Office 365 mobile device security

Bearing in mind that mobile phones and devices are rapidly becoming the de facto standard business systems for corporate executives, you can see why Microsoft has a big campaign to target mobile phone devices with its Office 365 offering. Office 365, provides executives with the most used business services; email communication, download and view confidential documents, research the web, contact list management, IM and conference with other users, and many others all from their mobile device, so you can see how compelling the Microsoft offering is. But how safe is the mobile phone as a business device?

In 2011, in his award winning dissertation on Google Android vs Windows Phone, Nigel Stanley, CEO of Incoming Thought Limited, analysed the security weaknesses of each mobile device to ascertain their strength against a variety of attacks. Both were found to require extra security to help bolster their protection. Since his dissertation the market has greatly moved forward to the point where malware for mobile phones and in particular the Android phone has become a major concern for corporations.

The screenshot above from Kapersky's report - Mobile Malware Evolution Part 5 found that from January 2011 to January 2012, Android malware had increased by over 250 per cent. The following is an excerpt from the report

As early as October 2011, one third of the threats targeting Android were designed to steal personal data from a user's device in one way or another (be it contacts, the call log, text messages, GPS coordinates, photos, etc.). Chinese cybercriminals are the front-runners when it comes to stealing data. What's more, they are typically most interested in information about the device itself (the IMEI and IMSI, the country, the telephone number itself) rather than the owner's personal and confidential information.

The Nickspy Trojan (Trojan-Spy.AndroidOS.Nickspy) is probably the exception to the rule here. This threat is capable of recording all of the owner's conversations on the infected device on audio files and then uploading those files to a remote server controlled by malicious users. One of the Nickspy modifications disguises itself as a Google+ app and can accept incoming calls from the telephone numbers of malicious users unnoticed (the numbers are written into the malicious program's configuration file).

When an infected phone accepts a call like this without the owner noticing, the malicious user can then hear everything happening near the infected device, including the conversations held by the device's owner. This Trojan is also interested in text messages, call data, and the device's GPS coordinates. All of this data is also sent to remote servers run by malicious users. While Nickspy hails from China, Antammi (Trojan-Spy.AndroidOS.Antammi) was created by Russian virus writers. Antammi's "cover" is a legitimate, functioning app for downloading ringtones. The Trojan can steal just about all of a user's personal data: contacts, the text message archive, GPS coordinates, photos, and more. It has also been used to send its activity logs to cyber criminals by email, and to upload the data onto their servers.

The Corporate Executive Programme is an organisation where CIOs, CISOs, and CROs meet once a year to share the major threats affecting their organisations. In the recent May 2012 summit, mobile security and the cloud was one of the top agenda items. During the summit, one keynote speaker demonstrated several pieces of malware that were able to subvert user passwords and get access to on-line banking details.

During his keynote, it became painfully obvious how susceptible mobile devices have become to both technological subversion and physical attacks. From a malware perspective, several attendees shared how they had tried to use anti-malware apps to protect their phone but eventually had to remove the apps due to the detrimental effect the apps were having on the mobile battery, which essentially made the phone practically useless in a business sense.

Essential Practices to Secure a Mobile Device

So what can be done over and above the basic defences? Office 365 Exchange Active-Sync certainly provides basic security for stolen or lost phones but it doesn't protect them from malware and Trojan attacks nor from everyday shoulder surfing or the time gap between a phone going missing and Exchange ActiveSync wiping the phone.

In an interview regarding BYOD risk and security, printed in January this year, Malcolm Harkins, CISO for Intel, discussed several security issues that needed to be addressed in Intel's widely known success with BYOD (Bring Your Own Device). According to the interview, Intel has over 30,000 mobile devices currently being used within its corporation. To help reduce the risk of malware attack and inappropriate mobile device use, Intel offers a two pronged approach. The first is technological in nature, as documented in Intel's white paper security in BYOD and the use of a mobile device management (MDM) solutions, the second, and more important approach is to handle the users' aspect. In his interview on Mobile Policy, Harkins had this to say about the mobile devices in BYOD;

I think the big highlights of it are accountability. We really want to make sure that not only the IT organization is accountable for providing the right technology footprint on those BYO devices so that we can manage reasonable controls on it, but the employees themselves have a level of accountability in understanding the risk that that brings to the company, as well as to some extent, the risk it might bring to themselves. As we layer a footprint on the device, if it's lost or stolen we'll remotely wipe it, which means that the employee's data might get wiped out as well. So again, there are obligations that we expect the employees to do to safeguard that asset, understand what the usage models are in accordance with our policies and our code-of-conduct expectations; but again, use it in a good fashion.

By putting part of the responsibility for managing the risk in the hands of the employees and explaining the impact on the employees' personal data, employees are less likely to be careless in issues such as downloading unknown applications from friends on Facebook, or using their mobile phone to access Office 365 when they are standing in the middle of a crowded train and people can potentially see confidential documents and shoulder surf for ids and passwords. Security awareness, responsibility for part of the risk, the impact on their personal data should their phones be wiped due to malware or compromise, have all been instrumental in helping employees protect their mobile devices and hence corporate data.

In this video, Nigel Stanley briefly touches on many of the subjects broached in this article.