A good friend of mine is fond of saying “The first thing to do in any crisis is panic, but once you’ve got that out of the way you need to figure out what you’re going to do next.” That phrase has always resonated with me because, while alarmism might be our natural instinct, it’s usually not very helpful. Mobile malware is perplexing because we can’t seem to collectively decide whether it warrants actual panic or is just a minor irritant. The Verizon Data Breach Investigation Report (DBIR) humorously quips “I Got 99 Problems and Mobile Malware Isn’t Even 1% of Them”. While no high-profile breaches have been directly attributed to mobile (yet), it’s entirely possible that we’re overlooking how mobile may already be fitting into the Cyber Kill Chain®.
Indeed, while we may be quick to shrug off things like contacts being read and exported as mere annoyances, we shouldn’t forget that Step 1 is Reconnaissance. The more that can be learned about a potential target, the better equipped bad actors are to mount an effective attack. Symantec’s 2015 Internet Security Threat Report (ISTR) indicated that “there was an eight percent increase in targeted attacks via spear-phishing campaigns, despite an overall decline by twelve percent in the number of spear-phishing e-mails sent” and also noted that “Attackers have taken more time to plan and coordinate attacks before launching them, paying particular attention to reconnaissance.” In this context, mobile doesn’t need to be the attack vector if it can help make traditional attacks more likely to succeed. To be clear, the report makes no claims about mobile data exfiltration as a reconnaissance tool for targeted attacks, nor does it draw any connection between mobile and the apparent increase in spear-phishing efficiency, but it would be foolish to ignore the possibility. Moreover, just because it might not be happening today is no reason to expect that it couldn’t or wouldn’t: history has clearly shown us that attackers are nothing if not creative and highly adaptable.
Nor should we expect mobile to remain relegated to supporting roles in cyber attacks. One of the other findings presented in the ISTR was a 32% increase in the number of mobile vulnerabilities disclosed from 2013 to 2014. 2015 has also brought the disclosure of a number of very high-profile and dangerous vulnerabilities and the availability of corresponding exploits. When this increase is combined with the “always on” connectivity of mobile and the nearly three-fold increase in the number of devices people carry, it creates a very large potential attack surface. Other analyses sound similarly cautionary notes about the potential risks posed by the ever-increasing access mobile devices have to corporate data and the trend toward mobile as the primary computing endpoint. The danger is compounded when organizations rely only on inadequate tools such as ActiveSync to protect their mobile fleets.
Setting aside the differences of opinion surrounding the severity of the problem, it’s probably still safe to say that the current state of mobile threats pales in comparison to the traditional IT threat landscape. Mobile is — at least for the moment — ahead of (or at least less interesting and useful to) our attackers. As such, we’re in the rare position of being able to prepare for — rather than react to — the need for greater security.
Like any exercise, securing modern endpoints begins with good fundamentals. As previously discussed, mobile endpoints offer a much sturdier security foundation than their legacy counterparts, but there are still important steps that should be taken to fortify against potential attacks:
- Understand the scope of mobile device access to critical data and provide additional controls when necessary: without a clear picture of what data is accessible, it’s impossible to adequately protect it.
- Ensure you have tools in place to validate the integrity of the device/OS: a compromised OS means that none of the innate security features can be relied upon.
- Dynamically enforce access control: there’s not much left of the traditional network perimeter these days, but there are mature technologies that can restrict or deny access based on device status and they should be part of every mobile deployment.
- Protect against risky apps: it’s impossible to manually evaluate the Software Development Lifecycle (SDLC) of the nearly 3.5 million apps available in the commercial app stores, yet apps represent one of the most likely attack vectors. Leveraging tools to understand their inner workings will help to reduce exposure.
- Break your mobile security out of its silo: mobile security tools that integrate with the rest of your IT and security infrastructure help you understand threats in context and protect your assets uniformly.
We shouldn’t expect the détente to last, but neither should we squander the opportunity. We can skip the panic, but we must seriously evaluate how this new class of devices fits into our larger IT environment and what that means for both our risk profile and our risk appetite, and we must continue taking concrete steps to protect our tools so they don’t become weapons.
Stay tuned to the MobileIron Rethink: Security blog for all the latest news and analyses of enterprise mobility, mobile security threats and countermeasures, and more.