La Mobilephobie : Un ensemble de craintes qui touche généralement les RSSI et d'autres professionnels de la sécurité, relativement à l'adoption et au déploiement d'une stratégie de sécurité Mobile qui favorise l'accès à travers l'entreprise, le partage des données de l'entreprise ou des interactions avec les partenaires, clients et autres tiers via des appareils mobiles et les applications.

1. Mobilephobia: Curing the CISO’s
Most Common Mobile Security Fears
IBM Mobile Security
CISO E-Guide
October 2015

2. 2 Mobilephobia: Curing the CISO’s Most Common Mobile Security Fears
Table of Contents
Chapter 1: The CISO and “Mobilephobia”..............................................................................................................................3
Chapter 2: The Fear of Rogue Devices....................................................................................................................................5
Chapter 3: The Fear of Business and Personal Worlds Colliding........................................................................................7
Chapter 4: The Fear of Mobile Apps Attacking......................................................................................................................9
Chapter 5: The Fear of Hordes of Unmanaged Devices.....................................................................................................11
Chapter 6: The Fear of Missing the Warning Signs.............................................................................................................13
Chapter 7: Finding the Cure for Mobilephobia.....................................................................................................................15
For more information:...............................................................................................................................................................18

3. IBM Mobile Security 3
Chapter 1. The CISO and “Mobilephobia”
Mobilephobia: A family of fears typically impacting CISOs
and other security professionals associated with embracing and
deploying a mobile security strategy that enables access across the
enterprise, sharing of corporate data or interaction with associates,
customers and other third parties via mobile devices
and applications.
Let’s face it: Every CISO or head of IT security suffers to
some extent from mobilephobia. Unlike many “phobias”
that are linked to irrational fears, mobilephobia is based on
rational fears and real threats. While these fears may not be
debilitating to those who suffer from them, they can have
serious consequences and result in delays in embracing
mobile and deploying a mobile security strategy.
Let’s take a look at how mobilephobia manifests itself in the organization. CISOs and security executives tremble at the
mere thought of receiving a phone call or email that goes like this: “The CFO lost his smartphone at the airport. He’s got
all the data from the planned NewCo merger on it, in addition to our financials. You’ve got it covered, right?” Is this really
happening? Is it time to update the resume? Of course, every CISO wants to tell a panicked assistant to the CFO that it’s
not a problem; the company is protected and all the secrets are safe. But are they? And while the CFO might be the extreme
case, what happens when an HR staffer’s laptop that contains personal information on 1,200 employees is stolen?
Examples like this make it abundantly clear: Older and obsolete approaches to mobile security leave too many holes in
the protection.
Don’t Look Now, but the Fears Increase Every Day
What starts as “a few concerns” about mobile security is constantly increasing—every minute, every hour, every day as
the media announce another organized attack by hackers or in the worst case an actual enterprise breach. It’s not just the
millennials who are using two or three personally owned devices to access and store corporate data, it’s everyone. And
pushing the problem onto the users by asking them to “please, pretty please” load corporate security software onto their
devices has a low success rate. Mobilephobia will only increase with the coming boom in wearable technology, coupled with
huge numbers of devices in that broad category of “Internet of Things” that will be part of the mobile environment.
Hackers are smart, and with new hacking technology and stealthy tactics, they’re focusing on mobile devices thanks to the
glaring vulnerabilities these devices possess. Whether it is the device OS or an application running on the device, everyone
knows there are mobile-specific vulnerabilities. Plus, hackers are increasing your fears as they analyze the vulnerabilities and
security holes that a new generation of wearables and IoT devices will open in many organizations’ security plans. Experts
have even hacked a car already. Today’s businesses can’t pretend the problem is a minor one.
The Crown Jewels Are at Risk
As employees of all types and ranks increasingly use their mobile devices for all of their workflow, even the most sensitive
information is landing on personal or corporate-owned smartphones and tablets. It seems everyone has the keys to the

