Three Steps to Mitigate Mobile Security Risks
White Paper
Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com
Bring Your Own Device Growth
The “Bring Your Own Device” (BYOD) trend started in late 2009 and caught on with users faster than IT expected, especially
as iOS and Android devices became dominant. Today, a majority of companies have employees bringing their own smartphones
and tablets to work. While there have been clear employee productivity gains from BYOD, a negative by-product is the
significant growth in data security risk. In a January 2012 market research study by Checkpoint Software, 71 percent of the
businesses surveyed said that mobile devices have caused an increase in security incidents, citing significant concerns about
the loss and privacy of sensitive information stored on employee devices, including corporate email (79 percent), customer
data (47 percent), and network login credentials (38 percent).
Given that the BYOD trend is set to accelerate, this white paper will help you better understand the underlying risk associated
with these devices and provide a simple step-by-step approach to mitigate their risks. The paper relies on data garnered from
more than 130 million device connection events, and this mobile device usage data was collected from companies involved in
the trial program for Mobilisafe’s Mobile Risk Management product.
Cause of the Risks
A key conclusion from this study was that IT managers significantly
underestimated the diversity of mobile devices connecting to their network.
Even though these IT managers had serious concerns about data risk from
these mobile devices, they did not feel they had adequate tools to determine
those risks and respond to them.
Some key supporting data from the study:
• On average, more than 80 percent of employees were already using smartphones and tablets
• A new device model was introduced to a company for every seven employees
• 56 percent of iOS devices were running outdated firmware
• 39 percent of total authenticated devices were inactive for more than 30 days, prompting concerns and conversations
with employees about lost, sold or otherwise misplaced devices carrying employee credentials and sensitive corporate
data
Pervasiveness Of The Risks
The study also showed that businesses were exposed to high severity
vulnerabilities from the increased usage of these mobile devices. IT managers
could not keep up with the rate of discovery of severe vulnerabilities these
devices brought to their corporate network, and lacked a standardized
approach to mitigate these risks given the complexity of the mobile ecosystem,
consisting of manufacturers, Operating System (OS) providers and carriers.
Some key supporting data from the study:
• 71 percent of devices in the study contained high severity operating system and application vulnerabilities
• A new vulnerability was mapped to mobile devices every 1.6 days on average, a discovery rate 4x faster than in 2011
• 38 different OS versions in the study contained high severity vulnerabilities
• The percentage of devices with severe vulnerabilities would drop 4x if the devices were updated to the latest
available firmware
As mobile device usage grows, so does the security risk to company data from these devices. Application and operating
system vulnerabilities on mobile devices are already being exploited to compromise the security models that protect company
data: sensitive data is at risk of being leaked off the device, and company servers are at risk of being attacked from mobile
devices already authenticated to access company resources.
One of the most severe examples of a mobile device vulnerability was DroidDream, which was packaged inside seemingly
legitimate applications available on the Android Marketplace. In 2011, more than 250,000 devices were affected by
DroidDream. It worked by gaining root access to Google Android mobile devices in order to read the phone's unique
identification information. Once compromised, a DroidDream-infected phone could also download additional malicious
programs without the user’s knowledge and be opened up to control by others.
Another significant example was a vulnerability discovered in the second half of 2010 in the Apple iOS PDF reader. A
security hole in the reader could be exploited by a malformed PDF, allowing an external party to take control of the device.
Mitigating The Risks
As vulnerabilities increase in frequency and severity, there is a natural inclination within IT to establish rigid rules and policies
for device usage around data encryption, secure email and mobile browsing so that no data leakage can occur. Unfortunately,
this is not feasible with the BYOD phenomenon. Because these devices are personally owned, employees download non-validated
applications onto them and connect frequently via unsecured networks. Corporate data is also frequently stored on the
device, and in many cases the OS itself adds to the security risk. Together these create security risks that require a
fundamentally new way for organizations to approach mobile device security.
In today’s BYOD world, companies need to shift from a legacy control-oriented approach to a risk management-oriented
approach. Employees should be given the freedom to utilize the device of their choice, but at the same time, share the
responsibility to ensure corporate data is secure. It is with this in mind that we recommend IT implement the following three
steps for an effective mobile security approach within their companies:
1. Establish full visibility for all devices and users connecting to the company network. Understanding the pervasiveness
of mobile devices and mobile device diversity within the organization is a key first step for an effective mobile security
approach. For mobile devices, this information has to be very specific, including name, model, manufacturer, operating
system type and version, so each device can be accurately assessed for the risk it presents to the organization.
2. Continuously monitor and assess the vulnerability risk of each device. Mobile vulnerabilities are growing at a rapid rate.
2012 has already seen 4x the number of vulnerabilities when compared to 2011. There is a corresponding growth in exploits
for these vulnerabilities, jeopardizing sensitive data on mobile devices. By continuously monitoring and assessing each
device for new or known vulnerabilities, it is possible to proactively identify devices susceptible to security risks.
3. Focus on actions that mitigate vulnerability risk. IT should start with defining mobile access policies for employee
devices. Policies can be based on a wide variety of criteria, including specific device attributes, vulnerability exposure,
and employee profile. An effective mobile security approach relies on policies that are easy and straightforward to
communicate and follow.
One of the simplest ways to mitigate risk from mobile device usage is to ensure each device has the latest available version of
firmware. This eliminates known security holes but typically isn’t completed in a timely fashion, or at all. An effective mobile
security approach incorporates regular communication to employees of how to update their devices with simple, easy to follow
steps. Coupling this with access controls to limit how long employee devices with outdated firmware are allowed to connect to
company data is a powerful step in mitigating risk to company data from mobile devices.
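The three steps above, worked through as an added example that is not code from the paper or from Mobilisafe's product: it builds a per-device inventory from constructed connection events, flags outdated firmware and devices inactive for more than 30 days, and applies an access policy with an assumed 14-day grace period for outdated devices. The "latest firmware" table, all device records and the policy values are constructed for illustration.

```python
"""Added example (not Rapid7's or Mobilisafe's code): the paper's three steps run
over constructed device connection events.
  1. visibility  - one inventory record per device: name, model, manufacturer, OS type/version
  2. assessment  - flag firmware older than the latest available version for that OS, and
                   devices inactive for more than 30 days (the study's threshold)
  3. mitigation  - an access policy giving outdated devices a limited grace period to update
All records, version numbers and policy values below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed "latest available firmware" per OS: placeholder versions, not a real release table.
LATEST_FIRMWARE = {"iOS": (5, 1, 1), "Android": (4, 0, 4)}
INACTIVE_DAYS = 30        # the paper's threshold for an inactive device
OUTDATED_GRACE_DAYS = 14  # assumed policy: days an outdated device may keep connecting

def parse_version(text):
    """'5.0.1' -> (5, 0, 1) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in text.split("."))

@dataclass
class Device:
    user: str
    name: str
    model: str
    manufacturer: str
    os_type: str
    os_version: str
    version_since: date  # when the current OS version was first observed
    last_seen: date

def build_inventory(events):
    """Step 1: collapse raw events (user, name, model, maker, os, version, date) per device."""
    inventory = {}
    for user, name, model, maker, os_type, version, ts in sorted(events, key=lambda e: e[-1]):
        dev = inventory.get((user, name))
        if dev is None:
            inventory[(user, name)] = Device(user, name, model, maker, os_type, version, ts, ts)
            continue
        dev.last_seen = ts
        if version != dev.os_version:  # the device was updated (or downgraded)
            dev.os_version, dev.version_since = version, ts
    return inventory

def assess(dev, today):
    """Step 2: list the findings for one device."""
    findings = []
    latest = LATEST_FIRMWARE.get(dev.os_type)
    if latest is None:
        findings.append("unknown-os")
    elif parse_version(dev.os_version) < latest:
        findings.append("outdated-firmware")
    if (today - dev.last_seen).days > INACTIVE_DAYS:
        findings.append("inactive")
    return findings

def decide_access(dev, today):
    """Step 3: policy decision; an inactive device is treated as possibly lost or sold."""
    findings = assess(dev, today)
    if "inactive" in findings:
        return "revoke"  # revoke credentials and contact the employee
    if "unknown-os" in findings:
        return "block"   # risk cannot be assessed, so no access to company data
    if "outdated-firmware" in findings:
        deadline = dev.version_since + timedelta(days=OUTDATED_GRACE_DAYS)
        return "allow-until-" + deadline.isoformat() if today <= deadline else "block"
    return "allow"

def decisions(inventory, today):
    return {dev.name: decide_access(dev, today) for dev in inventory.values()}

def summarize(inventory, today):
    """Fleet-level figures of the kind the study reports."""
    devs = list(inventory.values())
    outdated = sum("outdated-firmware" in assess(d, today) for d in devs)
    inactive = sum("inactive" in assess(d, today) for d in devs)
    return {"devices": len(devs), "models": len({d.model for d in devs}),
            "pct_outdated": round(100 * outdated / len(devs)),
            "pct_inactive": round(100 * inactive / len(devs))}

TODAY = date(2012, 6, 1)
# Constructed sample of connection events (e.g. mail-sync logons), not real data.
SAMPLE_EVENTS = [
    ("alice", "Alice's iPhone", "iPhone 4S", "Apple", "iOS", "5.0.1", date(2012, 5, 20)),
    ("alice", "Alice's iPhone", "iPhone 4S", "Apple", "iOS", "5.1.1", date(2012, 5, 30)),
    ("bob", "Bob's phone", "Galaxy Nexus", "Samsung", "Android", "4.0.2", date(2012, 5, 25)),
    ("bob", "Bob's phone", "Galaxy Nexus", "Samsung", "Android", "4.0.2", date(2012, 5, 31)),
    ("carol", "Carol's iPad", "iPad 2", "Apple", "iOS", "4.3.3", date(2012, 4, 15)),
    ("dave", "Dave's phone", "Desire", "HTC", "Android", "2.3.4", date(2012, 5, 1)),
    ("dave", "Dave's phone", "Desire", "HTC", "Android", "2.3.4", date(2012, 5, 28)),
]

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_EVENTS)
    for name, decision in decisions(inv, TODAY).items():
        print(f"{name:16} {decision}")
    print(summarize(inv, TODAY))
```

With the sample data, Alice's updated iPhone is allowed, Bob's outdated phone is allowed until its grace period ends, Dave's phone is blocked because its grace period has lapsed, and Carol's iPad, silent for 47 days, has its credentials revoked.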
Conclusion
The data from the study confirmed that companies are exposed to severe vulnerability risk from mobile devices being used
for work, and highlighted that IT managers are facing significant challenges identifying and addressing the increased number
of risks. Historical approaches focused on control are no longer relevant, and IT needs to instead utilize a mobile security
approach that starts with the three‐step process outlined in this paper. With this new approach, IT can effectively mitigate
the security risks arising from mobile device usage at their organization, while employees can have the freedom to utilize the
device of their choice.