
Mobile Security: Protecting mobile devices in a corporate environment. Limit the list of data that can be transferred to cloud services. How to protect yourself from threats

Today, on a personal device, a user can play games, watch videos, hold video conferences and work with confidential corporate information. However, the BYOD (Bring Your Own Device) approach is fraught with security breaches.

Difference between old and new mobile devices

When buying their first cell phones, users were interested in how many contact records the phone could store. Storing them on the SIM card was inconvenient but reasonably safe (a PIN code and the ability to block access to the data). Today all data is kept in shared memory, and access to it by various applications is almost unprotected. Many communicators allow personal data to be encrypted, but applications that have access to it easily cache it.

Modern smartphones and tablets offer quite mature functionality, similar to that of their “big brothers”: remote administration, VPN support, browsers with Flash and JavaScript, synchronization of mail and notes, file sharing. All this is very convenient, but the market for security products for such devices is still poorly developed.

Access to mail and mailbox

Typically, access to mail services and mail synchronization are configured on the mobile device once. If the device is lost or stolen, attackers gain access to all correspondence, as well as to every service associated with that mailbox (password resets included).

Messengers

Skype, WhatsApp and similar messengers are standard on modern mobile devices, so all of a person's correspondence and contact lists may be at risk.


Documents, notes

Dropbox for mobile devices may well become a source of compromise for any documents, as well as for notes and calendar events. The capacity of modern devices is large enough that they can replace USB drives, and the documents and files on them are quite capable of pleasing attackers. Notes are often used on smartphones as a universal password reference book; password-storage applications protected by a master key are also common. Bear in mind that in this case the strength of all the stored passwords is equal to the strength of that master key and to the correctness of the application's implementation.

The address book

Sometimes information about certain people is very valuable.

Network tools

Using a smartphone or tablet for remote access to the workplace via VNC, TeamViewer and other remote administration tools is no longer uncommon, nor is access to the corporate network via VPN. By compromising their device, an employee can compromise the entire “secure” enterprise network.

Mobile banking

Imagine that your employee uses the remote banking system on a mobile device (modern browsers fully support this), and the same mobile device is registered with the bank to receive SMS one-time passwords and alerts. It is easy to see that the entire remote banking relationship can be compromised by the loss of one device.

The main ways information is compromised from mobile devices are loss and theft. We regularly receive reports of huge financial losses for organizations due to missing laptops, but the loss of an accountant's tablet with up-to-date financial information can also cause a lot of trouble. Malware for smartphones and tablets is currently more of a scary myth and a marketing tool, but we should not let our guard down, because this market is developing at a breakneck pace. Let's look at what security measures exist and how they are implemented in modern mobile operating systems.

Mobile OS protection tools

Modern operating systems for mobile devices have a good set of built-in security features, but often certain functions are not used or disabled.

1. Device blocking.

Imagine that your smartphone falls into the hands of a stranger. For most users, this means that someone gets access to everything at once. The device must be locked with a password: a strong one, or one combined with a limited number of entry attempts, after which the data on the device is wiped or the device is blocked.


2. Use of cryptographic means.

Encryption must be used for removable media and memory cards, that is, for everything an attacker can gain physical access to.

Passwords must not be saved in browser password managers, mobile ones included. It is advisable to restrict access to email and SMS correspondence and to use encryption.

There are many applications designed to store all your passwords on your mobile device. Access to the application is achieved by entering the master key. If it is not strong enough, the entire password policy of the organization is compromised.

Unfortunately, the means to enforce such a ban are only available for Windows Mobile devices; in other cases you will have to take the user's word for it. It is advisable to use software from large, well-known developers.

6. Using Exchange ActiveSync policies and anti-virus and other protection tools.

Where possible, this allows you to avoid many threats (including new ones) and, in case of loss or theft of the device, to block it and destroy the data on it.

7. If access to a trusted zone is granted, exercise careful control.

For users who have access to a trusted zone (the internal network via VPN, remote administration tools), compliance with the above rules must be monitored even more carefully (recommend that they use IPsec and do not store authentication data in applications). If such a device is compromised, the entire internal/trusted zone may be at risk, which is unacceptable.

8. Limit the list of data that can be transferred to cloud services.

Modern mobile devices and applications are built around many cloud services. Care must be taken to ensure that confidential and proprietary data, including trade secrets, is not accidentally synced or sent to one of these services.
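The device-lock, encryption and Exchange ActiveSync policy recommendations in this section can be expressed as a single mobile device mailbox policy. The following is an added example for the Exchange Management Shell (Exchange 2013 or later; the same cmdlets exist in Exchange Online), not material from the original article; the policy name, mailbox, device id and notification address are constructed placeholders.

```powershell
# Added example (not from the article). Assumes an Exchange Management Shell
# session; names and addresses below are placeholders.
$policyName = 'Corp-Mobile-Baseline'            # hypothetical policy name
$mailbox    = 'employee@example.com'            # placeholder mailbox
$alertTo    = 'secops@example.com'              # placeholder notification address

# Point 1 (device lock) and point 2 (cryptographic means) as EAS settings:
#  - a non-simple alphanumeric password of at least 8 characters, 3 character classes
#  - auto-lock after 5 minutes of inactivity
#  - device wipes itself after 8 failed unlock attempts
#  - encryption of device memory and of storage cards is mandatory
#  - devices that cannot apply the whole policy are refused (no "trust the user")
New-MobileDeviceMailboxPolicy -Name $policyName `
    -PasswordEnabled $true `
    -AllowSimplePassword $false `
    -AlphanumericPasswordRequired $true `
    -MinPasswordLength 8 `
    -MinPasswordComplexCharacters 3 `
    -MaxInactivityTimeLock '00:05:00' `
    -MaxPasswordFailedAttempts 8 `
    -PasswordExpiration '90.00:00:00' `
    -PasswordHistory 5 `
    -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true `
    -AllowNonProvisionableDevices $false `
    -DevicePolicyRefreshInterval '01:00:00'

# Make it the default for new mailboxes and assign it to an existing one.
Set-MobileDeviceMailboxPolicy -Identity $policyName -IsDefault $true
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName

# Point 6 (control): check which devices sync this mailbox, whether they are
# allowed, when they last synced and whether they support remote wipe.
Get-MobileDeviceStatistics -Mailbox $mailbox |
    Select-Object DeviceType, DeviceOS, DeviceId, DeviceAccessState,
                  LastSuccessSync, IsRemoteWipeSupported

# Loss or theft: wipe the device the next time it connects and notify SecOps.
# Replace the placeholder DeviceId with the value from the report above.
$lostDeviceId = 'PLACEHOLDER-DEVICE-ID'
$lost = Get-MobileDevice -Mailbox $mailbox | Where-Object { $_.DeviceId -eq $lostDeviceId }
if ($lost) {
    Clear-MobileDevice -Identity $lost.Identity -NotificationEmailAddresses $alertTo -Confirm:$false
}
```

A wipe is queued server-side and only takes effect when the device next syncs, so it complements, rather than replaces, the local lock and failed-attempt wipe enforced by the policy.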

Conclusion

In conclusion, for corporate use it is advisable to standardize on a single platform (or better yet, the same devices) with corporate-class software installed that can be configured and updated centrally. It is clear from the above that an information security policy for mobile devices must be developed and implemented, its implementation checked, and the Exchange server used to set EAS policies. This article did not cover BlackBerry OS (due to its almost complete absence from the Russian market), but it is worth noting that this platform is a corporate standard in many countries around the world.

Many modern users are increasingly choosing mobile devices as their main way of accessing the Internet. With smartphones and tablets you can now satisfy almost any Internet need: various applications (Instagram, Twitter, VK, Facebook), a built-in camera, and the portability of the device. It is not at all surprising that cybercriminals have taken aim at mobile platforms, to which people inexperienced in information security are gradually migrating.

Introduction

It should be remembered that the main goal of modern cybercriminals is profit; the times when malware was developed for entertainment or purely destructive purposes are long gone. Consequently, attackers focus on ways of making money from the mobile devices of ordinary users. What are these methods, and how can you protect yourself from them? We look at this below.

Mobile ransomware

Ransomware has become an extremely common class of malware for desktop computers. Given this success, attackers decided to use similar schemes in the case of mobile devices. As a rule, they block the operation of the device, demanding a ransom from the victim, after payment of which they return control of the smartphone or tablet to the user.

Criminals also target call history, contacts, photos or messages, which almost always forces the user to pay the requested amount.

Among the most dangerous examples of ransomware for mobile devices is the first mobile ransomware to abuse an accessibility service. The malicious program is equipped with two extortion tools at once: it encrypts data in the device’s memory and can also change the PIN code to an arbitrary one.

Abuse of the Android Accessibility Service (a facility that makes the device easier to use for people with disabilities) is one of the most dangerous innovations adopted by cybercriminals. With it, attackers successfully attack the most popular mobile platform, Android.

A lot can also be done by using security flaws in the devices themselves, for example the Trustjacking vulnerability discovered in April. Trustjacking could be used by luring a user to a site containing specially crafted code.

Sometimes the security measures developed by Google and Apple for their stores, Google Play and the App Store, do not help either. For example, on Google Play experts came across one such messenger: after installation, it loaded a second application that collected information about the device’s location, saved calls, audio and video recordings, text messages and other private information of users.

With the growing popularity of cryptocurrencies and the rise in their exchange rates, attackers became interested in miner programs that extract cryptocurrency for the operator at the expense of ordinary users’ devices. In the same Google Play, researchers found such miners embedded in otherwise legitimate programs.

The collection of confidential data is also of interest to criminals, so they develop applications that can record calls made by a user on a mobile device running Android.

Many are of the opinion that, in terms of protection against malicious applications, iOS copes much better than its main competitor. Igor Pushkarev, former head of Vladivostok, who is under investigation, takes a different view: according to Pushkarev, this system's protection is extremely poor.

Contactless payments (Tap and Pay)

Have you already heard about NFC (“near field communication”)? In simple terms, the technology extends the contactless card standard by allowing users to pay for purchases with their mobile device. The device thus becomes linked to a bank account or credit card, which attracts scammers even more.

To steal user funds via NFC, attackers resort to the “bump and infect” method, which exploits vulnerabilities in NFC. This method has proven itself in the past, allowing criminals to steal money from citizens' accounts; the use of “bump and infect” is especially common in places such as shopping centers, parks or airports.

Methods for protecting mobile devices from cyber threats

In this section we will not write anything radically new; you have probably heard all these recommendations before. However, we will refresh our memory on the basics of safe work with mobile devices, which guarantee ordinary users the minimum level of security for their information that is simply necessary in the current situation.

You should remember the following nuances:

  • For ordinary users, it would be a good idea to install an antivirus program on the mobile device. With malware for mobile devices constantly evolving, you need to treat your smartphones and tablets like a desktop computer, which most users are sure to equip with an antivirus from some manufacturer.
  • Create more complex passwords. If you are still in the habit of using your pets' names as passwords, change this approach urgently. Create passwords that are at least 8 characters long, and do not forget that they must contain letters, numbers and special characters. It is highly discouraged to use words that are easy to guess, for example the name of your child or dog.
  • Keep your software updated. It will also be a good idea to ensure that the programs on your device are up-to-date, since upcoming updates eliminate certain vulnerabilities that could be used by attackers to gain access to your files.
  • Check bank statements and mobile payments. Make sure you stay on top of your transactions by regularly checking your mobile payments and bank statements for suspicious purchases made using your mobile devices.

In addition, and this is rather for the paranoid, disable unused functions. For example, it is better to keep GPS, Bluetooth or Wi-Fi turned on only while you are using them. And if possible, do not store personal data (passwords and other credentials) on your mobile device.

Conclusions

It is obvious that cybercriminals have long regarded mobile devices as one of their priority targets, and the introduction of technologies like NFC, which make these devices an even more tasty morsel for scammers, adds fuel to the fire. Always remember that attackers are interested in two things: your money and your personal data (which can then be sold or used to steal money). Based on this, decide what can be stored on the device and what is better left to more secure platforms.

3.1. The use of mobile devices and storage media in the Organization's IS means their connection to the IS infrastructure for the purpose of processing, receiving/transmitting information between the IS and mobile devices, as well as storage media.

3.2. The IS allows the use of only registered mobile devices and storage media that are the property of the Organization and are subject to regular audit and control.

3.3. On mobile devices provided by the Organization, it is allowed to use commercial software included in the Register of Approved Software and specified in the PC Passport.

3.4. Mobile devices and storage media provided by the Organization are subject to the same information security requirements as for stationary workstations (the appropriateness of additional information security measures is determined by information security administrators).

3.5. Mobile devices and storage media are provided to employees of the Organization on the initiative of the heads of structural divisions in the following cases:

    the need for a newly hired employee to perform his job duties;

    occurrence of a production need for an employee of the Organization.

3.6. The process of providing employees of the Organization with mobile devices and storage media consists of the following stages:

3.6.1. Preparation of the application (Appendix 1) in the approved form is carried out by the Head of the structural unit addressed to the Head of the Organization.

3.6.2. Coordination of the prepared application (to obtain a conclusion on the possibility of providing the Organization’s employee with the declared mobile device and/or storage medium) with the head of the IT department.

3.6.3. Submitting the original application to the IT department to account for the provided mobile device and/or storage medium, to make changes to the “List of Organization employees who have the right to work with mobile devices outside the territory of YOUR ORGANIZATION”, and to perform the technical settings for registering the mobile device in the IS and/or granting the right to use storage media on the Organization’s workstations (if the application is approved by the Head of the Organization).

3.7. Bringing mobile devices provided to employees of the Organization into the territory of the Organization, as well as removing them from it, is carried out only on the basis of the “List of employees of the Organization who have the right to work with mobile devices outside the territory of YOUR ORGANIZATION” (Appendix 2), which is maintained by the IT department on the basis of approved applications and transferred to the security service.

3.8. Bringing mobile devices belonging to employees of contractors and third-party organizations into the territory of the Organization, as well as removing them from it, is carried out on the basis of a completed application form (Appendix 3) for bringing in/removing a mobile device, signed by the Head of the structural unit.

3.9. When using mobile devices and storage media provided to employees of the Organization, you must:

3.9.1. Comply with the requirements of these Regulations.

3.9.2. Use mobile devices and storage media solely to perform your job duties.

3.9.3. Notify IS administrators of any violation of the requirements of these Regulations.

3.9.4. Treat mobile devices and storage media with care.

3.9.5. Operate and transport mobile devices and storage media in accordance with manufacturer requirements.

3.9.6. Ensure the physical security of mobile devices and storage media by all reasonable means.

3.9.7. Notify IS administrators of cases of loss (theft) of mobile devices and storage media.

3.10. When using mobile devices and storage media provided to employees of the Organization, it is prohibited:

3.10.1. Use mobile devices and storage media for personal purposes.

3.10.2. Transfer mobile devices and storage media to other persons (except for IS administrators).

3.10.3. Leave mobile devices and storage media unattended unless steps are taken to ensure their physical safety.

3.11. Any interaction (processing, reception/transmission of information) initiated by an employee of the Organization between the IS and unaccounted for (personal) mobile devices, as well as storage media, is considered unauthorized (except for cases agreed with the IS administrators in advance). The organization reserves the right to block or restrict the use of such devices and media.

3.12. Information about the use of mobile devices and storage media in the information system by the Organization's employees is logged and, if necessary, can be provided to the heads of structural divisions, as well as to the Organization's Management.

3.13. If an Organization employee is suspected of unauthorized and/or improper use of mobile devices and storage media, an internal audit is conducted by a commission whose composition is determined by the Head of the Organization.

3.14. Based on the clarified circumstances, an incident investigation report is drawn up and submitted to the Head of the structural unit for taking measures in accordance with the local regulations of the Organization and current legislation. The incident investigation report and information about the measures taken are subject to transfer to the IT department.

3.15. Information stored on mobile devices and storage media provided by the Organization is subject to mandatory verification for the absence of malware.

3.16. In case of dismissal or transfer of an employee to another structural unit of the Organization, the mobile devices and storage media provided to the employee are withdrawn.

January 12, 2017 at 10:00

Information security on mobile devices - a consumer perspective

Mobile devices are rapidly becoming the main way we interact with the world around us. The ability to stay constantly connected is an integral part of our lives today: our phones and all kinds of wearable devices expand our capabilities when buying products, obtaining banking services, entertainment, recording video and photographing important moments in our lives and, of course, communicating.

At the same time, thanks to mobile devices and applications, brands have gained a fundamentally new way to make themselves known, and this in turn has led to phenomenal growth in mobile technologies over the last decade. Unfortunately, the rapid growth of mobile technology penetration also creates more opportunities for cybercriminals.


Today, more and more high-value services that require careful attention to security are available to users through mobile devices (including, for example, mobile banking, payments and mobile IDs). Accordingly, hackers are well aware that by stealing authentication data through a mobile device they can gain unauthorized access to high-value online resources. In particular, hackers will try to gain access to financial information, to credentials for social networks and to contract data held by mobile network operators. Sometimes this may be enough to carry out full identity theft. This threat is becoming especially relevant now, when we are seeing an increase in the number of new mobile applications: according to a study by the Application Resource Center (Applause), 90% of companies intend to increase their investment in mobile application development by the end of this year.

There is an undeniable need to protect corporate resources, including companies' intellectual property and users' personal data, especially given the large number of devices in use today on which malicious code can run. If we do not pay due attention to this, we leave end users and, in particular, companies at the center of attention of attackers, who have more and more resources at their disposal and who increasingly resort to the latest technologies. They are experts in spreading malware: they deliberately use unofficial application repositories, embed malicious code in email messages, send malicious SMS and infect browsers, and they are ready to exploit any weakness or vulnerability without hesitation. That is why application providers should be wary of such threats and do what is necessary to help consumers feel secure, by offering solutions that provide strong protection against these vulnerabilities.

But how do we understand which security technology is needed in a particular case? How do we understand what is most in demand among end users and what poses the greatest threat to them? How do we know which security solutions they will use? What exactly will be most convenient for them? These are all important questions that need answers, which is why we decided to conduct a study surveying more than 1,300 adult smartphone users in six of the world's largest markets: Brazil, the UK, South Africa, Singapore, the Netherlands and the US.

After the survey, we summarized and analyzed the data obtained and compiled the results into a report. 66% of those surveyed say they would make more transactions if they knew their mobile devices were designed with security in mind, and a whopping 70% of end users would be willing to have digital IDs on their smartphones, but only on condition that all applications on their phones are fully protected from hacker attacks and vulnerabilities.

Other interesting survey results:

How to protect yourself from threats?

It is obvious that the growth potential has not yet been exhausted. The only question is how to ensure security for those who are ready to expand what they use their smartphones for. Our research, with answers on how this can be achieved and recommendations for earning consumer trust, is available

