The State of Mobile Security 2019
Matthew Shaver recently published an excellent piece on the state of UEM in 2019. He covered changes that Apple and Google have made in their approaches to mobile device management, and how the industry needs to adapt to a new reality. Citing the film, “The Right Stuff,” Matthew illustrated our collective inertia in responding to a condition that has already come to be, i.e. new frameworks for device management. Matthew’s premise is that we’re paralyzed when it comes to adjusting to frameworks we already know about.
So, how should we react to the things we don’t know about, the kind that introduce themselves in a very unwelcome manner? Let’s look at this through the lens of mobile security. The premise of this article is the world has changed, the attack vectors are different than what they were in the past, and we ought to do something about it.
Who moved my cheese?
Malware, malware, malware. When the mobile security discussion was broached, if it was at all, malware was all we heard about for a very long time. Even then, malware was largely perceived as an Android issue; since Apple has always maintained a highly curated app store, it seemed like there was less of it (with the exception of some notable biggies like XcodeGhost). But these days, Google seems to have addressed many security and malware issues with Google Play Protect and Android Enterprise. I’m not saying we don’t need to protect ourselves against malware; we do. This was epically proven when Epic Games decided to cut out the middleman and publish Fortnite directly from their website instead of Google Play. Overnight there were tons of sites hosting the app, and sometimes that app was malware.
What can malware do? It can serve up adware, collect data about users, harvest data from other apps, and, of course, sometimes it can execute a device exploit. Even if an app isn’t malware per se, it’s important to look closely at what data apps are accessing or collecting and where they are sending that data. Mitigating malware and controlling data leakage through apps should be a part of your overall mobile security strategy, but it’s only a small piece of the puzzle.
The big issue I see is that we focused nearly exclusively on malware, and even then, only a very small percentage of organizations invested in protecting against it. Meanwhile, the enterprise continued to pour hundreds of billions of dollars into protecting networks and services with firewalls and intrusion prevention systems, even as those services moved to the cloud. When organizations finally did notice they were storing a lot of information in the cloud, we rebooted the old firewall idea and funneled our data through Cloud Access Security Brokers (CASBs). At the same time, even as mobile and cloud use was exploding in the enterprise, we doubled down on our endpoint protection strategies, trying to secure PCs, which have been experiencing flat-line growth for the last five years or more. Yes, it’s still important to have secure networks, but often that’s not where the data is anymore. So, what are the biggest mobile threats today?
The Four Horsemen of the mobile apocalypse
Man-in-the-middle (MiTM) attacks. It all sounds like a fun game, until someone starts siphoning off your data, collecting your passwords, injecting code into your browser sessions, and/or redirecting your web traffic. All it takes is a $99 pineapple and some basic knowledge to execute these. It’s amateur hour out there.
Phishing. We know most web traffic now originates from a mobile browser. That same link you click on from your desktop can also be hit from Mobile Safari, Chrome, or whatever your browser-du-jour is. It’s just as easy to phish credentials from a mobile device as it is from the desktop. To top it off, mobile has a risk factor we don’t always find on the desktop: malicious links, and even code, can be delivered through an SMS message.
Ransomware. Ransomware on the mobile device itself is a problem, with products like SLocker simply locking up your device until you pay. The bigger threat, though, is ransomware holding an entire network hostage. Mobile just magnifies the attack surface; a phone or a tablet can be a very good way to get into an otherwise secure network.
Vulnerabilities, roots, and jailbreaks. This could be a whole article. A book, even. There are many ways to pwn a device, from self-initiated jailbreaks, to exploits that take advantage of known vulnerabilities before they are patched, to government-grade exploits like Pegasus (available for 650K to hack 10 devices, plus a 500K initiation fee). When a device is exploited this way, it becomes the perfect spy tool. It has a camera, a microphone, and it knows all your passwords, and all of these can now be controlled by someone else.
Get yourself an IdP
As we morphed into the new “perimeter-less” world of cloud services, we had a bad habit of creating passwords with every new service (and let’s face it, often we had no choice). That spurred new identity federation and single sign-on solutions and created a new framework for identity that could operate outside of the corporate network: the IdP. If you haven’t looked at Okta, Ping, OneLogin, SailPoint, or even Microsoft ADFS to juggle the proliferation of passwords, you should. Keep in mind, though, that a password can still be phished or obtained in any number of ways. More on that later.
2FA is nice, but you still have a password
Adding two-factor authentication can absolutely help protect your assets, but you shouldn’t declare mission accomplished once you’ve done this. Tokens and SMS codes can still be phished, and social engineering can be used to reroute phone numbers to a hacker’s device. Deploying 2FA can also create help desk issues and deployment challenges, and even more importantly, lazy people don’t want to jump through hoops to access a service.
Make it easy for your users
Whatever security you do employ, it should be unobtrusive. We don’t want to inhibit productivity. Native single sign-on and seamless VPNs that work without the user having to manually launch an app should be leveraged. Certificates should be used for authentication, and moving forward, we should also look at emerging security standards that can leverage the biometrics on a device, like FIDO2.
A new approach to security
Forrester calls it Zero Trust. Google calls it BeyondCorp. Gartner calls it Continuous Adaptive Risk and Trust Assessment (CARTA). The essential takeaway is you never trust an endpoint until you can be sure it’s safe, and you continue to verify that the device is in compliance ALL THE TIME. This requires a layered approach to security. Leverage mobile device management (MDM) / unified endpoint management (UEM) to make sure a device is in compliance with your company’s policies. Overlay that with a Mobile Threat Defense solution to protect against MiTM attacks, device exploits, malware, and phishing. Make sure the threat defense solution is really looking at device behavior so you can successfully detect and remediate zero-day exploits. And, make sure the device is in compliance before you allow it to access company resources and data. Continuously monitor and check in to make sure the device is still safe. Rinse, lather, repeat.
Conditional Access with device integrity
Jack Madden of brianmadden.com published a great article that posed the question, “where should we implement conditional access?” The CASB industry will say they can do this by funneling all your traffic through a service broker before it hits the target resource. There definitely are some benefits in this architecture, especially when it comes to User and Entity Behavior Analytics (UEBA). For instance, did someone just download a terabyte of data, and if so, did that set off any alarms? The IdP industry will also say they are the logical point of enforcement. Both have some merit, but neither of them actually knows whether the device that is trying to access a resource is secure. It takes an MDM/UEM footprint on the device to know if the device is in compliance and managed by the organization. Only UEM can truly know if an app is managed (meaning the app and its data can be removed) before it tries to access company data. These products can all work together to produce a zero trust environment, but they need to talk to the MDM/UEM solution. That’s the ONLY way to know if a device should be trusted to access a company resource.
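As an added illustration of the layered, continuously re-evaluated access decision described in the two sections above (example code written for this article, not from the article's author or from any UEM, MTD, CASB or IdP product): a default-deny evaluator that admits a request only when the IdP has authenticated the user, the UEM reports the device and the requesting app as managed and compliant, the threat defense reports none of the article's threat classes, and the posture report is fresh; `session_trace` then re-runs the decision at every check-in so a session that turns bad is revoked rather than left open. The posture schema, field names, threat labels and the 15-minute freshness threshold are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed posture record: the signals an MDM/UEM agent and a Mobile Threat
# Defense (MTD) product report about a device. Field names are hypothetical.
@dataclass
class DevicePosture:
    device_id: str
    managed: bool           # UEM footprint present on the device
    compliant: bool         # meets company policy (passcode, OS level, encryption, ...)
    app_managed: bool       # requesting app and its data can be removed by UEM
    threats: List[str] = field(default_factory=list)  # MTD findings, e.g. "mitm"
    posture_age_s: int = 0  # seconds since the device last checked in

# The article's threat classes plus the device compromise they lead to; any one denies.
BLOCKING_THREATS = {"mitm", "phishing", "ransomware", "malware",
                    "jailbreak", "root", "exploit"}
MAX_POSTURE_AGE_S = 15 * 60  # a stale posture is an unknown posture, so it denies

def decide(posture: DevicePosture, idp_authenticated: bool) -> Tuple[str, List[str]]:
    """Default deny: ("allow", []) only when every check passes, otherwise
    ("deny", reasons) so the denial can be explained to the user and logged."""
    reasons = []
    if not idp_authenticated:
        reasons.append("user not authenticated at the IdP")
    if not posture.managed:
        reasons.append("no MDM/UEM footprint, compliance unknown")
    elif not posture.compliant:
        reasons.append("device out of compliance")
    if not posture.app_managed:
        reasons.append("requesting app is unmanaged, its data could not be wiped")
    found = sorted(BLOCKING_THREATS & set(posture.threats))
    if found:
        reasons.append("active threat: " + ", ".join(found))
    if posture.posture_age_s > MAX_POSTURE_AGE_S:
        reasons.append("posture older than %d s" % MAX_POSTURE_AGE_S)
    return ("deny" if reasons else "allow", reasons)

def session_trace(idp_authenticated: bool, reports: List[DevicePosture]) -> List[str]:
    """Re-evaluate at every check-in. A failure after an earlier allow is reported as
    "revoked" (tear down the live session); a clean report after remediation re-admits."""
    states, active = [], False
    for report in reports:
        verdict, _ = decide(report, idp_authenticated)
        if verdict == "allow":
            states.append("allow")
        else:
            states.append("revoked" if active else "deny")
        active = verdict == "allow"
    return states
```

In a real deployment the posture comes from the UEM and MTD APIs at the moment of the access request and again on a schedule, and the "revoked" state is what triggers session termination at the IdP or CASB.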
We don’t have a budget for that
Companies do have security budgets for commonly accepted threats, but by and large, those budgets are dedicated to protecting the networks of the past. They continue to invest in desktop security, but they don’t have a mobile security budget. That’s fine, but let’s look at the facts. Most internet traffic is mobile. That’s not news, we know the numbers keep going up every year for mobile browser traffic (more than half of all web traffic is mobile), number of minutes spent on the device, the number of times we touch the device, the absolute anxiety we feel when we leave the device behind… Just look at your own habits and the people around you. Desktop is being relegated to the tasks that are easier to do on desktop (like a spreadsheet, PowerPoint, a long email). The rest, meaning anything that is easier to do on mobile, will happen on mobile.
Call to Action
Start ringing the alarm bell. Begin building a zero trust strategy for mobile today. Beg for budget if you need to and examine how your current MDM/EMM fits into your new zero trust framework.