This document discusses securing mobile devices in the business environment. It notes that mobile devices are increasingly being used for both personal and work purposes. While this brings advantages like increased productivity, it also poses security risks if not properly addressed. The document outlines various security threats to mobile devices like loss/theft, malware, spam, phishing, and issues with Bluetooth/Wi-Fi. It recommends developing a mobile security strategy that identifies allowed access to data and supported devices. The strategy should also determine management responsibilities and include policies and controls following best practices and IBM's security framework.
BlackBerry Enterprise of Things presentation - Gartner IT ExpoBlackBerry
BlackBerry secures, connects, and mobilizes the enterprise by connecting people, devices, processes, and systems to fully realize a secure “Enterprise of Things.” BlackBerry is no longer about the smartphone, but the smart in the phone and in cars and containers, medical devices and wearables, consumer appliances and industrial machinery, and ultimately the entire enterprise. BlackBerry software secures the Enterprise of Things.
WEBINAR - August 9, 2016: New Legal Requirements for Mobile SecurityMobileIron
As of 2016, California requires all companies, no matter where they are based, to implement a minimum set of mobile security controls if they process sensitive personal information about California residents. Spend 30 minutes with us on how to comply with these new requirements. Review the California Data Breach Report for the new requirements.
International Legal Technical Association Dec 09 Peer to Peer article - highlighting your risk of accidental document metadata leakage from mobile devices (e.g. iPhone, Blackberry, Netbook etc)
Yamana is our mobile device management service by which it gets easy to ensure that the Company’s employees use their mobile devices within the bounds of corporate policies.
BlackBerry Enterprise of Things presentation - Gartner IT ExpoBlackBerry
BlackBerry secures, connects, and mobilizes the enterprise by connecting people, devices, processes, and systems to fully realize a secure “Enterprise of Things.” BlackBerry is no longer about the smartphone, but the smart in the phone and in cars and containers, medical devices and wearables, consumer appliances and industrial machinery, and ultimately the entire enterprise. BlackBerry software secures the Enterprise of Things.
WEBINAR - August 9, 2016: New Legal Requirements for Mobile SecurityMobileIron
As of 2016, California requires all companies, no matter where they are based, to implement a minimum set of mobile security controls if they process sensitive personal information about California residents. Spend 30 minutes with us on how to comply with these new requirements. Review the California Data Breach Report for the new requirements.
International Legal Technical Association Dec 09 Peer to Peer article - highlighting your risk of accidental document metadata leakage from mobile devices (e.g. iPhone, Blackberry, Netbook etc)
Yamana is our mobile device management service by which it gets easy to ensure that the Company’s employees use their mobile devices within the bounds of corporate policies.
The Cisco 2010 Midyear Security Report includes:
* Results and analysis from two new Cisco studies -- one focused on employee collaboration and the other on the concerns of IT decision-makers worldwide
* International trends in cyber-security and their potential impact on business
* Insight into how hackers penetrate “soft spots” in enterprise security to steal sensitive data and sell it to the highest bidder
* An update on global spam trends since late 2009 and spam volume predictions for 2010
* Guidance from Cisco security experts to help businesses improve their enterprise security by 2011
Mobile Security: Preparing for the 2017 Threat LandscapeBlackBerry
For years, security researchers and leaders have warned: “The mobile threat is coming.” Well, in 2016 it arrived in full force. Attackers are finding new, creative means of stealing user credentials and penetrating critical systems via the mobile channel. And healthcare entities—with an increasingly mobile workforce and patient population—are square in the middle of this expanding mobile threatscape, as attackers seek to capture and monetize critical healthcare data.
What are the most prevalent new threats, and what are leading organizations doing to bolster mobile security as we head into 2017?
This interview with BlackBerry VP Government Solutions Sinisha Patkovic, on Mobile Security: Preparing for the 2017 Threat Landscape, was produced for of a recent ISMG Security Executive Roundtable sponsored By BlackBerry.
Integrating Enterprise Mobility - an Assessment WHITE PAPERMobiloitte
We offer complete satisfaction to our customers by following standardized SDLC processes, hiring the best of breed developers and mastering most of our requirements gathering, wireframing, designing, developing, testing, delivering, deploying and maintenance tasks.
Ours is an off-shore model, but we ensure that both customer and Mobiloitte are always in touch by keeping communications open, providing regular updates and iterative releases so that the customer is always well informed.