4. 4 Mobilephobia: Curing the CISO’s Most Common Mobile Security Fears
kingdom. This creates a number of problems for the organization. First, there are legal and compliance issues that result
from losing a device or having it become compromised. If the organization hasn’t taken care to deploy strong security, it
becomes scary pretty quickly. Second, there are potential competitive risks if the information should fall into a rival’s hands,
the worst of all outcomes.
The simple fact is that data leakage and loss on mobile devices must be expected if organizations don’t put some new security
safeguards in place to protect those jewels. The new list of certainties in today’s world now includes death, taxes and data loss
on poorly protected mobile devices. And there are so many ways devices can be compromised or data lost based on just the
known current threats. These include:
Plus, let’s not forget that hackers are always raising the ante and becoming more creative as they find new ways to gather
valuable data from mobile devices. As you can see, with mobilephobia, the fears and threats are real and must be addressed.
Fear of Falling Behind: Older Security Solutions Face Daily “Protection Shrinkage”
It’s surprising how many organizations have not fully deployed even the older security solutions that did offer some
protection years ago when they were initially designed. Even worse, for those organizations that did buy the solution du jour,
newer threats have riddled their solutions with more security holes and dramatically increased the depth of mobilephobia.
A big part of the problem is that many older security approaches were driven by point products that were designed to
remediate one specific type of threat but provided little value in stopping new threats, or even some variations on that
specific threat. Over time and as threats multiply, an organization’s “protection surface” does actually shrink.
The problems with older mobile security solutions don’t end there. First, solving one security problem at a time is not
very efficient in terms of IT manpower or costs. Second, this is a reactive rather than a proactive approach. Once an active
threat is discovered, what happens between the time a threat is let loose into the “wild” and a security solution is installed?
The simple answer is mobile devices are vulnerable. Finally, while a reactive approach is clearly inadequate for dealing with
malicious threats, it is completely ineffective for combating a common cause of data loss: human error.
What organizations really need is a proactive, integrated mobile security solution framework that offers an entire range
of protection and has the capability to add new functionality as necessary. The benefit of a more comprehensive approach
is that it provides defense in depth, where the overlapping protections of multiple products are more capable of halting a
specific threat. Simply put, it stops security shrinkage.
The integrated approach also simplifies the deployment of the mobile security solution to mobile devices, since IT is not
asking end users to install this month’s latest security product on their devices. No less, IT staff can work from a single
product with one console.
• Hijacked devices
• Stolen devices
• Jailbroken devices
• Devices corrupted by malware downloads
• Employees leaving with sensitive data
• Employees putting sensitive data in unsecured
consumer cloud file-sharing services
• Bluetooth snooping
• Fraudulent applications
• WiFi hot spot spoofing

5. IBM Mobile Security 5
Chapter 2. The Fear of Rogue Devices
It’s Scary to Lose Control
Every CISO has fear of the things he or she can’t control, and in any larger organization, there can be tens of thousands of
BYOD and mobile devices that the CISO has little, if any, control over. Mobilephobia sets in with the realization that gaining
control is only made more difficult by the problem of working with multiple operating systems. The multi-OS scenario often
results in different requirements for individual environments, OS-specific threats and varying intrinsic management capabilities.
Worse, the number of different devices that show up in an organization’s IT infrastructure increases every quarter, and it seems
like there’s no end in sight. When Apple or Samsung launch a new product or release a new version of the operating system,
the result is a huge number of devices using new software that hasn’t gone through basic vulnerability testing. That’s not exactly
reassuring. For example, a new iOS upgrade is a regular event, and the day it is launched the CISO will have to deal with the
fact that thousands of devices accessing corporate information will now use an OS version that has not been through any
security testing. There is no question this fear is based on a legitimate threat.
As the cavalcade of new devices enters the enterprise complete with new operating systems and software stacks, having some
fear over what they may be bringing with them is the mark of a reasonable person. According to a recent Veracode survey,
the average enterprise has more than 2,000 unsafe or malicious apps installed on users’ BYOD devices.1
This malware can
expose sensitive information or allow entry into corporate systems. And Gartner says that by the end of 2015, 75% of mobile
applications will fail basic security tests.2
Doesn’t sound very promising, does it?
The first step to curing mobilephobia is to develop a process that can be documented, and more importantly, implemented.
Too many mobile security policies sound good, but when it comes to actually deploying them, it becomes clear just how much
wishful thinking went into their development.
The genesis of these policies must start with the legal, compliance, and operational demands that are unique to the
organization. Not only is this the correct approach of beginning with the end in mind, but for a CISO, the phone calls that
elicit the greatest fear are the ones from the corporate counsel or the compliance office.
Implementing consistent and effective policy begins with a
process that ensures security. The starting point is to ensure
that enrollment, provisioning, and configuration processes can
all happen “over the air” and are completed using automated
background processes that make the solution “user proof.”
Mobile users who won’t or can’t load the security tools, or
otherwise leave their devices unprotected, are truly the flies in
the mobile security ointment. This over-the-air capability must
also constantly monitor devices to solve a number of potential
security issues by:
• Identifying and remediating devices that may be at risk
• Tracking who is requesting sensitive data
• Finding anomalous activity
• Automating security responses and actions for devices
and data that may be at risk

