People use the term consumerization of IT when discussing the effects of user-owned and managed devices being increasingly used within an enterprise environment. Approaches to enterprise information security haven’t yet caught up to this trend. The urgency with which we need to account for consumerization is particularly great with respect to modern mobile devices—powerful handheld gadgets such as smartphones and tablets.
Mobile Device Forensics
The majority of tools and techniques for mobile device forensics presently focus on examining the device belonging to a suspected criminal to recover evidence. Another scenario, which is currently not being addressed, is how to examine a mobile device that was infected while being used by a non-malicious employee. With the increased popularity of mobile devices, it won’t be long until an infected mobile device provides the attacker a gateway to the user's enterprise network.
Eric Huber highlighted this trend in his must-read article on the topic of forensics in the era of mobile devices, where he noted:
"The incident response and penetration testing world will need to rapidly adjust to the mobile device era given how the criminal element will be increasingly targeting these devices."
Adjusting the Security Architecture
Enterprises are coming to terms with the idea of employees connecting to the corporate network over a VPN from personal laptops and home workstations. However, most organizations haven't look at the effect that the proliferation of powerful mobile devices has on the enterprise security architecture.
Mobile devices sometimes have VPN-like access to the corporate network and in most cases have access to the company’s email contents, calendar and address book. The devices are as powerful as laptops were just a few years ago. Yet, their operating system’s security has not benefited from the test of time, and lacks most of the security controls we'd expect to find in a "legacy" workstation OS.
We need to understand how to model the threat vectors related to mobile devices and how to adjust the security of the enterprise architecture accordingly. The measures will probably involve:
- Greater segmentation of the company’s network
- Treating any device device that users interact with, whether it’s a desktop or a mobile phone, as an untrusted node
- Standards and tools to lock down the configuration of mobile devices
- Practices and technologies for managing vulnerabilities in applications and the OS of mobile devices
- Incident response plans that incorporate not only "legacy" IT infrastructure assets but also mobile devices