Challenges and Security Issues in Future IT Infrastructure ComponentsMubashir Ali
Over the past 2 decades, the information technology infrastructure has gone through an exponential change with the introduction and evolution of new technologies and trends. Organizations previously having their data on-premise and their infrastructure comprising of multiple server machines on multiple server racks and dedicated client personal computers (PCs) are moving towards cloud computing & virtualization to Smartphone and tablets. This rapid advancement and constant change, although increasing productivity for the organizations is resulting in a rising number of challenges and security issues for the organizations, their managers, IT administrators and technology architects. This paper discusses the future IT infrastructure components and the challenges & security issues that arise after their implementation that needs to be taken care of in order to get the full advantage of IT.
C0c0n 2011 mobile security presentation v1.2Santosh Satam
Mobile phone security has been a hot topic for debate in recent times. The top mobile manufacturers seem to claim that their mobiles and applications are secure, but recent news on mobile hacking and malware suggest otherwise.
One of the key challenges in mobile security is the diverse platforms and multitude of operating systems (both open and proprietary) in the market. This makes it almost impossible to devise a generic catch-all strategy for mobile application security. Every platform whether it is iOS, Android, Blackberry, Windows Mobile, Symbian etc. is unique and requires a specialized treatment.
In this talk, we will demystify mobile and related application security. We will understand the architectures of various mobile operating systems and the native security support provided by the manufacturers and operating system vendors. Then we will look at how hackers have come up with different techniques and tools to break mobile security, and what mobile companies are doing to mitigate these attacks.
Finally, we will look at secure practices for mobile deployment in the Enterprise using policy files and other technology solutions, We will also outline best practices for business users and road warriors, on how to ensure your company data is protected while still continuing to enjoy the flexibility provided by mobile phones.
Android in the Enterprise New Security Enhancements: Google and BlackBerry St...BlackBerry
BlackBerry and Google have worked together to enhance and simplify secure mobile productivity. The collaboration brings the leader in mobile security together with the world’s most popular mobility platform.
With enterprises rapidly embracing the Android platform to transform their workflows and processes through mobile innovation, Google has made a number of significant improvements in Android-specific security. These enhancements add to Google-provided security services, which are continuously updated to address both new and ongoing threats.
While security at the application and operating system level is critical, enterprises can go further by choosing the right mobility management platform. Building on Google’s security enhancements, BlackBerry Secure EMM Suites deliver the best Android security, productivity, and flexibility, to meet all enterprise use cases.
The complementary solutions delivered by BlackBerry and Google accelerate change while ensuring compliance with corporate security guidelines. This paper describes how these developments work together to keep enterprise Android users productive and protected.
BlackBerry Unified Endpoint Manager (UEM): Complete Multi-OS Control for Secu...BlackBerry
BlackBerry UEM delivers unified endpoint management and policy control for your diverse and growing fleet of devices and apps. With its single management console and trusted end-to-end security model, it provides the flexibility and security you need to keep your employees connected and protected.
The Cisco 2010 Midyear Security Report includes:
* Results and analysis from two new Cisco studies -- one focused on employee collaboration and the other on the concerns of IT decision-makers worldwide
* International trends in cyber-security and their potential impact on business
* Insight into how hackers penetrate “soft spots” in enterprise security to steal sensitive data and sell it to the highest bidder
* An update on global spam trends since late 2009 and spam volume predictions for 2010
* Guidance from Cisco security experts to help businesses improve their enterprise security by 2011
Mobile Security: Preparing for the 2017 Threat LandscapeBlackBerry
For years, security researchers and leaders have warned: “The mobile threat is coming.” Well, in 2016 it arrived in full force. Attackers are finding new, creative means of stealing user credentials and penetrating critical systems via the mobile channel. And healthcare entities—with an increasingly mobile workforce and patient population—are square in the middle of this expanding mobile threatscape, as attackers seek to capture and monetize critical healthcare data.
What are the most prevalent new threats, and what are leading organizations doing to bolster mobile security as we head into 2017?
This interview with BlackBerry VP Government Solutions Sinisha Patkovic, on Mobile Security: Preparing for the 2017 Threat Landscape, was produced for of a recent ISMG Security Executive Roundtable sponsored By BlackBerry.
