Mobile devices: the next internet security target 

Malnets are a lucrative source of income for distributors and they are becoming more sophisticated everyday. How can your business stay ahead of the distributors to protect your business?

Keeping corporate networks secure has never been more difficult, complex or overwhelming.

In the past six months there has been a 200 per cent increase in malware networks. Known as “malnets”, malware networks have delivered more than two thirds of malware attacks worldwide and are virtually impossible to shut down.

The rise of large malnets has turned malware into a highly lucrative business model that uses a combination of both mass-market and targeted threats to infect users or steal sensitive or proprietary information. And while the IT community grapples to keep up with computer security threats, cyber criminals are increasingly turning their attention to the vulnerabilities presented by mobile device platforms.

The new corporate network

Businesses are increasingly allowing mobile devices to access the corporate network. In fact, by 2016, 350 million employees globally will use smart phones at work and 200 million of these will be employee-owned devices.

Whether it’s through corporate mobile initiatives to improve workforce productivity, bring your own device policies to offer employees greater flexibility, or guest device programs to enable a closer working relationship with partners or customers; businesses must deal with two major challenges. Firstly, they must overcome exposure to web-based threats and inadvertent data loss via native mobile and mobile browser applications. Secondly, they must ensure employees follow corporate security policies.

While both business and employees make strides to embrace the shift to a more mobile workforce, many IT managers believe the productivity and flexibility benefits offered by mobile devices are inextricably linked with an increase in web security threats.

They are right to be concerned. Web-based threats are device agnostic, targeting users on desktops, laptops and mobile devices alike.  The increase in mobile devices with access to the corporate network provides cybercriminals with a new high value target for malware attacks and creates a potential security risk for businesses.

How malnets work

Malnets are extensive malware networks circulating on the internet, designed to deliver mass-market attacks on a continuous basis. They are developed, managed and maintained by cybercriminals seeking to steal personal information or transform end-user systems into botnets. 

To create additional complexity, malnets use this self-perpetuating process to launch multiple, varied and simultaneous attacks. For example, while a large search engine poisoning attack is targeting millions of different search terms, a concurrent spam attack could be generating millions of malicious emails. Each attack will use different trusted sites and incentives to lure users.

Since these malnet infrastructures last beyond any one attack, cybercriminals can quickly adapt to new vulnerabilities and repeatedly launch new malware attacks. By choosing the most popular places on the internet, such as search engines and social networking sites, malnets are able to infect multiple users with relative ease.

Why conventional security is failing

With the rise of mobile devices in the workplace, securing the corporate network now means securing the user. Yet there are significant gaps between the security that employees are willing to accept and IT managers expect on mobile devices accessing corporate data.

There are several risks associated with allowing mobile devices to access the corporate network:

1. Application security gap

Most existing mobile security solutions lack a control point over mobile browser applications and the operations within native mobile applications. For example, organisations must block the entire Facebook native app, rather than blocking employees from posting content within it. Comparatively, companies that choose to reduce controls face a high risk of inadvertent data loss and are unable to enforce acceptable use policies

2. Web-based threats

Web threats indiscriminately target all devices, regardless if they are desktop computers or mobile devices. These threats are also now able to reuse successful desktop tactics against devices.  Current information shows there are eight malnets circulating on the internet that target mobile users, three of which target mobile users exclusively.

3. Employee evasion of corporate IT policies

A recent global mobility survey conducted by IDC revealed a large expectation divide between IT managers and employees regarding the level of security that should be applied to mobile devices. For example, many IT managers see the risk of malware spreading from a mobile device to the corporate network as very high, while the overwhelming majority of employees feel their mobile devices are very secure.

Defending your network

For businesses trying to protect their users and data in an increasingly complex threat environment, a new type of security is required. Businesses must look for a unified security solution, which will extend the security perimeter of the corporate network by delivering global threat protection and universal policies to all users across the organisation.

While malnets are nearly impossible to kill, there are steps you can take to protect your organisation. One of the major issues faced by companies is that traditional anti-virus defences often fail to pick up malnet attacks until after the damage is done. Traditional signature-based defences are unable to keep up with the frequency with which these attacks are launched. The security industry must move to a proactive defence that can stay one step ahead of malnets.

Negative Day Defence offers a proactive approach to network security.  By identifying the malnets delivering the attacks and blocking them at the source, businesses are able to prevent new attacks before they are launched. This new type of proactive cyber-defence, combined with a robust business security policy, represents the future of internet security.

What businesses can do to increase mobile device security

To date, companies have struggled to find ways to balance the benefits offered by mobile devices and the threats they present to the corporate network. Today’s complex online environment demands a security solution that has the ability to meet an employee’s desire for access, balanced against the IT department’s need for protection against threats and a control point for native mobile and mobile browser applications.
When looking for a corporate network security solution that extends to mobile devices, there are several things you should look for:

1. Advanced defences: By blocking the threat delivery mechanism rather than specific threats, the Negative Day Defence protects users well in advance of the deployment of malnets. And since the Negative Day Defence blocks everything associated with known malnets, businesses are also protected against any other attacks delivered by these malicious infrastructures. Importantly, a security solution must protect against device-agnostic threats that indiscriminately target users on laptops, desktops, smartphones and tablets.

 

2. Granular application and operation controls: Most mobile device-level solutions simply block entire applications and offer no control over mobile browser applications. Look for a mobile device security solution that provides granular application and operational controls across both types of applications – native mobile and mobile browser.  These granular controls will allow you to set flexible IT policies that prevent inadvertent data loss and ensure consistent enforcement across the extended environment – closing the application security gap.

3. Contextual policies: Look for a mobile device security solution that supports a robust policy framework that intelligently applies policies based on user, device, location and content.  A flexible solution will allow your business to create policies that can accommodate both personal and business usage without compromising security.

Now is a crucial time for businesses to address these security challenges. Cyber criminals are increasing their strength using the advanced technology provided by malnets, while employees add to vulnerabilities on the corporate network with mobile devices. Enterprises understand the dangers of allowing access to corporate data from employee-owned devices, but haven’t yet determined the best approach to mitigate those risks.

Businesses today must look for a network security solution that leverages the same policy and protection infrastructure across deployment modes, ensuring consistent protection and policy enforcement regardless of location or device. Using this model, businesses will be able to combat and close the mobile security gap associated with mobile and remote users.

Image credit ©iStockphoto.com/Erik Khalitov