Definition of Mobile Security
Mobile Security (also known as Mobile Device Security) involves protecting both personal and business information stored on and transmitted from smartphones, tablets, laptops and other mobile devices. The term mobile security is a broad one that covers everything from protecting mobile devices from malware threats to reducing risks and securing mobile devices and their data in the case of theft, unauthorized access or accidental loss of the mobile device.
Mobile security also refers to the means by which a mobile device can authenticate users and protect or restrict access to data stored on the device through the use of passwords, personal identification numbers (PINs), pattern screen locks or more advanced forms of authentication such as fingerprint readers, eye scanners and other forms of biometric readers. Mobile security is closely related to mobile device management (MDM), which is a term that specifically applies to protecting mobile devices in the enterprise or business environments from loss or theft, as well as protecting the data on these devices.
Security Threats on Mobile Devices
Security threats on mobile devices come from a variety of places. For example, joining an unsafe Wi-Fi network can allow others to gain access to your device. Threats can also come in other forms:
- Phishing scams: Since many of us use our phones to access our email, it's highly likely you could click a malicious link and inadvertently cause a virus to spread through your device.
- Malicious apps: Some phone manufacturers keep a pretty close eye on apps and their developers, but unprotected phones or apps downloaded from less reputable locations can be full of malicious content. Malicious software can infect all types of devices and, though rare, iPhones can be a target.
- Network spoofing: That Wi-Fi network you just logged onto while sitting in the grocery store parking lot? Yes, it might be a fake network designed to grab your personal information.
- Spyware: Spyware allows hackers to break into your phone and oversee everything you do, from where you are at any given time to your credit card number to text messages you send.
- Bluetooth vulnerabilities: In late 2017, experts discovered that millions of devices had a vulnerability that made them susceptible to threats through Bluetooth technology that could pass from one device to another nearby relatively easily.
Mobile Security Concerns
Components of Mobile Device Security
Here are some solutions that can help keep mobile devices more secure.
- Endpoint security: As organizations embrace flexible and mobile workforces, they must deploy networks that allow remote access. Endpoint security solutions protect corporations by monitoring the files and processes on every mobile device that accesses a network. By constantly scanning for malicious behavior, endpoint security can identify threats early on. When they find malicious behavior, endpoint solutions quickly alert security teams, so threats are removed before they can do any damage.
- VPN: A virtual private network, or VPN, is an encrypted connection over the Internet from a device to a network. The encrypted connection helps ensure that sensitive data is safely transmitted. It prevents unauthorized people from eavesdropping on the traffic and allows the user to conduct remote work safely.
- Secure web gateway: Secure web gateways provide powerful, overarching cloud security. Because 70 percent of attacks are distinct to the organization, businesses need cloud security that identifies previously used attacks before they are launched. Cloud security can operate at the DNS and IP layers to defend against phishing, malware, and ransomware earlier. By integrating security with the cloud, you can identify an attack on one location and immediately prevent it at other branches.
- Email security: Email is both the most important business communication tool and the leading attack vector for security breaches. In fact, according to the latest Cisco Midyear Cybersecurity Report, email is the primary tool for attackers spreading ransomware and other malware. Proper email security includes advanced threat protection capabilities that detect, block, and remediate threats faster; prevent data loss; and secure important information in transit with end-to-end encryption.
- Cloud access security broker: Your network must secure where and how your employees work, including in the cloud. You will need a cloud access security broker (CASB), a tool that functions as a gateway between on-premises infrastructure and cloud applications (Salesforce, Dropbox, etc.). A CASB identifies malicious cloud-based applications and protects against breaches with a cloud data loss prevention (DLP) engine.
Next Generation of Mobile Security
There is expected to be four mobile environments that will make up the security framework:
- Rich operating system: In this category will fall traditional Mobile OS like Android, iOS, Symbian OS or Windows Phone. They will provide the traditional functionality and security of an OS to the applications.
- Secure Operating System (Secure OS): A secure kernel which will run in parallel with a fully featured Rich OS, on the same processor core. It will include drivers for the Rich OS ("normal world") to communicate with the secure kernel ("secure world"). The trusted infrastructure could include interfaces like the display or keypad to regions of PCI-E address space and memories.
