The number of threats targeting mobile devices has been increasing significantly, and more security safeguards are needed according to a recent report from the United States Government Accountability Office.
The GAO was asked to determine common mobile security threats and assess the level to which public and private entities have responded to these vulnerabilities. The GAO study analyzed mobile security reports, policies, regulations and surveys in addition to interviewing representatives from federal agencies and private companies.
The office concluded that, while mobile security best practices are in development, the Federal Communications Commission (FCC) needs to encourage the private sector to adopt a broad baseline of industry standards. Additionally, the study recommended increased action from the Department of Homeland Security (DHS) to improve cybersecurity awareness. Noting the widespread adoption of mobile devices, the report sought to specifically pinpoint the major threats facing mobile users and identify the recommended data security safeguards.
Identifying key vulnerabilities
The GAO observed in its findings that the improved capabilities of mobile devices have created a set of malware risks similar to that of traditional computers, and pointed to a number of recent studies suggesting that the number and complexity of attacks are growing. For instance, its report noted that malware variants for mobile devices have risen 185 percent in less than a year, from 14,000 to 40,000, according to Juniper Networks.
In addition to enumerating varieties of cybercriminals and threats, the office outlined 10 specific vulnerabilities common to all mobile platforms.
One large set of mobile vulnerabilities revolves around authentication and encryption, according to the study. Researchers determined that many mobile users do not have passwords enabled on their devices, or that they use extremely simple passwords such as 1234 or 0000. Additionally, consumers generally use static passwords instead of two-factor authentication when handling sensitive mobile transactions. Mobile users also are prone to using unencrypted Wi-Fi networks, which can raise the risk of data interceptions.
Malware is an increasingly persistent problem for mobile users. Consumers run the risk of downloading malware-laden applications that are often disguised as games, security patches or other legitimate utilities, the study noted, a problem compounded by the fact that many mobile devices do not use security software or run out-of-date software and operating systems.
The GAO also identified a set of security problems tied to limitations placed on device connections, pointing out that many mobile devices do not have native firewalls. Mobile devices without firewalls may have unsecured communication ports that leave them vulnerable. The same problem holds true for other communication channels such as Bluetooth ports, the study said.
These vulnerabilities are of special risk to users who jailbreak their devices, thus removing several default security features. While jailbreaking can allow users to install more advanced security software such as firewalls, it can also open up devices to a wider range of malicious programs, the study said.
As part of its study, the GAO ran a comprehensive survey of the mobile security controls and practices available to individuals and organizations, identifying common protection methods for the vulnerabilities it outlined. Many were direct fixes to the threats – for instance, the standard solution for not implementing a password is to implement a password. However, a number of enterprise-level recommendations expanded upon the more obvious fundamentals.
Organizations can use mobile device management software that centralizes mobile security across all individual users to conform to policy, the report noted. It also pointed out that organizations can require that devices meet government specifications before deployment. These specifications include hardware and software security requirements.
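The kind of centralized policy check an MDM product performs is easiest to see in code. The following is an added illustration, not code from the GAO report or from any MDM vendor: it evaluates a constructed device inventory against a baseline made up of the controls named above (a passcode that is present and not a trivial PIN, storage encryption, a current OS, no jailbreak, security software installed, two-factor authentication for sensitive transactions). The field names, the minimum OS version and the minimum passcode length are assumptions chosen for the example; a real deployment would take them from its own policy.

```python
"""MDM-style baseline compliance check over a device inventory.

Added example: the baseline values and record layout are assumptions for
illustration, not the GAO report's or any vendor's actual policy.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MIN_OS_VERSION = (10, 3)   # placeholder minimum (major, minor)
MIN_PASSCODE_LENGTH = 6    # placeholder policy value


@dataclass
class Device:
    device_id: str
    os_version: Tuple[int, int]
    passcode: Optional[str]          # None: no passcode configured
    encrypted: bool                  # storage encryption enabled
    jailbroken: bool
    security_software: bool
    two_factor_for_sensitive: bool   # static password only if False


def is_trivial_pin(pin: str) -> bool:
    """Detect the 'extremely simple' PINs the report cites (1234, 0000, ...)."""
    if not pin.isdigit():
        return False
    if len(set(pin)) == 1:                     # repeated digit: 0000, 1111
        return True
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})                # ascending or descending run


def check_device(d: Device) -> List[str]:
    """Return the list of baseline controls this device fails, in a fixed order."""
    violations = []
    if d.os_version < MIN_OS_VERSION:
        violations.append("os_outdated")
    if d.passcode is None:
        violations.append("no_passcode")
    else:
        if len(d.passcode) < MIN_PASSCODE_LENGTH:
            violations.append("passcode_too_short")
        if is_trivial_pin(d.passcode):
            violations.append("trivial_pin")
    if not d.encrypted:
        violations.append("storage_unencrypted")
    if d.jailbroken:
        violations.append("jailbroken")
    if not d.security_software:
        violations.append("no_security_software")
    if not d.two_factor_for_sensitive:
        violations.append("static_password_only")
    return violations


def audit(fleet: List[Device]) -> Dict[str, List[str]]:
    """Map every device id to its violations (empty list means compliant)."""
    return {d.device_id: check_device(d) for d in fleet}


def noncompliant_devices(fleet: List[Device]) -> List[str]:
    """Ids of devices an MDM would block from deployment until remediated."""
    return [dev_id for dev_id, v in audit(fleet).items() if v]


# Constructed sample inventory for the example (not real device data).
SAMPLE_FLEET = [
    Device("tablet-01", (10, 3), "483921", True, False, True, True),
    Device("phone-02", (9, 1), "1234", False, False, True, False),
    Device("phone-03", (10, 4), None, True, True, False, True),
]

if __name__ == "__main__":
    for dev_id, violations in audit(SAMPLE_FLEET).items():
        status = "compliant" if not violations else ", ".join(violations)
        print(f"{dev_id}: {status}")
```

The check is deliberately ordered and returns names rather than printing, so the same function can drive an enrollment gate (refuse devices with any violation) or a periodic report; the trivial-PIN test catches repeated digits and straight runs, which covers the 1234 and 0000 cases the report singles out without needing a wordlist.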
Industry and government plans for implementation
Although these controls are available, initial efforts across the public and private sector to address security vulnerabilities have not always led to their implementation, according to the report. While the FCC has tasked several groups with identifying cybersecurity threats and private carriers reported participation in standards-setting organizations, the GAO found that many safeguards are not implemented.
The office noted that a National Cyber Security Alliance survey found 30 percent of respondents did not have mobile security features on their smartphone and that, while device manufacturers and carriers offer security settings on their devices, those settings are seldom activated when the user first purchases the device.
Pointing out that the FCC has the ability to encourage mobile companies to implement mobile security measures, the GAO recommended that the communications agency push the private sector to create a broad baseline of standard mobile safeguards.
The office also observed that, while the DHS has partnered with nonprofits to build awareness, it has not established any benchmarks for measuring success. The study recommended the DHS adopt practices for evaluating its success. These recommendations were generally endorsed by the federal agencies to which they were directed.
They also come on the heels of a DHS announcement that the security agency will launch a cybersecurity awareness web portal in December, just one government initiative that aims to expand cybersecurity efforts in the private sector by offering career training resources.
Security News from SimplySecurity.com by Trend Micro