simplifying the challenges of mobile device security three ...€¦ · three steps to reduce mobile...

Simplifying the Challenges of Mobile Device Security Three Steps to Reduce Mobile Device Security Risks Smartphones and tablets are invading the workplace along with the security risks they bring with

them. Every day these devices go unchecked by standard vulnerability management processes, even

as malware on phones and tablets continues to increase at rapid rates. Leaving mobile security out of

your integrated security strategy opens your network to security breaches, data loss, intellectual

property theft, and regulatory compliance issues. This whitepaper introduces three steps that mid-size

and large enterprises can take immediately to reduce security risks around mobile devices and

improve overall security management.

Simplifying the Challenges of Mobile Device Security Three Steps to Reduce Mobile Device Security Risks

Contents

Executive Overview ..................................................................................................................... 3

Mobile Device Security: Just as Critical as Security for Desktops, Servers, and Networks .................. 4

Find the Risks: A Vital First Step in Mobile Device Security ............................................................. 5

Put Mobility In-Context: Integrating Mobile Device Security with Vulnerability Management .............. 6

Close the Gap: Centralized Management of Mobile and Physical Environments ................................. 7

Act Now to Safely Embrace the Consumerization of IT .................................................................. 12

Next Steps ................................................................................................................................ 12

About eEye Digital Security ........................................................................................................ 12


Executive Overview

A wide range of mobile devices—from BlackBerrys and Droids to iPhones and Tablets—are invading

the workplace. Front-line employees as well as senior management now demand the freedom to

bring their own devices to work and interact with corporate networks and data. However, the security

risks that come with those mobile devices typically go unchecked by traditional security management

processes and vulnerability management products—even as malware on smartphones and tablets

continues to increase at rapid rates.

In some cases, IT security managers may simply be unaware of the threats that exist in this

environment. In other cases, attacks may occur through mobile devices, but IT has no way to

determine the occurrence of an attack or the source of the attack. In both situations, IT security

teams are struggling to understand the true extent of their mobile security risk.

And, for those IT security pros that are keenly aware of mobile device security threats, many have

struggled to find a simple solution to discover weaknesses within their mobile environment. In short,

so few solutions have existed to help detect mobile vulnerabilities.

But, make no mistake about it; leaving mobile security out of your overall integrated security strategy

opens your network to breaches, data loss, intellectual property theft, and regulatory compliance

issues. With the use of smartphones and tablets on the corporate networks rising sharply, preemptive

measures are needed. This whitepaper introduces three steps that mid-size and large enterprises can

take immediately to find mobile device vulnerabilities and minimize the risk.


Mobile Device Security: Just as Critical as Security for Desktops, Servers, and Networks

Mobile devices are becoming more prevalent in the workplace. According to recent reports, more than

80 percent of employees now use personal smartphones for work-related purposes. And according to

other research, the creation of malware for smartphones and tablets was up 273 percent in the first

half of 2011.

These situations create major security challenges for IT managers, and the extent of the IT security

problem will only increase over time. According to Gartner, enterprises are forced to accommodate

consumer devices because employees now insist on having just one device for both business and

personal use. This makes mobile security an even greater challenge for IT security managers as they

struggle to understand and minimize the security risks that come with these devices.

The challenge is not going away and is likely to grow rapidly in scope, scale, and complexity. The

threats themselves are also going to grow exponentially, as described in a recent report from IBM X-

Force which documents a steady rise in the disclosure of security vulnerabilities affecting mobile

devices and finds that:

Malicious software targeting mobile phones is often distributed through third-party app markets.

Mobile phones are an increasingly-attractive platform for malware developers as the sheer size of

the user base grows rapidly.

Mobile malware is often capable of spying on a victim's personal communications as well as

monitoring and tracking their physical movements via GPS capabilities.

Given that many employees use their smartphones for both corporate and personal use, problems like

these pose a major threat to otherwise-protected corporate networks. But the problems have also

been difficult to address because IT often treat these devices differently, separating mobile device

security from their overall security and vulnerability management practices.


Find the Risks: A Vital First Step in Mobile Device Security

The first step in mobile device security is to identify and

inventory all threats. According to a 451 Group

report…“We believe most security and IT administrators

have turned a blind eye to scanning for weaknesses in

mobile device hardware, applications, and configurations

as so few tools have existed to help detect mobile

vulnerabilities.”

Many mobile device vulnerabilities originate from mobile

applications. Downloadable apps present many security

issues—including malware, which launches malicious

attacks, and spyware, which can be exploited for

malicious purposes, including collecting sensitive

information from the infected device.

And because mobile devices are constantly connected to

the Internet, Web-based threats have become a major

problem. This includes phishing scams, which can be

unleashed via websites, e-mail and text messages, and

social media sites such as Facebook, LinkedIn, and

Twitter. Mobile Internet users are also subject to drive-by

downloads when visiting malicious Web pages, or by

browser exploits delivered through a vulnerable Flash

player, PDF reader, or image viewer.

When you add in the vulnerabilities that can germinate

from within mobile-device hardware and firmware—along

with those caused by incorrect device configuration and

end-user failures to follow password policies—IT has a

wide range of vulnerabilities to discover and inventory

across all mobile devices accessing the corporate network.

This can be a massive challenge if the right solution is not

used.

Does BlackBerry = Security?

The long-popular BlackBerry device is

perceived to be secure, particularly in

comparison to Android and iPhone

devices. This is understandable since

BlackBerry has gained a reputation in

the mobile space during the past

decade as the "most secure" handheld

device and mobile platform available.

But the popularity of BlackBerry and

its breadth of applications has also

brought with it an increasing number

of vulnerabilities in both BlackBerry

servers and devices.

