In the previous sections we discussed the four imperatives that must be addressed to have a truly secure mobile enterprise. However, for maximum and sustained effectiveness, these capabilities must be powered by context and risk awareness as well as global security and threat intelligence.
Integrating context and risk awareness into the mobile enterprise infrastructure
As enterprises empower employees with mobile access to enterprise content and apps, it is critical to gauge the risk of the underlying device and apply appropriate controls. For example, enterprises may want to prevent the delivery of enterprise content to high-risk devices, remove content from devices that fall out of compliance, and limit access to enterprise resources based on the device's risk profile.
Determining if a device is “high risk” depends on the following considerations:
- Is the device jailbroken or rooted? Users who want to install apps that have not been vetted by Apple or Google often run a process known as jailbreaking (for iOS) or rooting (for Android) on their devices. This process is developed by hackers and is updated as new OS versions are introduced. While it enables users to install any app they like, it breaks the device security model and makes the device highly susceptible to malware attacks. We strongly advise businesses to prevent such devices from entering their enterprise network.
- Is the device infected with mobile malware? A device may already be infected with malware when enterprise access is requested, or may become infected over time. Malware can tamper with critical services such as SMS, contacts and email and capture personal information including credentials, call records and photos. Detecting the presence of malware, in real time, is critical to assessing device risk and enforcing the relevant enterprise policies on the device.
- Is the device using the latest software and all security patches? As with other enterprise platforms, users should have the latest security patches (packaged with the latest OS build) on their devices. Especially on Android, some devices never receive updates or fall behind, leaving critical vulnerabilities unpatched.
- Is the device used in a suspicious context? Suspicious usage can be derived from context: where and when is the device used, and is this a new device or one that has been registered before? For example, the account is accessed from a foreign country when all previous access occurred from the west coast of the United States.
Once these risks can be detected and analyzed, various remediation steps can be taken. For example, an enterprise mobility management system can erase any enterprise content from compromised devices, prevent the delivery of new content and remove malicious apps. Access to enterprise resources can be restricted until the device risk is remediated. Mobile applications can disable or restrict sensitive functions based on device risk. The access control layer can restrict access from vulnerable devices with risk-based authentication (so that strong authentication is only required in truly high-risk situations).
By making the mobile security framework context and risk aware, organizations adopt a smarter way of addressing the unique risks of the mobile channel.
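The risk signals listed above and the remediation options in the preceding paragraph fit together as a small policy engine. The following is an added example, not code from the original paper or from any product; the signal names, weights, thresholds and action names are assumptions chosen for illustration, and the device records are constructed, not real telemetry.

```python
"""Added example (not from the original paper): a context- and risk-aware
device policy engine. Signal names, weights, thresholds and policy actions
are assumptions; a real deployment takes them from its EMM and threat feeds."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class DeviceAssessment:
    """Telemetry an EMM or mobile threat agent might report for one device."""
    device_id: str
    jailbroken_or_rooted: bool
    malware_detected: bool
    os_version: str             # OS build currently installed, e.g. "12.1"
    min_patched_version: str    # oldest build carrying the current security patches
    access_country: str         # country of the current access attempt
    usual_countries: List[str]  # countries seen in the device's access history
    first_seen: bool            # device never registered with the enterprise before


def version_tuple(v: str) -> Tuple[int, ...]:
    """'12.1.3' -> (12, 1, 3) so builds compare numerically rather than as strings."""
    return tuple(int(part) for part in v.split("."))


def score_device(a: DeviceAssessment) -> Tuple[int, List[str]]:
    """Accumulate a risk score from the signals discussed in the text (weights assumed)."""
    score, reasons = 0, []
    if a.jailbroken_or_rooted:              # broken security model: high risk on its own
        score += 100
        reasons.append("device is jailbroken/rooted")
    if a.malware_detected:                  # active infection: high risk on its own
        score += 100
        reasons.append("mobile malware detected")
    if version_tuple(a.os_version) < version_tuple(a.min_patched_version):
        score += 40
        reasons.append(f"OS {a.os_version} lacks security patches (need >= {a.min_patched_version})")
    if a.access_country not in a.usual_countries:   # suspicious context
        score += 30
        reasons.append(f"access from unusual country {a.access_country}")
    if a.first_seen:
        score += 20
        reasons.append("previously unregistered device")
    return score, reasons


def risk_level(score: int) -> str:
    """Map the score to risk bands (thresholds are assumptions)."""
    if score >= 100:
        return "high"
    if score >= 30:
        return "medium"
    return "low"


# Remediation per band, following the options listed in the text:
# high   -> cut access, erase enterprise content, stop delivery, remove malicious apps
# medium -> step-up (strong) authentication and restrict sensitive app functions
# low    -> normal access
POLICY: Dict[str, List[str]] = {
    "high": ["block_access", "wipe_enterprise_content", "stop_content_delivery", "remove_malicious_apps"],
    "medium": ["require_strong_auth", "restrict_sensitive_app_functions"],
    "low": ["allow"],
}


def decide(a: DeviceAssessment) -> Dict[str, object]:
    """Produce the policy decision for one access attempt."""
    score, reasons = score_device(a)
    level = risk_level(score)
    return {"device_id": a.device_id, "score": score, "level": level,
            "reasons": reasons, "actions": list(POLICY[level])}


# Constructed sample devices (not real telemetry).
CLEAN = DeviceAssessment("ios-0001", False, False, "12.1", "12.1", "US", ["US"], False)
OUT_OF_DATE_ABROAD = DeviceAssessment("android-0002", False, False, "8.0", "8.1", "DE", ["US"], False)
ROOTED = DeviceAssessment("android-0003", True, False, "8.1", "8.1", "US", ["US"], False)

if __name__ == "__main__":
    for dev in (CLEAN, OUT_OF_DATE_ABROAD, ROOTED):
        print(decide(dev))
```

The design point is that the two integrity signals (jailbreak/root and malware) each push a device into the high band by themselves, while the softer context signals only reach the medium band, where the answer is step-up authentication rather than a wipe. That keeps strong authentication reserved for genuinely elevated risk.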
Sustain mobile security controls with expert research and threat intelligence
One of the challenges facing security controls is continuous adaptation to emerging threats. Mobile security controls are no different. For example, jailbreak detection logic must keep pace with the evolution of jailbreak hiders¹⁰, which are designed to conceal the fact that a device is jailbroken so that it is not flagged as high risk. Similarly, as more behavioral and contextual controls are created, hackers are looking to closely imitate the victims in order to evade detection.
Overall, keeping mobile security controls viable requires dedicated research teams and a credible source for real time, global threat intelligence.
Integrate mobile security into the broader enterprise security context
Mobile devices create a new enterprise access channel. Mobile security events should therefore be managed as part of the overall enterprise security context. By feeding mobile security events into an enterprise security information and event management system (SIEM), mobile-centric threats and attack vectors can be incorporated into the enterprise incident response processes.
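Feeding a mobile risk decision into a SIEM usually means emitting it in a format the SIEM already parses. As an added example, not from the original paper or any product, the code below renders a device risk decision as a CEF (Common Event Format) line of the kind ingested over syslog. The vendor and product names, the event class ids, the severity mapping and the choice of extension fields are assumptions; only the CEF escaping rules follow the format itself, and the sample event is constructed.

```python
"""Added example (not from the original paper): rendering a mobile device risk
decision as a CEF line for SIEM ingestion. Vendor/product names, event class ids,
severity mapping and field selection are assumptions; the escaping rules are CEF's."""
from typing import Dict


def cef_header_escape(value: str) -> str:
    """Header fields: backslash and pipe must be escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def cef_ext_escape(value: str) -> str:
    """Extension values: backslash, equals sign and line breaks must be escaped."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))


SEVERITY = {"low": 3, "medium": 6, "high": 9}   # CEF severity is 0-10 (mapping assumed)


def to_cef(event: Dict[str, object], ts_ms: int) -> str:
    """Build one CEF line from a risk decision and a millisecond epoch timestamp (rt)."""
    level = str(event["level"])
    header = [
        "CEF:0", "ExampleVendor", "MobileRisk", "1.0",   # vendor/product/version assumed
        f"{level}_risk", f"Mobile device risk {level}", str(SEVERITY[level]),
    ]
    extension = {
        "rt": str(ts_ms),
        "deviceExternalId": str(event["device_id"]),
        "cn1": str(event["score"]), "cn1Label": "riskScore",   # custom number slot
        "msg": "; ".join(event["reasons"]),
        "act": ",".join(event["actions"]),
    }
    ext_str = " ".join(f"{k}={cef_ext_escape(v)}" for k, v in extension.items())
    return "|".join(cef_header_escape(h) for h in header) + "|" + ext_str


# Constructed sample decision; the reason text deliberately contains an '=' to
# show that the extension escaping keeps key=value parsing intact downstream.
SAMPLE_EVENT = {
    "device_id": "android-0003", "score": 100, "level": "high",
    "reasons": ["device is jailbroken/rooted", "policy=strict"],
    "actions": ["block_access", "wipe_enterprise_content"],
}

if __name__ == "__main__":
    print(to_cef(SAMPLE_EVENT, 1700000000000))
```

Once the line reaches the SIEM, the `deviceExternalId`, `cn1`/`riskScore` and `act` fields can be correlated with VPN, identity and endpoint events for the same user, which is what lets a jailbroken device or a wipe action show up inside the same incident timeline as the rest of the enterprise.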