6. 6 Mobilephobia: Curing the CISO’s Most Common Mobile Security Fears
Theft Happens! Removing the Fear From Vanished iPhones
Of all the forms mobilephobia can take, this is probably the most prevalent. A lost or stolen device is inevitable, and those
devices immediately become “rogue” devices. British police estimate that there are 314 mobile devices stolen every day in
London alone.3
According to the Consumer Reports National Research Center, in 2014 there were 6.2 million smartphones
lost or stolen.4
Most of these phones undoubtedly were used for both personal and professional applications. And the enterprise
CISO has one more thing to worry about beyond loss or theft: users who leave or are dismissed from the organization and have
personal devices with corporate data, applications, and access. The mobile security plan must treat this as a normal occurrence
and include processes to remove the fear of attacks and date leakage from lost/invalid devices.
Rather than treating lost or stolen devices as an exception, the mitigation of threats and problems from loss or theft must
be part of a standard, automated process for managing BYOD and mobile devices. That process must be able to respond
very quickly when a device goes rogue. This requires a plan for lost devices, starting with encryption when the device is
commissioned, additional data protection for information added to the device, the ability to search for the device and render
the device harmless if it’s lost, and potentially even more remediation activities.
To lower the risks from lost and stolen devices, the process should include these common elements:
• Encrypt the device: This may seem obvious, but many
BYOD devices are not encrypted. The enrollment process
must include encryption.
• Separate personal and corporate information: The idea of
containerizing, sandboxing, or otherwise drawing a logical
distinction between the two “personalities” provides
greater protection.
• No enrollment/no access: The key to this is not to
position the mobile security management tools as the
traffic cops between users and information, but to make
the enrollment process unobtrusive and simple so that it
happens even when users aren’t forced to run scripts or
download software.
• Develop an “information architecture”: It’s important to
know what information must be protected at all costs, and
what information is less sensitive.

7. IBM Mobile Security 7
Chapter 3: The Fear of Business and
Personal Worlds Colliding
No Fear of Separation: Segregating Personal and
Corporate Data
If you are looking for the scariest form of mobilephobia,
this may very well be it. One of the most common usage
patterns on mobile devices is the commingling of personal
and corporate data and applications. When this occurs,
many users take shortcuts that expose corporate data
to threats from personal malware, poor data protection
practices, and lost/stolen devices. Much like good fences
make good neighbors, separating corporate and personal
information is an essential best practice for mobile security.
Let users wreak havoc with their own stuff, but not
the organization’s.
There are a number of reasons why separation reduces a CISO’s anxiety. One of the most obvious is that by creating this data
distinction, it becomes very clear what information should be remotely wiped if a device is lost, stolen, or belongs to an ex-
employee. When data is all jumbled together, it’s hard for IT to be sure they wiped all of the sensitive corporate information
without wiping the entire device. And blunt-force, complete device wipes can cause major headaches when irate users complain
about losing pictures of their kid’s soccer game or last year’s dance recital.
However, separating the personal and corporate worlds is only the beginning for implementing numerous types of protection.
It sets the stage for more mobile security capabilities.
With two separate logical partitions, organizations can better manage email, attachments, and interaction with personal email
accounts. The practice of using attachments to send corporate information to personal email accounts is widespread. It’s
the first thing an end user learns to do with Exchange or Outlook—and it’s hard to control. It’s also a trigger to the CISO’s
mobilephobia: the thought of thousands of users moving sensitive corporate information outside of IT’s purview. However,
using a “corporate only” sandbox, it’s now possible to stop the practice of forwarding attachments from corporate email
systems. Further, the organization can impose copy and paste restrictions as well. Eliminating out-of-control information is a
prescription for a far less stressful environment.
A corporate sandbox also allows the organization to ensure and enforce authentication of the device and the user, which
mitigates the risk of lost or rogue devices. In addition, the ability to require two-factor authentication is greatly enhanced, and
that will further reduce risks. Finally, using a corporate “personality” also provides the means of stopping a great deal of data
loss or leakage, by giving the CISO and IT more control over the image, access to information, and how information can
be shared.

