingly the default in many businesses). These changes, however, also introduce interesting challenges for security: ubiquitous connectivity makes mobile devices an attractive target for bot networks and command-and-control, where previously they would have been less than ideal. Mobile device and telecoms providers are actually among the major customers for IPv6, the next generation protocol designed to connect our networks and the internet at large. (For more information on IPv6 see the white paper at www.sophos.com/en-us/security-news-trends/security-trends/why-switch-to-ipv6.) The massively increasing number of mobile devices is making scalability difficult for telecoms operators. Not only does IPv6 provide performance features, but it also has new functionality designed specifically for the mobile and for security.

Features such as mobile IP in IPv6 are designed to make it easier for mobile devices to switch between different networks (Wi-Fi and 3G, for example) while keeping a consistent IP address. This delivers consistent connectivity and coverage, and enables efficient routing of traffic for the truly mobile road warrior. There are numerous security enhancements too. It is worth noting that IPsec, the industry standard for secure VPN connections, was also invented in IPv6 and back-ported to IPv4; in IPv6 its implementation is mandatory and native. Mobile devices could be a driving force of change in networking, but with these changes will also come security challenges and new skills for security professionals to master. Many mobile devices and tablets now talk IPv6 by default on your network, potentially leaving them vulnerable to attack if this is not addressed.

Applying lessons learned (please)


As an industry we have learned a great number of lessons about producing secure software, designing solutions with secure defaults, and enabling security vendors to produce security solutions. For many years vendors and businesses have enjoyed a relatively supportive relationship with the traditional OS vendors enabling them to deliver the required security controls. Whilst far from perfect, progress has been made.

We are now moving to a new vendor ecosystem, including Google and Apple (to name a few). It is critical that this new ecosystem applies the lessons learned from our experience with desktops, rather than throwing these devices back to the 1990s. Mobile security has in many cases been held back by an absence of APIs, and by security not being a core part of the requirements for these new providers. We all need to make sure we apply appropriate pressure to get smart, secure defaults from this new vendor ecosystem and reinforce that good security capabilities are part of the minimum requirements of a device.

The future security tools


Future mobile security solutions will need to feature a blend of device, OS and vendor capabilities in an integrated solution. Some capabilities will be provided by the device in hardware (e.g., full volume encryption) or by the OS (e.g., sandboxing) but will be managed and reported on by security vendors. Anti-malware capabilities will be increasingly required, though as previously noted they will not be the same as their PC counterpart. The most interesting area is perhaps data protection: DLP to avoid those awkward accidental e-mail forwards, and continuous encryption of data as it flows between different devices, mobile, PC or otherwise. The protection stack for mobile will expand over time, much as the PC's has, but with the data, not the network, being the new enforced perimeter.

Overall, the mobile security market today is relatively immature and there is a lot of work to do to develop the right security controls on mobile devices. It may be tempting to start with the concept of a comprehensive security offering with parity to the desktop, including AV, DLP, HIPS, encryption, app control (and so on) for the mobile, but in reality these capabilities are not yet broadly available or, in many cases, possible to deliver. Priority one is to get the basics under control: despite all the hype, most data breaches occur due to basic configuration failure, such as poor passwords, lack of encryption, poor patching or social engineering. You can find more details on how to protect yourself on sophos.com. Over time mobile threats and the available security controls will evolve, and Sophos will be providing customers with relevant and updated capabilities as required.

How to plan your mobile security strategy


Whilst some have been preaching doom in the mobile security space for many years, mostly it has been uneventful. However, recent events and changes in mobile technology indicate that it is likely that the threats on these devices will both diversify and significantly increase in number in the short term, so we must be ready to address them.

Here are some pointers on how to approach your longer-term mobile security strategy:
1. Perhaps the most critical aspect of your long-term strategy is how to approach updating and revising it. Mobile devices and technology are going to evolve at an incredible rate, and the evolution of this breadth of technologies is too unpredictable. Therefore, developing a conventional 3-5 year IT strategy is unwise. Project teams dealing with adopting mobile devices should define a 6-month strategy using an agile methodology and then constantly re-evaluate how the devices are changing and what new risks are being introduced.

2. Plan for mobile devices to be more explicitly included in your compliance and regulation requirements.

3. Ensure that any technology solutions you adopt (such as device management) provide as much abstraction as possible from device type and OS. Popular devices will change quickly and you need to future-proof your security controls as much as possible. There is a risk that as you adopt 5x the number of device types you increase the cost and complexity of managing them by the same order; challenge vendors to solve this issue for you with broad platform support.

4. Carefully look at the combination of work and personal data on mobile devices. These devices are often the extreme scenario, blending your contacts, email and data into one UI with little differentiation for the end user. Consider your strategy for this on an ongoing basis, as it is a trend that is likely to continue. Deploy processes, policies and practices to help users avoid making silly mistakes which lead to compromising themselves and your business.

5. Invest in building mindshare with your users on mobile security. They need to understand the value of the information (both personal and business) they are placing on their device, and that these mobiles are not eminently secure. This will place you in solid stead as attack vectors evolve.

6. Go broad. Don't be overly clinical with your definition of mobile devices; different form factors are evolving every day and your strategy needs to encompass tablets, smartphones and potentially other popular embedded devices. That said, it would be wise to specifically authorize a list of devices; many enterprises, for example, will allow specific versions of an OS which include the minimum required security capabilities. As the devices mature, your list will grow longer.

7. Embrace or die. Entirely resisting these new devices and technologies is not a tenable position for most organizations. Most are in the position of having to adopt them. Enabling certain devices like the iPad at an appropriate level of security in your organization will earn you points to help prevent adoption of more risky technologies.

8. Watch this space. Sophos will be releasing new mobile security controls as the platforms and problems evolve. Customers running our mobile security capabilities are linking in to a journey as the issues evolve, rather than a final mobile security capability.

James Lyne, Director of Technology Strategy, Sophos @jameslyne

Boston, USA | Oxford, UK. Copyright 2011 Sophos Ltd. All rights reserved. All trademarks are the property of their respective owners.