Mobility requires diligence about malware

Mobile devices in all forms are becoming ubiquitous and, for many people, they have become the primary way they access the web and communicate with others. Government’s adoption of mobile lags that of the private sector because of security concerns, but there’s little doubt that the mobile revolution is coming to the public sphere, whether government is ready for it or not.

With it will come what many people expect to be a tsunami of malware, as criminals and state-sponsored teams target government organizations and the hoards of valuable data that they possess. The only question still up for debate is when the onslaught will arrive.

A report by Kindsight Security Labs, for example, indicated a huge increase in mobile malware in 2013, with the number of mobile malware samples that Kindsight has observed up 20 times over the previous year. Actual infections increased by 20 percent, giving an estimate of more than 116 million malware-infected devices, the company said, of which 60 percent were Android smart phones.

Security vendor Symantec likewise tracked a big increase in mobile malware during the year, though it still considered the prevalence of the malware comparatively low. About 38 percent of mobile users in its survey reported having already experienced mobile cyber crime, the company said in its 2014 threat report, with lost or stolen devices being the biggest risk. Moreover, it said, the growth in new malware slowed as developers worked to perfect existing malware.

“Mobile users seem to be highly susceptible to scams via mobile apps,” Symantec said, “and therefore malware need not have exploded because bad guys perhaps don’t feel they need it yet.”

However, malware will prove a major headache for government relatively soon, particularly as BYOD becomes a bigger factor.

In its “Guidelines for Managing the Security of Mobile Devices in the Enterprise” (SP 800-124), published in June 2013, NIST outlined a number of items for government organizations to follow:

  • They should have a mobile device security policy that defines what resources can be accessed via mobile devices, and the level of access each type of device (tablets or smart phones, for instance) should have.
  • They should develop system threat models for mobile devices and the resources that are accessed through them.
  • Organizations should first determine the security services needed for their environment and then acquire solutions that collectively provide these services.
  • They should run pilot tests of mobile device security solutions before putting them into production.
  • They should fully secure each device before letting users access it.
  • They should regularly maintain mobile device security through such things as updates and patches.

However, these can give only general guidance on mobile security. They are an outline of the requirements needed to secure mobile devices and operating systems, said Mike Boyle, an NSA cryptographic expert, at an industry forum early in 2014. Organizations such as NSA then have to add things such as hardware-rooted security to the list.

Centralized resources such as mobile device, application and content management systems are also considered important for enterprise mobile security within agencies.

Because of the global popularity of Google’s Android operating system and the mobile devices that use it (they far outstrip the number of Apple iPads and iPhones), it’s a particular security focus for government officials. The Homeland Security Department, in an August 2013 memo, pointed out that more than 40 percent of Android users were still using older versions known to have security vulnerabilities that were fixed in newer ones.

“The growing use of mobile devices by federal, state and local authorities makes it more important than ever to keep mobile OSes patched and up-to-date,” DHS said.

Help for this looks to be on its way. Samsung, which is the most popular manufacturer of Android devices, introduced its Knox (as in Fort Knox) container technology in 2013 and has been evangelizing it to private and public organizations since.

Knox basically isolates applications and data in specific domains on the device, enabling each domain to have its own access and authentication policies. Agency IT administrators, for example, can then use Knox to allow Samsung owners to use their devices both for personal use and for agency applications, according to their level of access privileges.

“Knox was designed to bring to the market a device hardened all the way from the device itself through the operating systems and into the application layer,” said Johnny Overcast, director of government sales for Samsung Mobile. “And that allows us to check certain boxes from the compliance perspective to allow for use by both the military and public agencies.”

Knox is sparking a lot of interest in government circles, and that will probably only grow with the future launch of the next generation of Google’s operating system, Android L, which went into beta release in the middle of 2014. Although Samsung will keep machine-specific elements to itself, many other parts of Knox will reportedly be included in Android L, significantly enhancing the operating system’s inherent security and therefore boosting its appeal for government agencies.