8. 8 Mobilephobia: Curing the CISO’s Most Common Mobile Security Fears
What, Me Worry? Using Distinct “Identities” to Enforce
Compliance and Security Policies to Stop Data Loss
With a controlled and distinct corporate image or workspace
on the mobile device, enforcement of critical security policies
is much simpler. There are a number of security activities that
can be deployed much more easily:
• Cookie management/tracking
• URL filtering
• Application “whitelisting”
• Application management
• Restriction or elimination of cloud storage products
• Data migration management
• Ensure compliant use of sensitive information
• Where it can be stored
ŋŋ Enable the use of intranets
ŋŋ Ensure security is in place before information is downloaded
ŋŋ Full encryption
Even if the corporate image is locked down, the user can still play Words with Friends or upload videos to Instagram on their
personal image. This halts user complaints while eliminating the fear that malware will compromise corporate information on
the device.
The ability to restrict the “anything goes” part of the mobile device to a personal playground is key. By keeping the malware,
data loss, and other security issues outside of the corporate IT infrastructure, it lessens the risk that stupid user tricks will create
a major security event. Even though the majority of end users are not acting maliciously, mistakes and oversights create the
potential for an event. The ability to wall off attackers and threats to keep them out of the “castle” has a long track record of
success, going back millennia. The same approach works for mobile security today, and will let the CISO sleep as peacefully as
any king in his castle.

9. IBM Mobile Security 9
Chapter 4: The Fear of Mobile Apps Attacking
Apps With Too Many Permissions: Why You Should Worry
What CISO doesn’t suffer from some level of mobilephobia related to all those apps and wondering which ones will rise up and
attack the enterprise? End users hardly even glance at all of the permissions required by that new picture sharing app. They’re
not scared, but the CISO should be. For internally developed apps, the backlog is long, and the ever-increasing demand to
deploy more apps faster means dangerous apps are making it out of development or being brought in from ISVs. To make
matters worse, end users are installing their own personal apps and using them for work purposes without knowing if they are
secure. It is truly a nightmare scenario.
Many don’t realize it, but app breaches are one of the most common methods of hacking into a mobile device. According to
Gartner, 75% of all breaches on mobile devices are caused by mobile application misconfiguration.5
An excellent example of
this is the misuse of personal cloud services when they are utilized to convey sensitive corporate information, and that happens
every day in an enterprise. To make matters even scarier, the organization is often unaware of the data leakage that results from
this kind of misuse—that is, until the problem blows up. Gartner also notes that jailbroken or rooted smartphones are more
vulnerable attack platforms based on the additional privileges users have on these devices.
The potential for “attack by app” also increases as new malware is released that looks like benign applications. These are very
tricky and clever pieces of malware that can fool even the savviest end user. There are already some examples of this trend that
are currently “in the wild” and have attacked many devices. These include:
• Sandroware: Malware that looks like a security app for Android
• XAgent: Malware for iOS that collects data from the device
• Masque Attack: A bug that tricks iOS users into thinking they are downloading legitimate apps
when they are actually downloading malware
There are, of course, many, many others. In fact, new
variants are being conceived of every day, and the problem of
malicious applications isn’t going to slow down any time soon.
If application security-specific mobilephobia is not afflicting
you, it’s because you simply don’t understand the threats.
The Fear of IP Theft: Build, Secure and Protect Your
Apps “in the Wild”
Kleptophobia is commonly known as the fear of theft,
but when coupled with mobile IP it becomes a dangerous
variant of mobilephobia. Data loss is serious but the theft of
Intellectual Property (IP) can be a disaster for an enterprise.
Not only does it reflect poorly on the CISO, but it also can
put the enterprise behind the eight ball from a competitive
perspective. Compromised or unsecured applications are
primary routes for IP theft. The question a CISO needs to
answer is, “How do your apps measure up?”

10. 10 Mobilephobia: Curing the CISO’s Most Common Mobile Security Fears
The answer is often: “Not that well” or “We aren’t sure.”
Consider that companies test less than half of their mobile apps for security before they are released, according to a recent IBM
study. The pressure is so great to get mobile apps developed and deployed that many organizations don’t go the next step and
test them for security gaps. A key reason for this is that many mobile app development environments don’t support enterprise-
grade security. You don’t have to be a rocket scientist to know this is a bad thing.
Testing for security and vulnerabilities after the development is complete is also resource intensive. According to a security and
risk manager in an IBM case study, more frequent application testing done earlier often reduces the cost of fixing vulnerabilities
by up to 95 times.6
Trying to bolt on security after an app is built and distributed is a bad idea. Instead, the CISO needs to demand that the app dev
crew focus on building secure applications from the start and ensuring that the necessary security testing tools are used for any
mobile app developed in-house. And security testing shouldn’t be confined to only the in-house apps—ISV software needs to be
tested too. It may actually be surprising to learn that vulnerabilities have been found in offerings
from some of the biggest and best-known name-brand software companies.
There are also important process elements that need to be infused into the applications security testing process so the
organization can defuse security threats. Companies must use a standard and consistent set of tools for security testing. Not
only does this make it easier and more efficient for development, but it also results in more effective security. Being more
efficient also helps ensure that security doesn’t become the roadblock to getting new applications to end users on time.
Mobile security application testing tools need certain key
features to be effective. First, the tools must be able to identify
and remediate the potential for run-time control flow attacks
that exploit vulnerabilities in applications. Second, the tools
need to drive the update process for applications that are out
in the wild. The most common attack vector for many events is
to find known and unpatched vulnerabilities in older versions
of software. This is true for both ISV and in-house developed
apps. No matter how secure the apps are at launch, over time
they will become vulnerable, and organizations ignore that fact
at their own peril.
CISOs and the IT organizations struggling with mobilephobia
know that, at some point, the apps will attack. It’s the most
common mobile attack vector and no one can afford to
play ostrich. Without changing the app development, app
management, and security testing processes, one day some
innocent little icon may lead to a whole lot of trouble.