Integrating Enterprise Mobility - an Assessment WHITE PAPERMobiloitte
We offer complete satisfaction to our customers by following standardized SDLC processes, hiring the best of breed developers and mastering most of our requirements gathering, wireframing, designing, developing, testing, delivering, deploying and maintenance tasks.
Ours is an off-shore model, but we ensure that both customer and Mobiloitte are always in touch by keeping communications open, providing regular updates and iterative releases so that the customer is always well informed.
Challenges and Security Issues in Future IT Infrastructure ComponentsMubashir Ali
Over the past 2 decades, the information technology infrastructure has gone through an exponential change with the introduction and evolution of new technologies and trends. Organizations previously having their data on-premise and their infrastructure comprising of multiple server machines on multiple server racks and dedicated client personal computers (PCs) are moving towards cloud computing & virtualization to Smartphone and tablets. This rapid advancement and constant change, although increasing productivity for the organizations is resulting in a rising number of challenges and security issues for the organizations, their managers, IT administrators and technology architects. This paper discusses the future IT infrastructure components and the challenges & security issues that arise after their implementation that needs to be taken care of in order to get the full advantage of IT.
C0c0n 2011 mobile security presentation v1.2Santosh Satam
Mobile phone security has been a hot topic for debate in recent times. The top mobile manufacturers seem to claim that their mobiles and applications are secure, but recent news on mobile hacking and malware suggest otherwise.
One of the key challenges in mobile security is the diverse platforms and multitude of operating systems (both open and proprietary) in the market. This makes it almost impossible to devise a generic catch-all strategy for mobile application security. Every platform whether it is iOS, Android, Blackberry, Windows Mobile, Symbian etc. is unique and requires a specialized treatment.
In this talk, we will demystify mobile and related application security. We will understand the architectures of various mobile operating systems and the native security support provided by the manufacturers and operating system vendors. Then we will look at how hackers have come up with different techniques and tools to break mobile security, and what mobile companies are doing to mitigate these attacks.
Finally, we will look at secure practices for mobile deployment in the Enterprise using policy files and other technology solutions, We will also outline best practices for business users and road warriors, on how to ensure your company data is protected while still continuing to enjoy the flexibility provided by mobile phones.
Android in the Enterprise New Security Enhancements: Google and BlackBerry St...BlackBerry
BlackBerry and Google have worked together to enhance and simplify secure mobile productivity. The collaboration brings the leader in mobile security together with the world’s most popular mobility platform.
With enterprises rapidly embracing the Android platform to transform their workflows and processes through mobile innovation, Google has made a number of significant improvements in Android-specific security. These enhancements add to Google-provided security services, which are continuously updated to address both new and ongoing threats.
While security at the application and operating system level is critical, enterprises can go further by choosing the right mobility management platform. Building on Google’s security enhancements, BlackBerry Secure EMM Suites deliver the best Android security, productivity, and flexibility, to meet all enterprise use cases.
The complementary solutions delivered by BlackBerry and Google accelerate change while ensuring compliance with corporate security guidelines. This paper describes how these developments work together to keep enterprise Android users productive and protected.
BlackBerry Unified Endpoint Manager (UEM): Complete Multi-OS Control for Secu...BlackBerry
BlackBerry UEM delivers unified endpoint management and policy control for your diverse and growing fleet of devices and apps. With its single management console and trusted end-to-end security model, it provides the flexibility and security you need to keep your employees connected and protected.
Программа локальных мероприятий №2. Улучшение пешеходных переходов. v1.00Alex Egorov
ЛУГ разработал вторую программу по локальным мероприятиям для города Твери. На этот раз мероприятия касаются повышения безопасности пешеходных переходов.
Предложения по оптимизации эвакуации v0.97Alex Egorov
Выступал с ней на Общественном совете при Минтрансе Тв. области. Обсуждение на ТИА http://tvernews.ru/news/164101/. Новость на сайте Минтранса http://mintrans.tver.ru/TGS/dts/home.nsf/news/06-12-2013-17-12-40.html
Salesforce Communities for Sales: 10 Questions You Should Ask YourselfRelayware, Inc.
Thinking of getting a channel management solution? Thinking of using Salesforce's Communities for Sales? Think carefully! For a list of key considerations and “10 Questions to Ask Yourself,” be sure to take a look through these slides.