Blind trust security does not equal

security. To ensure security for these

devices, patches and updates must be

loaded on a regular basis, and there

are always configuration issues to be

concerned about. In addition to

staying on top of patches and

updates, organizations need to

monitor if the users of these devices

have disabled their passwords or

violated the password policy. Similarly,

it is important to identify and monitor

whether or not they have installed

unauthorized applications.


Put Mobility In-Context: Integrating Mobile Device Security with Vulnerability Management

The security risks that come with mobile devices typically go unchecked by traditional vulnerability

management practices. However, it’s important to analyze

mobile vulnerabilities within the context of, and alongside

with, all vulnerabilities associated with the network. This

comprehensive view will allow for the most appropriate

resolution based on the risks of operating the business and

protecting its data.

To put it another way, high risk is high risk—whether it’s a

vulnerability that might impact servers, the network

infrastructure, desktops, or mobile devices—it is still a risk.

Instead of considering each vulnerability area separately,

consider them all at once.

To do this effectively, IT needs a centralized, consolidated

view of all vulnerabilities—mobile and non-mobile. Only then

can IT make the best decisions around what to fix first.

Leading vulnerability management solutions assist with this

step by providing centralized management of all

vulnerabilities – from mobile devices to desktops and servers

– allowing IT to reduce overall security risk by extending

vulnerability management to mobile devices.

Doesn’t my Mobile Device

Management (MDM) solution

provide sufficient security?

Some enterprises have turned to a

Mobile Device Management (MDM)

solution to provision and manage

mobile devices. Although these

mobile device management

platforms work well for their

primary purpose—specifically,

device provisioning and

management —they are not built

for assessing mobile vulnerabilities.

Adding a complementary product

that specifically scans for

weaknesses in mobile device

hardware, applications, and

configurations is needed to reduce

mobile risk.


Close the Gap: Centralized Management of Mobile and Physical Environments

eEye Digital Security recently released a new version of its flagship product, Retina, which

dramatically reduces security risks in physical and mobile environments. Retina CS is the first

vulnerability management solution to provide mobile device assessment as part of its unified

vulnerability management solution, decreasing mobile security risks and protecting against data theft.

Retina CS helps medium and large enterprises address the challenge of thwarting mobile threats by

first scanning for vulnerabilities across all devices—regardless of whether or not each mobile device is

connected to the corporate network during the time of the scan. Retina CS also provides built-in and

custom audits to scan for weaknesses in mobile device hardware, applications, and configurations.

And, built-in reports provide guidance for risk prioritization and remediation.

Built-In and Custom Audits

Easily scan for weaknesses in mobile device hardware, applications, and configurations with built-in

audits. These audits scan for standard vulnerabilities as well as configuration and policy violations.

Or, create custom audits to scan for custom configurations/policies or applications.

Sample Built-In Audits


Sample Custom Configuration and Policy Audits


Sample Custom Application Audits


Out-of-the-Box Mobile Management

Easy-to-use reporting displays and ranks vulnerabilities involving devices and applications as well as

policy violations to accelerate risk prioritization and remediation.

Sample Mobile Vulnerability Report

Sample User Interface for Mobile Assets


Retina CS provides these capabilities while reducing the effort required by IT to securely manage their

environment. Retina CS includes a simple-to-deploy connector interface or mobile agents that are

securely connected to the mobile device repository (Blackberry Enterprise Server or ActiveSync),

deployed as agents on Android devices. Vulnerability discovery, reporting and management is

performed via a single tool, streamlining the remediation process and reducing exposure to risk.


Act Now to Safely Embrace the Consumerization of IT

As the consumerization of IT continues, mobile security is an increasingly serious IT security problem.

The visibility that Retina CS provides eliminates the ‘blind spots’ mobile devices can create to reduce

security risks in both physical and mobile environments. With Retina CS, organizations can gain

visibility into the risks associated with mobile devices residing on their network. And, it provides best

practice methods to include mobile device security as part of the organizations’ overall security

program.

Deploying Retina CS is critical for enterprises that plan to embrace the bring-your-own-device to work

approach. Retina CS helps enterprises move efficiently and effectively through the three key steps as

defined above so that they can monitor, control and determine what each mobile device is that

accesses the corporate network and the risk that each device imposes.

To successfully ride the “consumerization of IT” wave, organizations must prepare now to identify

what devices are being let in and the risks they bring with them.

Next Steps

Get Retina CS Community, for free

Retina CS Community, a free security console for up to 128 IPs provides centralized vulnerability

management, vulnerability assessment for BlackBerry mobile devices, and Microsoft and third-party

application patching. Download Retina CS Community for free now.

Find out more about eEye Mobile Device Security Solutions

eEye Mobile Solutions Overview

Retina CS Overview

Contact eEye today at 866.339.3732 or [email protected]

About eEye Digital Security

Since 1998, eEye Digital Security has made vulnerability management simpler and more effective by

providing the only unified vulnerability and compliance management solution that integrates security

risk discovery, prioritization, remediation, and reporting into a complete offering. Consistently the first

to uncover critical vulnerabilities and prevent their exploit, eEye leverages its world-renowned

research and development to strategically secure customer assets. Thousands of mid-to-large size

organizations, including some of the most complex IT environments in the world, rely on eEye

solutions to protect against the latest known, unknown, and zero-day vulnerabilities.

http://www.eeye.com/products/retina/community

http://www.eeye.com/solutions/business-Need/mobility-solutions

http://www.eeye.com/products/retina/community

http://www.eeye.com/

http://www.eeye.com/solutions/business-need/vulnerability-management

http://www.eeye.com/products/retina

simplifying the challenges of mobile device security three ...€¦ · three steps to reduce mobile...

Documents