Lookout Logo

Mobile Risk Assessment

This Mobile Risk Assessment helps organisations understand their risk based on mobile data access, existing controls such as EMM, and the resulting security gaps. This assessment contains four personalized sections generated from your survey response:

1. Your Mobile Risk Assessment

Mobile Risk Matrix

Your Mobile Risk Assessment is based on a framework called the Mobile Risk Matrix, outlining risk across threats, software vulnerabilities, and risky behaviors & configurations for each of the attack vectors on mobile devices.

Within this framework, we assess each box across the likelihood of occurrence and impact to the business based on your answers to the survey. The assessment will be represented using the key below:

Severe

This represents a “severe” level of risk with a high likelihood and impact to the business

Moderate

This represents a "moderate" level of risk with a medium likelihood and impact to the business

Negligible

This represents a “negligible” level of risk with a low likelihood and impact to the business

Based on your answers, your organization allows the following levels of access on mobile devices:

  • Email, corporate messaging, contacts or calendar?
  • Enterprise apps?
  • Corporate networks?
  • Multi-factor authentication or stored credentials?
  • Administrative tools?
This is considered a HIGH MODERATE LOW level of data access, based on how much sensitive data your organization allows on smartphones and tablets.

You also told us your organization has invested in controls for:

  • Jailbreak and root detection?
  • Remote device wipe or lock?
  • Lock screen requirements?
  • Mobile containers?
  • Rights management solutions?
  • Malicious apps?
  • Apps downloaded from third-party app stores?
  • Man-in-the-middle attacks over wifi or cellular connections?
  • Targeted attacks on the mobile operating system?
  • Mobile phishing attacks?
  • Risky websites?
  • App-based vulnerabilities?
  • Operating system vulnerabilities
  • Vulnerable device configurations?
  • App data leakage?
  • Rogue Wi-Fi hotspots?

This is a good first step and has reduced your risk profile across the following areas of the Mobile Risk Matrix:

2. Your Results: GDPR Compliance Risks

GDPR compliance risk for mobile is SEVEREMODERATENEGLIGIBLE

GDPR will come into effect on May 25, 2018. Companies, both those based in the EU and those that conduct business in the EU, that fail to comply with GPDR requirements could face a fine of up to 20M EUR or up to 4% of their annual revenue, whichever is greater.

Article 5 of GDPR says that "personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures."

Mobile devices, even those that are corporate owned, are personal. This is the new target for attack, the new risk to an organization. Whether through malicious attack, configurations or user actions, the mobile platform has become a rich target for gaining access to sensitive data.

80% of IT executives agree that the personal data accessed on their employees' mobile devices could put their company at risk for GDPR non-compliance1

1. 2017 Enterprise Mobility Survey, Berg Research, September 2017

The results of your survey indicate the below risks for GDPR violations:

Malicious apps that can steal personal data, damage devices and give unauthorized remote access

Device vulnerabilities that can be exploited to heighten attacker permissions to spy on all communications occurring on the device, causing data loss

Apps that access location and therefore turn the mobile device into a proxy of the user’s physical location, allowing an individual to be tracked without explicit consent

Mobile Apps that insecurely handle data at-rest and in-motion, opening the door to attackers to compromise the confidentiality of personal data being transferred

Mobile devices that are connected to a network that has been compromised by a man-in-the middle attack, resulting in personal data being siphoned off the device

Mobile phishing attacks that result in personal data being exfiltrated from the device

3. Your Results: Business Risks on Mobile Devices

“The signs are clear that mobile threats can no longer be ignored.”
Gartner Market Guide for Mobile Threat Defense Solutions
Dionisio Zumerle, John Girard, August 2017

Based on your answers, your organization allows the following levels of access on mobile devices:

App Risk

  • App-based malware poses the biggest risk on mobile devices, and the trend is only rising. According to a recent Gartner report, “By 2019, mobile malware will amount to one-third of total malware reported in standard tests, up from 7.5% today."2
  • On average, 50 out of 1000 Android enterprise devices encounter an app-based threat every quarter.
  • On iOS, apps can easily bypass Apple App Store review and be installed from third-party app stores. On average, 110 out of 1000 iOS enterprise devices sideload an application every quarter.

42%of employees say they download applications outside of the main app stores (Google Play and Apple App Store)1

Real world example and impact

Threat Name

Igexin

What Is It?

A malicious ad SDK found in popular apps in the Google Play Store that exfiltrated PII to China. The threat is enabled via remote code pushed from Igexin-controlled servers.

