New research is changing the way CISOs perceive the risks to critical data from the mobile ecosystem — and how they should secure it.
Mobile devices, even those that are corporate owned, are personal. Your CEO uses the same smartphone to send confidential emails, snap family photos, inspect customer records, get directions to meetings, and scrutinize financial reports. Every employee in your organization does the same thing. Your organization's critical data is constantly being accessed by mobile devices, and once it leaves the network you have no visibility into where it goes, and little or no ability to enforce your security policy to protect it.
Your organization’s sensitive data has made the mobile ecosystem the new frontier for a wide spectrum of risk that every CISO must now understand. Take a deep dive into all twelve elements of the Mobile Risk Matrix below: three risk types (threats, software vulnerabilities, and behaviors and configurations) across four vectors (app, device, network, and web and content).
Malicious apps can steal info, damage devices, and give unauthorized remote access.
App threats are specific applications created to steal information, damage a device, or provide unauthorized remote access for the purposes of surveillance and monitoring of a target.
Common examples include legitimate applications that have been trojanized or injected with malicious code, malware that gets on the device through exploitation or careless user permission, or abusive apps with masked intent.
Device threats can cause catastrophic data loss due to heightened attacker permissions.
Device threats have significant potential to cause catastrophic data loss because they break through a device's app sandbox and embed themselves deep in the operating system to achieve heightened permissions for the attacker.
The Pegasus spyware is the most relevant example of a targeted, low prevalence, high impact threat. This device threat exists on both iOS and Android and is capable of activating a phone’s cameras and microphone to snoop on conversations around the device. It can also track a victim’s movements and steal messages from end-to-end encrypted chat clients.
Critically, Pegasus only requires a victim to visit a malicious web page and does not need the targeted individual to install an app to activate.
Data is at risk of attack via Wi-Fi or cellular network connections.
Network threats are specific attacks that occur over the network connection of a mobile device.
These attacks can be executed directly by human threat actors or through malware using automated means. For most mobile devices, these attacks would occur over Wi-Fi or the cellular network.
Attack examples include Man-in-the-Middle (MitM) attacks, certificate impersonation, SSL/TLS stripping, and SSL/TLS cipher suite downgrades.
Threats include malicious URLs opened from phishing emails or SMS messages.
Phishing attacks containing URLs that lead to malicious websites are significantly more likely to be tapped on a mobile device than they are to be clicked on a desktop PC.
Examples of web-based threats include malicious web pages that can cause downloads or directly exploit a device. Malicious URLs are most commonly delivered via phishing emails or SMS messages.
Even well known software development companies release apps that contain vulnerabilities.
Mobile apps have vulnerabilities just as PC software does, but vulnerabilities are a significantly bigger problem on mobile because most mobile apps are selected by end users and are more likely to be built by small teams of developers. PC applications, on the other hand, are more likely to be vetted by IT and developed by large software companies.
The significance of this risk is confirmed in the OWASP Mobile Top 10 report from 2016, which calls out “Poor Code Quality” as one of the top ten risks, with a prevalence rating of “common.”
Examples of mobile app vulnerabilities can include errors in parsing code that allow maliciously formed input to cause remote code execution and takeover of the application.
The vulnerability window is the time it takes from the release of a new patch to adoption.
Mobile device vulnerabilities are defined by the growing universe of known vulnerabilities. Every month both Google and Apple release a security bulletin detailing the increasing number of patches for new device vulnerabilities during the previous month. Nearly every "software update" notification contains security updates to patch new vulnerabilities.
Vulnerabilities that are not found first by the security community can become zero-days exploited by professional espionage organizations, as the NSO Group did with the Trident vulnerabilities and the Pegasus spyware originally discovered by Lookout.
Enterprises can measure risk from device vulnerabilities by tracking their “vulnerability window,” the amount of time it takes from the release of a new patch to full adoption of that update in their mobile fleet. Generally, mobility programs based on BYOD tend to have a longer window than COPE programs, and Android-heavy device fleets have a longer window than iOS-heavy ones. For example, iOS 10 reached over 90% adoption in just 8 months.
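One way to compute the vulnerability window from a fleet inventory, as an added example that is not part of the original page or Lookout's tooling. It assumes each device record carries the date its patch level was first observed; the inventory and the patch release date are constructed placeholders, and the window is reported per (platform, program) segment so BYOD vs. COPE and Android vs. iOS can be compared as the text describes.

```python
from datetime import date
from typing import Dict, List, Optional, Tuple

# (device_id, platform, program, date patch first observed; None = still unpatched)
Record = Tuple[str, str, str, Optional[date]]

# Constructed sample inventory, not real telemetry. Dates are placeholders.
PATCH_RELEASED: Dict[str, date] = {"ios": date(2017, 4, 3), "android": date(2017, 4, 3)}
FLEET: List[Record] = [
    ("d01", "ios", "COPE", date(2017, 4, 5)),
    ("d02", "ios", "COPE", date(2017, 4, 9)),
    ("d03", "ios", "BYOD", date(2017, 4, 20)),
    ("d04", "ios", "BYOD", None),                 # still on the old build
    ("d05", "android", "COPE", date(2017, 5, 2)),
    ("d06", "android", "BYOD", None),
    ("d07", "android", "BYOD", date(2017, 6, 10)),
]

def adoption(records: List[Record], as_of: date) -> float:
    """Fraction of `records` that had the patch installed by `as_of`."""
    done = sum(1 for _, _, _, d in records if d is not None and d <= as_of)
    return done / len(records) if records else 0.0

def window_days(records: List[Record], released: date, as_of: date,
                target: float = 0.9) -> Optional[int]:
    """Vulnerability window: days from `released` until `target` of the
    fleet was patched. None means the target was not reached by `as_of`."""
    dates = sorted(d for _, _, _, d in records if d is not None and d <= as_of)
    for i, d in enumerate(dates, start=1):
        if i / len(records) >= target:
            return (d - released).days
    return None

def windows_by_segment(fleet: List[Record], released: Dict[str, date], as_of: date,
                       target: float = 0.9) -> Dict[Tuple[str, str], Optional[int]]:
    """Window per (platform, program) segment, e.g. ('android', 'BYOD')."""
    segments: Dict[Tuple[str, str], List[Record]] = {}
    for rec in fleet:
        segments.setdefault((rec[1], rec[2]), []).append(rec)
    return {seg: window_days(recs, released[seg[0]], as_of, target)
            for seg, recs in segments.items()}

if __name__ == "__main__":
    today = date(2017, 7, 1)
    for seg, days in sorted(windows_by_segment(FLEET, PATCH_RELEASED, today).items()):
        print(seg, "window:", "not reached" if days is None else f"{days} days")
```

Segments that never reach the target show up as None, which is itself the signal: those devices are carrying known, patched vulnerabilities indefinitely.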
Mobile devices encounter more hostile networks than laptops, and have less protection.
Mobile network vulnerabilities are exploitable software or hardware flaws in the network interfaces of the device or its applications that leave a mobile device open to attack over the network. Examples are the Heartbleed SSL vulnerability and OS network driver flaws that allow remote code execution.
In a recent talk from Black Hat Asia, researchers showed how to "exploit an iOS device remotely via Wi-Fi without any user interaction, completely bypassing the iOS sandbox." Even more recently, Apple issued iOS patch 10.3.1 to correct a code execution flaw that could be exploited via Wi-Fi. This vulnerability could "allow an attacker within range of a vulnerable device to exploit a stack buffer overflow flaw in iOS and would allow arbitrary code execution on the Wi-Fi."
The bottom line for enterprises is that there is a risk from mobile network vulnerabilities, primarily from public Wi-Fi (though public Wi-Fi is not a requirement for some exploits).
Malformed content, such as videos and photos, can enable unauthorized device access.
The best way to understand web and content vulnerabilities is that any malformed content, including web pages, videos, and photos, can trigger specific vulnerabilities to exploit targeted application or OS/system level components to gain unauthorized access to a device.
The most widely known example is Stagefright, a web and content vulnerability in Android's media processing libraries that is triggered by a malformed .MP3 or .MP4 file. Because those libraries handle media from many sources, it could be exploited over any number of vectors, such as MMS messaging, or through arbitrary channels like file downloads over the web where media files will be processed.
Another example is the web browser vulnerability in the case of Trident that exploited Safari in iOS to deliver the Pegasus spyware payload.
Mobile exploits also tend to rely on end users who are undereducated on mobile security to tap the malicious emails or MMS messages that exploit web vulnerabilities.
Mobile apps have the potential to leak data such as contact records.
App behaviors and configurations have the potential to leak enterprise data to which an insecure application has access. Data leakage, in addition to having a high impact on the enterprise itself, can also pose a significant regulatory compliance risk. Examples include applications that access both sensitive enterprise data and public cloud storage services not under enterprise control, and applications that handle data with compliance requirements, such as credit card numbers or records containing personally identifiable information, without adequate protection in use, in transit, and at rest.
USB debugging for Android or installing apps from non-official app stores.
Risks from device behaviors and configurations can come from employees using jailbroken or rooted mobile devices or be as simple as not enabling a passcode on the device.
Other examples of device configuration risks include enabling USB debugging for Android, installing apps from non-official app stores, and certain options set by enterprise configuration profiles on iOS.
Misconfigured routers, unknown captive portals, or content filtering.
Network risks associated with behaviors and configurations are best highlighted by the example of employees using public Wi-Fi. The more "promiscuous" end users are in connecting to public Wi-Fi, the greater the risk to enterprise data. Taking advantage of "free" Wi-Fi in airports, hotels, or coffee shops can easily lead to a connection to non-SSL websites, which means, for example, that a login to mobile banking is sent unencrypted.
Traveling employees may be rushing and may never know if they connect to a malicious Wi-Fi network, unknown captive portal, or a network that decrypts traffic for content filtering.
As with many components of the Spectrum of Mobile Risk, users who are not aware of, and do not take proper care in, how they use mobile devices can cause significant enterprise data leakage.
Websites that don’t encrypt credentials or leak data.
Risks linked to behaviors and configurations around web and content can be summed up by an action enterprise employees do regularly: opening email attachments from unknown people or clicking links in SMS messages or other messaging apps.
Those attachments and messages may contain any type of content, but tend to be media files that, when accessed, expose the organization to unacceptable risk with the potential to exploit a vulnerability or endanger compliance.
The next steps for extending your security program to mobile start with thinking through each element of the Mobile Risk Matrix and developing a strategy to manage that risk in the context of your organization.
The accompanying case study example shows a global 2000 bank at high risk from network threats over rogue Wi-Fi connections encountered by traveling employees, and from auto-rooting Android malware app threats.
Read the case study to see how this global 2000 bank got visibility into their risks then mitigated them with Lookout Mobile Endpoint Security.
Many mobile risks require user interaction to execute, and the most likely interaction that can lead to a breach is a socially-engineered phishing attack.
Phishing on mobile has been shown to be more effective than on the PC because traffic typically does not flow through a secure network gateway (as enterprise PC traffic often does) and because mobile browsers obscure website URLs, both by hiding the address bar while a user is scrolling and by limiting the number of characters displayed in the address bar to the width of the screen.
A key insight is that mobile devices can increase the chance of success for social engineering and phishing attacks across a number of the mobile risks described on this page.
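The truncated-address-bar effect described above can be modelled for link triage; this is an added example and not code from the original page or from Lookout. It assumes a narrow address bar that drops the scheme and shows only the first 28 characters of host plus path (the width is an assumption), approximates the registrable domain as the last two host labels (no public suffix list), and uses constructed links on reserved example domains.

```python
from typing import Dict, List
from urllib.parse import urlsplit

def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two host labels.
    Assumption for this example: no public-suffix list, so two-part
    suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def mobile_url_check(url: str, visible_chars: int = 28) -> Dict[str, object]:
    """Model a narrow mobile address bar: the scheme is dropped and only the
    first `visible_chars` of host+path are shown (width assumed here).
    Flag links whose registrable domain is pushed out of the visible prefix,
    and links over plain http, where a login would be sent unencrypted."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    shown = (host + parts.path)[:visible_chars]
    domain = registrable_domain(host)
    return {
        "shown": shown,
        "domain": domain,
        "domain_hidden": domain not in shown,
        "plaintext": parts.scheme.lower() == "http",
    }

def triage(urls: List[str], visible_chars: int = 28) -> List[str]:
    """Return the URLs that deserve a second look before a user taps them."""
    flagged = []
    for u in urls:
        r = mobile_url_check(u, visible_chars)
        if r["domain_hidden"] or r["plaintext"]:
            flagged.append(u)
    return flagged

# Constructed sample links from a hypothetical SMS/email batch
# (reserved example domains only).
SAMPLE_LINKS = [
    "https://www.example.com/account/statements",
    "https://accounts.example.com.session-check.example.net/login",
    "http://example.org/reset-password",
]

if __name__ == "__main__":
    for u in SAMPLE_LINKS:
        print(mobile_url_check(u))
    print("flagged:", triage(SAMPLE_LINKS))
```

The second sample link is flagged because everything a user sees on a narrow screen belongs to a subdomain, while the domain that actually serves the page is scrolled out of view; the third is flagged only for being plaintext http.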
The Mobile Risk Matrix, developed by Lookout, helps organizations understand the Spectrum of Mobile Risk, and the prevalence and impact of mobile threats and vulnerabilities.
Complete this online mobile risk assessment to get insight into your current level of mobile risk based on your mobility policies and existing controls such as EMM. This assessment is based on a framework called the Mobile Risk Matrix, outlining risk across threats, software vulnerabilities, and risky behaviors & configurations for each of the attack vectors on mobile devices.