Talking Security: Addressing the Challenges of Securing Mobile Devices
Vigilant Asia CTO Clement Arul points out the many vulnerabilities of a mobile device
Mobile devices have become indispensable in the workplace, thus securing them is increasingly becoming a priority for IT administrators.
How best to tackle the challenges of securing mobile devices? Zimperium's Pat Shueh, Vice President Pre-Sales, Asia-Pacific & Japan, and Clement Arul, Chief Technology Officer of Vigilant Asia were on-hand to share their insights on mobile security.
In an enlightening conversation, both men clarified some of the murkier bits of securing devices and what both IT administrators and end-users need to know.
Malicious apps abound both within mobile ecosystems and third-party sites. What do you think app hosting providers (Apple App Store/Google Play) could do to better educate users about safe app downloads?
Pat Shueh: I think there's been a good [spread of] awareness in the media, even Apple and Google are doing a good job in reviewing applications. And letting people know the threat malicious apps pose and how they impact the user, for instance, in cases of fraud.
I think Google has probably been a little bit more collaborative. What they have done recently is talk to security vendors, actually asking how they can help provide Google with more support and help to protect the ecosystem.
And what Apple has done in their approach is really restricting what goes on the market, and they have a rigorous review process. I think end-users need to be aware of the importance of downloading apps only from official sources, and not from third-party sites.
Clement Arul: As documented in threat reports from the likes of Symantec (and others), they have actually found tons of malware in Google Play itself. So even if they don't download from a third-party, app, there is a possibility that they might still download an infected app.
For instance, when searching for a bank app, they might search for Bank ABC and find two results. Same name, different publishers. But users often don't check the publisher of the app and only go by the app description.
So a tip: users should make sure they're downloading from the actual app publisher and that the app is verified by Google. Don't just go by the description or app screenshot.
What do you see as the biggest mobile threats at the endpoint? How do you think users should approach securing their phones?
Pat: The biggest problem, to me, is not any single one threat in particular. I think it's the lack of visibility.
Looking at it from a perpetrator's point of view – getting you to download something is a long shot. End-users need to know it's more than that. You need to be aware of what's around you; that's what I mean by visibility. To clearly see the good and bad, and to be able to get that feedback.
When it comes to viral apps, such as the popular FaceApp, users are easily drawn to the cool features. As Clement mentioned during the presentation, users need to be aware of what permissions are being asked by the app and to review them. Most people don't do that.
Ask: why would a flashlight app need access to my phone? So we're seeing that now it's not just about permissions. The latest version of iOS now is more discerning about giving permissions at certain times – so you can decide to only share locations only while using the app, at all times or not at all. So Apple is giving more granular control to the end-user.
There needs to be a way for end-users to have the right to decide how they share data and have a way to review it before they use an app.
Clement: That kind of granular security should be in everything that we do, rather than us needing to push for it. It's the kind of thing that needs to be available to every end-user.
Zimperium's Pat Shueh breaks down the seven most common attack vectors
Is it better practice to not keep sensitive information on your phone altogether, as difficult as it might be?
Pat: The key thing here is to practice hygiene, update your devices, and be aware of the risks in using public charging stations or Wi-Fi. Instead of relying on those, perhaps have your own pocket WI-Fi instead or get a better roaming plan.
Keeping sensitive information off devices is a little extreme. You're restricting yourself to the point you might as well not use the phone. Actually, mobile devices do give you a lot of control and freedom. At the same time, it also goes back to maintaining basic security and data hygiene.
I think it is not about hindering innovation. It's about embracing new things but with caution around security. And I think the whole point of Maxis bringing this capability to the market to secure devices is actually to encourage people to use their devices, but at the same time, get some assurance.
Clement: We can't, you know, just go back to the days of sending messages by carrier pigeons.
How do you think corporations should approach cloud storage, seeing how even they are vulnerable to attacks?
Pat: The reality is that people often use their own devices, and thus are exposed to different levels of risk. What can they do on their desktop, as opposed to what can they do on mobile – and often it's not protected in a way that adheres to accepted compliance and control practices.
The thing about cloud storage, like everything else, is that you can never truly secure everything 100%. You can secure where you store it, or how you move things to your device. But I think you need a holistic approach to making sure that every part of the security process and transaction that you are introducing is sound.
It's about maintaining traditional best practices on security, making sure your user IDs have multi-factor authentication, and being aware of the context of the user – where they are at any given time.
At the endpoint, where users are accessing the information, you also need to make sure they're protected.
Clement: There is no silver bullet. The entire supply chain of security needs to be locked down, and everyone needs to know what they are doing. And to ensure that there are no attack entry points.
Would frequent (weekly or end-of-day) purging of sensitive information on devices be an impractical solution? Or would it be better to focus on making it difficult to access in the first place?
Pat: For corporate devices today, there's some process or capability to help you manage devices remotely, where they can apply compliance rules. It can lock down the devices, remotely wipe the device, and so on.
We are not seeing a lot of adoption here in Malaysia right now. I think one of the challenges you find is that those devices are typically not owned by the company but are personal devices.
Now, the way to mitigate that is, instead of trying to control the entire device, you could manage access to specific applications and attach security controls.
As for data purges, mobile apps aren't the same as desktops. When a mobile app is developed properly, you don't store a lot of data locally. But you do have cases, where some data is still stored in caches. What you do then is create policies that prevent that from happening, and that's something a company can control.
You can then control access depending on risk profile; within the office environment, connected to the office network, you can access more resources. Once you leave the office or connect to outside networks, your access is then restricted – for instance, you might get asked for your PIN.
The higher your risk profile, the more you escalate. If a malicious app somehow takes control of the device, you can then block access to company resources or remotely remove data from the device. So rather than erase it frequently, you only act as and when needed.
In the end, it's really about making it about conditional access and setting the proper security rules.
Learn more about mobile threats and their impact on your business in our series:
- Mobile Devices: Five Billion New Doors to Cyber Threats
- Mobile Threats: What is the Cost of a Security Breach?
- Employee Negligence: The Greatest Mobile Threat is Sitting in Your Office
- Building Resilience: Three Ways to Defend Your Company Against Mobile Threats
- Enterprise-Grade Defence: Choosing a Mobile Security Solution That Works for You