This week IBM researchers released their X-Force 2011 Mid-Year Trend and Risk Report, highlighting rapidly evolving security threats across mobile platforms.
Report authors gathered their intelligence by analyzing a large portfolio of publicly disclosed data breaches and by monitoring a daily average of nearly 12 billion global security events through the first half of 2011. Drawing upon this wealth of information, researchers were able to reveal a number of important insights regarding the current state of mobile data security.
"For years, observers have been wondering when malware would become a real problem for the latest generation of mobile devices," said IBM X-Force threat intelligence and strategy manager Tom Cross. "It appears that wait is over."
The most notable takeaway from the study may be the team's projection that mobile security exploits will have doubled between 2010 and 2011. Analysts suggested that mobile device vendors may be partially responsible for this trend, as many have overlooked crucial security updates in their haste to get new products to market. Third-party application markets were highlighted as a key source for vulnerability.
However, the rise in mobile malware can also be attributed to the ongoing evolution of cybercriminal tactics. As more and more consumers have purchased mobile devices, hackers have inevitably followed their targets to the new platform. And as technology manufacturers and consumers continue to lag behind the curve on data security best practices, cybercriminals are profiting like never before.
With consumers relying on smartphones and tablets for an ever-expanding range of functions, they are bringing a wealth of sensitive data along with them. According to recent research from Confident Technologies, 97 percent of survey respondents reported accessing email from their mobile devices. Additionally, three quarters indicated that they use social networking applications and approximately half of respondents use their smartphone or tablet for online banking or stock trading purposes.
"Internet-enabled smartphones and tablets are quickly becoming the device of choice for everything from accessing work email, to social networking and even banking and shopping," said Confident CEO Curtis Staker. "However, people's lax security habits have made the mobile platform the new frontier for hackers, malware and fraud."
Aside from these common security threats, the IBM report also suggested that the percentage of "critical vulnerabilities" has tripled so far this year. These data crises were defined as more serious and pervasive attacks capable of compromising large networks and perpetrating high profile attacks such as those carried out by Anonymous and LulzSec.
Also known as Advanced Persistent Threats, these tactics are used by hackers to collect strategic intelligence from multiple levels of high-profile organizations including financial institutions and government agencies. The recent success of APTs has also drawn attention to the emerging practice known as "whaling."
This evolution of the common spear phishing attack targets end-users with a higher level of authority, such as a company executive with access to privileged information. Hackers are now conducting more extensive research on potential targets to create more convincing traps in their malicious emails.
"Although we understand how to defend against many of these attacks on a technical level, organizations don't always have the cross-company operational practices in place to protect themselves," added Cross.
To level the cybersecurity playing field, enterprise IT managers may be best served by a comprehensive mobile device management strategy that encompasses a balance of strong technical solutions and explicit policies.
According to Venture Beat, Cross suggested several simple but effective mobile device security steps every employee should be aware of. First, strong password and PIN protection provides a first line of defense in the event a smartphone or tablet falls into the wrong hands. Application management will also be critical. When possible, users should avoid downloading third-party apps. But regardless of the source, employees should always install security updates when prompted.
Unfortunately for enterprise IT managers, employee mobile device habits do not always match up with best practices. With that thought in mind, centralized and authoritative controls may be warranted to protect both the network itself and end-user data. Accounting for all mobile devices running on the company network and deploying endpoint security software will be a good first step. But according to PC World, effective usage policies may be an IT administrator's best friend.
Establishing a clear stance on mobile applications may stop a number of problems before they start, according to the source. Governing what can and cannot be downloaded on devices may seem harsh, but mobile devices should be protected from threats just like any other business productivity platform. Creating a testing protocol for new applications may also be wise as it allows companies to take advantage of innovations in a secure manner. Finally, dictating explicit guidelines regarding a device's end of life data sanitization may help patch a significant security loophole.
Security News from SimplySecurity.com by Trend Micro