Mobile is changing the IT security landscape for businesses and companies looking to protect their corporate information. With the proliferation of remote working and BYOD, bad actors are increasingly experimenting with mobile operating systems as a new platform for attack, as was made evident by XcodeGhost targeting iOS devices and the recent non-removable Android malware hijack. Here we take a closer look at the big issues.
1. Mobile security is now a mainstream issue, especially for businesses. Why is that?
It’s simple – where are your employees working? Whether your company has a CYOD or a BYOD policy, mobile devices are a de facto workplace tool; they’re a part of new employees’ starter packs. Keeping these devices secure is a growing challenge.
Just consider the nature of mobile devices: they’re always “on” and have a consistent set of features which makes them an ideally designed surveillance tool, including microphones, high resolution cameras, embedded GPS and multiple network types - including Wi-Fi, cellular and Bluetooth. The average smartphone also has the capacity to hold gigabytes of data. This data is often highly sensitive and valuable, especially when you consider the prominence of BYOD programs and mobile devices entering the workforce for enterprise and governments alike.
Attackers are rational, economic actors. They see opportunity to attack this rich and growing platform. Unfortunately, it’s just that simple.
2. What are the types of threats, breaches, and vulnerabilities that you have seen this year?
Mobile is a highly dynamic industry and as the use cases and value of these devices continue to evolve, so do their threats. This year, we’ve seen everything from data-exfiltrating Trojans and surveillanceware to aggressive adware that collects contact data to launch phishing attacks and root enablers that compromise OS integrity.
In fact, Fortune 500 companies are already experiencing these malicious threats on their devices. Lookout ran a study of mobile devices associated with the global networks of 25 Fortune 500 companies across the UK and US and found that 5 per cent of Fortune 500 devices encountered a serious mobile threat over the past year. By ‘serious mobile threat,’ this does not include chargeware or adware, but instead focuses on Trojans, surveillanceware and root enablers.
3. What does this mean for businesses?
The fact that these threats are already happening on corporate networks, often unbeknownst to the company, highlights one of the main weaknesses we’re seeing today: There are serious gaps in existing models of security, which are failing to account for the scale, complexity and intelligence of mobile threats. In other words, there’s a lack of visibility into the mobile threats that enterprises are experiencing.
Essentially, it means that businesses must change from this reactive model of security, where they wait until they’re hacked, to a proactive security posture, where they’re actively and vigilantly protecting their business.
4. How can businesses take more responsibility for protecting corporate data?
There’s an analogy I like to use. If your local bank only invested in securing the main doors, it might protect against the robbers that use predictable entry points. But what if access to the bank vault was becoming easier via air ducts and pipes or their computer system? At the very least you’d want that bank to install surveillance cameras to keep an eye on those attack points.
Similarly, the modern workforce requires holistic, modern and intelligent security solutions. For mobile, businesses currently rely heavily on Mobile Device Management (MDM) as an important piece of their mobile security programme. However, MDM is not enough to protect your corporate data and mitigate risk. MDM focuses more on device configuration, meaning it can configure policies to enforce security, but the technology itself generally lacks the advanced security features that are required to proactively tackle mobile threats in this increasingly complex environment.
With a more comprehensive security solution for the mobile workforce, CISOs can have visibility of potential threats and malware and intelligently identify devices that have been rooted or jailbroken. Businesses should also educate employees about ways they could accidentally be putting corporate data at risk, via use of public Wi-Fi, phishing emails or not staying on top of software updates.
5. What are the big threats that businesses should be aware of next year?
Don’t underestimate what your employees are capable of doing on their mobile devices and the associated risks. People are doing things to get around security measures at increased rates, including jailbreaking their iPhone or rooting their Android. There’s also sideloading, where you install an application from an uncertified app store or source onto your mobile device. Android has always allowed sideloading, in the name of its open platform. Apple has also opened up its platform to sideloading, but as a nod to enterprises, making it easier for large companies to distribute homegrown apps to their employees.
What’s the risk? As we’ve learned on the Android platform, third-party app stores are often unvetted and applications submitted to these stores may be pirated, tampered with, or contain malicious code. It’s generally a much less-regulated environment where “shadier” apps can exist unchecked.
As enterprises begin to truly embrace mobile productivity, it seems the iOS ecosystem is opening up a bit to work better for them. This is not a bad thing for the ecosystem. But it highlights the need for deeper security controls and less of a reliance on the app stores, and even the operating systems, for protection alone.
6. BYOD is huge now, but is it true that Apple’s iOS is more secure than Google’s Android?
Historically, iOS was certainly perceived as more secure than Android. However, that all changed this year when we saw a number of threats to iOS. With XcodeGhost for example, app developers unwittingly added malicious code to their applications after using a repackaged version of Apple’s development environment Xcode. The impact: for the millions of people who’ve downloaded apps with the malicious code, that code can steal sensitive data and trick people into sharing PII. Businesses were found to be running the malicious version of XcodeGhost on their networks too.
Gert-Jan Schenk, Vice President of EMEA at Lookout