Simplifying the Challenges of Mobile Device Security Three Steps to Reduce Mobile Device Security Risks Smartphones and tablets are invading the workplace along with the security risks they bring with
them. Every day these devices go unchecked by standard vulnerability management processes, even
as malware on phones and tablets continues to increase at rapid rates. Leaving mobile security out of
your integrated security strategy opens your network to security breaches, data loss, intellectual
property theft, and regulatory compliance issues. This whitepaper introduces three steps that mid-size
and large enterprises can take immediately to reduce security risks around mobile devices and
improve overall security management.
Simplifying the Challenges of Mobile Device Security Three Steps to Reduce Mobile Device Security Risks
Page 2
Contents
Executive Overview ..................................................................................................................... 3
Mobile Device Security: Just as Critical as Security for Desktops, Servers, and Networks .................. 4
Find the Risks: A Vital First Step in Mobile Device Security ............................................................. 5
Put Mobility In-Context: Integrating Mobile Device Security with Vulnerability Management .............. 6
Close the Gap: Centralized Management of Mobile and Physical Environments ................................. 7
Act Now to Safely Embrace the Consumerization of IT .................................................................. 12
Next Steps ................................................................................................................................ 12
About eEye Digital Security ........................................................................................................ 12
Simplifying the Challenges of Mobile Device Security Three Steps to Reduce Mobile Device Security Risks
Page 3
Executive Overview
A wide range of mobile devices—from BlackBerrys and Droids to iPhones and Tablets—are invading
the workplace. Front-line employees as well as senior management now demand the freedom to
bring their own devices to work and interact with corporate networks and data. However, the security
risks that come with those mobile devices typically go unchecked by traditional security management
processes and vulnerability management products—even as malware on smartphones and tablets
continues to increase at rapid rates.
In some cases, IT security managers may simply be unaware of the threats that exist in this
environment. In other cases, attacks may occur through mobile devices, but IT has no way to
determine the occurrence of an attack or the source of the attack. In both situations, IT security
teams are struggling to understand the true extent of their mobile security risk.
And, for those IT security pros that are keenly aware of mobile device security threats, many have
struggled to find a simple solution to discover weaknesses within their mobile environment. In short,
so few solutions have existed to help detect mobile vulnerabilities.
But, make no mistake about it; leaving mobile security out of your overall integrated security strategy
opens your network to breaches, data loss, intellectual property theft, and regulatory compliance
issues. With the use of smartphones and tablets on the corporate networks rising sharply, preemptive
measures are needed. This whitepaper introduces three steps that mid-size and large enterprises can
take immediately to find mobile device vulnerabilities and minimize the risk.
Simplifying the Challenges of Mobile Device Security Three Steps to Reduce Mobile Device Security Risks
Page 4
Mobile Device Security: Just as Critical as Security for Desktops, Servers, and Networks
Mobile devices are becoming more prevalent in the workplace. According to recent reports, more than
80 percent of employees now use personal smartphones for work-related purposes. And according to
other research, the creation of malware for smartphones and tablets was up 273 percent in the first
half of 2011.
These situations create major security challenges for IT managers, and the extent of the IT security
problem will only increase over time. According to Gartner, enterprises are forced to accommodate
consumer devices because employees now insist on having just one device for both business and
personal use. This makes mobile security an even greater challenge for IT security managers as they
struggle to understand and minimize the security risks that come with these devices.
The challenge is not going away and is likely to grow rapidly in scope, scale, and complexity. The
threats themselves are also going to grow exponentially, as described in a recent report from IBM X-
Force which documents a steady rise in the disclosure of security vulnerabilities affecting mobile
devices and finds that:
Malicious software targeting mobile phones is often distributed through third-party app markets.
Mobile phones are an increasingly-attractive platform for malware developers as the sheer size of
the user base grows rapidly.
Mobile malware is often capable of spying on a victim's personal communications as well as
monitoring and tracking their physical movements via GPS capabilities.
