The Three Ways Your Mobile Device is Putting Your Company at Risk
The explosion of mobile devices has changed the way people live and work. Enterprises want to take advantage of the productivity benefits mobile devices present without compromising an organization’s sensitive IP. With more business being conducted on the go, outside of the office, on cellular and WiFi networks than ever before, organizations need a new approach that overcomes traditional security limitations to secure mobile devices.
Mobile Security Challenges
Cyberattacks are estimated to cost the global economy $3 trillion in lost productivity and growth by 2020. Organizations must balance security requirements with user access demands. Is the productivity benefit of providing access to corporate services via mobile device greater than the very real risk that a single cyberattack could compromise an enterprise’s brand, profits and customer relationships?
92% of employees use their personal mobile devices for work. They roam freely, download apps, send personal email, browse the web, and utilize social media with the same device they use to access corporate applications and sensitive data. These personal devices are controlled and operated by the user, not the enterprise. The challenge for today’s enterprises is to protect these roaming devices and the sensitive content they access without compromising the user experience, draining the battery, or violating a user’s right to privacy.
As a security researcher at Samsung, my core job was to detect code vulnerabilities and essentially hack mobile devices (as well as other smart devices). While hacking has become increasingly difficult on traditional PCs, mobile devices are still relatively unprotected and enable hackers to pivot through these devices to access internal networks easily. Malicious actors are switching from attacking PCs to performing targeted attacks on employees’ mobile devices. The best defense strategy should focus on protecting the “front lines,” the mobile devices that are leading your business outside the company’s fortressed network. Based on my security experience, I’ve summarized the three ways your mobile device is putting your company at risk.
1) Falling victim to Mobile Spear-Phishing attacks
The traditional spear-phishing approach that was used to hack many enterprises via PC applies to mobile devices, too. Hackers will socially engineer an email to trick a user into opening a malicious attachment, such as a .doc or .pdf file, or clicking on a malicious link that exploits a client-side vulnerability. Once the device is compromised, the attacker can connect to corporate resources using the device and leverage email, VPN and CRM access to cause a data-stealing catastrophe. Educate users about how to identify a targeted phishing attempt and advise against clicking questionable links or opening attachments from unknown senders. By following basic email precautions and deploying security for mobile devices, organizations can protect users from being compromised by mobile spear-phishing attacks.
2) Getting compromised by network-based attacks
Next-generation attacks prey on iOS and Android devices traveling across public and private networks all over the world. Existing network security solutions lack the visibility required to protect mobile devices once they leave the corporate network and, in most cases, inside the corporate network as well. Through a basic network attack, such as a man-in-the-middle attack chained with an additional client-side vulnerability (e.g., a browser attack), a hacker can infiltrate a mobile device. This simple attack can redirect traffic, regardless of whether a user clicked on a link to a malicious webpage. The hacker can lie dormant on the device until it reconnects to the corporate network. Once the device is reconnected, the attacker can pivot through the organizational network and continue to repeat this attack until the entire network is compromised.
3) Relying on solutions not optimized for mobile devices
Attacks can target mobile devices in multiple ways, including email, browser, apps, network and other vectors, as discussed in the mobile threat landscape whitepaper. As such, organizations need to protect the whole mobile device against malicious behavior, not just one vector. Threats are dynamic, constantly changing and evolving to evade traditional technology. Organizations need to adopt a solution that protects against both known and unknown threats. Signature-based solutions such as antivirus and app reputation are not immune to simple and known evasion techniques such as time bombs (download & execute), polymorphic malware or virtual machine awareness.
Relying on just signature-based technologies to provide enterprise-class protection is risky. Enterprises need to deploy a solution that runs efficiently on iOS and Android mobile devices and also provides complete protection against both known and unknown threats. Enterprises should adopt solutions that don’t rely on sending end user data to the cloud, because doing so can compromise a user’s experience, violate privacy and drain the battery, and will not protect the device at all when it is not connected to the Internet (hotel/airport WiFi, foreign country, etc.). Organizations that seek to protect smartphones should focus on solutions that do not require a constant connection to the Internet in order to protect the device, as VPN-based solutions do.
In order to maximize the productivity benefits of mobile devices, enterprises need to first ensure that their mobile devices are not putting the company at risk. Organizations need complete, continuous, optimized protection for major platforms like iOS and Android. There you have it, the first part of my guide to understanding how mobile devices have changed the security landscape for enterprises today. I am planning to do a series of posts that explain the security gaps and what existing mobile security solutions miss due to architectural limitations. Now it’s your turn – I’d love to hear what you think is most important to consider when building a mobile defense strategy in the comments.