In the mobile security space, organisations face a raft of threats that need to be addressed with next-generation enterprise mobility tools, if they are to successfully protect sensitive corporate data.
We recently published anonymised, aggregated mobile security usage data, which explored the extent to which organisations are cognisant of this mobile threat landscape, and the steps they are taking to ward off breaches.
Our findings don’t make for pleasant reading. For sure, there are organisations that recognise that mobile attacks are on the rise and have adopted next-generation approaches to security for the mobile environment. But these organisations are in the minority.
Device weak links
One of the most vulnerable vectors we see is the mobile device itself. This includes shortcomings in patching, risks from apps, and consequent vulnerabilities that breach security policies.
Compromised devices are high on the risk list. The number of companies with compromised devices accessing corporate data was flat between Q4 2015 and Q2 2016. Given that the past six months saw particularly aggressive and sophisticated mobile attacks, this continued lack of security hygiene is alarming.
A compromised device is broadly defined as a jailbroken device on iOS or a rooted device on Android. However, the definition of compromised devices is more complex. For instance, there are jailbreaking and anti-detection tools that hide the fact that a device is jailbroken.
Android is also more complex than iOS. The customisation of Android by vendors that add in features makes providing consistent security a challenge. There are also device vulnerabilities that can make data that is normally protected accessible, while side-loading can introduce un-vetted apps that may hide malware. These are just some of the potential vulnerabilities. In 2016, we saw more iOS flaws enter the market, though Apple has persisted in addressing them with patches to the OS.
Clearly these vulnerabilities can be used to gain unauthorised access to the corporate network, data, and other resources. Unfortunately, many organisations haven’t yet fully grasped the dangers.
Pressing need for protection
As such, there is a pressing need to ensure mobile operating systems are always up-to-date with the latest patches. This kind of patching tends to be user driven, but what is really needed is organisational policies that centrally require employees to upgrade operating systems. This is more difficult with Android due to fragmentation but it can, and must, be done to ensure device security.
Most EMM platforms can enforce this policy, but our research reveals that only 8% of companies were enforcing OS updates in Q2 2016. This is disturbing given that mobile malware today is sophisticated and the evidence suggests it has also been driven by organised cyber-crime fraudsters.
Policy enforcement is critical to protect the integrity and security of corporate data whether it’s confidential employee and customer data or trade secrets. And policy enforcement is also fundamental to meet mandatory regulations such as PCI Security Council standards.
That said, we’ve noted some significant compliance breaches that should be ringing alarm bells. These range from missing devices that could have been lost or stolen, to users disabling PINs and passcode enforcement, and also removing mobile device management apps. Significantly, devices with out-of-date policies were also relatively common; that is, the IT administrator has changed a policy on the console but it has not reached the device.
The vulnerabilities that these policy breaches present are significant given that during 2015, 96 per cent of mobile variants targeted Android, while there was also a major rise in iOS malware.
One noteworthy and alarming development is that some iOS malware no longer requires the device to be jailbroken. One example is XcodeGhost, which exploited Apple’s Xcode SDK, used by developers to create iOS apps. The long and short of it was that users unwittingly downloaded malicious apps from Apple’s curated App Store. In fact, more than 4,000 apps in the App Store were infected with XcodeGhost.
These threats require aggressive enforcement of compliance policies and quarantining of non-compliant devices. This can be driven by next-generation EMM platforms but it must be layered with a mobile threat prevention platform. This will detect malicious apps, malware and app risks, and also identify device risks by correlating known vulnerabilities against the operating system.
This approach will ensure robust security that protects against the rising tide of sophisticated mobile malware threats and users tinkering with devices, whether it’s downloading apps they shouldn’t or removing password protection. In fact, it’s essential because it’s only a matter of time before we see a major data loss that results directly from poor mobile security hygiene.
Sean Ginevan, Senior Director of Strategy, MobileIron