Launching Salesforce Communities: Flipping the Switch and Making them WorkSalesforce.org
In this webinar, we’ll go over basics of activating a Customer Community, customizing it, and inviting your first Community Members. But building a healthy community is about more than just “flipping the switch,” we’ll also share key lessons learned from the team that launched the Power Of Us HUB, the online community for Salesforce.com Foundation customers.
In this first installment of our Secure Salesforce Development webinar series members of the Salesforce Trust team will introduce the core concepts behind developing secure applications on the Salesforce platform using Apex and Visualforce. We’ll walk through creation and development of a simple, on-platform app and examine common security vulnerabilities that developers unintentionally introduce to their applications. After discussing the danger of these vulnerabilities and demonstrating their impact we’ll go in depth into how to avoid introducing them in your code, how to review existing code and find them, and how to fix them.
I Brought My Own Device. Now What? by Paul Andersen, Marketing Manager at Array Networks .
The consumerization of IT is underway. In its report Tablets Will Rule the Future Personal Computing Landscape, Forrester predicts sales of 375 million tablets in 2016 with over 750 million tablets in use.
3 data leak possibilities that are easy to overlookPeter Hewer
Mobile data leaks is a reality and its a big risk for 2019 and beyond. Hackers and malware apps are smart, be smarter. Start with the simple areas first.
James F. Fox, information security practice lead at Booz Allen Hamilton MENA, discusses the critical issue of mobile security, and what it means for telcos.
Mobile devices, specifically smartphones, have become ubiquitous. For this reason, businesses are starting
to develop “Bring Your Own Device” policies to allow their employees to use their owned devices in the
workplace. BYOD offers many potential advantages: enhanced productivity, increased revenues, reduced
mobile costs and IT efficiencies. However, due to emerging attacks and limitations on device resources, it is
difficult to trust these devices with access to critical proprietary information. Therefore, in this paper, the
potential attacks of BYOD and taxonomy of BYOD attacks are presented. Advanced persistent threat (APT)
and malware attack are discussed in depth in this paper. Next, the proposed solution to mitigate the attacks
of BYOD is discussed. Lastly, the evaluations of the proposed solutions based on the X.800 security
architecture are presented.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
Best practices for mobile enterprise security and the importance of endpoint ...Chris Pepin
With the rapid growth of smartphones and tablets in the enterprise, CIOs are struggling to secure mobile devices and data across a wide range of mobile platforms. Attend this session to learn best practices around defining a mobile security policy, educating employees about safe computing practices, and deploying a secure technology framework. We'll discuss the benefits of endpoint management solutions like IBM Endpoint Manager in the context of a comprehensive enterprise deployment encompassing smartphones, tablets, PCs and servers.
Trends in Cybersecurity that Businesses Need to Look Out for in 2023.pptxMetaorange
5G networks will usher in a new era of IoT connectivity. This interconnectedness between devices makes them vulnerable to outside interference, threats, or undetected software flaws. Google has revealed critical flaws in its Chrome Web Browser, which is the most widely used.
10 Reasons to Strengthen Security with App & Desktop VirtualizationCitrix
Explore 10 reasons why app and desktop virtualization should be the foundation for your layered approach to information security. It will enable organizations to pursue priorities such as mobility, flexwork and consumerization while effectively managing risk.
10 Reasons to Strengthen Security with App & Desktop Virtualization
Securing mobile devices 1
1. IBM Global Technology Services October 2011
Thought Leadership White Paper
Securing mobile devices in
the business environment
By I-Lung Kao, Global Strategist, IBM Security Services
2. 2 Securing mobile devices in the business environment
As the world becomes more interconnected, integrated and ● Improved client services—Sales or support employees who
intelligent, mobile devices are playing an ever-increasing role in regularly interface with customers may respond more effi-
changing the way people live, work and communicate. But it is ciently, directly increasing customer satisfaction.
not just happening in personal life: Smartphones and tablets are ● Reduced IT cost—By allowing employees to use, and often
also being rapidly adopted by enterprises as new work tools, pay for, their own mobile devices and wireless services, compa-
joining existing laptops and desktops. The use of mobile devices nies potentially save IT spending on device purchases as well
for business has experienced an explosive growth in the past few as management and communication services.
years and will only accelerate in the near future.
