It’s not outrageous to suggest that you might be reading this on a mobile device. Nor is it outrageous to think that most people use a mobile device for the majority of their reading these days. I’m even writing this on a mobile device. So for those not following along, at this point, mobile security is really just security. There really isn’t any difference anymore.

What Makes Mobile Security Different?

The unique challenge with mobile devices is that we haven’t accepted them as what they are: powerful pocket computers that are always transferring and storing data. Today’s pocket devices absolutely steamroll a 1999 workstation and transfer and store data like it’s a commodity. They’re ubiquitous too.

That’s what makes mobile device management so difficult today: The devices are powerful, they store and transfer extremely valuable data, and there are just so darn many of them. Not too long ago, it was one desktop for a household of four. Now, it’s four devices per person — and that may even be an understatement for some.

You No Longer Own Your Pipeline

Remember when you owned the infrastructure you used? There was a different mindset then. You invested in it, you owned it and you maintained it. Nowadays, it’s all about services, meaning a lot of what happens is actually happening outside of your own ecosystem. You not only have to worry about your own network, you also have to worry about that random Wi-Fi network you’re plugging into.

So how did we get here? Simple: We sought freedom and convenience. Security was not really on our minds. Of freedom, convenience and security, you can really only have two, and with security concerns on the rise, we need to reweigh and reallocate our priorities.

To best manage mobile security within your enterprise, you also need to maintain another balance: technology, enterprise and user responsibilities. With more mobile devices on the way due to 5G deployment, winning this device management game means establishing the right foundations before you start divvying up responsibilities.

Treat the Problem From a Risk Management Perspective

According to Verizon’s “Mobile Security Index 2019,” 33 percent of respondents admitted suffering at least one compromise due to a mobile device, with the majority saying the impact was major. Furthermore, 67 percent said they’re less confident about their mobile security than other IT assets. Clearly, there is marketplace worry and a lack of confidence.

At the center of any security issue is the concept of risk, so if you are not treating this problem from a risk management perspective, you’re missing the boat. This piece won’t go into the how-to of risk management; there is plenty of information on that. This piece outlines what you need to know to properly divvy up responsibilities between the three groups mentioned above. Just keep in mind these risk choices as we run through considerations:

  • Risk acceptance
  • Risk transfer
  • Risk avoidance
  • Risk mitigation
  • Risk deferral
  • Risk exploitation

Define Your Business Processes and Needs

Assume for a moment that you have done all your standard risk management work. Does it mean anything without proper definitions of your business processes and needs? Not really. You see, if you define your business processes and needs, you can map out how certain vulnerabilities will impact your business. More importantly, you can decide which risk choice you wish to make.

For example, does a particular business process absolutely require a certain application that has known security flaws and must be installed on all devices? Well, if it does, you may find yourself in a case where you have to choose risk acceptance.

This initial mapping is incredibly important, because if you muck it up, you’re just building on poor foundations where the result is increased fragility. It won’t matter what you do later if you’re starting on shaky ground.

Configure and Set the Right Permissions

By now, you should be at the point where you know what you want and you know what risk choices you’re going to make. This is where the nitty-gritty comes in — the stage where you make the technical changes that align all your business processes and needs against your risk choices.

Need certain ports open? Fine, make sure those are open and close all the others. Don’t need an application? Create a rule that bans installation of it on any device. Have concerns about certain hardware products? Put them on a ban list, preventing them from entering the procurement process.
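
As an added illustration (not code from the original article), the sketch below derives a default-deny policy from a business-process mapping and audits device inventory records against it. Every process name, port, app identifier, hardware model and inventory field in it is a constructed, hypothetical value.

```python
from dataclasses import dataclass

# Constructed inputs: every process name, port, app id and model is hypothetical.
BUSINESS_NEEDS = {
    "email":        {"ports": {443, 993},  "apps": {"com.example.mail"}},
    "field-orders": {"ports": {443, 8443}, "apps": {"com.example.orders"}},
}
KNOWN_FLAWED_APPS = {"com.example.orders", "com.example.share"}
BANNED_HARDWARE = {"ExampleCo X1"}

@dataclass
class Policy:
    allowed_ports: set
    banned_apps: set
    accepted_risk_apps: set
    banned_hardware: set

def build_policy(needs, flawed_apps, banned_hardware):
    """Derive a default-deny policy from the business-process mapping."""
    required_apps = set().union(*(n["apps"] for n in needs.values()))
    allowed_ports = set().union(*(n["ports"] for n in needs.values()))
    return Policy(
        allowed_ports=allowed_ports,  # everything else is closed
        # A flawed app that no process needs is banned outright.
        banned_apps=set(flawed_apps) - required_apps,
        # A flawed app that a process requires is a recorded risk acceptance.
        accepted_risk_apps=set(flawed_apps) & required_apps,
        banned_hardware=set(banned_hardware),
    )

def audit_device(device, policy):
    """Return the findings for one inventory record, in a stable order."""
    findings = []
    for port in sorted(set(device["open_ports"]) - policy.allowed_ports):
        findings.append(f"close port {port}")
    for app in sorted(set(device["apps"]) & policy.banned_apps):
        findings.append(f"remove banned app {app}")
    for app in sorted(set(device["apps"]) & policy.accepted_risk_apps):
        findings.append(f"accepted risk: {app}")
    if device["model"] in policy.banned_hardware:
        findings.append(f"banned hardware {device['model']}")
    return findings

if __name__ == "__main__":
    policy = build_policy(BUSINESS_NEEDS, KNOWN_FLAWED_APPS, BANNED_HARDWARE)
    sample = {"model": "ExampleCo X1", "open_ports": [443, 5555],
              "apps": ["com.example.orders", "com.example.share"]}
    for finding in audit_device(sample, policy):
        print(finding)
```

The accepted-risk findings are reported rather than suppressed, so the risk acceptance stays visible each time the audit runs.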

At this phase, you should also be asking the following questions:

You’ll note that so far, this sure looks like a lot of enterprise work. Well, it is. The enterprise really needs to ensure the foundations are set up correctly if it wants to get mobile security and device management right.

Shared Responsibility

Now comes the tough stuff: figuring out who is responsible and accountable for what. A metaphor could be useful here. Imagine a well-built, three-room house. The builders got everything right in the construction stages. Certifications, licenses, the best materials — you name it. Now imagine this house has three occupants, one for each room. They all live harmoniously together, can enter each other’s rooms pretty freely, with some expectation of privacy of course.

Sounds good so far, right? Well, there is one requirement: Each occupant is responsible for maintaining their room, because if one room is not well-maintained, it can ruin it for the others. They’re all connected, and what impacts one impacts the others.

Welcome to the world of mobile security and device management. That’s exactly the scenario you’re dealing with, and it’s only going to get more difficult to manage as we see more and more devices and data. The bottom line is that all three aspects — technology, the enterprise and the user — must be responsible for their own piece of the mobile security pie.

Mobile Security Isn’t Easy

There are plenty of resources out there to help identify mobile security problems. The Open Web Application Security Project (OWASP) Mobile Top 10 is a great place to start for technical issues. Unfortunately, I think we’re still a ways away from a UL-type certification for mobile and internet of things (IoT) devices. The marketplace isn’t ready for that slowdown.

The key to deciding who is responsible for what in the mobile security arena really begins with getting your risk management assessment and mapping right. These assessments and, specifically, the risk choices are not easy, but remember the old rule: Anything worth doing isn’t easy. Protecting your critical data is always worth doing.
