When we hear of mobile malware (especially on Android) growing 163 percent or infecting 32.8 million devices in 2012, it’s easy to understand why having a security strategy and solution for employee-owned devices is essential. However, what can sometimes get lost, especially for organizations looking to bolster their security posture, is how to prioritize security across the environment.
To be clear: establishing a perimeter defense in your network is important – very important. But if you’re a company that hasn’t already covered the basics, where should you begin? Many companies are now realizing that security is not just about holding the enemy at the gates, it’s also important to understand when the enemy is already within them. A good security posture starts by assuming you are compromised and then asking the hard questions: “Would I even know if I were compromised? What is the enemy doing? How can I stop them once they are inside?”
Security doesn’t start with BYOD – that’s just one aspect of a much larger picture. Should you really be focused on the doors to your house when the foundation is crumbling? Enterprise security shouldn’t be built like an M&M – crunchy on the outside, soft on the inside – it should be crafted more like a jawbreaker – hardened from the inside out. Of course, you want everything hardened, but you can’t tackle all aspects of your infrastructure at once. You need to prioritize based on risk and value. Attackers are after intellectual property and they have a particular appetite for credentials to help them come and go as they please. Build concentric circles of defense starting with your critical infrastructure, then extend to your application and database servers, and then encompass other sensitive systems like finance and your highest risk end-user systems (e.g., remote users, publicly accessible systems, etc.).
Also, what is a perimeter these days? With mobile devices and cloud computing, your corporate assets are being accessed from around the world, from internet cafes and homes, and by devices that don’t travel through any “known” perimeter (3G/LTE networks, etc.). Authors of advanced malware are currently targeting endpoints and servers with more regularity than mobile devices. Mobile attacks tend to be focused on small financial gains, not stealing intellectual property. So what we saw in the past with hackers changing dial-up modem settings to expensive toll lines and pocketing the cash, we now see with mobile hacking and expensive premium SMS messages: cybercrime, not cyberespionage.
Mobile devices still represent security vulnerabilities because of the unprotected credentials and company documents they store. The data on these mobile devices could always be used in more advanced attacks on desktops or servers in the future. So it should be part of your strategy to secure employee-owned devices that are not under your primary control. All I’m saying is: start at the center, where the data and systems are easily identifiable and proven technologies exist to stop advanced threats from executing in your environment. As you extend your security layers, you will be left with a security posture that’s more sour than sweet for cyberattackers.