Posts
Apple devices--ever more popular in the workplace--are about to become more
popular with cyber criminals.
That is one of a number of findings in security vendor Zscaler's Q1 State of
the Web Report that should be unsettling to enterprises that permit employees to
"bring your own device," or BYOD.
The biggest mobile targets of malware so far have been devices powered by
Android, since it is in the widest use and is an open platform.
But that may change soon. Zscaler's report said in a survey covering 200
billion transactions, Apple iOS web traffic jumped from 40% in the last quarter
of 2011 to 48% in the first quarter of 2012, surpassing Android, which dropped
to 37%.
More iOS traffic means more Apple devices in use at enterprises, which is
likely to make them more attractive to cyber criminals.
And a significant majority of enterprises allow BYOD: A survey released in
April by the SANS Institute found that 61% of more than 500 companies surveyed
allowed BYOD. A press release announcing the survey included as part of its
headline: "Lack of awareness, chaos pervades with BYOD."
The so-called "consumerization of IT" is an apparently unstoppable trend. And
most businesses don't want to stop it, because of the advantages that
collaboration and social networking with mobile devices can bring to the
enterprise. Still, increasing security threats could undermine those
advantages.
Blake Turrentine, CEO of HotWAN and trainer at Black Hat, has been a
penetration tester for more than 12 years. His continuing mantra is, "most
everything you do on a smartphone can and may be monitored," although he does
qualify that by saying he believes Apple iOS devices that are kept up to date
with the latest firmware are relatively secure.
Rachel Ratcliff Womack, a vice president with the digital security firm Stroz
Friedberg, told The Bottom Line's Herb Weisbaum on MSNBC that most people carry
both business and personal information on their mobile devices. "It brings those
two worlds together in a very convenient package for criminals to target," she
said.
And the damage malware can do is the same as on other devices: steal personal
information, drain bank accounts and spy on users.
"[Yet] users may view these devices as eminently secure, when in reality they
are just waiting to receive more attention from cyber criminals," James Lyne,
director of technology strategies at the online security firm Sophos, told
Weisbaum.
In the face of these impending threats, multiple security surveys find both
employees and employers appear to be relatively blase about them. SANS reported
that only 9% of companies participating in its survey said they were "fully
aware" of all the devices accessing their networks. Another 50% were "vaguely or
fairly" aware. Nearly a third of the companies said they had no management
policy for employee mobile devices.
Some of this may be inevitable. Turrentine says he doubts that enterprises
can control their employees' personal devices. "Users control their own phones,"
he says, acknowledging that this is "a big [security] hole." The proliferation
of smartphones, alone with their ever-expanding capabilities means "the attack
surface is expanded," he says, noting that Apple devices are prized because of
their cutting-edge functionality.
And he agrees that security is not the priority it should be at all levels --
users, enterprise leaders and the manufacturers themselves. The pressure on the
makers of devices is not for better security but more functionality. "They're
racing so fast to come up with more capabilities, because the mobile market is
changing so rapidly," he says.
Meanwhile, Mike Geide, senior researcher at Zscaler ThreatlabZ tells Network
World that employees regularly try to bypass their companies' security policies,
even using anonymous proxy servers to get to unauthorized web sites.
Turrentine says even relatively savvy smartphone users seem blissfully
unaware of the ways they are exposing their confidential information. He says he
visited a Verizon kiosk in a shopping mall and talked to some of the workers
there who were doing things like, "downloading questionable third-party apps and
also doing online banking."
The good news, he and others say, is that a solution is not terribly
complicated. The best thing users can do is to make sure they have the latest
versions of apps and the operating system of their device. Turrentine says the
latest iOS is fairly secure, noting that it took the jailbreak community 10
months to break the iPad 2.
Beyond that, Lyne tells The Bottom Line that users should
have a robust password, use encryption, and be very careful about what apps they
install.
0 comments
Post a Comment