Given that many employees use their smartphones for both corporate and personal use, problems like
these pose a major threat to otherwise-protected corporate networks. But the problems have also
been difficult to address because IT often treat these devices differently, separating mobile device
security from their overall security and vulnerability management practices.
Simplifying the Challenges of Mobile Device Security Three Steps to Reduce Mobile Device Security Risks
Page 5
Find the Risks: A Vital First Step in Mobile Device Security
The first step in mobile device security is to identify and
inventory all threats. According to a 451 Group
report…“We believe most security and IT administrators
have turned a blind eye to scanning for weaknesses in
mobile device hardware, applications, and configurations
as so few tools have existed to help detect mobile
vulnerabilities.”
Many mobile device vulnerabilities originate from mobile
applications. Downloadable apps present many security
issues—including malware, which launches malicious
attacks, and spyware, which can be exploited for
malicious purposes, including collecting sensitive
information from the infected device.
And because mobile devices are constantly connected to
the Internet, Web-based threats have become a major
problem. This includes phishing scams, which can be
unleashed via websites, e-mail and text messages, and
social media sites such as Facebook, LinkedIn, and
Twitter. Mobile Internet users are also subject to drive-by
downloads when visiting malicious Web pages, or by
browser exploits delivered through a vulnerable Flash
player, PDF reader, or image viewer.
When you add in the vulnerabilities that can germinate
from within mobile-device hardware and firmware—along
with those caused by incorrect device configuration and
end-user failures to follow password policies—IT has a
wide range of vulnerabilities to discover and inventory
across all mobile devices accessing the corporate network.
This can be a massive challenge if the right solution is not
used.
Does BlackBerry = Security?
The long-popular BlackBerry device is
perceived to be secure, particularly in
comparison to Android and iPhone
devices. This is understandable since
BlackBerry has gained a reputation in
the mobile space during the past
decade as the "most secure" handheld
device and mobile platform available.
But the popularity of BlackBerry and
its breadth of applications has also
brought with it an increasing number
of vulnerabilities in both BlackBerry
servers and devices.
Blind trust security does not equal
security. To ensure security for these
devices, patches and updates must be
loaded on a regular basis, and there
are always configuration issues to be
concerned about. In addition to
staying on top of patches and
updates, organizations need to
monitor if the users of these devices
have disabled their passwords or
violated the password policy. Similarly,
it is important to identify and monitor
whether or not they have installed
unauthorized applications.
Simplifying the Challenges of Mobile Device Security Three Steps to Reduce Mobile Device Security Risks
Page 6
Put Mobility In-Context: Integrating Mobile Device Security with Vulnerability Management
The security risks that come with mobile devices typically go unchecked by traditional vulnerability
management practices. However, it’s important to analyze
mobile vulnerabilities within the context of, and alongside
with, all vulnerabilities associated with the network. This
comprehensive view will allow for the most appropriate
resolution based on the risks of operating the business and
protecting its data.
To put it another way, high risk is high risk—whether it’s a
vulnerability that might impact servers, the network
infrastructure, desktops, or mobile devices—it is still a risk.
Instead of considering each vulnerability area separately,
consider them all at once.
To do this effectively, IT needs a centralized, consolidated
view of all vulnerabilities—mobile and non-mobile. Only then
can IT make the best decisions around what to fix first.
Leading vulnerability management solutions assist with this
step by providing centralized management of all
vulnerabilities – from mobile devices to desktops and servers
– allowing IT to reduce overall security risk by extending
vulnerability management to mobile devices.
Doesn’t my Mobile Device
Management (MDM) solution
provide sufficient security?
Some enterprises have turned to a
Mobile Device Management (MDM)
solution to provision and manage
mobile devices. Although these
mobile device management
platforms work well for their
primary purpose—specifically,
device provisioning and
management —they are not built
for assessing mobile vulnerabilities.
Adding a complementary product
that specifically scans for
weaknesses in mobile device
hardware, applications, and
configurations is needed to reduce
mobile risk.
