Consumerization and Mobile Computing: Balancing the Risks and Benefits in the Cloud
Risks with ‘bring your own device’
Employees are increasingly bringing their own smartphones, tablets or laptops to work. In addition, many companies are giving employees an allowance or subsidy to buy their own computer equipment. These trends, known as ‘bring your own device’, present a major challenge to IT departments more used to having greater control over every device on the network. There is also the risk that a device owned by an employee might be used for non-work activity that exposes it to more malware than a device used strictly for business purposes.
The proliferation of mobile devices in the home and in business has been fueled in large part by the growth in cloud-based services and applications; without access to the Internet, many mobile devices lack a great deal of the functionality that made them attractive in the first place.
Threats against mobile devices
Over the past ten years we have seen a proliferation of mobile devices, but there has not yet been a corresponding rise in mobile threats on the same level as we have seen in PC malware. If we look at how PC malware evolved, there are three factors needed before a major increase in mobile malware will occur: a widespread platform, readily accessible development tools, and sufficient attacker motivation (usually financial). The first has been fulfilled most recently with the advent of Android. Its growing market share parallels the rise in the number of mobile threats during 2011.
Unlike closed systems such as Apple’s iPhone, Android is a relatively open platform. It is easier for developers, including malware writers, to write and distribute applications. In 2011, we saw malware families, such as Opfake, migrate from older platforms to Android. The latest strains of Opfake have used server-side polymorphism in order to evade traditional signature-based detection. Without a single Android marketplace for apps and central control over what is published, it is easy for malware authors to create trojans that are very similar to popular apps, although Android users must explicitly approve the set of permissions that is outlined for each app.
Currently, more than half of all Android threats collect device data or track users’ activities. Almost a quarter of the mobile threats identified in 2011 were designed to send content, and one of the most popular ways for phone malware authors to make money is by sending premium SMS messages from infected phones. This technique was used by 18% of mobile threats identified in 2011. Increasingly, phone malware does more than send SMS messages. For example, we see attacks that track the user’s position with GPS and steal information.
The message that is coming through loud and clear is that the creators of these threats are getting more strategic and bolder in their efforts. People regard their phones as personal, private, intimate parts of their life and view phone attacks with alarm. The motivations for such attacks are not always monetary: in this example, it was about gathering intelligence and personal information.
Mobile threats are now employing server-side polymorphic techniques, and the number of variants of mobile malware is currently rising faster than the number of unique families of mobile malware. Monetization is still a key driver behind the growth in mobile malware, and the current mobile technology landscape provides some opportunities for attackers; however, none of them yet reach the revenue scale achievable on Windows.
What mobile malware does with your phone
Consumerization of IT and cloud computing
As more people are bringing their own devices to work, consumer technology is invading the office. Employees are also using social networking sites for a variety of purposes, including marketing. And they are using cloud applications instead of company-managed software to store files or communicate.
In some cases, this is being done ‘below the radar’ by individual employees without the support of the company. In other cases, businesses are embracing the benefits of cloud computing, mobile working and the price/performance of consumer devices to reduce costs and improve productivity. For example, 37% of businesses globally are already adopting cloud solutions [xxviii].
The risks of unmanaged employee adoption of cloud computing or the use of consumer devices and consumer websites in business are clear. But even if companies deliberately choose consumerization, there are still security challenges. It makes it harder for companies to erect an impermeable boundary around the business and control exactly what is on employees’ PCs and how data is stored, managed and transferred, especially when tracking how and where corporate data and information is being used.
Confidence in the Cloud: Balancing Risks
Many companies are keen to adopt cloud computing. It can reduce costs by outsourcing routine services, such as email or CRM, to third-party specialists and by swapping upfront capital expenditure for lower, more predictable per-user fees. It can also give companies access to newer and better technology without the difficulties of installing or upgrading in-house hardware.
However, it is not without its risks. The first risk is unmanaged employee use of cloud services. For example, an employee starts using a file sharing Web site to transfer large documents to clients or suppliers, or sets up an unofficial company page or discussion forum on a popular social networking site. In fact, the tighter the IT department holds the reins, the more likely it is that employees will work around limitations using third party Web sites.
The main risks involved in the use of ad-hoc cloud computing services include:
- Security and compliance – the interfaces between users, endpoints and backend systems all need to be secure, with appropriate levels of access control in place.
  - Is data encrypted as it is transferred over the Internet?
- Non-compliance with data protection regulations – for example, if the data is hosted overseas, from a European standpoint this could result in a breach of privacy legislation.
- Lack of vendor validation – is the service reputable and secure? Can users easily transfer their data to another vendor should the need arise?
- Availability – public and private cloud services depend on system availability; strong service level agreements (SLAs) can help to promote high availability.
  - If the service is unavailable for any reason, the company may be unable to access its own data.
- Secure access control over company data stored on third party systems – does the service offer control over how the data is stored and how it can be accessed?
- Legal risks and liabilities that may arise as a result of vendor terms and conditions – always make sure the terms and conditions are clear and that service level performance can be monitored against the agreed SLAs.
IT managers and CISOs can address these concerns by validating an approved list of cloud applications in the same way that they would authorize on-premise software. This needs to be backed up with the appropriate acceptable usage policies, employee training and, if necessary, enforcement using Web site access control technology. In addition, where employees access consumer sites for business use, such as using social networking services for marketing, companies need to protect users against potential attacks from Web-hosted malware and spam.
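One way to put the approved-list approach into practice is to compare Web proxy logs against the list of sanctioned cloud applications and report the unsanctioned services employees are actually using. The script below is an added illustration, not part of the report; the approved domains, the log format and the log lines are all constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Approved cloud applications as registrable domains. Assumed values for
# illustration only; a real list comes from the organisation's own review.
APPROVED_CLOUD_APPS = {
    "approved-mail.example",
    "approved-crm.example",
}

# Constructed proxy log in a simplified "timestamp user method url status" format.
SAMPLE_PROXY_LOG = """\
2011-11-02T09:14:03Z alice GET https://webmail.approved-mail.example/inbox 200
2011-11-02T09:15:41Z bob PUT https://upload.bigfiles-share.test/v1/files 201
2011-11-02T09:16:02Z alice POST https://approved-crm.example/api/leads 200
2011-11-02T09:17:55Z carol GET https://forum.social-network.test/company-page 200
2011-11-02T09:18:10Z bob PUT https://upload.bigfiles-share.test/v1/files 201
2011-11-02T09:19:30Z dave GET https://approved-mail.example.evil.test/login 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def is_approved(host: str, approved=APPROVED_CLOUD_APPS) -> bool:
    """True if host is an approved domain or a subdomain of one.

    The suffix match is anchored on a dot, so a look-alike such as
    'approved-mail.example.evil.test' does not pass as approved.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in approved)


def unapproved_cloud_usage(log_text: str, approved=APPROVED_CLOUD_APPS):
    """Return {(user, host): request_count} for traffic to unapproved hosts."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the report
        _, user, _, url, _ = m.groups()
        host = urlsplit(url).hostname
        if host and not is_approved(host, approved):
            hits[(user, host)] += 1
    return dict(hits)


if __name__ == "__main__":
    for (user, host), n in sorted(unapproved_cloud_usage(SAMPLE_PROXY_LOG).items()):
        print(f"{user:8} {host:40} {n} request(s)")
```

The report it produces is the input to the follow-up the text describes: either the service is reviewed and added to the approved list, or the acceptable usage policy is enforced.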
[xxviii] Appendix D: Vulnerability Trends: Figure D.3