[BreachExchange] Be prepared to handle a mobile security breach

Audrey McNeil audrey at riskbasedsecurity.com
Tue Apr 17 18:49:41 EDT 2018


https://searchmobilecomputing.techtarget.com/tip/Be-prepared-to-handle-a-mobile-security-breach

IT should ask some key questions about its security infrastructure to be
prepared in the event of a mobile security breach.

A number of scenarios can expose mobile users, data and entire mobile
infrastructures. Yet, it's less common to hear about these types of
security incidents than about those carried out by traditional computers
against traditional networks.

This is likely due to a lack of visibility into mobile systems and their
related data. Perhaps it's because of the assumption that mobile is secure
if IT uses mobile device management (MDM), enterprise mobility management
(EMM) or unified endpoint management (UEM). These technologies can
certainly lead to a false sense of security.

Types of mobile attacks

Security events involving mobile can come in various forms. IT should
understand the potential ways a mobile security breach can happen.

Lost or stolen devices. Even if IT has strong access controls, attackers
can still access some mobile devices using legitimate forensics recovery
tools, such as the Elcomsoft Mobile Forensic Bundle. Because end users
often use mobile devices to access business applications, such as email,
cloud file-sharing and remote access, as well as to store sensitive
information on their devices, stolen devices can affect businesses.

Mobile app vulnerabilities. This is an area of exposure with its roots in
the software development lifecycle and lax security testing. A malicious
mobile app user can do as he pleases and IT would likely never know about
it.

Malware infections. Although mobile malware infections are uncommon due to
mobile devices' secure architectures, they still occur.

Man-in-the-middle attacks. These attacks carry out exploits to access
communication sessions between mobile users and the services that they are
using. All it takes for exposure is for a user to connect to a rogue
wireless access point.

Web application or services attacks. On the other end of mobile devices are
web applications and web services that hackers can attack directly. This is
an often forgotten component of mobile security. Make sure that you look
below the application layer.

Ask the right questions

IT pros may assume that they have the necessary control over mobile
security, but that's not enough given all the avenues of attack and the
lack of security visibility in the typical enterprise. If IT uses MDM, EMM
or UEM, that's a great first step. However, IT must look at the bigger
picture and how those tools tie into other security systems.

For example, does IT have full visibility in terms of malware protection?
What about network-related anomalies? Will IT be alerted about problem
traffic? Is it all tied together through a bigger system, such as a
security information and event management tool? Are these controls just
local, or does IT have visibility and control across the mobile
infrastructure and out to the cloud? Most organizations are woefully
deficient in terms of cohesiveness.

Most organizations are BYOD shops with little to no standardization. BYOD
creates greater network complexity, so IT must ensure that security
standards are in place.

For example, do mobile security standards for Apple iOS apply to Google
Android? What other mobile operating systems do workers use? Are
smartphones and tablets equally covered? What about laptops? Are MacBooks
included? Is IT fully aware of the various mobile OSes and devices and how
they interact with the mobile infrastructure? It's important to know how
those devices may expose mobile assets.

Finally, IT should determine its incident response capabilities to prepare
for a mobile security breach. Assuming IT can detect mobile security
events, how will it respond? How is mobile different than a traditional
computing environment? Will mobile security require different tools for
response efforts? Does the organization have the internal skill and tool
sets to do so? If IT has a documented incident response plan, does it
include all of the pertinent areas for mobile?

Before IT pros do anything else, such as buy new mobile security tools,
implement new policies or tweak their incident response plan, they should
perform a detailed security assessment of their mobile environment.

IT must know its network, threats, vulnerabilities and business risks --
whether it obtains that information as part of an overall information risk
assessment or from a more targeted look at mobile systems. It's not enough
to simply document policies and deploy products.