There are some cautions, however. Companies need to fully rec-
And while the BlackBerry® has been the de facto mobile device ognize that when employees connect mobile devices to the
for business for many years, the availability of other smartphones enterprise and merge both business and personal data, those
and tablets with broader consumer appeal, such as iPhone® and mobile devices must be treated just like any other IT equipment,
Android™ devices, is fundamentally changing the game. with appropriate security controls. If security is not addressed at
Employees are now bringing their own mobile devices to the the outset, these mobile devices may become a point of security
workplace and asking companies to support them. These new weakness that threatens to disclose business information or
devices offer improved hardware performance, a more robust become a new channel to introduce security threats to the com-
platform feature set and increased communication bandwidth, pany’s IT infrastructure and business resources. Many IT depart-
expanding their capabilities beyond voice and email. As a result, ments are finding significant challenges in securing mobile
however, this increased access to enterprise systems can also devices, for a variety of reasons:
bring an increased security risk to the organization.
● A range of mobile device platforms, such as BlackBerry,
This paper explores how companies can more safely introduce Symbian®, IOS®, Android and Windows Mobile, needs to be
employee- or corporate-owned mobile devices into the work- supported, and each platform brings with it a unique security
place, identify the risks inherent in their broader access to corpo- model. Other than the BlackBerry platform, most started
rate data, and derive enhanced business value. as consumer platforms and lack enterprise-strength
security controls.
Mobility brings both advantages and risks ● Business and personal data now coexist on the same device.
to the enterprise Finding a balance between strict security control and privacy
As employees bring mobile devices into the workplace, many of personal data, particularly when the device is no longer a
organizations are motivated to encourage their use for business corporate-issued asset, can be challenging.
purposes, because they tend to drive:
● Unauthorized or non-business oriented applications have the
potential to spread malware that affects the integrity of the
● Increased employee productivity—Mobile devices can give device and the business data residing upon it.
employees access to corporate resources and enable continu-
● Mobile devices are prone to loss and theft, due to their small-
ous collaboration with colleagues or business partners. size and high-portability. Whenever a device is lost, corporate
data is at risk both on the mobile device and within the corpo-
rate network.
3. IBM Global Technology Services 3
● Many mobile devices are always on and connected, so vulnera-
bility to malicious attacks increases through different commu- Mobile operating system exploits
2006-2011 (Projected)
nication channels. 40
● Mobile technology is advancing quickly and becoming increas-
35
ingly complex. Many companies do not have enough resources
30
or skills in house to fully embrace mobile technology in
25
the workplace.
20
Security threats to mobile devices 15
The security of mobile devices has become a top concern for
10
many IT executives. Hackers are discovering the benefits of
5
compromising both business and personal data contained within
mobile devices. Because many mobile platforms are not natively 0
2006 2007 2008 2009 2010 2011
designed to provide comprehensive security, hackers have a
Mobile OS exploits
strong incentive to develop new techniques or create mobile-
centric malware specifically for these devices. In a recent
IBM X-Force® security research report, mobile operating sys-
Figure 2: Mobile operating system exploits.
tem vulnerabilities have increased significantly (see Figure 1) and
exploits of vulnerabilities are also on the rise (see Figure 2).1
The latest smartphones are designed to provide broad Internet
and network connectivity through varying channels, such as 3G
Total mobile operating system vulnerabilitiees
or 4G, Wi-Fi, Bluetooth or a wired connection to a PC. Security
2006-2011 (Projected) threats may occur in different places along these varying paths
200
where data can be transmitted (see Figure 3). When a device
180
downloads a new mobile application from any online application
160
store, the software may contain malware that can steal or dam-
140
120
age data on the device and, in some cases, even disable the
100
mobile device itself. Most mobile devices now have Internet
80
connections, so common web-based threats that have attacked
60 laptops or desktops may also apply to mobile devices. A device
40 connected through Wi-Fi or Bluetooth is at greater risk
20 because the Wi-Fi source or the other Bluetooth-enabled
0
2006 2007 2008 2009 2010 2011
device may have been compromised and can play a role in a
“man-in-the-middle” attack (when a hacker configures a laptop,
Mobile OS vulnerabilites
server or mobile device to listen in on or modify legitimate
communications) or other attack type.
Figure 1: Total mobile operating system vulnerabilities.