What Can It Do?


  • Send SIM serial number, International Mobile Subscriber Identity (IMSI), or voicemail number to a remote location
  • Send details about installed applications to a remote location
  • Send details about currently running applications to a remote location
  • Download and execute malware after “clean” app is installed
Threat Name
 

Sideloaded Apps

What Is It?

Lookout has seen an increase in apps installed outside of the official app stores, which bypass Apple and Google review and can easily be installed on non-jailbroken devices.

What Can It Do?


  • Use private APIs to access data that Apple and Google would not allow
  • Trick the user into submitting their login credentials
  • Install a VPN to harvest personal data from the device
1. Enterprise Mobility Survey, Berg Research, September 2017
2. Gartner Market Guide for Mobile Threat Defense Solutions, Dionisio Zumerle and John Girard, August 2017

Device Risk

  • Device risks have significant potential to cause catastrophic data loss because they can break through a device's app sandbox and embed themselves deep in the operating system to achieve heightened permissions for the attacker.
  • The risks can come from threats, as well as vulnerabilities in the operating systems and risky device configurations.
  • Looking at a subset of our active Android users over the past year, 1 in 100 devices encountered a rooting Trojan. Moreover, 5 in 1000 of our enterprise protected Android devices are rooted.
  • On iOS, 1 in 1000 of Lookout enterprise protected iOS devices are jailbroken.

39%of the 699 CVEs patched between iOS 9 and iOS11 could enable remote code execution (RCE).

Real world example and impact

Threat Name
 

Pegasus

What Is It?

This advanced spyware was utilized on both iOS and Android and represents the most sophisticated targeted attack on mobile devices to date. Critically, Pegasus only requires a victim to visit a malicious web page and does not need the targeted individual to install an app to activate.

What Can It Do?


  • Capable of activating a phone’s camera and microphone to snoop on conversations around the device.
  • It can also track a victim’s movements and steal messages from end-to-end encrypted chat clients.

Network Risks

  • Network risks take advantage of weakness in how web sites or applications establish TLS/SSL sessions over Wi-Fi, cellular, or other networks. These attacks can be executed directly by attackers or through malware using automated methods.
  • In your survey, you stated that some of your employees travel to foreign countries that would concern you from a security standpoint. As such, connecting to rogue Wi-Fi networks poses a higher risk.
  • Across Lookout customers over the last year, around 10 in 1000 enterprise devices encountered a man-in-the-middle threat.

64%of employees say they connect to public Wi-Fi networks on the go1

Real world example and impact

Threat Name
 

Executive encounters a man-in-the-middle attack

What Is It?

During a trip to Asia, an executive of a Lookout customer encountered a man-in-the-middle attack on their iPad connecting to a fake Wi-Fi network. Many inexpensive Wi-Fi devices now exist which make it easy to set up these rogue access points.

What Can It Do?


  • Get in line to the network traffic
  • Trick the user into installing configuration profiles that enable the attacker to see encrypted data-in-transit
  • Steal sensitive data such as login credentials and files sent over email
1. Enterprise Mobility Survey, Berg Research, September 2017

Web & Content Behaviors Risk

  • Phishing attacks containing URLs that lead to malicious websites are significantly more likely to be tapped on a mobile device than they are to be clicked on a desktop PC.
  • Examples of web-based threats include malicious web pages that can cause downloads or directly exploit a device. Malicious URLs are most commonly delivered via phishing emails or SMS messages.
  • Across Lookout customers over the last year, 1 in 10 devices have visited a phishing URL.

35%of employees say they open links on their mobile device even if they are not 100% sure they are safe1

Real world example and impact

Threat Name

Mobile Safari ransomware

What Is It?

Scammers abused the handling of pop-up dialogs in Mobile Safari in such a way that it would lock out a victim from using the browser. The attack would block use of the Safari browser on iOS until the victim pays the attacker money in the form of an iTunes Gift Card. During the lockout, the attackers displayed threatening messaging in an attempt to scare and coerce victims into paying.

What Can It Do?


  • Ransomware has been used to extort organizations into paying to restore access to data
  • Browser-based attacks like this can create confusing and intimidating experiences that could coerce a user into entering in corporate credentials
Threat Name

Pallas mobile APT

What Is It?

Nation state actors (known as Dark Caracal) conducted the most globally active mobile-specific spy campaign Lookout has ever seen. The threat relied on social engineering via Facebook and WhatsApp messages and fake app stores in order to compromise target systems, devices, and accounts, the goal of which is to eventually drive victims to a watering hole controlled by Dark Caracal.

