BYOD security: Are agencies doomed to a permanent game of catch-up?

With the growing popularity and usefulness of mobile devices, the era of Bring Your Own Device in the workplace is either imminent or already upon us, depending on whom you’re talking with.

“BYOD is here, and everyone is working to make sure we can deliver things” through that channel, said John Harrison, group manager at Symantec Security Response.

That does not mean that your personal smart phone or tablet automatically will become a trusted part of the enterprise, but it will be increasingly difficult for administrators to keep them out. In many cases, it already is too late to try.

Related coverage:

Android app test demonstrates dangers for mobile devices

Tony Bennett left his heart, others leave mobile devices in San Francisco

“Some things you just can’t do,” said Gary Schluckbier, director of the secure products group at Motorola Solutions. “In some enterprises, banning personal mobile devices is one of them.” There always will be a risk trade-off in which usefulness must be balanced against threats, he said. “There are user cases where BYOD makes a lot of sense. In others, it doesn’t.”

The threats that make mobile devices a risk to the enterprise already are appearing. The amount of new malware being identified by security companies has shot up exponentially this year, and both government and industry are working to develop secure software and hardware for mobile devices. Despite these efforts, however, those in the industry offer little hope that they will be able get out in front of this threat curve.

Security is historically reactive, said Anup Ghosh, CEO of the security company Invincea. The same trends that have kept us playing catch-up with desktop and laptop security will continue in the mobile world, he predicted. “We’re seeing the same movie run over and over again,” Ghosh said.

That does not mean the outlook necessarily is gloomy, however. “Security will always follow, but the process can be quick,” said Mark Cohn, chief technology officer of Unisys Federal Systems.

Whether it will be quick enough remains to be seen. The pace of change in the computing environment is accelerating. For decades the desktop dominated, and then it was joined by the laptop. But no sooner has the laptop become a full-fledged partner than it is being pushed out by the tablet and smart phone.

Cohn predicts that, within a year, the desktop, tablet and smart phone will be the triumvirate of enterprise computing, and within another year the desktop is likely to be eliminated as a dominant platform. Eventually, a smart phone enabled with a Bluetooth keyboard and cloud storage could reign alone.

This shifting and convergence has not gone unnoticed by the bad guys. Malicious code for mobile devices has grabbed headlines in the past year, and McAfee’s latest quarterly threat report showed a sharp spike in new mobile malware, from fewer than 500 samples in the last quarter of 2011 to more than 6,000 in the first three months of 2012.

Android’s double-edged sword

The Android operating system is far and away the largest target for malware, accounting for more than three-quarters of the samples identified. In most cases, the code comes from outside the official Google app store for Android, McAfee researchers said. What makes Android attractive to criminals is the same thing that makes it attractive to developers and consumers.

“The Android is a platform that other people can use to make a product,” said Adam Wosotowsky, messaging data architect and research analyst at McAfee. “It allows for more creativity. For that reason, it’s more flexible.” Security features can be disabled and third-party applications easily installed.

On the other hand, because Android is open it also can be hardened. The National Security Agency has released a hardened version, Security Enhanced Android based on SELinux, an open-source project to identify and close security gaps in Android. Operating system aside, mobile devices in general offer a target-rich environment for hackers, in part because of the compact form factor.

“The platform is highly integrated, changes all the time and has a lot more attack surface,” said Motorola’s Schluckbier. Because many functions that might be separated on a larger device are combined on a single chip for a handheld, “we’re just starting to scratch the surface on threats.”

With malware, as with teenagers, a sudden growth spurt does not equate with maturity, researchers said. “It’s still in its infancy,” Wosotowsky said of mobile malware. “The number of malware samples we see for PCs is explosively higher than we see for smart phones.”

“So far, the underground economy is still figuring out how to monetize mobile threats in the way they have monetized desktop and laptop threats,” said Symantec’s Harrison.

In the United States, use of smart phones for financial transactions is not yet widespread, and common money-making scams for PCs — such as downloading fake antivirus programs or video codecs — are not as successful on mobile devices because most users are not yet thinking of putting antivirus software on their handhelds, and nobody wants to pay for new applications for a smart phone anyway.

Malicious apps

Malicious applications are the most common means of delivering malware to a mobile device, particularly unvetted software offered through third-party Android marketplaces. These Trojanized apps usually are corruptions of legitimate applications rather than built from scratch, Harrison said.

“We have seen some built from scratch,” Harrison said. “But hackers are lazy. Why go to the trouble? Android apps are totally easy to reverse engineer, compromise and upload. People seem to flock to them.”

