Managing a Mobile Threat

MANAGINGA MOBILE THREAT Security risks and data breaches are growing while traditional computer usage is shrinking. Today a high volume of enterprise data is created and consumed on mobile devices which are open to attack. 95% of firms now allow you to bring your own device (BYOD), yet only 35% have a BYOD policy in place. Four out of 10 businesses have been affected by a security breach on a device. One third of personal or corporate- owned mobiles have full access to One fifth of those that did suffer a breach, experienced more than four mobile security lapses, not just the one. the company's internal network or sensitive client data. THE WORST MOBILE SECURITY BREACHES OF 2014 APR JUL AUG OCT ** A HEART BLEED CALL FLAW FAKE ID BROADANYWHERE Able to forge messages from any , sender, crash oF restart your device, or even completely wipe all data stored on the phone. Heartbleed can be used to steal This vulnerability allows malware to initiate or end a call without Hackers can create malicious apps to imitate the Android system. Málicious apps will then operate stealthily in user's mobile devices, secretly stealing account numbers, passwords and other private information. huge amounts of sensitive data, including accounts and passwords. first gaining the permission of the user, causing big financial loss for the victims. THE BIGGEST THREATS TO iOS iOS Surveillance and Mobile Remote Access Trojans (mRATs) These attacks jailbreak a device, which removes all the built-in i0S security mechanisms, and install surveillance and MRAT software that gives the attacker the ability to remotely gain access to everything stored and flowing through the device. Fake iOS Enterprise or Developer Certificates These attacks use distribution certificates to 'side-load an application (with malware), which means it doesn't have to go through Apple's app store validation process and can be downloaded straight onto the device. Malicious i0S Profiles A user may be tricked into downloading a malicious profile and, by doing so, unknowingly provide the rogue configuration the ability to re-route all traffic from the mobile device to an attacker-controlled server, further install rogue apps, and even decrypt communications. Zero-Day Attacks Zero-day attacks represent exploits of vulnerabilities that have been uncovered - but not yet released. Many times, these vulnerabilities lead to the silent WiFi Man in the Middle (MitM) A MitM attack occurs when the device connects to a rogue WiFi hotspot. Since all communications are passed through the attacker-controlled network device, they can eavesdrop and even alter the network's communication. WebKit Vulnerabilities WebKits enable web browsers to correctly render web pages for a user. Attackers will exploit vulnerabilities in a Webkit to execute scripts of their own. installation of attacks, such as MRATS on a device. THE BIGGEST THREATS TO ANDROID $ Android Adware Android adware abuse is often tied to apps that manage to display ads outside of the app, using pop-up notifications, browser bookmarks and taskbar notifications. Android Premium Service Abusers Premium service abusers subscribe Android Data Stealers Android data stealers often bilk users of users to various "services" that add to their phone bill at the end of the month. A large number of the attacks are labelled as SMS Trojans, designed to send text messages to premium numbers. Many apps attempt to collect other personal data without requesting permission from the device user. information such as their operating system version, product ID, International Mobile Equipment Identity (IME) number and other information that could be used in future attacks. Malicious Android Downloaders Once a malicious downloader has infected a victim's Android device, it is designed to contact a remote server to await instructions or download additional Android malware. Android Rooter Rooter malware has the capability to root infected devices, giving an attacker complete control of the Android smartphone or tablet. Root privileges grants a remote attacker access to files and the device's flash memory. TOP TIPS FOR CREATING A MOBILE SECURITY POLICY 60 CONSULT CHOOSE PROTECT ENFORCE Consult with various departments within the business, including finance, HR and legal departments about their needs. Your mobile device policy doesn't just affect the IT department. Decide on a policy for mobile devices depending on your requirements and the company's attitude to risk. Although BYOD is popular, it can pose a much higher risk than policies such as choose your own device (CYOD) and corporate-owned, personally enabled (COPE) which may be more appropriate. Ensure all mobile devices are password protected including laptops, tablets, PCs as well as smartphones. Always use two-step authentication for devices and apps where possible. With two-step authèntication it is necessary to provide both a password and an additional information piece of information such as a code sent to an email address if the device is lost or stolen. Enforce the policy once it's decided by taking action against individuals and shutting phones off if necessary. DATĂ PROTECTION -LOOKING AFTER THE INFORMATION YOU HOLD The rise of the mobile workforce means that you need to keep your users' mobile data secure, but it is also essential that you are responsible with any client data that you process. Only collect information that you need for specific · Ensure it is relevant and Only hold as much as you Allow the subject of the need, and only for as long information to see it on request Keep it secure up to date purpose as you need it Disclosing customer personal information over the phone Keeping personal information Meeting the reasonable expectations of customers and employees secure O Keep passwords secure and change regularly O Collect only the personal information needed for a particular business O Be aware that there are people who will try and trick staff to give out personal information purpose O Lock / log off computers when away from desks O Explain new or changed business purposes to customers and employees O Carry out identity checks before giving out personal information O Dispose of confidential paper waste securely O Update records promptly O Perform similar checks when making outgoing calls O Prevent virus attacks by taking care when opening emails O Delete personal information the business no longer requires REFERENCES cmcm.com/blog/en/security/2015-01-14/521.html telegraph.co.uk/sponsored/technology/4g-mobile/engaging-customers/11339970/top-mobile-security-tips.html csoonline.com/article/2864464/mobile-security/csos-2015-mobile-security-survival-guide.html?nsdr-true fedtechmagazine.com/article/2015/01/striking-mobile-security-balance fcw.com/articles/2015/01/13/managing-mobile-security.aspx telegraph.co.uk/sponsored/technology/4g.mobile/data-security/11325996/new-it-role-mobile-security.html appstechnews.com/news/2015/jan/08/apps-wi-fi-and-attacks-exec-reveals-mobile-security-thoughts-2015/ rcrwireless.com/20150109/opinion/2015-predictions-mobile-security-set-for-change-in-2015-tag10 blogs.sophos.com/2014/12/11/our-top-10-predictions-for-security-threats-in-2015-and-beyond/ appthority.com/company/news-and-events/news/top-iphone-and-android-apps-can-be-byods-biggest-threat/ infosecurity-magazine.com/news/92-of-top-500-android-apps-carry-security-or/ crn.com/slide-shows/security/240146800/top-5-android-malware-threats.htm/pgno/0/1 neon www.neonsms.ie sms mir