Mobile Computing Risks: Part 2
I discussed the problem of lost or stolen mobile computing devices at some length in my last blog entry. But as we all know, this problem is only part of the myriad of security-related problems that these devices introduce. Another part of the risk equation for these devices is the fact that in most cases, obtaining mobile access means that users must connect to networks other than an organization’s own network. It is thus generally much more difficult to control devices that are connected in this manner. Consider, for example, the issue of performing security maintenance (let alone IT maintenance in general). Suppose that a new worm that targets one or more mobile computing devices starts to spread and that installing a new patch prevents the worm from infecting these devices. System administrators can normally connect remotely to devices that are attached to their organization’s network and then push the patch to these devices through remote administration tools. The same is not true of users who are traveling or who are working from home, a hotel room, or an airport, however; they connect to networks other than their organization’s in order to ultimately reach their organization’s network. The likelihood that system administrators or remote administration tools will be able to connect to these devices and install the needed patch is minuscule. Consequently, the probability that mobile users’ devices will become infected is likely to be considerably higher.
Another significant security obstacle resulting from mobile computer usage is that when users are away from the office, they are less able to stay in the loop concerning security alerts regarding current incidents and threats. If a new worm surfaces, for example, warning users about what to do (as well as what not to do) to avoid an infection can greatly reduce the probability that users’ computers become compromised. Employees at work in their offices can be given fliers or can view posters in the hallways or closed-circuit TV notices in various locations in the workplace. In contrast, when they are away from their offices, there is no reasonable way for them to receive such warnings.
Similarly, when users connect their mobile computing devices to networks that are not owned and operated by their organization, their devices are normally subjected to a different set of threats from those within the organization’s network. Whereas an organization can provide security controls of its choice in its own network, it is powerless to do so in networks it does not control. In some instances, the security risk level associated with connecting to another network can be extremely high. Consider, for example, the many severe risks (especially the threat of unauthorized capture of cleartext information over wireless connections) that are inherent in open networks, such as those at Starbucks coffee houses and Internet cafes. It is also possible that mobile computing users might connect to a hostile network—a network owned and operated by computer criminals. Furthermore, there is always the danger of users connecting to open wireless networks to which they have not been granted authorized access. “Piggybacking” is illegal in only a few US states right now, but regardless of whether an employee who piggybacks illegally is caught, the possibility that the employee is detected and identified and that news of the activity spreads in the media raises the potential for negative media exposure for that organization.
Finally, mobile users often send email to others via email servers other than the ones that their organization owns and operates. This means that their email ends up being queued and stored on email servers that are not secured in the same manner as their own organization’s email servers, providing a prime opportunity for perpetrators seeking a path of least resistance. Additionally, business-related email is outside the organization’s control while it resides on mail servers the organization does not control.
Mobile computing has many advantages, ones that cannot be taken lightly, and if anything, it will continue to grow at an unprecedented rate. At the same time, however, the many risks that result from mobile computing must be considered and dealt with. Unfortunately, too many organizations are neglecting the latter.