Mobile Malware Threats to Enterprise Network Security: Analyst Q&A with VisionGain
by Kyle Flaherty
Mobile malware is the latest challenge facing enterprise network security, and many enterprises are just beginning to understand its impact. Unfortunately, while they are determining the next step, they aren’t making necessary moves to protect against it. This is why BreakingPoint has released hundreds of pieces of mobile malware for testing, and it’s why London-based analyst firm VisionGain recently published a Mobile Device Security Report. The report goes into extensive detail about the nature of mobile malware attacks, the dangers they pose to devices, infrastructures, and companies, and what is being done to combat them.
In talking with the report’s author, Michela Menting, it becomes clear that enterprises don’t yet understand the urgency of these risks. According to Menting, “Recent high-profile cases involving malware in Android apps have raised some awareness [of mobile security threats] beyond expert circles, but it still remains limited.” VisionGain’s report aims to improve understanding of the issues created by mobile malware.
Here are excerpts from my Q&A with Menting (emphasis mine on the most important points raised).
What is the greatest threat that mobile malware currently poses to large organizations?
Many large organisations typically have robust security mechanisms to guard their IT systems, and it is quite difficult to penetrate [them] with an outside attack. However, mobile phones can present a back door into the organization's IT systems. The greatest challenge for large organisations at the moment is effectively monitoring and managing a host of mobile devices, which may not all have the same operating system or be the same model. If an organisation does not have strict device management policies in place, the chances that malware will find its way into the system are relatively high.
What is the first thing that IT departments should do in the short term to reduce the risks associated with mobile malware?
Set up policy guidelines on device security and ensure that all employees undergo some form of training. These should also be constantly revised as technology evolves and new security threats evolve. Often, the employee is the weakest link in the security chain, and mobile threats also include social engineering techniques as well as technical exploits. The policy guideline should be well defined, detailing precisely the different measures and procedures applicable within the organisation.
As IT departments work to combat mobile threats, how should their attention be apportioned among securing mobile devices, educating mobile users about threats, and securing network equipment?
Securing mobile devices and educating users about threats should be done initially, with revisions on a regular basis. Mobile devices can also be monitored remotely and security updates issued when they become available. However, the brunt of efforts should be focused on securing the organisation's infrastructure and monitoring it to ensure that it can respond effectively and quickly to any attacks or threats. It will not be possible to prevent all threats at all times, and therefore detection, response, and containment are just as important.
How are network equipment manufacturers responding to these threats?
Network equipment manufacturers have not responded concretely to mobile threats. We’re still in the early days of mobile malware, and equipment manufacturers still feel too far removed from the problem to feel the need to respond at this time. However, GSM uses a number of cryptographic algorithms for security, and upcoming 4G networks also contain built-in security mechanisms.
What was the most surprising finding from your research for this report?
The most interesting finding from the research was the surprising adaptability of cyber criminals to the mobile platform and the ease with which they have been able to transpose online threats to handsets.
Phishing scams using man-in-the-middle attacks and the use of SD cards to transmit malware to PCs are highly innovative and show a real understanding of the potential for criminal exploitation.
What is the one thing that corporate IT professionals should know about mobile malware and related security threats?
Without a doubt, mobile threats are real and growing. Although the number of current malware aimed specifically at mobile devices remains relatively low when compared to desktops, it is certainly possible to draw a parallel with the evolution of PC-based malware. IT professionals can apply their knowledge and experience in desktop computing to the mobile landscape. This will help IT professionals better address mobile threats and combat malware.
To read Michela’s Mobile Device Security Report, follow this link. To learn more about what you can do to fight these threats, take a look at our two-part “CISO’s Guide to Mobile Malware.” You can also click here to find out more about BreakingPoint’s coverage of mobile malware for your network and data center simulations.