11. IBM Mobile Security 11
Chapter 5: The Fear of Hordes of Unmanaged Devices
Jailbroken and Rooted Devices Are Scary
Similar to agoraphobia, the fear of crowds, every CISO worries about the hordes of unmanaged mobile devices accessing the
corporate network. Because they are unmanaged, IT has no idea if they are compromised in any way, infected with malware, or
from some bad actor who is impersonating a legitimate user. The worst of the lot are the devices that have been jailbroken or
rooted by the end user, defeating many of the inherent security capabilities.
Jailbroken or rooted devices that attempt to connect to the network demand special attention due to the level of threat they
represent. It is critical to identify them immediately and treat them as the increased security threats they really are. Just recently
a new threat, KeyRaider, has surfaced for jailbroken iPhones. Once a device is compromised, device-based security has to be
viewed as unusable. Passwords no longer provide protection, and even a remote wipe may not protect the enterprise. It is
critical that the security solution can identify and limit or deny access to these jailbroken/rooted mobile devices as quickly
as possible.
The most important question is how to protect the corporate crown jewels from these hordes without compromising the users’
ability to do their work. The starting point is to develop a consistent and secure approach for access. A single solution for secure
access control and authentication provides consistency and a single point of management that is much more efficient than a
federated approach. This consistency has to extend to all of the different types of access methods. The use of a single point of
management will ensure that no matter how users want access, they are getting it securely. And as the last chapter discussed, the
organization must test for and ensure that all the apps have good mobile security.
Change is one certainty in mobile security, and adaptive access policies that allow the protection to meet multiple mobile
security challenges is a capability an enterprise shouldn’t live without. Using context-aware policies provides the flexibility to
offer more protection for the data that the organization fears losing the most. By offering multiple levels of protection based on
the sensitivity of the data, it’s possible to focus mobile security where it’s most needed.
Adapting to different levels of risk is another way to bring
dynamic security to mobile users. Risk can be driven by a
number of aspects that include:
• Access from an unusual source or location
• Devices that have become compromised (including
jailbroken/rooted devices)
• Multiple simultaneous access requests from the s
ame identity
• Unusual data request patterns
A mobile device can easily become contaminated with mobile
malware. A device may appear to be functioning normally to
the user even when it has active malware infestations. Mobile
security has to provide the peace of mind that malware is being
stopped before it can infect core systems.

12. 12 Mobilephobia: Curing the CISO’s Most Common Mobile Security Fears
They Are Who We Thought They Were: Authentication Eliminates the Fear of Fraudulent Users
As a variant of xenophobia, the fear of strangers, mobilephobia focuses on a fear of accurately identifying devices and users.
Among the most important aspects of mobile security is the ability to ensure that users who are accessing your networks and
systems are actually legitimate users and not scammers or hackers. The old-fashioned approach of security determined by user
names and passwords is antiquated. User authentication that provides a much higher level of surety must be part of the mobile
security solution.
Yet improving authentication can’t come at the expense of
driving users crazy. If authentication becomes onerous, users
will either find a work-around, or go back to the tried-and-
true practice of writing down login information and putting
it on a sticky note or otherwise physically compromising
authentication. The authentication system needs a high level
of security, but the complexity must be hidden from the users.
This is where single sign-on can be a huge benefit. The use
of more rigorous authentication that must be entered for
every application or transaction won’t work. The most
common form of more rigorous authentication is two-factor
authentication. Typically this requires two things: something
the user knows, and something the user has. We all remember
the old days when many of us had to carry around an RSA
token as the “something you have” factor. Clearly that’s not a
modern solution.
Today, mobile authentication is moving quickly toward tokenless authentication using one-time passwords delivered via text
or SMS. There is also a growing interest in biometrics as more smartphones have fingerprint readers, but this is likely a future
technology as the percentage of mobile devices with fingerprint readers is small, and the technology is not yet fully dependable.
One important operational aspect of single sign-on is to ensure that it works in a consistent manner across devices and
geographies. If single sign-on acts differently on different devices, it quickly becomes frustrating for users, and that means waves
of trouble tickets for support.
Authentication solutions must also be as dynamic as the mobile environment. To stay ahead of the curve, there are important
solution requirements that make the user experience a simple and straightforward activity instead of a frustrating and complex
one. The starting point is to ensure you have an accurate and valid employee/contractor/partner directory. This literally
becomes the master list of who should even have a chance of accessing systems. This requires strong links to HR and directory
systems. The second aspect of a dynamic authentication solution is the ability to support new device types soon after they are
launched. Not every new device should be brought into the fold, but, clearly, the inability to support the newest Samsung phone
for a month after launch is going to be a problem.
The new mobile reality is one of hordes of constantly changing devices that may or may not be compromised, demanding
immediate access to the network and systems. Although the device barbarians may be at the gate, organizations need to
let in only those that are deemed legitimate. This scenario demands both access control/management and improved user
authentication. Without both systems in place, things become downright scary.

