The CISO's Guide to Reducing Mobile Malware Threats, Part I
by Kyle Flaherty
Update: The CISO's Guide to Reducing Mobile Malware Threats, Part II
By 2015, more people will access the Internet through a mobile device than through a wired Ethernet connection. Unfortunately, adoption of good security habits isn’t keeping pace with the adoption of mobile computing. One survey found that a majority of mobile users—53%—are unaware of the need for security software on their smart phones, while another says that 44% are not practicing “safe browsing” from their mobile devices. An incredible 51% of Android owners don’t even take the simple step of using passwords to access their devices.
With so many soft targets available to attackers, it’s no surprise that mobile malware is on the rise, as the chart below from McAfee’s quarterly threat report shows. And it’s likely that mobile malware is already infecting hundreds of devices connecting to your network every day, putting at risk the security perimeter you have so carefully crafted.
We polled our customers and field consultants to gather their best advice for securing networks against mobile threats. We will share those ideas in this post and others over the coming weeks. First up, we look at policies, testing, and education, focusing on three key points:
- Create clear policies for employee use of mobile devices, balancing the need to conduct business with the need to maintain information security.
- Deploy security devices from vendors who have tested and validated their ability to detect and block mobile-specific threats. Then perform regular testing of these devices to ensure ongoing resiliency to the very latest attacks.
- Educate employees about how to avoid becoming infected by mobile malware in order to prevent it from entering your infrastructure to begin with.
Mobile Device Usage Policies
To control mobile malware risks, CISOs must define which mobile devices are allowed on the corporate network and under what conditions, while keeping in mind the need to support business objectives. Policies for mobile devices should focus on limiting access to the network and to data storage and transfer functionality. It is also vital to have easy-to-follow guidelines for what users must do to comply with policies; these will make it easier to monitor and enforce compliance. For example, there are systems that automatically detect when a mobile device is connected to a desktop PC and then prompt the user to self-register and upload security software.
Security policies will vary greatly for every company. However, it’s important to remember that comprehensive policies, user-friendly guidance, monitoring, and compliance will be the keys to protecting your network from users who may unknowingly introduce malware to your network.
Security Testing and Validation Against Mobile Malware
Firewalls, IPS devices, and anti-virus products are your first line of defense—as long as you can be certain they will detect and block the latest mobile attacks. The best way to know with certainty that you are protected is to buy from vendors who have validated their ability to detect and block dedicated mobile threats. Before you purchase, put them to the test using a representative mix of your network traffic and a range of attacks to make sure they are living up to their marketing claims. Then put them to the test again before deploying and after any configuration changes are made.
Regular testing of all security devices, as advocated by Gartner and many of our advanced customers, is the only way to ensure ongoing resiliency to the very latest attacks. We’ve blogged extensively on how to do this and have produced a guide for validating content-aware security devices.
Educate Employees about the Dangers of Mobile Malware
You can lock down your operation with appropriate policies and hardened defenses, but you will still remain vulnerable unless you have a vigilant and educated workforce. Users need to fully understand the threat posed by mobile malware, the common sources and consequences of infection, and the best ways to avoid falling into malware traps.
It is important that every employee trusted with access to the network understands that, like traditional malware, mobile malware is often designed to spread, gain access to sensitive information, shut down systems, and even siphon money out of bank accounts. On this last point, it is not surprising that the big growth area in mobile malware is the “money maker” category, as shown by the graph below from Fortinet:
Stemming the Spread of Mobile Malware
To help employees spot and avoid attacks, it’s important to have them understand the two main ways malware gets on a device—repackaging and drive-by downloads. In a repackaging attack, the malware maker inserts malicious code into an otherwise legitimate application, and then reposts it to an app store. Once a user downloads the corrupted app, the malware carries out its evil intentions.
The second popular malware delivery method, drive-by downloading, happens when a user visits a malicious Web site via their mobile browser. These sites, which have been used for years with traditional non-mobile malware, are engineered to trick the visitor into downloading an application that seems safe but actually installs malware.
Once loaded, the more sinister variations of mobile malware do a better job of hiding themselves and, unfortunately, could end up costing you. For example, there are variations of mobile malware that install on devices and actually send hidden SMS messages back to a short code number. These messages—which work just like the legitimate short-code numbers used by the Red Cross to collect donations—can charge users’ accounts and go unnoticed for months.
Mobile Malware Will Only Get Worse, So Get Prepared Now
Like many other forms of malicious attacks, mobile malware will only become more damaging over time, infiltrating devices that seem protected. At BreakingPoint, we have expanded our product capabilities to help customers validate their ability to block mobile malware. This adds to our extensive coverage of mobile application protocols and common communications applications to help you validate your defenses.
However, it’s important to remember the biggest threat to your network—employees unaware of the dangers. Create policies with teeth and educate individuals to take responsibility for helping prevent mobile malware from getting onto their devices in the first place. In Part II of this guide, we share four tips that you can provide to your employees to help them protect themselves from mobile malware.



