The Android platform is experiencing a phenomenon that Windows users have known for years: malware onslaught. As I showed you in my recent, "Should security concerns slow BYOD trend? Probably.," article, Android devices are being targeted at an alarming rate. In fact, this Android malware threat has grown so quickly that some security researchers and security analysts predict that more than one million high-risk Android apps will enter enterprises this year.
The two primary factors leading this Android landscape decimation:
- Android's popularity.
- Its open source code.
I'm afraid that it's true. Android's popularity and open nature are also its undoing.
Malware writers and proliferators look for two things in their quarry: a large attack surface and low-hanging fruit, such as exposed source code.
Malware is malicious software that can take many forms: viruses, worms, trojan horses and spyware.
Although the Windows source code isn't exposed, Windows had a lot of low-hanging security vulnerability fruit ripe for the picking and a huge attack surface. Android's sheer popularity, familiar Linux underpinnings and exposed source code makes it easy prey for those bent on creating software-based havoc for millions of innocent users.
Infonetics conducted a survey that covered enterprise mobile security and found that,
- Approximately 1/3 of the respondents allow BYOD.
- More than 2/3 said "rogue" devices are driving new mobile security efforts.
- More than 3/4 said they have purchased or have researched mobile security software.
- Almost all enterprises will experience major security incidents by 2015.
The number one factor that enterprises are using to base their mobile security solution purchases on is cost.
Allow me to editorialize and maybe even "preach" for a moment on this topic.
If security threats are raising your awareness, why is cost the number one factor in your decision making? I know that costs have to be watched as carefully as front door security but seriously, you need to cut corners in some other areas and not in security. Perhaps you should cut out the catered lunches, trips to Las Vegas conferences, private jets, boxed seats at sporting events and other corporate fluff and perks before you go "cheap" on security.
Security is not the place to be penny wise and pound foolish.
OK, I'm stepping down from my soapbox.
One easy thing to do for mobile security is to require that anyone who attaches to a corporate network do so via a SSL VPN. The VPN guarantees that communications between the device and the corporate network are encrypted and can't be hijacked. VPN software is generally free and included on some mobile platforms.
A recent study conducted by Verizon's RISK Team and several international police organizations yielded some interesting results on malware and security breaches:
- 98% of all breaches were externally sourced.
- Only 4% of security breaches were internally linked to employees.
- 58% of data theft is tied to "hacktivist" groups.
- 81% of breaches involved some form of hacking.
- 69% incorporated malware.
- 79% of victims were targets of opportunity.
- 96% of attacks were not highly difficult.
- 94% of data compromised involved servers.
- 85% of breaches took weeks or more to discover.
- 92% of incidents were discovered by third parties.
- 97% of breaches were avoidable through simple or intermediate controls.
- 96% of victims subject to PCI DSS had not achieved compliance.
I want to draw your attention to the statistic that states "69% incorporated malware." That means that more than 2/3 of the current attacks launched are using some form of malware. That is not a small bit of information. It means that malware, that is malicious software that can take many forms: viruses, worms, trojan horses and spyware, is making its way into your company's devices.
The other interesting statistic that you should ponder is that "92% of incidents were discoved by third parties." Third parties such as security consultants, software vendors, hardware vendors and service engineers are finding the breach before anyone in your company does. Additionally and related, 85% of breaches took weeks or more to discover.
The threat is real. But it isn't just a threat, it is real data being stolen, real data being destroyed and real costs impacting your business.
If you're allowing BYOD in your company, implement security measures now. Hire a top notch security consultant and check your current status. Chances are very good that your data has already been compromised. If it has, you need to know.
Every device that has been connected to your network also needs to be checked for malware and compromise. The numbers that I've given you should convince you that there's a real problem at hand. Android devices are especially vulnerable to malware infections because of the number of App Stores from which users can pull apps. Google Play is reliable but there are many others that are not.
You should have mobile security software in place that dictates which App Stores are allowed. You should also require users to install software on their Android devices that checks for malware. It's also a good idea to have your users encrypt their Android devices.
Here's your bucket list of things to do to help prevent security breaches:
- Setup MDM/MAM software to manage mobile devices and security.
- Require VPN connectivity for all devices.
- Require device passwords.
- Require device encryption.
- Require anti-malware software.
- Implement ACLs and Firewalls.
- Audit data files.
- Setup alerts on logfiles.
This list will decrease your exposed attack surface by 90% or more. You can't remove all threats of compromise but you can certainly lower your risk to a more comfortable level.
What kinds of measures are you taking to lower your attack risk? Do you think that using Android devices is too risky? Talk back and let me know.