4. 4 Securing mobile devices in the business environment
Wi-Fi device App store
Internet
Mobile Telco service
Web site
device provider
Mobile Corporate Corporate
device VPN Gateway intranet
(Bluetooth enabled)
Mobile device
A threat can occur
Figure 3: Flow of data transmission.
Because of the variety of communication mechanisms available No matter what the threats are, the targets that hackers try to
and increasing use of business applications on mobile devices, access and exploit typically consist of one or several of the
the security threats to mobile devices have evolved to all the following:
threats applicable to desktops or laptops, plus new threats that
are truly unique to mobile devices. Therefore, mobile devices ● Credentials to access business or personal accounts
need to be protected with an even broader set of security tech- ● Confidential business or personal information
niques than those employed for traditional desktop or laptop ● Phone or data communication services
operating environments. ● The mobile device itself
5. IBM Global Technology Services 5
The most frequently seen mobile device security threats are: malware developers in the past few years, the Google Android
platform is leading in new malware development, primarily due
● Loss and theft to its popularity and open software distribution model. The
● Malware mobile threat research report from Juniper Networks also states
● Spam that malware on Android grew 400 percent from June 2010 to
● Phishing January 2011.3
● Bluetooth and Wi-Fi
Malware can cause a loss of personal or confidential data,
Loss and theft additional service charges (for example, some malware can send
Small size and high portability make loss and theft top security premium Short Message Service (SMS) text messages or make
concerns when a mobile device is used in the workplace. phone calls in the background) and, even worse, make the device
According to a mobile threat study by Juniper Networks, unusable. Although quickly removed, numerous malicious appli-
1 in 20 mobile devices was stolen or lost in 2010.2 When devices cations recently found their way onto the Android marketplace.
are lost or stolen, all of the data stored on or accessible from the Some of these were legitimate applications that had been repack-
mobile device may be compromised if access to the device or the aged with a Trojan designed to gain root access or additional
data is not effectively controlled. privileges to users’ devices. Unsuspecting users may have had
malicious code or additional malware installed in that single
While not foolproof, some techniques can help reduce the risk download from the applications store. Malware can then spread
of data compromise, such as using a complex password to access quickly through a wired or wireless connection to another device
the device or critical data, remotely locating the device on a map or a company’s intranet.
using global positioning services (GPS), remotely locking the
device to render it useless, or remotely wiping data on the Companies can significantly reduce the malware risk by adopting
device. Some mobile platforms natively provide these tech- a similar approach to be used for both mobile devices as well as
niques, and in the event they do not, basic platform capabilities the desktop and laptop environment. In addition to advising
can often be augmented by functionality available in third party employees to only download and install trusted applications and
mobile device management or mobile security solutions. take appropriate actions when suspicious applications are identi-
fied, a company should run antimalware software on each
Malware employee’s device to detect malware in real-time and scan the
Mobile device malware—viruses, worms, Trojans, spyware—has entire device periodically.
been on the rise over the past few years because most mobile
platforms do not yet have native mechanisms to detect malware.
Virtually no mobile platform available today is immune to
malware. Although more established mobile platforms such as
Symbian and Windows Mobile have been a proving ground for
6. 6 Securing mobile devices in the business environment
Spam application. Two-factor authentication is also useful to thwart
With the growth of text messaging, spam—unsolicited commu- phishing: First, a user enters a static password, then a
nication sent to a mobile device from a known or unknown second authentication factor, such as a one-time password or a
phone number—is also on the rise. Spam is not only a big con- device fingerprint, is dynamically generated to further authenti-
cern for mobile service providers because it wastes a significant cate the user. So even if a user’s static password is stolen by a
amount of bandwidth, but it is also a growing security issue for hacker using a phishing technique, the hacker cannot login to
mobile device users. According to the recent Global System for the genuine site without the user’s second authentication factor.
Mobile Communications Association (GSMA) pilot of the
GSMA Spam Reporting Service (SRS), the majority of spam Bluetooth and Wi-Fi
attacks are for financial gain, with 70 percent of reports of spam Bluetooth and Wi-Fi effectively increase the connectivity of
being for fraudulent financial services rather than the traditional mobile devices within a certain range, but they can be easily
advertising scenarios found in email spam.4 exploited to infect a mobile device with malware or compromise
transmitted data. A mobile device may be lured to accept a
We feel that the most effective method to thwart spam is to Bluetooth connection request from a malicious device. In a
define a blacklist to block spam messages either by using the “man-in-the-middle” attack, when mobile devices connect, the
functions of an antispam solution or by turning on the antispam hacker can intercept and compromise all data sent to or from the
feature on the device if it is available. connected devices.
