Small Business Attack – Mobile Defense
As mentioned yesterday, mobile devices are a pretty big threat. In fact, it’s so obvious to those of us in security, that we often wonder why we don’t see many attacks along this vector. Of course, that all changed this past weekend. Now that we’ve had one that got media attention, there will be more… and they’ll be trickier.
So how do you defend against them?
The easiest approach is to forbid such devices from touching your network at all, by restricting at the perimeter which services are reachable from outside. That does nothing, however, if someone:
- Brings their device to their workstation and does a manual sync.
- Carries proprietary data on the phone itself, where an attacker who compromises the phone can reach it without ever touching your network.
So it’s a bit more complex than that. Some businesses solve the problem by issuing every employee a standard mobile device. IT is then responsible for maintaining the device and keeping it secure, exactly as it is for workstations. This model balances the business’s need for control against the employee’s desire to be reachable.
Others treat the mobile device as the employee’s responsibility and invest instead in technologies that give greater auditing capability over the data. This way, whatever attack vector is used, the data itself is protected. It allows maximal flexibility for the employee, but it requires that the audit technology be layered, so that a failure in one place does not expose everything.
The real risk is when a business does neither. If mobile devices are allowed access but are neither controlled nor protected, and there is no internal audit process, an attacker can waltz right in and take what they want, all while some employee somewhere is distracted playing their iPhone Ocarina.