Incorporating Mobile Devices into Enterprise Security

Enterprise security hasn't kept up with consumerization—powerful mobile devices often have VPN access and email but lack mature OS security controls. Organizations need greater network segmentation, standards for mobile device lockdown, vulnerability management for mobile apps, and incident response plans that include phones.

People use the term consumerization of IT when discussing the effects of user-owned and managed devices being increasingly used within an enterprise environment. Approaches to enterprise information security haven’t yet caught up to this trend. The urgency with which we need to account for consumerization is particularly great with respect to modern mobile devices—powerful handheld gadgets such as smartphones and tablets.

Mobile Device Forensics

The majority of tools and techniques for mobile device forensics presently focus on examining the device belonging to a suspected criminal to recover evidence. Another scenario, which is currently not being addressed, is how to examine a mobile device that was infected while being used by a non-malicious employee. With the increased popularity of mobile devices, it won’t be long until an infected mobile device provides the attacker a gateway to the user’s enterprise network.

Eric Huber highlighted this trend in his must-read article on the topic of forensics in the era of mobile devices, where he noted:

“The incident response and penetration testing world will need to rapidly adjust to the mobile device era given how the criminal element will be increasingly targeting these devices.”

Adjusting the Security Architecture

Enterprises are coming to terms with the idea of employees connecting to the corporate network over a VPN from personal laptops and home workstations. However, most organizations haven’t looked at the effect that the proliferation of powerful mobile devices has on the enterprise security architecture.

Mobile devices sometimes have VPN-like access to the corporate network and in most cases have access to the company’s email contents, calendar and address book. The devices are as powerful as laptops were just a few years ago. Yet, their operating system’s security has not benefited from the test of time, and lacks most of the security controls we’d expect to find in a “legacy” workstation OS.

We need to understand how to model the threat vectors related to mobile devices and how to adjust the security of the enterprise architecture accordingly. The measures will probably involve:

About the Author

Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. As CISO at Axonius, he leads the security and IT program, focusing on trust and growth. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a popular Linux toolkit for malware analysis. Lenny shares his perspectives on security leadership and technology at zeltser.com.