Information Security Forum Examines the Security Challenges Associated with Mobile Applications
By: Information Security Forum
Mobile devices have become the consumer computing platform of choice, originating half of website traffic in 2017, with consumers spending twice as much time on them as on desktop and laptop computers. As more currency and valuable information flows through mobile apps, the motivation and capability of malicious entities are increasing, turning security challenges into significant business issues. Attackers are leveraging these challenges to compromise organizations through their mobile apps. Hacking, including tampering, debugging or reverse engineering, may be performed without detection because organizations typically lack the capability to observe attacks against many of the apps in use, particularly those running on unmanaged devices. Failure to address the security challenges associated with apps may result in serious business impacts, such as prolonged outages, exposure of sensitive information or unreliable services. However, these impacts can be managed or prevented by finding the right balance of control, enabling the effective use of mobile apps.
"Mobile devices are always on, continuously network connected, and have an affinity for being lost or stolen – yet typically lack the security protection afforded to IT systems. Consequently, app security is tightly interlinked with mobile devices and the environment in which they operate," said Steve Durbin, Managing Director, ISF. "Locking down the mobile app environment may tempt individuals to side-step security controls to run their favorite, yet unapproved and insecure apps on unmanaged personal devices. However, both locking down the mobile environment and leaving it wide open can bring the same result: unapproved apps used for business. Securing Mobile Apps: Embracing Mobile, Balancing Control helps organizations find the right balance."
Mobile devices can come with different levels of security assurance. At one end of the spectrum are company-owned, managed devices that have trusted provenance. At the other end are unmanaged devices of unknown provenance, which may be owned by an employee or an external party. Taking advantage of the benefits of apps, without attracting excessive risk, requires balancing business needs between a locked-down environment and a wide-open one. Even approved apps can impact security, particularly if they are not developed securely, are used on unmanaged mobile devices or rely upon insecure cloud services.
According to the ISF, there are three important lessons to be learned:
1. Knowledge is paramount. Managing apps and their risk requires knowing which apps are processing what data, by whom, from where and for what purpose.
2. Prohibition is seldom an option; pragmatism is key. The vendor's app stores provide some security assurance about the apps they contain but cannot determine whether an app is suitable for a particular business use. Whether an app is used or not should be based upon risk, user satisfaction and the extent to which it meets business needs.
3. Service is essential. Securing the use of apps in an organization is not just about secure development; the level of IT and security operational support provided should be similar to that for other types of business applications.
"Mobile apps have affected the lives of many people. They have not only lowered the barrier to using powerful distributed computing services, they have smashed through it," continued Durbin. "The challenge is to service the business need for apps in a secure manner whilst providing individuals with a similar level of freedom, functionality and ease of use they are accustomed to in their personal life. Fail to get the balance right and unauthorized, high-risk apps will be used nevertheless to handle your sensitive information and support critical business processes."
Securing Mobile Apps: Embracing Mobile, Balancing Control is available now to ISF Member companies via the ISF website (http://www.securityforum.org/
About the Information Security Forum
Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organizations from around the world. The organization is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management and developing best practice methodologies, processes and solutions that meet the business needs of its Members.
ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organizations and developed through an extensive research and work program. The ISF provides a confidential forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions. By working together, ISF Members avoid the major expenditure required to reach the same goals on their own. Consultancy services are available and provide ISF Members and Non-Members with the opportunity to purchase short-term, professional support activities to supplement the implementation of ISF products.
For more information on ISF membership, please visit https://www.securityforum.org/