Today I took part as speaker to an event organized by my Company concerning Cloud and Mobile security. For this occasion I prepared some slides summarizing some concepts spread all over my blogs.
In my vision (you should know if you follow my blog) mobile vulnerabilties are mainly due to:
- False security perception by users: they consider their device as a “simple” phone, forgetting they bring a small dual-core in their pockets;
- “Light” behaviour from users: Sideloading, Jailbreak and Rooting are not good security practices;
- Consumerization of Devices: well known (partially abused) concept: some mobile devices come from the consumer world and hence do not natively offer enterprise class security or suffer from intrinsic vulnerabilities:
- Consumerization of Users: many users think they have consumer device so they think they do not deserve enterprise class security measures.
And the risks are:
- False Security Perception leads to high probabilities of theft or loss of the device, and most of all, of its data;
- “Light” behaviour from users dramatically increases the probability to directly install malware or surf towards insecure shores…
- Consumerization of Devices leads to vulnerabilities that may be exploited to access and steal sensitive data or authentication credentials;
- Consumerization of Users leads the users themselves to adopt imprper habits not appropriate for an enterprise use, which in turn make the device even more vulnerable to malware (i.e. installing non business application, lending it to others, etc.).
How to mitigate the risks?
- Educate users to avoid “promiscuous” behaviours (no root or sideloading or jaibreak, do not accept virtual candies from unkown virtual persons);
- At an organizational Level, define security policy for managing (un)predictable events such as device thieft or loss;
- Beware of risks hidden behind social Network;
- Use (strong) Data Encryption;
- Do not forget to use security software;
- Enforce Strong Authentication;
- Keep the device update.
This in turn corresponds to enforce a device management policy in which mobile devices are treated like “traditional” endpoints (but they will sone become tradional endpoints).
You may find the slides on SlideShare… They are mainly in Italian but if you want, ask me and I will provide an additional translated version.