Phishing Setting the device’s Bluetooth to an undiscoverable mode and
“Phishing” is an email or an SMS text message (dubbed, turning off the device’s automatic Wi-Fi connection capability,
“SMiShing”) sent to trick a user into accessing a fake website, especially in public areas, can help reduce risks. To completely
sending a text message or making a phone call to reveal personal block incoming connection requests from unknown devices, a
information (such as a Social Security number in the United local firewall should be installed and run on the mobile device—
States) or credentials that would allow the hacker access to finan- another traditional security practice that can be extended to the
cial or business accounts. Phishing through mobile browsers is mobile environment.
more likely to succeed because the small screen size of mobile
devices does not allow for some protection features used on the
Establishing a mobile security strategy
PC, like web address bars or green warning lights.
Creating a stringent strategy that defines guidelines and policies
helps lay the foundation for a more security-rich mobile envi-
The most effective antiphishing approach helps a user recognize
ronment. This strategy should focus on several key areas: Data
a fraudulent website when it is presented. Some financial institu-
and resources accessible from mobile devices, platform support,
tions have deployed “site authentication” to confirm to users that
management methodology and best practices.
they are communicating with a genuine website before they
enter account credentials from either a web browser or a mobile
7. IBM Global Technology Services 7
Initially, your organization should identify which business data it need to be employed to provide comprehensive security controls
will allow to be stored and processed on which mobile devices. for mobile devices. As such, depending on how these security
This helps determine what needs to be protected and to what solutions are delivered (on-premise or from the cloud), a
degree. Many enterprises only permit employee email, contact company may choose to use a hybrid model for device
and calendar information. Others allow access, through a security management.
browser or native mobile application, to other business-critical
applications such as enterprise resource systems (ERP) or cus- No matter what the mobile environment, a number of mobile
tomer relationship management (CRM). Different degrees of security policies and best-practice procedures need to be put in
access from mobile devices require varying levels of security con- place and should also be identified in the company’s mobile secu-
trols. However, it should be noted when business data flows rity strategic plan. Fortunately, many best practices that have
from a more strictly controlled location (for example, a database been exercised for desktops and laptops can be duplicated for
or a file server) to a less protected device, the risk of losing the mobile devices, such as:
data becomes greater.
● Specification of roles and responsibilities in managing and
You may also need to determine which mobile device platforms securing the devices
will be allowed in the business environment and, thus, need to ● Registration and inventory of mobile devices
be supported in the mobile security strategy and plan. Different ● Efficient installation and configuration of security applications
mobile platforms have different native security mechanisms that on devices
need to be outlined and understood, although applying a set of ● Automatic update of security patches, polices and settings
security controls to all supported platforms in a consistent man- ● Reporting of security policy enforcement status
ner is desirable. ● Employee education on securing mobile devices
Another important decision is the responsibility for mobile secu- Applying security controls based on a
rity management work, whether using the current IT security
framework
team to handle mobile devices, or outsourcing to a managed
Taking a broad look across the IT and business environment,
security service provider. Multiple security technologies may
IBM has developed a well-defined framework that
specifies security domains and levels for applying various
security technologies.
8. 8 Securing mobile devices in the business environment
When applied to mobile devices, the framework suggests the
following security controls, with actual requirements varying
by deployment:
IBM Security Framework
● Identity and access
SECURITY GOVERNANCE, RISK MANAGEMENT ● Data protection
AND COMPLIANCE ● Application security
● Fundamental integrity control
PEOPLE AND IDENTITY ● Governance and compliance
Identity and access
DATA AND INFORMATION ● Enforce strong passwords to access the device
● Use site authentication or two-factor user authentication to
APPLICATION AND PROCESS help increase the trustworthiness between a user and a website
● If virtual private network (VPN) access to corporate intranet is
allowed, include capability to control what IP addresses can be
NETWORK, SERVER AND END POINT accessed and when re-authentication is required for accessing
critical resources
PHYSICAL INFRASTRUCTURE Data protection
● Encrypt business data stored on the device and
during transmission
Common Policy, Event Handling and Reporting
● Include capability to wipe data locally and remotely
Professional Managed Hardware
● Set timeout to lock the device when it is not used
services services and software ● Periodically back up data on the device so data restore is possi-
ble after the lost device has been recovered
● Include capability to locate or lockout the device remotely
Figure 4: IBM Security Framework.
