More and more people are using remote services to access corporate and Internet-based services from a remote PC at home, or increasingly from portable smart devices like laptops, phones and tablets while on the move. The trend arises from the increasing numbers of home-based and remote mobile workers needing to contact head office and the availability of public WiFi services providing 24/7/365 Internet access in public spaces.
There has been much discussion among IT and IT Online Security professionals about whether this environment is a potential security risk. The answer is that it is, and network and online security professionals need to take note of this new attack vector.
PC and server anti-malware systems are sophisticated, and the product of many years of research and development. Mobile apps, not as much.
There is also a view that the open systems used in most smart devices are inherently less secure than corporate server and PC systems. It also appears that most successful attacks used open systems as the carrier to deliver their payload.
The big question appears to be whether an online app on a smart device could exploit your online presence. Again the answer seems to be yes, and the outcome depends on the app target.
To look at some of the potential threats in a little more detail:
Bring Your Own Device (“BYOD”) is a double-edged sword for most IT departments. On the one hand, they don’t need the capital to buy equipment to be issued to users, but on the other, they lose control over the configuration of edge devices.
This has several significant implications:
Users can now attach their personal device and run whatever app they like on it. They don’t have a standard IT approved configuration, and they may or may not host anti-malware and anti-spyware software configured for regular automatic updates.
Again, with no control over the configuration or use of the device, IT cannot guarantee that it isn’t hosting malware such as rootkits. When the device interacts remotely with central systems, it increases the potential for malware attack attempts on central systems from apps hosted on the attached smart device.
Data and Intellectual Property theft
If a user copies corporate data to their smart device, IT has no control over its retention or use. An everyday example is downloading of email and email attachments. Documents are also generally found on the device.
If the user leaves the company or the smart device is lost or stolen, the data and probably corporate access information go with it. That is a clear security issue for the organisation. Without the user’s co-operation, IT has no easy way to remove the corporate data from the device. There are encryption and password protection apps, but there are, equally, apps that will break encryption and password protection.
Simply put, IT needs to be able to remotely access the smart device and reset it to factory settings.
Most environments will support devices from major manufacturers running standard apps and standard operating systems. However, users may try to attach devices that are not standard. They are often cheap clones of major brands and operate re-engineered or home-grown variants of the standard operating systems.
They may also try to use apps that come from unknown or dodgy sources.
IT departments have used lots of scarce resources to try to connect these devices when the user complains that it isn’t linking to WiFi. Sometimes, it is not possible to update or replace the operating system and firmware to correct problems. Again, non-standard security and communications systems may have loopholes that malware can exploit.
The increasing availability of WiFi in public spaces like hotels, restaurants and malls allows the road warrior to connect to corporate systems from almost anywhere in range of the WiFi network at any time. It also provides a channel for hackers to steal corporate and personal information if the connection is not properly secured.
This brings with it the need for secure connection modes to ensure that only authorised users can reach corporate resources. A VPN is essential to provide an encrypted and secure connection, preventing sniffing of transmitted data and man-in-the-middle or piggy-back attacks.
Again, if a mobile device is lost or stolen, or if an employee leaves, it is essential for IT to be able to rescind their connection credentials.