Hackers are going to focus more on smartphones and tablets and less on laptops and PCs, according to a report from Gartner Inc. Some 2.2 billion smartphones and tablets will be sold in 2014, making an enticing target for fraudsters. While security incidents originating from mobile devices are rare, Gartner said that by 2017, 75% of mobile security breaches will be the result of mobile application misconfiguration.
Most of these hacks will originate with misconfigured apps or devices. “The most obvious platform compromises of this nature are ‘jailbreaking’ on iOS or ‘rooting’ on Android devices. They escalate the user’s privileges on the device, effectively turning a user into an administrator,” says Dionisio Zumerle, principal research analyst at Gartner.
While these methods enable users to access certain device resources that are normally inaccessible, they also put data in danger, because they remove app-specific protections provided by the operating system. They can also enable malware to be downloaded to the device and open it up to all sorts of malicious actions, including extraction of enterprise data. “Rooted” or “jailbroken” mobile devices also become prone to brute-force attacks on passcodes.
The best defense is to keep mobile devices fixed in a safe configuration by means of a mobile device management policy, supplemented by app shielding and “containers” that protect important data.
Gartner recommends that IT security leaders follow a mobile device management and enterprise mobility management baseline for Android and Apple devices as follows:
- Ask users to opt in to basic enterprise policies, and be prepared to revoke access controls in the event of changes. Users who are not able to bring their devices into basic compliance must be denied, or given extremely limited, access.
- Require that device passcodes meet length and complexity requirements as well as strict retry and timeout standards.
- Specify minimum and maximum versions of platforms and operating systems. Disallow models that cannot be updated or supported.
- Enforce a “no jailbreaking/no rooting” rule, and restrict the use of unapproved third-party app stores. Devices in violation should be disconnected from sources of business data, and potentially wiped, depending on policy choices.
- Require signed apps and certificates for access to business email, virtual private networks, Wi-Fi and shielded apps.
IT security leaders also need to use network access control methods to deny enterprise connections for devices that exhibit potentially suspicious activity.
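The baseline above can be expressed as a device posture check that gates access to business data. The sketch below is an added example, not code from Gartner or any MDM product; the `Device` fields, the `evaluate` function, the decision names and every threshold and version bound are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Thresholds are constructed sample values, not figures from the report.
POLICY = {
    "min_passcode_len": 6, "max_retries": 10, "max_lock_timeout_s": 300,
    "os_range": {"ios": ((7, 0), (7, 1)), "android": ((4, 2), (4, 4))},
}

@dataclass
class Device:  # hypothetical posture record reported by an MDM agent
    platform: str
    os_version: str
    opted_in: bool = True
    passcode_len: int = 8
    passcode_complex: bool = True
    max_retries: int = 10
    lock_timeout_s: int = 120
    rooted: bool = False
    unapproved_store: bool = False
    apps_signed: bool = True
    has_client_cert: bool = True

def parse_version(text):
    """'4.4.2' -> (4, 4, 2); integer tuples compare numerically (4.10 > 4.9)."""
    return tuple(int(part) for part in text.split("."))

def evaluate(dev, policy=POLICY, wipe_on_root=False):
    """Return (decision, violations); decision is allow, limited, deny or wipe."""
    if not dev.opted_in:
        return "deny", ["user has not opted in"]
    if dev.rooted or dev.unapproved_store:
        # Disconnect from business data; wiping depends on policy choice.
        return ("wipe" if wipe_on_root else "deny"), ["rooted/jailbroken or unapproved store"]
    bounds = policy["os_range"].get(dev.platform)
    if bounds is None:
        return "deny", ["platform not supported"]
    violations = []
    if not bounds[0] <= parse_version(dev.os_version)[:2] <= bounds[1]:
        violations.append("OS version outside allowed range")
    if dev.passcode_len < policy["min_passcode_len"] or not dev.passcode_complex:
        violations.append("passcode length/complexity")
    if dev.max_retries > policy["max_retries"] or dev.lock_timeout_s > policy["max_lock_timeout_s"]:
        violations.append("passcode retry/timeout")
    if not (dev.apps_signed and dev.has_client_cert):
        violations.append("unsigned apps or missing certificate")
    # Remediable gaps get limited access rather than an outright block.
    return ("limited" if violations else "allow"), violations

if __name__ == "__main__":
    print(evaluate(Device("android", "4.4.2", rooted=True)))
```

Comparing versions as integer tuples rather than strings matters for the minimum/maximum rule: a string comparison would rank "4.10" below "4.9".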