With the recent discovery of the huge Android vulnerability dubbed Stagefright, now is a good time to consider the security ramifications of your company’s mobile device management policy. Stagefright allows attackers to take over nearly any Android phone with just a text message.
Google was quick to issue patches for this vulnerability, but that doesn’t necessarily mean your users’ phones are patched. The convoluted nature of the Android ecosystem makes patching a potentially slow and hit-or-miss process. Once Google issues a patch or update, it has to trickle down to the device manufacturers and then to the individual mobile carriers before it’s finally pushed out to customers/endpoints over the air. (Apple devices, in contrast, receive iOS updates directly from Apple as soon as they are released.)
The result is that specific devices may or may not be patched at a given point in time. Early-bird hackers who reverse-engineer the first available patches could have a field day exploiting unpatched phones. And it’s up to the carrier whether it will continue pushing out updates for older devices, or simply abandon them. Numerous Android devices in current use—perhaps 50% to 80%—will thus remain forever vulnerable to Stagefright hacks.
How many of those vulnerable devices will have access to your enterprise network and data? For many organizations in this era of Bring Your Own Device (BYOD), the answer is “We don’t know.” This is why a mobile device management policy that gives your IT at least a basic level of control is so critical. Anytime you allow mobile devices to connect directly to corporate resources at will, you are asking for serious trouble.
At a minimum, you need to be able to control:
- What data mobile devices can access on your network
- How often mobile devices receive antivirus updates
- Whether lost or stolen devices can be “bricked” through some kind of remote wipe capability
For example, I’ve seen BYOD policies that simply enable users to connect their personal devices to a closed-off network where they can access social media sites, stream music or otherwise do things on their lunch breaks that they aren’t permitted to do with company-owned hardware. I’ve also seen BYOD policies that allow users to connect to the corporate network and access specific resources via a web portal. Both approaches get the job done, but could limit the productivity benefits of BYOD.
Device manufacturers can help provide some of these controls. Apple, in particular, has a robust iOS device management framework, and Samsung KNOX addresses a similar need on Samsung hardware. But most businesses need to manage a heterogeneous fleet of mobile devices, not just Android or iOS alone, and many device-agnostic MDM suites are available from third-party vendors for that purpose.
What is the best mobile device security policy for your organization? How can you straightforwardly and cost-effectively manage mobile device security given that you probably can’t patch or update employees’ devices at will? How will you protect network resources from mobile threats?
As part of its consulting practice around information security management, Pivot Point Security can help you develop and implement a mobile device policy. Contact us to talk over your current situation and concerns.