The most successful fraudulent money-makers for mobile devices to date — and they don’t make a lot of money — probably are click fraud and premium billing for text schemes. But the growth in malware development going on today means that more serious threats are likely to appear as users become more comfortable in a mobile online world and criminals gain experience in the arena, Harrison said. “Once they figure out what’s working, we will see wider use.”

“Your cell phone is a little computer,” Wosotowsky said. “It is not immune to the problems associated with big computers. Eventually, there won’t be much difference between your PC and your cell phone. At that time, it [the cell phone] will certainly be the top target” for malware writers.

How long do we have before this happens? “We are starting to see the inflection point right here,” Harrison said. “We’re in the early stages.” Optimal security for a mobile device would be embedded in hardware, and that is where Motorola, an equipment manufacturer, is focusing it security efforts.

“Where we start is low in the device,” Schluckbier said. It also is hardening the operating systems adding features to Android and Windows Mobile. The company recently announced its Assured Mobile Environment in the AME 1000 Secure Mobile Telephony solution for Windows Mobile, which includes hardware-based cryptography and certificate management for voice.

The AME 1000 incorporates a crypto chip and Apriva Voice software and gateway, together with NSA Suite B voice encryption on its ES400 enterprise smart phone, which operates on both CDMA and GSM networks. Motorola plans to expand it to the Android OS as well.

One of the biggest physical threats to mobile data is the risk of losing the device. “You’re mobile, and the loss of data is only as far away as a thoughtless moment,” Schluckbier said.

Mobile military

The military recognizes the value of mobile devices, not only for use “behind the wire” in headquarters and garrison environments but also “outside the wire” in field deployments where they can provide constant communications with data and situational analysis both to commanders and to front-line troops. Fielding these devices in a combat environment entails considerable risk, especially since it often entails use of non-military carrier networks. The military and intelligence communities are countering this by hardening the Android operating system and developing their own secure apps.

Still, “most of the security has to do with loss-of-device scenarios,” said Invincea’s Ghosh.

Most of these protections fall within device management and range from simple controls, such as requiring password access and encryptiing file systems, to the more complex abilities such as remotely wiping a device that is unrecoverable.

“Today they use enterprise-issued devices,” Ghosh said of military and civilian government use. This traditionally has meant the BlackBerry, but the balance is shifting to the Android. “The range of applications available for BlackBerry is more limited. The federal workforce is very similar to the commercial; they want the latest in technology and they want to be able to use apps.”

Although hardened devices and operating systems are beginning to appear for government use, the bulk of the devices being used for work are consumer-grade, off-the-shelf phones and tablets that lack these security enhancements. And without secure devices, the current focus on mobile security will have to be on securing the data, security experts say.

“We are in the early days of the mobile security solution,” said Symantec’s Harrison, and the immediate goal is to be able to secure data — or at least avoid endangering it — on the devices.

“We have to have trusted users, trusted services and trusted platforms,” to ensure the security of data, said Unisys’ Cohn. But so far trusted identities have not been extended to mobile devices. Authentication still is based on website functionality developed for PCs, and there is little strong authentication for the mobile device and the device user that would ensure that information is being shared with the proper people under the proper circumstances.

Federal cyber strategy

The Obama administration’s National Strategy for Trusted Identities in Cyberspace envisions an identity ecosystem of commercial tools that could be adopted by government to achieve this goal. The ecosystem could allow the reuse of a limited number of credentials for many purposes, enabling the kind of strong but convenient authentication required for secure, widespread use of mobile computing. This system of shared, federated and widely trusted credentials does not yet exist on a large scale.

In the meantime, one method of mitigating the threat of mobile malware is to segregate system elements and functions so that code is less able to cross boundaries. Segregation also allows effective management of a device and the enforcement of policy. The ability to functionally separate enterprise from personal apps on the same device could allow personal devices to be more securely used in the workplace. Encrypted tunnels could be required for trusted enterprise apps, and access to file systems could be restricted to applications that are tagged for enterprise use.

Whitelisting — allowing only the installation of trusted applications on a device — also can help ensure that devices are operating securely.

Absolute security is impossible, however, and no amount of hardening, segregating or authenticating will completely eliminate the risks of mobile computing, especially in an environment that is developing so rapidly.

But don’t expect development to slow down to wait for security to catch up.

“Every major innovation in computing has come through a progress that was not managed coherently but was the result of independent effort from multiple players,” Cohn said. It is expensive to develop hardware and software that goes beyond the security that is “good enough for consumers,” he said, and demand for security will not direct the investment stream in the future.

“Maybe that is the price we pay for the fact that we allow innovation to occur.”