November 29, 2017

min read

The Evolving Mobile Threat Landscape

Many organizations are moving much of their business to the cloud and to a mobile environment, where employees can work from virtually any location as effectively as if they were in their office. It's now common for employees including senior executives to be working mainly from tablets and smartphones.

This is the post-perimeter world, in which enterprise data is accessed through cloud services, and mobile devices that cannot be contained, controlled, or protected by traditional security. Because of this organizations are facing a multitude of mobile-based attacks that go well beyond the scope of what used to be considered the boundaries of the enterprise.

As Lookout Vice President of Security Research Mike Murray pointed out in a recent talk, what will most impact companies' ability to provide that kind of expanded work environment is their ability to secure and trust the mobile platform.

"If we cannot trust that platform, we cannot move our assets to it," Murray said. "And the truth is, that evolution is happening already. The world is moving faster than we possibly would have imagined five years ago. The mobile platform is not just our phones, but our primary compute device."

Even when people are working in the office, much of the time they are connecting to corporate resources via someone else's network. "That means your firewall is useless, your network intrusion detection sensors are useless, your web content gateway is useless," Murray said. "We have gone to a world where the perimeter is no longer defined by the controls that we deployed 10 years ago, but by wherever the user's location is."

"A Lookout customer explained to Murray that they conducted a survey of their active directory and found that 75 percent of authentication events on the corporate directory services came from mobile devices, not from PCs."

Failure to properly secure the mobile device, however, could result in data loss, significant infringement fines, and brand reputation damage. Unfortunately, it's fairly common for employee to use a smartphone at work that has access to vital corporate information assets and not even be equipped with security software such as an anti-malware program.

"Think about that for a second," Murray said. "We've moved to this world where all of our users are accessing all of our corporate data from these tiny supercomputers, and we've done nothing to secure them."

A Lookout customer explained to Murray that they conducted a survey of their active directory and found that 75 percent of authentication events on the corporate directory services came from mobile devices, not from PCs.

"If I'm a highly resourced attacker and I want to steal all of your important crowned jewels, it's no longer enough for me to break into a laptop," Murray said. "I must break into the phone too. So it's not to say that this is a target for the enterprise, this is the target for the enterprise."

To address the growing threat, Lookout created a concept called the Spectrum of Mobile Risk. The concept of the spectrum is not new, Murray noted, because it has been applied to other machines over the years. But mobile devices are simply another endpoint, and the security risks need to be addressed separately.

The Spectrum of Mobile Risk presents a way to think about malicious threats to data on mobile; the vulnerabilities mobile devices, networks, and apps may have; and the insecure behavior and configurations of mobile device users, such as bad passcodes and clicking on phishing links.

The Mobile Risk Matrix, the accompanying framework, also includes the vectors by which those risks are applied on the mobile device: the apps, the device itself, the network, and the web content.

In today's overall security threat landscape, it's the mobile device that has gained the most attention from the most dangerous adversaries.

"The most advanced actors are the ones compromising mobile devices today," Murray said. "What we see from our perspective, having access to more than 100 million mobile devices around the world and seeing over 50 million apps, is that the most serious threats are the ones that are targeting mobile first."

The mobile kill chain often starts with social engineering of some sort, Murray said. Unlike an infrastructure attack against a web server or database, a mobile attacker needs to get the mobile user to take some action, such as falling for a phishing lure.

"While phishing in a traditional enterprise has been a problem, phishing on mobile is a million times worse," Murray said. With email phishing on desktop systems, companies can deploy software on email servers and try and stop the phishing messages.

"On the mobile device, you can't catch the message," Murray said. The phishing messages can come in through text, Facebook Messenger, WhatsApp, or whatever the user happens to have on the device, and all are difficult for management to catch. Then once the attacker has gained access through the device, he can gain privileges and get access to all sorts of data, and create the perfect spying device.

"And to turn this into the perfect spy device, all I have to do is send you a message and get you to click on a link, Murray said.

With these kinds of threats security executives need to take steps to address the serious and growing mobile risk environment. The mobile device, and the services we now use with it, all poke holes in our existing concept of the "perimeter." To stay focused on the perimeter as an enterprise's security failsafe is a mistake that fails to consider the realities of work today. Mobile devices are not a future consideration, they're a forgotten endpoint. They're already accessing and sending enterprise assets around the world. Relying on a perimeter system today is an enterprise's biggest security mistake.

​​Contact​ ​Lookout​ ​to​ ​learn​ ​more​​ ​about​ ​what mobile security looks like in a post-perimeter world.