As mobile grows, so do security threats. I recently had the opportunity to attend a breakfast with several chief information security officers (CISOs) and hear them talk about their mobile security concerns and strategies. It quickly became apparent that everyone had their own unique company cultures and primary concerns they were trying to address. Here’s how the meeting played out:

Breakfast Is Served

We were arranged around a long boardroom table, and introductions started directly opposite me, meaning I would be the last to introduce myself and comment on mobile threats and strategies. My goal was to learn as much as possible about their concerns and educate them on my experiences without delivering a biased sales pitch. It turned out to be one of the most valuable mornings I have had in the past several years.

The first few attendees got right into the issue of protecting devices, managing the end-user experience and dealing with the cultural concerns of Big Brother. Their primary concern, which is consistent with the results of IBM’s “The State of Mobile Security Maturity” report, was how they could secure a device so that if it were lost or stolen, they could locate it, wipe it and prevent it from becoming a conduit back to the enterprise.

The challenge is doing this without having a major impact on the end-user experience and making users feel as if the company is watching their every move. This theme was consistent with what I hear every day. I was ready to jump on the topic, but there were several more attendees ahead of me.

Challenges Surrounding Access Controls and Mobile Security

The discussion around user experience led right into the topic of managing access. The CISOs talked about how they can manage access to make it as simple as possible while also maintaining security. They posed the question, “If my access control is strong enough, do I need to worry about protecting the device?”

While it still wasn’t my turn to speak, the answer is “no”: strong access control does not make device protection unnecessary, because one security measure does not replace the other. They are both part of a layered-defense approach to securing the enterprise.

Then, they teed up the topic of context-based access control: How do I put some intelligence around my access-control decisions so I can decide what level of authentication is required based on context around the session? This is a topic I really enjoy talking about. Every session has so much context that goes with it, and when viewed in relation to previous sessions, the context can assist you in making the right authentication decision.

Balancing Personal and Corporate Information

From there, the discussion turned to securing content and collaboration. However, they didn’t use those words — those are the words used in the IBM Mobile Security Framework. They did talk about how they could protect documents, separate business and personal content and allow for document creation, editing, etc.

The mixing of business and personal content is a major concern for companies. How do you protect business content that is intermingled with personal memos, contacts, documents and other things? No one wants to see this month’s sales plan or the new product strategy accidentally shared outside the company. This led to discussions about secure containers and how they affect the end-user experience.

I thought we were going to miss the topic of application security, but someone finally raised questions around managing apps. How do you manage end users who constantly add and update apps on their devices? How do you identify devices that have apps with known security issues? How do you conduct whitelisting and blacklisting of apps? As long as we’re talking about identifying risky devices, how do you identify devices that contain malware or have been jailbroken or rooted?

There are several answers here. First, provide users with approved apps via a private app store or supply a list of approved apps. End users will often go with an approved option if it is offered to them. In the absence of approved apps, they go with whatever they can quickly and easily get their hands on. Second, educate users on what makes some apps dangerous and how jailbroken or rooted devices affect the built-in security features of a device.

The Need for Tough Love

Finally, be prepared to enforce your security measures with tough love. Put simply, there are certain things you cannot tolerate if you want to have a secure enterprise. Tell employees that if they insist on doing these things, they will not have mobile access to the enterprise. This doesn’t have to be a consequence that lasts forever. As soon as the risk has been remediated, they can again have access to sensitive corporate resources.
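The context-based access decision and the deny-until-remediated enforcement described above can be combined in one policy check, sketched here. This is an added example, not code from the original article or from any IBM product; the field names, labels, blacklisted app identifier and step-up rules are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"      # current credentials are enough
    STEP_UP = "step_up"  # ask for an additional authentication factor
    DENY = "deny"        # no mobile access until the device is remediated

BLACKLISTED_APPS = frozenset({"com.example.leakyshare"})  # constructed, hypothetical app id

@dataclass
class Device:
    jailbroken: bool = False
    reported_lost: bool = False
    apps: frozenset = frozenset()

@dataclass
class Session:
    user: str
    device_id: str
    country: str
    network: str       # assumed labels: "corp", "home", "public"
    sensitivity: str   # assumed labels: "low", "high"

def posture_violations(device):
    """Device-level problems that block access regardless of session context."""
    found = []
    if device.reported_lost:
        found.append("reported lost or stolen")
    if device.jailbroken:
        found.append("jailbroken or rooted")
    if device.apps & BLACKLISTED_APPS:
        found.append("blacklisted app installed")
    return found

def decide(session, device, history):
    """Return (Decision, reasons) from device posture plus session context."""
    violations = posture_violations(device)
    if violations:                      # layered defense: posture is checked first
        return Decision.DENY, violations
    prior = [h for h in history if h.user == session.user]
    reasons = []
    if session.device_id not in {h.device_id for h in prior}:
        reasons.append("device not seen in previous sessions")
    if session.country not in {h.country for h in prior}:
        reasons.append("country differs from previous sessions")
    if session.sensitivity == "high" and session.network == "public":
        reasons.append("sensitive resource over an untrusted network")
    return (Decision.STEP_UP if reasons else Decision.ALLOW), reasons
```

Because the decision is recomputed for every session, a device that returned DENY regains access as soon as its posture violations are cleared.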

By the time the CISOs were done with introductions, they had raised all the topics I had planned to discuss for the day. It was obvious that the CISOs had the full range of mobile security concerns on their plate, even though they each had their own top priorities. I thanked them for the perfect lead-in to my pitch and started my presentation.

My presentation was laid out as the IBM Mobile Security Framework. While it carries the IBM name, it is really a blueprint that anyone can use when they develop their mobile security strategy. It introduces the following four imperatives:

  1. Protect devices
  2. Secure content and collaboration
  3. Safeguard applications and data
  4. Manage access and fraud

My key message to the audience was that they have identified the mobile threats, but as soon as they search for a solution, they should take a holistic view of the challenges and look for an integrated approach to addressing them.

To learn more, watch a panel of IBM Mobile Security experts in our on-demand webinar titled, “Take an Integrated Approach to Mobile Security and Address the Full Breadth of Threats.”