13. IBM Mobile Security 13
Chapter 6: The Fear of Missing the Warning Signs
Analytics Driven by Dynamic Data Reduce the Risk
Last but not least, we have the mobilephobia variant that plagues many a CISO related to the fear of missing key information
about threats, especially when they’re being overwhelmed by a huge quantity of data from logs, network activity and other
sources. While identifying a threat may literally be a one-in-a-million proposition, it is that one missed alert that potentially
sinks the ship. Mining this data can be hampered by a lack of operational efficiency due to the use of older or less capable tools.
Compliance issues can also arise when key data is missed.
Mobile security has one other “degree of difficulty” that
fuels a demand for better security analytics, and that is the
constant change in mobile technology and usage patterns.
Accompanying all of the change is the problem of end users
bringing all kinds of devices, new device types, and apps that
come from literally anywhere into the IT infrastructure.
It’s downright scary if the organization is not using analytics to
get better at finding the threats and building responses
to them.
The speed of change and the need for fast responses require
that an organization’s security analytics tools provide answers
quickly. This is critical to shrinking the vulnerability window
and reducing new threats. Analytics must also focus on
configuration errors and vulnerabilities to identify them for
rapid remediation.
Yet the area of greatest concern is the need to identify new threat vectors and technologies that may be the source of future
attacks on mobile security. Given the speed with which an attack can impact mobile devices, faster threat intelligence is essential
to cutting the time advantage enjoyed by bad guys. In addition to speed, security analytics tools must be sophisticated enough
to outwit the hackers who are intimately aware of the steps enterprises are taking to blunt their attacks. Two key aspects of
sophistication include developing a broader perspective of the data input stream to identify potential threats, and implementing
threat tracking that is truly global.
Of course, all of this intelligence about mobile threats must be integrated as part of an overall SIEM (security information and
event management) solution that provides a comprehensive plan for a security event. There are a number of reasons why this
integrated approach to SIEM is the route to more confidence. These include:
• Disappearing perimeters reduce the distinction between mobile and traditional infrastructure in the enterprise.
• Mobile is often an entry point for malware, but that malware is often intended for other systems.
• Remediation must occur across the entire infrastructure, not just mobile or not just the on-premise systems.

14. 14 Mobilephobia: Curing the CISO’s Most Common Mobile Security Fears
Doing the Data Crawl: Best Practices for Data Collection and Analytics to Allay the CISO’s Fears
It’s clear that improved analytics and better use of data can reduce security risks, but for many CISOs the question becomes
what solution should be deployed. The benefits of both efficiency and protection vary based on how the solution is designed.
The most important attribute is the amount of leverage that the solution provides for the security team. The amount of
incoming data is exploding, so the ability to effectively leverage the input and analysis done by the team to evaluate larger
and larger amounts of data is the difference between finding a threat and missing it entirely. Therefore, organizations need to
choose a system that increases automation in four specific areas: threat identification, policy management, tool management,
and identification of unusual or abnormal device behavior. Bringing these issues to the fore for human analysis allows the
security teams to optimize their time.
Analytics driven by real data can also help prioritize the identified security events. After all, not every security event should
set a CISO’s hair on fire. Deciding which security events are top priorities and which are lesser events shouldn’t be left up to
“judgment”—that’s kind of scary. A big part of developing a better prioritization scheme is to ensure that the analytics link to
contextual data to provide better insight. Without context, it’s far too easy to miss a real threat, or to over-respond to an isolated
incident that has been blown out of context.
Given how dynamic the mobile environment is, monitoring of
key data sets has to include configurations and vulnerabilities.
If organizations don’t check regularly, they’ll find some nasty
surprises when they do rescan the mobile environment.
Users in general, and mobile users in particular, are pretty
poor at keeping software and devices up to date. The excuse
that “I’ll wait until I’m on a network to download updates” is
a constant refrain. Organizations simply can’t rely on users
to keep IT protected by regularly updating devices, so they
need to find those who are most vulnerable and make sure
their devices are upgraded. Automating the twin processes
of identifying misconfigured or vulnerable devices and then
pushing or automatically installing the needed fixes must be
part of a security analytics solution. With the right choice of
more advanced tools that simplify the process and increase
efficiency, organizations can finally use the data they have to
dramatically improve mobile security.

