I Care?
MOBILE SECURITY FOR THE REST OF US
by
Contents
Foreword
by Chris Wysopal
Co-founder, CTO & CISO of Veracode, Inc.
We've created this mobile security book to help you successfully ride that wave.
After reading this book you and your employees will learn, as we have at Veracode,
it takes a coordinated effort between employees and IT/security personnel to truly
secure mobile computing in the enterprise.
Formulating a BYOD policy is only one side of the equation; employee education is
the other. Most business users simply aren't aware of the security threats facing
them when they use their favorite mobile device at work. This book aims to increase
that threat awareness level and ultimately convert your employees into willing
participants in your organization's secure mobile computing or BYOD program.
This book lists 10 simple things that every business user can do to help protect
their personal information as well as their company's data, IP and brand when
they use their mobile devices at work. We've made every effort to make our mobile
security story a fun one to read. Some of the details around the mobile security
stack can be tedious, but it's hard to resist when the stack looks like a club
sandwich!
We hope you and your employees find this book helpful, and we encourage you
to share it with your colleagues. We'd also appreciate your feedback, so feel free
to email us (info@veracode.com) or contact us on Twitter (@Veracode) with your
comments.
Happy reading!
Chris Wysopal
PART ONE
It's Scary Out There
Our mobile devices are wonderful things.
Not only are they highly portable, they are essentially small
computers themselves, allowing us to stay productive
with apps, email and Internet access at all times. We use
them on our commute, we take them when we travel, and
increasingly, we bring them to the office with us. They store
vast amounts of information and provide a critical gateway
to the rest of the organization.
Joe IT here already knows a lot about mobile device security.
It's his job to secure the corporate network and all of the
hardware that runs on it, like laptops and servers.
He's worried about all the smartphones, tablets and other
mobile gadgets that are now accessing his precious network
and the sensitive business data it protects.
Worried is a strong word.
Let's say terrified.
Now that introductions are out of the way, let's look first at
[Infographic: mobile adoption figures. Recoverable captions:
40 BILLION: estimated number of applications already downloaded from the Apple iTunes store and Android Marketplace.
3.1 BILLION: estimated number of mobile broadband subscribers worldwide by 2015, compared to 848 million.
1 BILLION: number of iOS and Android smartphones and tablets expected to be activated by the end of 2012.
40 MILLION: the number of tablets sold (caption fragment: "in less than 2 ... since 2007").
42%: caption fragment; adjacent text reads "The average smartphone user is beginning to spend more time in mobile applications than they do browsing the web."]
It's clear that consumers are going mobile in huge numbers.
Now, they want that same great mobile experience they have
at home to come with them to the workplace.
Yup, that's me.
I love having my iPad with
me at conferences, and
it's so much easier to
present on it at sales
calls.
We've talked about this.
He just doesn't get it.
I certainly don't understand the danger here!
I mean, it's a smartphone.
Nobody attacks mobile phones.
Good point, Joe IT.
To understand the threat better, it's important to review some
more stats on
In fact, a single successful mobile attack can cripple your
favorite device, result in the loss of personal or business data,
open the door to possible identity theft or worse, result in
financial loss to either you or your organization.
Consider the potential damage:
One study examined 855 data
breaches in 2011 alone that were
responsible for 174 million
records stolen.[7]
Among all organizations that reported the source of breach
incidents in 2011, 40 percent were traced back to
application security issues such as cross-site scripting and
SQL injection.[10]
App stores have been very quick to remove malware once
discovered, but that's typically after the damage is done.
They need to get serious about vetting code before it is made
available for download. Users can't rely on the halo effect
of a reputable app store or trust fellow user reviews to
rate the reputation of app vendors when it comes to mobile
code security. In some app stores, legitimate apps have been
pulled down by hackers, corrupted with malware, and then
reposted without the original publisher's knowledge.
I can help, but I can't follow you around all day.
I need help from you too.
It doesn't matter if you work in sales, HR or accounting;
it's everybody's responsibility to protect the
organization's sensitive data. Neither of you would want
confidential information about your customers falling into
the wrong hands, would you? IT can lead the mobile security
charge, but Joe can't be expected to take on complete and full
responsibility, especially if it's your personal mobile device.
PART TWO
Whose Job is It, Anyway?
Similar to the PC security market,
there are a number of players responsible for delivering
mobile security. These include:
It's helpful to think of these 4 layers as a stack;
let's call it the...
The upper layers of the stack rely on all of the lower layers to
ensure that their components are appropriately safe.
Hang in there!
Apps and services at the application layer communicate with
the outside world by sending data all the way down the stack
and over the telecom network or the Internet. Security flaws
and vulnerabilities at this layer generally originate from:
1. Coding flaws in the mobile apps themselves; or
2. Poor implementation of available mobile security measures.
We all have a stake in mobile security because of all
the compelling reasons we've already covered.
Well, we have started to develop
more of our own mobile apps,
but why is testing so important?
No, but with end users it's all in the approach, Joe IT. It's too
easy to throw your hands up and say that they just don't care.
Watch this.
Argh! Make it stop!
Of course I wouldn't choose any of those things!
I do know one thing about JW. He's a gadget guru.
Maybe he'd actually like discovering some of
the cool security features of his smartphone.
Maybe we can help him become a mobile power user?
JW, let's give you the power to secure your own mobile device.
We've developed a checklist of 10 quick things you can do
today to develop these important skills, so let's get started.
PART THREE
10 Ways to Secure
Your Mobile Gadget
So now that you guys are seeing eye-to-eye...
er, somewhat, it's time to review the 10 simple things
that every mobile user can do right now to secure their
smartphone or other device from hackers and criminals.
Use Password Protected
Access Controls
All mobile devices come with the ability to set a lock requiring
a passcode or pattern for access. Yet it's amazing how some
mobile users don't employ even this basic safety feature!
It may take you a couple of extra seconds to unlock your
smartphone before using it, but it could take a thief a very long
time to figure out your PIN. Phones that aren't locked lay bare
a treasure trove of personal information: email, contacts,
addresses and access to social networks and apps that may
contain financial data.
So I guess "password"
isn't a good one? Groan!
Try to pick an association that only you would know, and that
won't be personally identifiable with you. On most devices
you can set the idle interval you want the phone to wait
before it locks, so that it's not shutting you out every time
you put it down.
PINs aren't the only locking mechanisms in use.
Grid-based pattern locks work fine, but they leave smudge
marks on the touchscreen that may be easier to guess than
passwords. Some devices are rolling out facial recognition
as an access mechanism, but this technology isn't perfected
yet, so it's not recommended.
We don't have the space here to cover all screen and key lock
options and exactly how to set them on your particular device.
Refer to your user manual, or start by looking in the general
settings to locate these functions. For most users, however,
basic access controls should be enough.
Control Wireless Network
& Service Connectivity
Control Application Access
& Permissions
It's amazing that this far into the personal computing age,
most users still don't copy their critical info to ease data
recovery in case of theft or loss.
Depending on how much you use your phone, you may want to
take a data backup daily or weekly, but certainly once a month.
There are commercial backup services for mobile devices
as well, but most users find that the standard data sync
functions cover their basic needs.
Wipe Data Automatically
if Lost or Stolen
Never Store Personal
Financial Data on Your Device
Beware of Free Apps
The problem is, more and more free and innocent-looking apps are
trying to make money from their offerings, so sometimes they
track your personal information with limited disclosure or
authorization, then sell your profile to advertising companies.
The app developers in question may not even be aware of
their privacy violations, leaking your location, gender, age
and other personal data to embedded mobile ad networks
while in the pursuit of revenue.
Why is that fun-looking game asking
to be able to place calls?
Maybe to add hundreds of dollars to your
bill ringing premium rate numbers!
Caution is key. Be sure to read the reviews and download
only from reputable publishers. As we've pointed out, look
closely at the permissions that the app is requesting.
More and more free apps are just wrappers for malware,
unfortunately. When you log into mobile banking, that
innocent app might capture your credentials, then call the
criminals up to pass them the data.
Sometimes free simply means too good to be true.
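The "look closely at the permissions" advice above can be turned into a concrete check. The following is an added example, not code from the booklet or from Veracode: it reads the permissions an Android app declares in its AndroidManifest.xml and flags the ones that let the app spend your money or harvest your data, such as the "place calls" permission the game in the cartoon asks for. The sample manifest is constructed for the example and describes no real app, and the table of risky permissions and their plain-English reasons is this example's own selection (the permission constants themselves are Android's).

```python
import xml.etree.ElementTree as ET

# Android's XML namespace, used for the android:name attribute on <uses-permission>.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that let an app run up your bill or harvest personal data.
# The booklet names no permission constants; this selection and the reasons
# given are the example's own.
RISKY_PERMISSIONS = {
    "android.permission.CALL_PHONE": "place phone calls (premium-rate numbers cost money)",
    "android.permission.SEND_SMS": "send text messages (premium-rate SMS cost money)",
    "android.permission.READ_SMS": "read your text messages",
    "android.permission.READ_CONTACTS": "read your address book",
    "android.permission.ACCESS_FINE_LOCATION": "track your precise location",
    "android.permission.RECORD_AUDIO": "record audio with the microphone",
}

# Constructed sample manifest: a "fun-looking game" that asks for far more
# than a game needs. Not a real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fungame">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.VIBRATE" />
    <uses-permission android:name="android.permission.CALL_PHONE" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list:
    """Return every permission name the manifest requests, in declaration order."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr, "") for el in root.iter("uses-permission")]


def audit_permissions(manifest_xml: str) -> dict:
    """Summarise what the app asks for and which requests deserve a second look."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    # Keep only the requests that appear in the risk table, with their reason.
    flagged = {p: RISKY_PERMISSIONS[p] for p in perms if p in RISKY_PERMISSIONS}
    return {"package": root.get("package"), "requested": perms, "flagged": flagged}


def report(manifest_xml: str) -> list:
    """Plain-English lines a user (or Joe IT) can read before tapping Install."""
    result = audit_permissions(manifest_xml)
    lines = ["%s requests %d permission(s)" % (result["package"], len(result["requested"]))]
    for perm, why in result["flagged"].items():
        lines.append("  WARNING %s: this app can %s" % (perm, why))
    if not result["flagged"]:
        lines.append("  no high-risk permissions requested")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_MANIFEST)))
```

For the constructed game manifest the audit flags CALL_PHONE, SEND_SMS and ACCESS_FINE_LOCATION while leaving INTERNET and VIBRATE alone; a game has no obvious need for any of the flagged three, which is exactly the mismatch the cartoon is pointing at. The risk table is deliberately short so that the reasons stay readable; an IT team vetting apps for a whitelist would extend it to match their own policy.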
Try Mobile Antivirus Software
or Scanning Tools
So did you hear about the new iPhone virus?
Yeah, it takes a couple bytes out of your Apple!
Use MDM Software,
if Recommended by IT
If your organization doesn't offer MDM, there are other
options provided natively on many devices that accomplish
similar ends. SIM card locks and credential storage functions
protect the phone by requiring a passcode to use network-
dependent services, and operate similarly to screen/key
access PINs.
One last thing, Joe.
It's still up to IT professionals to make mobile security
as invisible to enterprise users as possible. The more
you can do to harden the organization's sanctioned
mobile devices before distributing them, the better.
You have to security test your mobile apps before
folks like JW download or install them. It's also good
to provide a whitelist of applications that are safe and
approved for use. IT pros must proactively implement
mobile security best practices on behalf of our new
power users!
This was actually kinda fun for me, in a power user sort of way.
Now that I've got all these recommendations completed,
am I free to roam?
References
1. Study by Software Advice, Inc.
2. IDC Research, Worldwide Mobile Phone Tracker, Q1 2012
3. Comscore, 2012 Mobile Future in Focus, February 2012
4. IDC Research, Worldwide Mobile Phone Tracker, Q1 2012
5. The Brookings Institute, 10 Facts about Mobile Broadband, 8 December 2011
6. Ponemon Institute, Global Study on Mobility Risks, February 2012
7. Verizon, 2012 Data Breach Investigations Report
8. Ponemon, 2011 Cost of a Data Breach
9. BusinessWeek, Global Payments Trades Halt on Breach Probe, 30 March 2012
10. Data Loss Database
11. Juniper Networks, Mobile Security Report 2011, February 2012
12. Veracode, State of Software Security Report vol. 4
Want to Have Us Present the Top 10 Mobile Security Tips to your Employees?
We can make that happen
- at no cost to you!
If you can get 250 employees together, we'll come
to your site for a 90 minute mobile security seminar.
Your employees will leave the seminar with a clear
understanding of today's mobile computing threats
and be able to take action to protect your company
against those threats.
Bonus Offer!
Get one FREE Android mobile application
security scan when your organization hosts
an onsite seminar or online webinar
About Veracode