- Trusted Execution Environment (TEE): Made up of hardware and software. It helps in the control of access rights and houses sensitive applications, which need to be isolated from the Rich OS. It effectively acts as a firewall between the "normal world" and "secure world".
- Secure Element (SE): The SE consists of tamper resistant hardware and associated software or separate isolated hardware. It can provide high levels of security and work in tandem with the TEE. The SE will be mandatory for hosting proximity payment applications or official electronic signatures. SE may connect, disconnect, block peripheral devices and operate separate set of hardware.
- Security Applications (SA): Numerous security applications are available on App Stores providing services of protection from viruses and performing vulnerability assessment.
Mobile Device Security Trends
As the world of mobility changes, enterprises are also adapting. Here are some of the latest security trends in enterprise mobility:
- Using Cyber Liability Insurance: One of the biggest security trends in the enterprise is with cyber liability insurance. This type of insurance covers the losses that result in a data breach. In other words, in case a mobile device is hacked and the data gets compromised, all potential financial losses will be covered. Given the fact that mobile devices have a target on their back and are now the primary threat vector, enterprises need to ensure that their cyber liability insurance policies cover the mobile devices. It is imperative have this policy in order to protect against potential data breaches and leaks. When a cyber attacks occurs on a mobile device, an enterprise needs to act fast. If data is breached, all affected users must be notified. The cost of this tremendous communication burden can add up, and the company’s brand could be at risk. With the average cost of a corporate data breach nearly $4 million, it is worth exploring to have an insurance policy that covers data on enterprise devices.
- Avoiding Public WiFi: Public WiFi represents one of the biggest attacks vectors for all types of mobile devices. The problem is that when workers connect to public WiFi networks, the assumption is that they are safe to use. The truth is that a hacker can easily breach the device, access the network, and steal data. Some hackers are specifically targeting unsuspected users who access a public WiFi network that looks safe, but is really vulnerable to attacks. There have been cases where hackers created fake WiFi networks that seem innocent (calling them names like ‘Coffee Shop’) but, it is really just a way to trap users. The trend is to educate workers about these dangers. All employees should be aware that WiFi networks pose a significant threat, and should be avoided when accessing enterprise apps. The problem is that some employees ignore this advice and go on the public WiFi. To combat this issue, a growing trend in the enterprise is to program the devices in a way that prohibits employees from accessing public WiFi.
- The Emergence Of IoT Device Security: Similar to cellular devices, IoT devices are also vulnerable to the same threats. IT departments recognize this issue, and are addressing it by protecting IoT devices the same way that traditional mobile devices would need it. After all, any endpoint in an enterprise needs to have the best protection. The difference is that the recent trend is to take extra steps to protect IoT devices. Some enterprises are actively removing these devices from the main network and placing them in their own isolated network, such as a virtual LAN. By segregating these devices onto a separate firewalled network, there could be fewer security incidents. In addition, some enterprises are enacting extra precautions by disabling certain functions with IoT devices. For example, if a wireless printer (which is a considered an IoT device) has faxing capabilities that it never uses, a company might shut that function down for security reasons. These steps make sense for IoT, but not for mobile devices, which usually require full network access. One security protocol that both IoT and traditional mobile devices share is encryption, which is a big trend in the industry. Many organizations are leveraging encryption to protect data.
Security Reference Model (SRM)
Information Security Governance
Adaptive Security Architecture (ASA)
Business Model for Information Security (BMIS)
Common Data Security Architecture (CDSA)
Payment Card Industry Data Security Standard (PCI DSS)
Enterprise Information Security Architecture (EISA)
Fault Configuration Accounting Performance Security (FCAPS)
Information Systems Security (INFOSEC)
Information Security Management System (ISMS)
Information Technology Security Assessment
Mobile Application Management (MAM)
Mobile Business Intelligence
Mobile Content Management (MCM)
Mobile Device Management (MDM)
Mobile Information Management (MIM)
Mobile Maturity Model
Mobile Operating System
Mobile Platform as a Service (mPaaS)
Mobile Software Management (MSM)