Cyber attacks against mobile devices are on the rise
Combine a lack of security with the fact that mobile devices are being targeted by cybercriminals and you have reason for serious concerns. According to the Government Accountability Office (GAO), the amount of malicious software aimed at mobile devices has risen 185 percent from about 14,000 to 40,000 in less than one year.
This malicious software takes advantage of numerous vulnerabilities that can be the result of inadequate technical controls and poor security practices by users. Businesses need to take steps to improve the security of mobile devices, but security controls are not always consistently implemented.
One common inconsistency is that passwords on mobile devices are not implemented to guard access to data stored on the device. When there are passwords, users often choose passwords or Personal Identification Numbers (PIN) that can be easily guessed such as 1234 or 0000. Without passwords or PINs to lock the device, sensitive information can be accessed and used when the device is lost or stolen.
In addition to passwords, a security practice known as “Two-factor Authentication” (TFA) generally provides a higher level of security than traditional passwords and PINs.
The “Two-factor” refers to an authentication system in which users are required to authenticate using at least two different “factors”.
TFA requires that two of the three following factors are used: 1) something the user knows, such as a password or Pin, 2) something a person has, such as a ATM card or Smartcard, and/or 3) something the user is, such as their fingerprints. This type of security is best suited for banking or other sensitive transactions.
To safeguard data, cloud-based security is a convenient way to avoid having to shop at your local computer store and install the software yourself. Once installed, the cloud security provider usually updates the anti-virus protection automatically to ensure mobile security for web browsing and other wireless communications.
Wireless transmissions may not always be encrypted. Without encryption, information sent by a mobile device is vulnerable in transit, making it easier to be intercepted. A convenient hot spot for sending emails may also be a favorite spot for hackers to steal sensitive information.
Mobile devices become vulnerable when downloaded software is disguised as a game, security patch, utility, or other useful application. It is difficult to tell the difference between a legitimate application and one containing malware.
Many mobile devices do not have firewalls to limit the connection to these applications or other devices. Without a firewall, a WiFi network or a Bluetooth enabled device could allow an attacker to install malware through that connection, surreptitiously activate a microphone or camera to eavesdrop on the user, or connect to the device directly.
Devices may also be compromised through a practice known as jail-breaking. When a device is jail-broken, it is switched from one mobile carrier to another. Security limits imposed by the original carrier that are specific to a particular device are bypassed. The bypassing of the manufacturer’s application vetting process increases the security risks. The device no longer receives any further security updates from the manufacturer.
What can you do?
Here is a “checklist” to help you secure your mobile devices:
- Enable user authentication to require devices to be configured to require passwords or PINs for access.
- Activate idle-time screen locking to prevent unauthorized access.
- Enable two-factor authentication for sensitive transactions such as mobile banking or other financial transactions.
- Enable file encryption to protect sensitive data stored on mobile devices and memory cards. Use built-in encryption or commercially available encryption tools.
- Subscribe to a cloud based security service which offers the ability to log into an account to remotely lock the device or wipe the data. Before wiping any data, some phones have the capability to locate where the phone was left.
- Allow security updates so that software can be automatically transferred from the manufacturer or carrier directly to a mobile device when newer versions are available.
- Install anti-malware protection to verify the authenticity of downloaded software to guard against malicious applications, viruses, spyware and malware.
- Enable whitelisting to permit only known safe applications to execute commands on the device.
- Install a firewall to protect against unauthorized connections.
- Establish a mobile device security policy to define rules, principles, and practices on how an organization treats mobile devices, whether they are issued by the organization or owned by the individual.
- Train employees on the mobile security policies to ensure that mobile devices are configured, operated, and used in a secure and appropriate manner.
- Perform risk assessments to identify vulnerabilities/threats and estimate potential damage from successful attacks on the mobile devices.
BY Nick Pascarella, TruBambu and Art Hendela, Hendela System Consultants. Pascarella and Hendela serve on the Meadowlands Regional Chamber’s Technology Committee, which is aimed at helping members understand and utilize emerging technology tools to advance business operations.