Security training or MDM – you choose

IT service desk culture is full of sarcastic problem descriptions – PICNIC, ID-ten-T, PEBCAK. All of them serve as reminders that the root cause of many issues is user error, not systems failure. This is particularly true in information security, a point I’ve covered more than once before.

So why bring it up again? Because there’s a particularly nasty piece of Android malware on the loose at the moment which exploits user psychology to get itself root privileges on the phone. The full description is here, but the short version is that it exploits the accessibility features of the phone to bypass all the confirmation prompts, and works on the user’s conscience to encourage them to enable accessibility in the first place.

This is a clever variant of the usual phishing approaches, which tend to appeal to greed and lust, rather than altruism. Your first line of defence, as usual, is better security awareness training – I published a basic outline on here earlier this year. I still believe that wetware trumps hardware, but I’m increasingly recommending that clients also adopt a mobile device management (MDM) system.

MDM systems give you extensive and granular control over mobile devices, including the ability to control which apps are installed, and to force – or prevent – updates to apps and to the underlying device operating system. You also get better control over the data on the device, including remote inspection and remote wipe, and the ability to track the device.

The upside is a significant reduction in the risk from mobile devices. The downside is that MDM is quite intrusive from the user’s perspective; it works well for corporate-issued devices that are intended only for business use, but can be difficult to implement in a BYOD environment because of user resistance. As regular readers will know, I’m not that keen on BYOD in the first place, and this is one of the reasons why.

MDMs also cost money, of course, and take time and skill to implement and maintain. If you don’t have the budget, now would be a good time to think hard about the possible costs arising from a mobile breach and make sure that whoever signs the cheques knows what risks they’re accepting.
