Smartphone Security: Alarming Complacency Among Mobile Users
Most consumers are unaware of the security risks associated with their smartphones.
Last week, IBM X-Force came out with its 2011 Mid-Year Trend and Risk Report. The report touched on a number of cyber security issues: traditional vulnerabilities are still a problem, attacks on weak passwords are commonplace on the Internet, and so are attacks that leverage SQL injection vulnerabilities in Web applications to compromise backend databases. Databases have become an important target for attackers, because the critical data used to run organizations - including financial/ERP, customer, employee and intellectual property information such as new product designs - is stored in relational databases.
The report also discussed the advances in security (now there's some positive news for a change). According to a release from IBM:
The first half of 2011 saw an unexpected decrease in web application vulnerabilities, from 49 percent of all vulnerability disclosures down to 37 percent. This is the first time in five years X-Force has seen a decrease. High and critical vulnerabilities in web browsers were also at their lowest point since 2007, despite an increasingly complex browser market. These improvements in web browser and application security are important as many attacks are targeted against those categories of software.
But the real thrust of the report was its findings on mobile malware. The problem isn't just that we are using more smartphones and tablets than ever before and the bad guys are figuring out how to effectively attack those devices. The real concern is what IBM called the "Bring Your Own Device" approach. People are regularly using their own personal devices to log into the enterprise network, and this is creating a whole new area of security vulnerabilities.
We've discussed this before: personal devices in the enterprise workspace. How much control can a company have over the personal devices used by employees, especially if those employees are being asked to use their personal devices for work? Budgets are tight for a lot of people, after all, and it is cheaper for businesses to let employees use a device they already own. A year ago, that might have been fine, but now, as the IBM report shows, the stakes are getting higher. For example, the report projects that 2011 will see twice the number of mobile exploit releases that occurred in 2010, largely because mobile device vendors aren't good at pushing security updates, and the bulk of malware is distributed via third-party apps.
Tom Cross, manager of Threat Intelligence and Strategy for IBM X-Force, said:
For years, observers have been wondering when malware would become a real problem for the latest generation of mobile devices. It appears that the wait is over.
And now that the "wait is over," it is time for enterprise security officials to make some definitive policy decisions regarding personally owned devices in the workspace: should they be able to access the corporate network at all? If they do access the network, how much control should IT departments have over what is downloaded to the device? As Computer Weekly pointed out:
IBM advised IT departments to step up anti-malware and patch management software in the face of increasing malware making use of mobile premium rate services, such as SMS, and targeting personal information.
Concerns about mobile security are only going to increase as smartphones and tablets become the norm in business, and the time to create policy surrounding those devices is now.