What Can It Do?


  • Aggressive spyware that can exfiltrate secure messages, voice, and photos
  • Trick the user into sharing excessive permissions that are monitored and collected
1. Enterprise Mobility Survey, Berg Research, September 2017

4. Reducing Your Risk With Lookout

“Lookout is positioned as a Leader in this IDC MarketScape for the MTM security software market.”
IDC MarketScape: Worldwide Mobile Threat Management Security Software 2017 Vendor Assessment,
September 2017
Lookout Badge

With Lookout

TOGGLE TO COMPARE YOUR RISK WITH AND WITHOUT LOOKOUT

Without Lookout

TOGGLE TO COMPARE YOUR RISK WITH AND WITHOUT LOOKOUT

Vectors
Compnents of Risk
Apps
Device
Network
Web & Content
Threats
App threats

Malicious apps can steal info, damage devices, and give unauthorized remote access.

Device threats

Device threats can cause catastrophic data loss due to heightened attacker permissions.

Network threats

Data is at risk of attack via Wi-Fi or cellular network connections.

Web & content threats

Threats include malicious URLs opened from phishing emails or SMS messages.

Software Vulnerabilities
App vulnerabilities

Even well known software development companies release apps that contain vulnerabilities.

Device vulnerabilities

The vulnerability window is the time it takes from the release of a new patch to adoption.

Network vulnerabilities

Mobile devices encounter more hostile networks than laptops, and have less protection.

Behaviour & Configurations
App behaviour & configurations

Mobile apps have the potential to leak data such as contact records.

Lookout Mobile Endpoint Security makes it easy to get visibility into the entire spectrum of mobile risk, apply policies to measurably reduce that risk, and integrate into your existing security and mobile management solutions.

Apps
App Threats
Check
App vulnerabilities
Check
App behaviors & configurations
Check

App Risk

Apps are the predominant way that sensitive data is accessed on mobile devices, with risks spanning across both iOS and Android. Lookout’s app analysis technology is powered by intelligence from over 50 million iOS and Android apps, giving you visibility into app-based risks such as:

  • Trojans and spyware that can exfiltrate data from the device
  • Vulnerabilities in app data transfer and storage
  • Risky app behaviors that pose a compliance risk
  • Sideloaded apps that bypass official app stores
Network
Network threats
Check
Network vulnerabilities
Check
Network behaviors & configurations
Check

Protection from network-based risks

Often taking the form of a man-in-the-middle attack, these network threats are typically executed by spoofing a Wi-Fi hotspot to intercept network traffic and decrypt sensitive data. By analyzing network connections from our global sensor network, we effectively mitigate false positives while detecting high impact threats, including:

  • Man-in-the-middle attacks
  • Host certificate hijacking
  • SSL Strip attacks (e.g., KRACK attacks)
  • TLS protocol downgrades
  • Rogue Wi-Fi networks
Device
Check
Network threats
Device vulnerabilities
Check
Device behaviors & configurations
Tolerable

Protection from device-based risks

If the device is compromised with software vulnerabilities, the built-in security of the operating system can be bypassed. Lookout creates a fingerprint of each mobile device and compares it against the 150 million devices in our security platform to identify anomalies and risks, such as:

  • Behavioral anomalies
  • Advanced root or jailbreak
  • Operating system vulnerabilities
  • Device configuration risks
Web & content
Web & content threats
Check
Web & content vulnerabilities
Check
Web & content behaviors & configurations
Check

Protection from web & content-based risks

Securing web & content risks often equates to stopping the entire kill-chain early by protecting against phishing attempts or remote exploits. Lookout protects against:

  • Malicious files being sent over email or SMS such as Stagefright
  • Attacks that exploit web vulnerabilities such as Trident (part of the Pegasus kill chain)
  • Drive-by-downloads of malicious files from websites
  • Remotely-exploitable vulnerabilities from outdated mobile operating systems

In addition to technology investments, an organization can reduce their mobile risk exposure by establishing:

  • Processes for mobile devices that are formalized and documented- the NIST 800 series can be helpful here.
  • Training for employees to avoid risky behaviors or configurations of their smartphones, and how to recognize suspicious activity on mobile.
  • A close working relationship between IT and InfoSec departments to balance the productivity gains of mobile with security risks.
1
Your Assessment
2
GDPR Risks
3
Business Risks
4
Reducing Risks