
Posted Date: 1/4/2013

Security Challenges Ahead

By Jeff Koonce
The mobile advancements of 2012 brought with them new security concerns for the enterprise in 2013. Manufacturers continued to release new devices and cloud communications became a leading choice for data storage. Easy access to data, the key point of mobility, is also the point of risk. Aside from those trying to get into the backend through downloads, simply using the Bluetooth signal on the device can be risky as well.

More devices and more mobile users connecting to the cloud mean more access points for hackers and malware, and an increased chance of breaches. BYOD coupled with an unaware user carries additional layers of security concern, so protecting corporate data on the device, in the cloud and in your pocket, all while keeping the user’s personal information out of the mix, is increasingly complex.

Data Compartmentalization
Devices can be replaced, albeit at a cost, but the greater cost to the enterprise is the risk from the data residing on the device. Thus, mobile device management (MDM) is evolving to address mobile data management, and one way is through data containment.

In some cases, this is built into the device, and with one touch the user moves from the work side of the device to the personal side. Containerizing can also be implemented through an app that acts in the same way, separating the data. By separating and isolating user data, this both creates a secure environment for the enterprise and addresses the privacy concerns of the end user.

Some enterprises have gone as far as disabling the use of cloud services in their BYOD policies to ensure the data stays within the organization’s infrastructure.  

For those IT departments that are running Microsoft servers, another option to manage the flow of their confidential information is to implement Microsoft’s Rights Management Services (RMS) within their Active Directory. This option, however, does take more technical expertise to implement than using a restrictive BYOD policy to control the mobile device.

RMS is an information protection technology that works with RMS-enabled applications to help safeguard digital information from unauthorized use, both online and offline and inside and outside of the firewall, and can be mobile device restrictive.

Mobile Malware, Data Breaches
Mobile commerce transactions have grown by leaps and bounds, as evidenced by PayPal’s payment growth over the last few years. In 2009, PayPal’s mobile payment services had $141 million in transactions, which increased to over $4 billion in 2011, thanks in part to the introduction of the QR card reader. This basically allowed a credit card to be replaced with a smartphone that contained all of the credit card information. In the same realm, coupons have also “gone digital.”

BYOD enterprises need to be concerned with the potential data breach that could occur through the end user’s shopping habits. Remember the days of the coupon printer running rampant malware on a PC network? Now the same is happening in the mobile network, and this is just one example of the dangers of malware.

Programmers with malicious intent are aware that over 35 million mobile phone users will use mobile coupons by 2013. If even a small group of those users brings their devices into the workplace under a BYOD policy, it can create a rampant release of malware attacks. IT departments need to be aware of, and educate users about, potential reverse phishing and the data breaches that can occur with mobile coupon programs or any other program with malicious intent running within their infrastructure.

Internationally based companies should also be aware of mobile malware programs such as FakeInst SMS or SMSZombie, which are currently prevalent in Russia and China and target Android devices. These malicious programs, once installed, obtain device admin privileges and are very difficult to remove.

Anti-malware software needs to be pushed to the mobile device via the MDM solution in order to scan any such application that is loaded on the device.  

Data breaches can also come, unknowingly, from the employee. Dropbox is a perfect example of an out-of-the-box app that is excellent for transferring files to and from the cloud but creates a security risk due to its ease of use. A user can transfer a confidential work file without IT even knowing. This would be considered a security breach; therefore, the use of apps like this needs to be addressed through policy or practice.


Bluejacking, Bluesnarfing, Bluebugging
It wasn’t that long ago when scanning devices were created that could scan a credit card while it was still in your wallet or purse without your knowledge.  A hacker would use a mobile reader and get close enough to someone to be able to scan their credit card and then burn this information onto blank cards.

Today, this is being done on mobile devices by utilizing the Bluetooth signal, which is usually left on. Known as Bluejacking, it started as a mere fun way to transmit SMS messages to a mobile device, often to an unsuspecting person. Since there was no stealing of data or actual usage of the phone, it was not originally deemed illegal.

Unfortunately, this led to the very illegal practices of bluesnarfing and bluebugging, which allow an attacker to gain unauthorized access to the information contained on the mobile device through a Bluetooth connection. This can not only allow someone to gain access to the data, but it can also enable the hacker to activate the microphone or camera of the mobile device in order to eavesdrop.

This is one reason why some major companies have their end users sign a BYOD policy that allows the IT department to fully deactivate both microphone and cameras on mobile devices while on company property.

A simple way to prevent such an attack is to turn off the Bluetooth service on the mobile device if it is not needed, or to at least turn off the “discoverable” option within the Bluetooth settings making the mobile device hidden.

Since the majority of older Bluetooth devices used “0000” as the pairing code, it was easy for a hacker to guess it. Newer Bluetooth devices now allow the default pairing code to be changed by the user. Even better are those devices that send a text message containing the pairing code to the mobile device during the pairing process.

However, even if the mobile device is set to “hidden,” it may be “bluesnarfable” by the hacker since they could guess the device’s MAC address via a brute force attack. This would take time: Bluetooth uses a 48-bit unique MAC address, of which the first 24 bits are common to a manufacturer, leaving the remaining 24 bits with approximately 16.8 million possible combinations. The hacker would also need to be within Bluetooth range, but it’s just another reason to always be aware of your surroundings.

Threats to the enterprise through technology will always exist and are, in essence, the same regardless of where or even how the data is being delivered. The difference with mobile is that it changes so fast, it’s hard for IT to keep up. Plus, it’s literally much more outside of the enterprise’s control. By having clear and sound BYOD policies along with strong MDM and network protection, IT departments can regain some of that control needed to ensure data integrity.

All materials on this site Copyright Edgell Communications. All rights reserved.