15. IBM Mobile Security 15
Chapter 7: Finding the Cure For Mobilephobia
As Mobile Grows, So Do Security Threats
As daunting as the current state of mobile security appears to be, it’s only going to get more complex, and threats will become
more widespread, clever and technically elegant. The attackers are not standing still, and neither should organizations. In fact,
the hackers are actually ahead of mobile security in many enterprises, because many organizations are still not using the latest
and most effective mobile security solutions. Relying on older and less robust security solutions is risky. While organizations
may feel protected, the fact is that they are not really secure. These factors ensure that mobilephobia is healthy and growing in
the enterprise, but it doesn’t have to paralyze you.
Finding a cure to mobilephobia is not simple. It’s a complex
issue, because mobile security has numerous attack surfaces
that resist point solutions or security tools that only focus
on one aspect of the problem. It’s time for a better approach
that is designed to suppress both known current and future
threats. There are three key elements an enterprise-grade
mobile security plan must provide to help calm the CISO’s
mobilephobia fears:
• Complete: A comprehensive solution that covers
the entire “threat cycle”
• Seamless: An integrated solution that does not
leave gaps
• Scalable: A dynamic solution that continually
evolves to stop new threats
IBM Mobile Security is uniquely positioned to securely and holistically manage the mobile enterprise. It provides a complete
approach to mobile security by allowing customers to implement a mobile security strategy that addresses devices, data,
applications and users. These seamless solutions connect to a customer’s existing environment allowing them to implement
any or all of the portfolio based on their requirements. The mobile security portfolio is designed to deliver an exceptional
experience. These highly scalable security solutions, along with a unique threat intelligence platform, that fuses context and risk
awareness, maximize mobility management while significantly improving security posture.
As a technology leader, IBM has developed a comprehensive framework that addresses the imperatives of enterprise mobility:
• Protect the device
• Secure content and collaboration
• Safeguard applications and data
• Manage access and fraud
• Extend Security Intelligence

16. 16 Mobilephobia: Curing the CISO’s Most Common Mobile Security Fears
Underlying these four imperatives is an additional layer of protection and visibility through IBM’s security intelligence
platform. Only by addressing all four imperatives can an organization deliver a holistic mobile strategy that protects its assets
and reputation.
Protect Devices
With IBM®
MobileFirst™
Protect, organizations can balance the enterprise security and employee privacy demands of BYOD
programs. The solution offers dual-persona management for enterprise applications, secure email, web browsing and document
sharing—helping separate work and personal data via containerization. Devices can be enrolled and secured in minutes with
this on-demand, software as a service solution. It also supports self-service enrollment, customized over-the-air configuration
and automated policy enforcement. With integrated threat management, MobileFirst Protect can detect and prevent mobile
malware; it can provide visibility into device security to help safeguard your enterprise data.
Secure Content and Collaboration
MobileFirst Protect enables organizations to deliver a consumer experience on mobile devices with trust. It provides secure
access to corporate content—including behind-the-firewall resources such as Microsoft SharePoint and cloud repositories such
as Box—while also reducing the risks of data leakage. Individual users or documents can have their own security policies to
restrict the copying, pasting and sharing of sensitive data that is controlled. In addition, organizations can monitor the status
and usage of specific documents, users and devices.
Safeguard Applications and Data
IBM Security AppScan®
enables organizations to secure native and hybrid mobile applications. It helps IT staff identify
and remediate mobile application security risks on mobile devices as well as the servers accessed by mobile applications.
AppScan leverages extensive research into mobile operating systems—including Google Android and Apple iOS—to provide
comprehensive security analysis. In fact, more than 40,000 mobile application programming interfaces have been added to the
AppScan security knowledge base. AppScan runs on popular mobile development platforms, such as Apple OS X, which helps
developers to identify application security risks early in the software development lifecycle.
Arxan Application Protection for IBM Solutions extends AppScan vulnerability analysis capabilities to mobile application
hardening and runtime protection. It enables developers to incorporate application protection into their workflows without
modifying source code. When the Arxan solution is deployed in combination with AppScan, organizations can more securely
build, analyze and release their mobile applications into production.
IBM MobileFirst Protect Application Security enables an application container for your enterprise and third-party
applications with full operational and security management for iOS and Android platforms. You can enforce authentication,
set up single sign-on across applications and configure data leak prevention controls. The solution enables you to improve
efficiency and security with application-level tunneling for secure access to corporate data, compliance checks and automated
enforcement actions.
Manage Access and Fraud
IBM Security Trusteer®
solutions dynamically detect the risk factors of the underlying mobile device. This information is
delivered to the native or web-based mobile application, as well as the application back-end services, to help secure transactions
from devices to the back office. Application functions can be restricted based on mobile risk assessments, or organizations can
require additional authentication if certain risk factors are detected. Furthermore, mobile transaction risk can be correlated with
cross-channel risk factors to detect complex fraud schemes.

