366 Chapter 11 · Mobile Malware Mitigation Measures

simultaneously to their phone's Internet connection and the internal company network, they have created a backdoor into the network. The mobile phone Internet connection has none of the protections the normal company network does. An attacker reaching the mobile phone could use it to access that computer and then the internal network.

Defensive Measures

Now that we have a sufficient model of the use, risk, and nature of the attacks, we can consider our defenses. Mobile defense comes in three forms. Like most other forms of information technology, best practices can address many risks. While some of these are obvious, others are not. Some can be performed with the default device, while others may require additional software. There are also, of course, many vendors that provide various types of security software specifically for mobile devices. While not as expansive as desktop software, there is still quite a selection. Finally, there are some less traditional things that can be done that provide a defense in terms of cost or risk mitigation. This section will look at each of these approaches, explain how they work and which risks they mitigate, and examine how effective they are.

Best Practices

Some simple best practices provide the best return on investment for mobile security. Many are free or at least cheap relative to other solutions and can be very effective against many threats. Of course, with any best-practice approach, the challenge is in consistent execution of the practice and verification. Ensuring compliance on a large scale (for example, a corporate workforce) can be very challenging. How can you be certain that all users are following the best practices all the time? This can be very difficult, especially when the users have full access to the device and can disable features at will. This occurs to a fair extent in the desktop world as well, so it's not a new problem.
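One concrete way to verify the compliance question above against the bridging risk described at the top of this section is to check an interface inventory for hosts that are on both networks at once. This is an added example, not the book's code; the internal address ranges, the tether-name fragments and the sample inventory are constructed assumptions.

```python
# Added example (not the book's code): flag hosts that sit on the internal
# network and on a phone's tethered Internet link at the same time, from an
# interface inventory such as an endpoint agent or NAC system might collect.
import ipaddress

# Assumptions: the organisation's internal ranges, and interface-name fragments
# that typically indicate a phone tether (USB RNDIS, Bluetooth PAN, hotspot).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
TETHER_HINTS = ("usb", "rndis", "bnep", "bluetooth", "hotspot", "tether")

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def looks_tethered(iface: dict) -> bool:
    # Carriers hand out 100.64.0.0/10 or public addresses, so a tether is a
    # non-internal address on a tether-like interface.
    label = f"{iface['name']} {iface.get('desc', '')}".lower()
    return not is_internal(iface["addr"]) and any(h in label for h in TETHER_HINTS)

def find_bridged_hosts(inventory: dict) -> dict:
    """Return {host: details} for every host that is on both networks at once."""
    findings = {}
    for host, ifaces in inventory.items():
        internal = [i["name"] for i in ifaces if is_internal(i["addr"])]
        tethered = [i for i in ifaces if looks_tethered(i)]
        if internal and tethered:
            findings[host] = {
                "internal": internal,
                "tethered": [t["name"] for t in tethered],
                # Traffic leaving via the phone bypasses every corporate control.
                "phone_is_default_route": any(t["default_route"] for t in tethered),
            }
    return findings

# Constructed sample inventory; 192.0.2.x and 198.51.100.x are documentation ranges.
SAMPLE_INVENTORY = {
    "wks-01": [
        {"name": "eth0", "addr": "10.1.5.20", "default_route": False},
        {"name": "usb0", "desc": "Android RNDIS", "addr": "192.0.2.10", "default_route": True},
    ],
    "wks-02": [{"name": "eth0", "addr": "10.1.5.21", "default_route": True}],
    "lap-03": [
        {"name": "wlan0", "addr": "192.168.4.7", "default_route": True},
        {"name": "bnep0", "desc": "Bluetooth PAN", "addr": "198.51.100.4", "default_route": False},
    ],
}
```

Calling `find_bridged_hosts(SAMPLE_INVENTORY)` reports wks-01 (phone is the default route) and lap-03 (tether present, not routing) and leaves wks-02 alone.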
Even at the other end of the spectrum, consistency is an issue. As an individual user, it can be hard to always remember to perform the best practices and not fall into bad habits.

Policy

Like any good security book, this one will tell you to start by writing a security policy. Individuals can skip this step, but corporate IT groups should not. You need to consider several things. First is an acceptable-use policy. Define what you expect your employees to do with the devices. For example, can they use them to make personal calls? Or e-mail? This is often referred to as "mixed use" (as in mixing personal and work). Consider issues from a risk perspective. Does the activity in question carry risk? How much? Is it worth the trade-off for the function it provides?