The desire for a mobile-first organization is changing the dynamic of new mobile-enabled services. It forces enterprises to operate in new realities:
- BYOD programs serve a broad range of people, all of whom actually control their own devices and apps.
- New demands placed on mobile devices not built to withstand modern threats.
At the same time, new global cybercrime arises, derived from greed, hacktivism, and the quest for more economic power and political control. The increasing use of mobile organizational practices enlarges the attack surface for hackers, who only need a narrow space to succeed. For example:
- Impersonate a legitimate cell tower or Wi-Fi hotspot and intercept or modify communications.
- Lure a careless user into installing a Mobile Remote Access Trojan (mRAT), take complete control of the smartphone from afar, and exfiltrate all on-device data or take screenshots.
- Inject a trusted Bluetooth credential via Near Field Communication, dial the phone and listen to its surroundings.
- Deliver iOS Malware using fake certificates or malicious profiles.
- Transform a private call into a conference call.
- Exploit the known SS7 inter-carrier network security flaw to locate a device and tap calls and messages.
The new wave of threats is turning enterprises into both a target of cybercrime and a conduit for attacks directed at their employees. Furthermore, IT teams struggle to ensure not only the protection of sensitive data but also the resilience of the mobile devices meant to streamline the business.
The mobile security ecosystem fights cybercrime by addressing threats on the device, in the applications and in the network. It focuses on detecting threats and mitigating the risk involved. Given the BYOD constraints, organizations are trying to balance privacy, good user experience and risk-based mobile management at the same time. Enterprises enact a three-way secure BYOD practice:
- Identify real-time threat levels based on suspicious patterns, characteristics, and behavior across apps, devices, and networks;
- Deploy risk-driven security controls via user alerts, access control, and delayed access;
- Enforce and monitor compliance with corporate policies while assessing real-time vulnerabilities.
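The three-way practice above, worked through as an added example (not code from the original text or any product): signals observed across device, apps and network are weighted into a real-time threat level, the level selects one of the controls named in the list (user alert, delayed access, access block), and a compliance check is enforced on top. Signal names, weights, thresholds and policy items are constructed assumptions.

```python
# Added illustration of the three-way BYOD practice: derive a real-time threat
# level from device/app/network signals, map it to a risk-driven control, and
# enforce compliance. Names, weights and thresholds are constructed assumptions.
from dataclasses import dataclass, field
from enum import Enum

class Control(Enum):
    ALLOW = "allow"
    ALERT = "allow, but alert the user"
    DELAY = "delay access until re-verified"
    BLOCK = "block corporate access"

# Constructed weights for the threat classes the text lists (device, app, network).
SIGNAL_WEIGHTS = {
    "device_rooted": 40,
    "outdated_os": 20,
    "sideloaded_app": 25,
    "untrusted_network": 30,  # e.g. a hotspot or cell tower that fails validation
    "known_malware": 70,
}
# Corporate policy items a compliant device must satisfy (constructed).
COMPLIANCE_RULES = frozenset({"screen_lock", "disk_encryption", "mdm_enrolled"})
# Thresholds are assumptions; tune them to the organisation's risk appetite.
LEVELS = ((70, "critical", Control.BLOCK), (45, "high", Control.DELAY),
          (20, "medium", Control.ALERT), (0, "low", Control.ALLOW))

@dataclass
class DeviceState:
    signals: set = field(default_factory=set)     # observed suspicious indicators
    compliance: set = field(default_factory=set)  # policy items currently satisfied

@dataclass
class Decision:
    score: int
    level: str
    control: Control
    compliance_gaps: list

def threat_level(score):
    return next((lvl, ctl) for bound, lvl, ctl in LEVELS if score >= bound)

def decide(state):
    score = sum(SIGNAL_WEIGHTS.get(s, 0) for s in state.signals)
    level, control = threat_level(score)
    gaps = sorted(COMPLIANCE_RULES - state.compliance)
    # Compliance enforcement: a non-compliant device is never simply allowed in.
    if gaps and control is Control.ALLOW:
        control = Control.DELAY
    return Decision(score, level, control, gaps)
```

A real deployment would feed `signals` from the detection layer continuously and re-run `decide` on every access request, so that a device that drifts out of compliance mid-session loses plain access.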
Though this strategy minimizes the impact on users and allows managerial flexibility for IT administrators, it does not safeguard against salient cyber-attack vectors:
- It maintains a wide attack surface.
- It facilitates the user’s freedom to be careless.
- It focuses on device management within the boundaries of known weaknesses.
- It relies on the natively unprotected processes of commercial mobile OSs.
- It is reactive by nature.
Mobile devices remain soft targets of cybercrime, forcing organizations that handle sensitive information to apply a more holistic strategy. A next-generation mobile security solution needs to create a zero-mistake environment. That means diminishing the attack surface, leaving nothing to user judgement, closing in real time the security gaps left by COTS components, and being proactive. It should incorporate the following core elements:
- 1 - A trusted mobile execution environment consisting of a production-controlled mobile device and a hardware-based root of trust, to eliminate malicious implants such as password backdoors, active malware rootkits, and network service backdoors. Beyond that, security-minded organizations deploying devices in substantial volumes should explore purpose-built devices manufactured exclusively for them.
- 2 - A security-enhanced operating system (OS) that resolves the known security weaknesses of commercial operating systems, combined with same-day over-the-air software patches. This OS should be natively integrated with the device and run its security functions on fully known code and drivers. Flashing commercial devices with only partially transparent code leaves unknown blind spots that may jeopardize security.
- 3 - An OS-fused central command and control application that enforces device use policies, guarantees zero usage mistakes and cannot be bypassed by the user. Enhanced defense controls and restrictions should eliminate interception and network-based threats, silent injection of malicious services, phishing attacks, malicious and risky applications, side-loaded applications, non-app-store signers and unauthorized USB-wired data extraction. OS-embedded controls enable complete governance of user behavior.
- 4 - A security applications layer that creates multiple lines of defense with components such as encrypted communications, a persistent VPN, mitigation of SS7 vulnerabilities, data-at-rest encryption, and an obfuscation tier for service APIs. Stacking many one-dimensional defenses may result in high cost, so this method should be carefully evaluated against the internally perceived risks and the security level desired to match them.
- 5 - Combined technologies for detecting threats across the network (man-in-the-middle attacks), the device (rooting, vulnerable configurations, suspicious anomalies, version/device exploits, file tampering) and applications (known malware, malicious behaviors, messaging interception, credential theft, spyphones, bots, RATs). Hackers tend to outpace threat detection solutions, so more detection is better, as long as it is not the sole line of defense.
- 6 - Dedicated defense controls for preventing careless use via focused features such as hashed in-message links, numbers and addresses, blocked in-message media items, controlled USB connection, a granular application permissions scheme, blocking of accessibility features, and more. Only a custom-built OS allows the extended security measures necessary to create an adequate shield against curiosity-driven mobile user behavior.
- 7 - A multi-dimensional remediation strategy and toolset for swift recovery from risky situations. Such solutions include capabilities like removing malware with an anti-malware app, blocking access to malicious sites once they are tracked, disconnecting from or alerting on 2G connectivity, remote data recovery, a quick button to erase on-device content, remote security inspection and more, all aligned with the organization's common use practices. A cohesive organization-wide remediation strategy is required, based on the perceived risk. However, this demands a heavy and exhausting implementation effort, and the gap can only be bridged by lightweight yet effective tactical recovery tools.
The truly security-sensitive organization cannot rely on BYOD programs, no matter how advanced they are. BYOD programs compromise security due to their privacy limitations. Cautious organizations need to run their daily conduct via corporate-owned devices that are built from the ground up for safe enterprise mobility.