Simplifying the Challenges of Mobile Device Security Three Steps to Reduce Mobile Device Security Risks
Page 7
Close the Gap: Centralized Management of Mobile and Physical Environments
eEye Digital Security recently released a new version of its flagship product, Retina, which
dramatically reduces security risks in physical and mobile environments. Retina CS is the first
vulnerability management solution to provide mobile device assessment as part of its unified
vulnerability management solution, decreasing mobile security risks and protecting against data theft.
Retina CS helps medium and large enterprises address the challenge of thwarting mobile threats by
first scanning for vulnerabilities across all devices—regardless of whether or not each mobile device is
connected to the corporate network during the time of the scan. Retina CS also provides built-in and
custom audits to scan for weaknesses in mobile device hardware, applications, and configurations.
And, built-in reports provide guidance for risk prioritization and remediation.
Built-In and Custom Audits
Easily scan for weaknesses in mobile device hardware, applications, and configurations with built-in
audits. These audits scan for standard vulnerabilities as well as configuration and policy violations.
Or, create custom audits to scan for custom configurations/policies or applications.
Sample Built-In Audits
Simplifying the Challenges of Mobile Device Security Three Steps to Reduce Mobile Device Security Risks
Page 8
Sample Custom Configuration and Policy Audits
Simplifying the Challenges of Mobile Device Security Three Steps to Reduce Mobile Device Security Risks
Page 9
Sample Custom Application Audits
Simplifying the Challenges of Mobile Device Security Three Steps to Reduce Mobile Device Security Risks
Page 10
Out-of-the-Box Mobile Management
Easy-to-use reporting displays and ranks vulnerabilities involving devices and applications as well as
policy violations to accelerate risk prioritization and remediation.
Sample Mobile Vulnerability Report
Sample User Interface for Mobile Assets
Simplifying the Challenges of Mobile Device Security Three Steps to Reduce Mobile Device Security Risks
Page 11
Retina CS provides these capabilities while reducing the effort required by IT to securely manage their
environment. Retina CS includes a simple-to-deploy connector interface or mobile agents that are
securely connected to the mobile device repository (Blackberry Enterprise Server or ActiveSync),
deployed as agents on Android devices. Vulnerability discovery, reporting and management is
performed via a single tool, streamlining the remediation process and reducing exposure to risk.
Simplifying the Challenges of Mobile Device Security Three Steps to Reduce Mobile Device Security Risks
Page 12
Act Now to Safely Embrace the Consumerization of IT
As the consumerization of IT continues, mobile security is an increasingly serious IT security problem.
The visibility that Retina CS provides eliminates the ‘blind spots’ mobile devices can create to reduce
security risks in both physical and mobile environments. With Retina CS, organizations can gain
visibility into the risks associated with mobile devices residing on their network. And, it provides best
practice methods to include mobile device security as part of the organizations’ overall security
program.
Deploying Retina CS is critical for enterprises that plan to embrace the bring-your-own-device to work
approach. Retina CS helps enterprises move efficiently and effectively through the three key steps as
defined above so that they can monitor, control and determine what each mobile device is that
accesses the corporate network and the risk that each device imposes.
To successfully ride the “consumerization of IT” wave, organizations must prepare now to identify
what devices are being let in and the risks they bring with them.
Next Steps
Get Retina CS Community, for free
Retina CS Community, a free security console for up to 128 IPs provides centralized vulnerability
management, vulnerability assessment for BlackBerry mobile devices, and Microsoft and third-party
application patching. Download Retina CS Community for free now.
Find out more about eEye Mobile Device Security Solutions
eEye Mobile Solutions Overview
Retina CS Overview
Contact eEye today at 866.339.3732 or [email protected]
About eEye Digital Security
Since 1998, eEye Digital Security has made vulnerability management simpler and more effective by
providing the only unified vulnerability and compliance management solution that integrates security
risk discovery, prioritization, remediation, and reporting into a complete offering. Consistently the first
to uncover critical vulnerabilities and prevent their exploit, eEye leverages its world-renowned
research and development to strategically secure customer assets. Thousands of mid-to-large size
organizations, including some of the most complex IT environments in the world, rely on eEye
solutions to protect against the latest known, unknown, and zero-day vulnerabilities.