In a study of 50 of the world's top 100 banking mobile applications, every single one was vulnerable to multiple security threats. It’s a surprisingly short, unprotected trip from a mobile app into a corporate network to valuable assets and capital. It’s baffling to think that even the world’s largest corporations are unable to take mobile threats seriously.
Why Mobile Security Is Important Today
In a typical organization today, 60% of devices containing or accessing enterprise data are mobile. When considering how often corporate leaders use their mobile phones to respond to customer emails, quickly chat about an incident on instant message or open a shared cloud application to review a contract, it’s not surprising to see statistics like these. It is simply more convenient to stay up to date using a device that is with you all the time. And corporations are okay with it: 75% of enterprises have a bring-your-own-device policy in place.
In fact, there are more bring-your-own-mobile-device environments in enterprises than there are company-owned or custom (point of sale) devices. The many risks they bring are only growing. Attackers have a gold mine of targets, from device storage to network tapping to authentication tokens, business applications, microphone, camera, GPS and accelerometer functionality. The opportunities to turn a mobile device into a spy camera and data collection tool are prebuilt into the device. Complexity naturally favors the attacker, and mobile devices are adding a pervasive new layer of complexity to corporate environments.
What Do Mobile Threats Look Like?
Mobile threats can be boxed into four distinct categories: user behavior, application, device and network threats. Let’s break these down with simple examples of each.
User Behavior Threats
Despite being labeled “User Behavior,” user behavior threats aren’t necessarily the fault of the user. Users will always gravitate towards convenience, and security professionals and developers must prepare for that. The most pervasive examples of user behavior threats manifest as users break policy, use corporate devices for personal use and click on malicious links.
Over two-fifths of senior professionals who experienced a mobile-related compromise said it involved phishing. The first thing people think of when phishing comes up is phishing emails. However, the majority of mobile phishing attacks come from outside emails, on messaging apps, games, social media and other platforms.
As anyone who has received a text like this can attest, the hardest-to-ignore phishing scams often come via text message and result in identity theft or identity abuse.
Application threats split one of two ways: malicious apps or enterprise apps developed with poor coding practices. Malicious apps run rampant on the Google Play Store. Even on the iOS App Store, where there are some of the strictest regulations on mobile apps, many malicious apps have successfully made it into the store.
Device threats are mainly rooted in a reliance on MDM (mobile device management) and a lack of Hardware Root of Trust. Two examples of how this might happen come from devices going missing and users choosing not to update the operating system. For reference, at least 57% of Android devices are running an operating system at least two versions behind, which equates to 507 known vulnerabilities per device. Many people choose not to update their operating system out of convenience, but it can have painful security consequences.
Public WiFi networks are the bane of a security professional’s existence. More than 80% of employees use public WiFi for work tasks, even when officially banned. We can’t force people to respect policies; telling them “don’t do that” isn’t going to work. We need to find another way that makes it simultaneously easier and more secure.
So How Does This Translate into Real-World Impact?
This translates into real-world impact in three ways:
- By giving malicious actors access to a device so they are then able to steal, change or destroy sensitive data.
- By giving malicious actors an entry point into a larger environment, like a cloud app, database, server, peer system, network, data center or many others.
- As a launching point to attack others in your social networks, or as an asset for later as part of a larger operation like DDoS (distributed denial of service), monitoring of message queues, etc. This case will not be elaborated on at length here, as there are many paths this can take.
The first case is relatively simple. When attackers gain access to your phone, they can use it to steal sensitive data like usernames, passwords, credit card information and more.
The second and more compelling case is when a mobile device is used as an entry point into the corporate network.
Picture it: A security analyst gets an alert for attempted ransomware in a corporate environment. Her investigation shows her that the malware moved laterally across the network, dropped a ransom note and tried to lock files across multiple machines. With existing controls, the ransomware was prevented immediately. She could see the majority of the attack tree but finding the root cause of the incident proved elusive.
What can she do in this instance? Remediate what she can see and move on, without understanding where the attack actually started? What if this attack started from one of those insecure mobile banking apps that are so prevalent?
For a lot of teams, all they can do is remediate what they can see and move on. They don’t have the tools to fully resolve an incident like this.
Those who have the option may use other tools separate from their existing controls, like mobile threat detection or mobile EDR (endpoint detection and response). But they still have to manually connect the dots between the attack they see on the network through existing controls and the attack they see through secondary tools. Siloed security tools inevitably add more time to remediate and more room for analyst error.
The best approach that security leaders can take when addressing mobile security is to recognize that whether it is a laptop, a workstation or a mobile device, it is still an endpoint. An endpoint is an endpoint is an endpoint. When we consider how to defend mobile devices, the best approach is to integrate it into our existing tools so we can have a single, unified view of an attack and insight into endpoints with common telemetry … just like the attackers do.