Understanding Behavior and Unknown Vulnerabilities in Mobile and Social Environments

Posted by Tom Bain on May 29, 2012 at 10:03 AM

No one has to tell you that the increased usage of mobile and social applications, or of social applications on mobile devices, has reached an all-time high, and that this opens up a can of security concerns. (OK, I just told you that.) And there is lots of buzz, from a security standpoint, about different types of attack examples and how organizations are going to need to implement a strategy, and soon. (See my post from RSA.)

However, the most threatening security risks to the enterprise, outside of malicious or unknowing insiders, are clearly malicious third-party applications that often use sensitive user data. These applications take control of mobile devices for personal data retrieval, UI impersonation, unauthorized dialing and payments, or unauthorized network connectivity.

In social media networks, people are more willing than ever to share their personal information, either in third-party applications or on their profile. Especially in social networks, malicious software has become more subtle than in standard web applications, enticing users to answer personal questions that may compromise their private accounts as well as accounts related to their employer. URL shortening or obfuscation on Twitter, Facebook, or LinkedIn are popular methods that attackers use to hide the real destination of a link, which can ultimately lead to malware content that propagates.
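The post mentions URL shortening and obfuscation as a way to hide a link's real destination. The following is an added example, not code from the original post or from Security Innovation, showing the two defender-side checks a practitioner would want: follow the redirect chain to find where a shortened link actually lands, then inspect the final URL for common obfuscation indicators (userinfo before the host, a raw IP address as host, punycode labels, a known shortener host, plain HTTP). The shortener host list and the redirect table are constructed for illustration; the table stands in for the HTTP 3xx responses a HEAD request would return, so the example runs offline.

```python
"""Resolve shortened links and flag obfuscated URLs (added example, constructed data)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed, illustrative list of link-shortener hosts (not exhaustive).
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}

# Constructed redirect table standing in for Location headers from HEAD requests.
# The final URL here uses the "user@host" trick: the real host is 203.0.113.10
# (a documentation address), not login.example-bank.com.
FAKE_REDIRECTS = {
    "http://bit.ly/abc123": "http://t.co/xyz",
    "http://t.co/xyz": "http://login.example-bank.com@203.0.113.10/update.exe",
    "http://ow.ly/loop1": "http://ow.ly/loop2",
    "http://ow.ly/loop2": "http://ow.ly/loop1",
}


def obfuscation_indicators(url):
    """Return the reasons a URL looks obfuscated; an empty list means none found."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if parts.username is not None:
        reasons.append("userinfo before host (the real host is after '@')")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address used as host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) host label")
    if host in SHORTENER_HOSTS:
        reasons.append("link shortener host hides the destination")
    if parts.scheme == "http":
        reasons.append("plaintext HTTP")
    return reasons


def resolve_chain(url, lookup=FAKE_REDIRECTS.get, max_hops=10):
    """Follow redirects using `lookup` (url -> next url, or None when final).

    Returns (final_url, chain, status) where status is "resolved", "loop"
    (the chain revisits a URL) or "too_many_hops" (max_hops exceeded).
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = lookup(chain[-1])
        if nxt is None:
            return chain[-1], chain, "resolved"
        chain.append(nxt)
        if nxt in seen:
            return nxt, chain, "loop"
        seen.add(nxt)
    return chain[-1], chain, "too_many_hops"


def assess(url):
    """Expand a link and report its final destination with any obfuscation flags."""
    final, chain, status = resolve_chain(url)
    return {
        "final_url": final,
        "hops": len(chain) - 1,
        "status": status,
        "indicators": obfuscation_indicators(final),
    }


if __name__ == "__main__":
    for link in ("http://bit.ly/abc123", "http://ow.ly/loop1", "https://www.example.com/page"):
        print(link, "->", assess(link))
```

To use this against live links, replace the `lookup` argument with a function that issues a HEAD request without following redirects and returns the `Location` header (or `None` when there is none); the loop and hop-count handling in `resolve_chain` is what keeps a malicious redirect loop from hanging the check. Flagged URLs are a signal for review or blocking, not proof of malice: legitimate sites also use shorteners and plain HTTP.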

Aside from risks posed by malicious means, existing vulnerabilities can pose unintentional risks, such as unpatched applications or vulnerable default apps on mobile devices and tablets. In addition, there is always the risk that individuals do not recognize what constitutes proper control when sharing sensitive information about their company or on their company's network.

A few quick ways IT security professionals can respond to these increasing threats and enforce security controls on mobile devices and social media networks include:

  • Encrypting data on all mobile devices
  • Forcing secure connectivity on unsecured public networks
  • Identifying social networking security threats and creating policies designed to protect data and reputation
  • Learning best practices for using mobile devices and social media so as to avoid security threats

We just released a new series of mobile and social media security courses on our TeamProfessor eLearning platform that can really help companies that haven't started to think about how they will counter the mobile and social threats they are probably already facing (and may be unaware of).

For more technical information on mobile application risks and best development practices, we recommend taking the Fundamentals of Secure Mobile Development course, or, if you are interested in exploring best practices around the key issues in Web 2.0 security, take a look at The Fundamentals of Web 2.0 Security; both are available now. For non-technical personnel, or really anyone in ANY organization, I'd recommend Security Awareness - Mobile and Social Media, a 30-minute training course on the security challenges posed by mobile and social media platforms.


Topics: security awareness, online security safety, mobile security, social media

Written by Tom Bain