The Evil Eight: Top Mobile Security Threats

— October 09, 2012

The Cloud Security Alliance (CSA) Mobile Working Group has released findings from a new survey identifying the specific security concerns that enterprise executives say are the real and looming threats to mobile device security in the enterprise environment.

The new report, “Top Mobile Threats,” is the result of a survey of more than 200 enterprise participants representing 26 countries. The survey serves as an important first step in a larger effort to provide industry guidance on where enterprises should place their resources and focus when it comes to addressing mobile security threats.

With the rapid adoption of mobile computing, and immediate connection to cloud computing, the CSA established the Top Threats to Mobile Computing research discipline, in addition to the current Top Threats to Cloud Computing, to provide its membership with specific data on how the security community views such threats.

“Personally owned mobile devices are increasingly being used to access employers’ systems and cloud-hosted data, both via browser-based and native mobile apps. This, without a doubt, is a tremendous concern for enterprises worldwide,” says John Yeoh, Research Analyst for the Cloud Security Alliance. “The results of this research will play an important role as we set out to develop much needed guidance on where time, talent and money should be placed when it comes to addressing mobile security threats.”

The Evil Eight: Rank of Top Mobile Threats
1. Data loss from lost, stolen or decommissioned devices
Threat Level: High

Because of the information accessed through the device, theft or loss of a mobile device has immediate consequences. Weak password access, no passwords and little or no encryption can lead to data leakage. Users may also sell or discard devices without understanding the risk to their data.

2. Information-stealing mobile malware
Threat Level: High

Android devices, in particular, offer many options for app downloads and installations. Unlike iOS devices, which need to be jailbroken, Android devices let users easily opt to install third-party apps. To date, the majority of malicious code distributed for Android has been disseminated through third-party app stores, predominantly in Asia. Most of this malware is designed to steal data from the host device.

3. Data loss and data leakage through poorly written third-party applications
Threat Level: Medium

Although the main marketplaces have security checks, certain data collection processes are of questionable necessity. All too often, apps either ask for too much access to data or simply gather more than they need or advertise.

4. Vulnerabilities within devices, OS, design and third-party applications
Threat Level: Medium

The unique ecosystem inherent in mobile devices provides a specialized array of security concerns to hardware, OS, and app developers, as the devices increasingly contain all of the functionalities attributed to desktop computing with the addition of cellular communication abilities.

5. Unsecure Wi-Fi, network access and rogue access points
Threat Level: High

As more users are mobile and data plans become more limited, users will increasingly use Wi-Fi in public locations, the number of which has exploded in the last few years. This has increased the attack surface for users who connect to these networks. In the last year, there has been a proliferation of attacks on hotel networks, a skyrocketing number of open rogue access points installed and the reporting of eavesdropping cases.

6. Unsecure or rogue marketplaces
Threat Level: High

The specifics of this threat are the same as number two, and Android malware is being distributed through these marketplaces more and more frequently.

7. Insufficient management tools, capabilities and access to APIs (includes personas)
Threat Level: Medium

Granting users and developers access to a device’s low-level functions is a double-edged sword, as attackers, in theory, could also gain access to those functions. However, a lack of access could lead to insufficient security. Plus, with most smartphone and tablet OSes today, there is little, if any, guest access or user status. Thus, all usage is in the context of the admin, thereby providing excessive access in many instances.

8. NFC and proximity-based hacking
Threat Level: Low

Near-field communication (NFC) allows mobile devices to communicate with other devices through short-range wireless technology. NFC technology has been used in payment transactions, social media, coupon delivery and contact info sharing. Because of the value of the information being transmitted, this is a likely target of attackers in the future.

Addressing the Threats
“The results of the CSA Mobile Working Group survey are a testament to the security threats that mobile devices introduce to the corporate network,” says Patrick Harding, CTO of Ping Identity. “With more and more enterprises adopting a BYOD model, it is critical that mobile devices adhere to the same corporate security policies as other devices, and that proper identity and access management processes are put in place to ensure the security and integrity of the organization.”

The results in this report, which focused on those threats posed by smartphones and tablets, are intended to aid information security professionals and educate the industry about security concerns.

In addition to identifying top threats, 64% of respondents believe that NFC and proximity-based hacking will happen in 2013. Also, 81% of respondents believe that unsecure Wi-Fi and rogue access points are already happening today. This is of particular concern, as the proliferation of mobile devices consequently increases the use of and reliance on Wi-Fi networks.

"The CSA Mobile Working Group findings highlight the threats that experts in the field find to be the most critical. There are few stronger indications of where we should be focused,” said Dan Hubbard, CTO of OpenDNS. "As we move further into an era where mobile computing is ubiquitous, we're seeing an entirely new threat landscape."

