Late last year, market researcher IDC reported that by 2015 more U.S. Internet users will access the Internet through mobile devices than through PCs or other wireline devices. Judging by the eager embrace of smartphone and tablets since then, I’d guess their prediction may be conservative.
And unquestionably, this kind of mobility in business is a game-changer both in terms of how we do business and how we do information security.
That’s because mobility means your end-users have become the weakest link in your data security chain, so attacks are shifting from the server side to the client side.
According to one Symantec report , 2010 saw a 93% increase in the volume of Web-based attacks — and during a single three-month stretch in 2010, 65% of the malicious URLs Symantec observed on social networks were shortened URLs.
Note these two common ways hackers now exploit mobile devices and their users:
- Shoulder-surfing: A non-technical attack made possible by highly visible screens that enable crooks to observe log-in details during the authentication process, simply by standing close enough to see your employee’s smartphone or tablet screen.
- Search engine poisoning: Described as an extreme form of black hat search engine optimization, hackers exploit popular search terms (e.g.,’ death of Osama bin Laden’ or ’Haiti earthquake’) by flooding search results with links to bait pages that redirect unwary users multiple times, generally until they land at an irrelevant page that serves as a malware vector. These sites, which may be legitimate but compromised, are part of extensive malware delivery networks and are optimized so they rank high in search results — and their creators are becoming adept at hiding their malicious payloads from search engine crawlers by presenting a clean Web page.
Data loss prevention solutions can help. DLP discovers, monitors, controls, and secures sensitive data (in use and at rest) on your network, on employee desktops or laptops, and/or data residing on end-user systems and network servers.
Also, you need to train your employees to recognize various methods of social engineering and their vectors, such as clicking on email attachments from unknown senders or installing unfamiliar smartphone apps.