17. IBM Mobile Security 17
IBM Security Access Manager helps organizations deliver secure access to mobile and web applications with authentication and
authorization services, single sign-on and session management. It helps improve identity assurance with built-in support for
flexible authentication schemes, such as the use of one-time passwords and RSA SecurID tokens. It also helps enforce context-
aware access by integrating with IBM Security Trusteer Mobile Software Development Kit and IBM MobileFirst Platform
runtime security features. In addition, it supports device fingerprinting, geographic location awareness and IP reputation
techniques. IBM Security Access Manager can also help shield mobile applications from many of the common web application
security risks.
Extend Security Intelligence
With attacks on devices, applications and transactions growing more numerous and more sophisticated by the day, security
information and event management solutions can help organizations identify trends across the millions—or even billions—of
security events collected every day, so they can prioritize the events that require immediate action.
IBM Security QRadar®
SIEM uses event correlation to help organizations quickly identify potential offenses and eliminate
false-positive results. Unusual user, application and network activity can trigger automatic alerts to security teams, who can then
investigate the potential offenses and proactively manage the remediation or mitigation QRadar SIEM is part of IBM QRadar
Security Intelligence Platform, a unified architecture for integrating real-time SIEM, log management, anomaly detection, and
configuration and vulnerability management.
The IBM Mobile Security portfolio meets the current and identifiable future needs of the enterprise for mobile security. It truly
allays the fears of the CISO and provides the certainty that enterprises need to fully embrace mobile computing.
To learn more about IBM Mobile Security please contact your IBM representative or IBM Business Partner,
visit www.ibm.com/security/mobile or download one of these documents:
The IBM Whitepaper: Secure the mobile enterprise
https://ibm.biz/BdXaWg
The Ponemon Study: State of Mobile Application InSecurity:
https://ibm.biz/BdXRfB
The IBM Whitepaper: Mobile is the New Playground for Thieves: How to Protect Against Mobile Malware:
https://ibm.biz/BdXPh2

18. 18 Mobilephobia: Curing the CISO’s Most Common Mobile Security Fears
© Copyright IBM Corporation 2015
IBM Corporation
Software Group
Route 100
Somers, NY 10589
Produced in the United States of America
August 2015
IBM, the IBM logo, ibm.com, IBM Security AppScan Standard, IBM Security AppScan Source, IBM Security AppScan Enterprise, IBM Application
Security Analyzer, Arxan Application Protection for IBM Solutions, and Cigital Application Security Testing Managed Services from IBM are
trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be
trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at
www.ibm.com/legal/copytrade.shtml
This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country
in which IBM operates.
THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED,
INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY
WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the
agreements under which they are provided.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response
to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated
or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure
and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be
part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products
or services to be most effective. IBM does not warrant that systems and products are immune from the malicious or illegal conduct of any party.
References
1 “Average Large Enterprise Has More Than 2,000 Unsafe Mobile Apps Installed on Employee Devices,” Veracode, March 11, 2015
2 “Gartner Says More than 75 Percent of Mobile Applications Will Fail Basic Security Tests Through 2015,” Gartner, September 14, 2014
3 “314 Mobile Phones ‘Stolen in London Every Day,’” BBC, January 2013
4 “Smartphone Thefts Drop as Killswitch Usage Grows,” Consumer Reports, June 11, 2015
5 “Gartner Says 75 Percent of Mobile Security Breaches Will Be the Result of Mobile Application Misconfiguration,” Gartner, May 29, 2014
6 “A web and mobile application provider,” IBM, May 2015
WGM12354USEN-00
Please Recycle