9. IBM Global Technology Services 9
Application security ● Platform support—The solution should support a variety of
● Download business applications from controlled locations mobile device platforms with a consistent, easy-to-manage
● Run certified business applications only administration console that is platform-agonistic to help
● Monitor installed applications and remove those identified to reduce security policies across different devices.
be untrustworthy or malicious ● Feature expandability—Mobile device technology advances
very rapidly and new mobile threats are evolving all the time.
Fundamental integrity control The solution must be flexible enough to accommodate future
● Run antimalware software to detect malware on storage technology changes and incorporate more advanced capabili-
and in memory ties to counter new threats.
● Run a personal firewall to filter inbound and outbound traffic ● Usability—Features that are easy to use and require little user
● Integrate with the company’s VPN gateway so a device’s secu- intervention can help drive acceptance by end users and
rity posture becomes a dependency for intranet access increase the effectiveness of security control.
● Reporting and analysis—The solution needs to contain
Governance and compliance
reporting and analysis capabilities, with information that helps
● Incorporate mobile security into the company’s overall risk the company to support policy and regulation compliance, rec-
management program ognize the mobile threat landscape and evaluate the solution’s
● Maintain logs of interactions between mobile devices and the effectiveness in countering threats.
company’s VPN gateway and data transmission to and from ● Deployment and management—No matter how capable a
servers within the intranet
security solution is, its value is greatly diminished if it cannot
● Include mobile devices in the company’s periodic security audit be efficiently deployed or easily managed. The company needs
to carefully assess the overall efforts required for initial roll-
Choosing the right solution out and ongoing management of a solution.
When choosing a mobile security solution, several factors need
to be taken into consideration: Another important decision in the solution choice is who will be
responsible for the overall mobile security implementation effort
● Solution architecture—The solution should be built on a and subsequent ongoing management. Although it is possible to
sound client-server architecture in which the server centrally have the current IT team responsible for desktop and laptop
controls and manages security policies and settings for various management and security also handle mobile devices, resource
security features. The client should be installed on the mobile or skills constraints could prove challenging, particularly in a
device and regularly communicate with the server to enforce global, heterogeneous environment.
policies, execute commands and report status.
10. 10 Securing mobile devices in the business environment
Outsourcing is another option. Leveraging the industry- wide IBM Security Services provides a wide set of managed
mobile security expertise of a managed service provider can not services, including:
only free up in-house IT resources, but also inject policies
and procedures that can, down the road, build up internal skills ● Requirement assessment and policy design
without putting the enterprise at risk. In addition, an outside ● Training and providing knowledge assets
provider may have the ability to provide a range of delivery ● Guidance for production roll-out
options, from on-premise to in the cloud, or even a hybrid ● Monitoring, alerting and reporting
solution that may better fit the enterprise’s changing needs. ● Policy maintenance and calibration
● Threat intelligence sharing
IBM hosted mobile device security
solution provides security from the cloud The solution combines industry-leading mobile security
To help organizations embrace both company- and employee- technologies with IBM’s deeper security knowledge and
owned mobile devices in a security-rich environment, highly skilled technical professionals around the world to help
IBM Security Services offers a robust mobile device security reduce risks and better manage regulatory compliance. With
management solution. The solution, built on a client-server IBM Security Services, companies can benefit from improved
architecture, helps efficiently deliver mobile security services operational, financial and strategic efficiencies across the enter-
from the IBM Cloud to mobile devices on a variety of platforms. prise, and, most importantly, can enhance their overall security
postures to increase their business competitiveness.
These services can help companies address the major mobile
security issues discussed in this paper with a single solution. For more information
By both leveraging existing mobile devices owned by branches To learn more about IBM Managed Security Services (Cloud
and employees in different groups or geographies, and avoiding Computing)—hosted mobile device security management, con-
the purchase of additional hardware or software, companies can tact your IBM marketing representative, IBM Business Partner,
reduce capital and operational costs. or visit the following website: ibm.com/services