Hackers Swarm to Mobile Devices

Know Your Threats

Stephen Nardone

As IT struggles to get out in front of enterprise security risks, mobile devices are adding another wrinkle to defense plans as they become an increasingly active attack vector.

Not long ago, IT’s primary security mission was centered on locking down the desktop and creating a tight perimeter around the network to safeguard enterprise data assets. Then came the influx of smartphones and tablets and everything changed. Thanks to the rise of the Bring Your Own Device (BYOD) movement, Gartner is predicting the primary endpoint breach to be tablets and smartphones by 2017, with the majority of transgressions tied to mobile application misconfiguration and misuse, not traditional technical attacks.

The potential for exploits has caught the attention of many, including the Government Accountability Office, which issued a report raising concerns about the state of security on mobile devices while making recommendations for better controls. The 2012 findings, which estimated the number of malicious software variants aimed at mobile devices rising from 14,000 to 40,000 in less than a year, placed much of the blame on inconsistent use of controls on the devices along with users’ general lack of awareness of security risks in a mobile environment.

To keep the problem in check, security experts recommend a slew of best practices, from adopting formal Mobile Device Management (MDM) policies that cover the use of passwords and enforce two-factor authentication, to supporting functionality like remote disabling in the event a device is stolen or lost. Providing employees with adequate security training is also a critical tool in the fight against mobile malware. With that in mind, here is a rundown of some of the more common threats that IT organizations – and their users – need to keep in their sights:

Mobile malware – There are a variety of distinct variants, some targeted at stealing financial information, while others initiate actions such as deploying ransomware on a device as a means of hijacking stored images and files. Other common malware strains take the form of communications hacks, where attackers leverage SMS to fool mobile users into clicking on malicious links to gain access, similar to phishing scams in email.

Another growing threat is the rise of “malvertising,” or using mobile ads to direct users to malicious sites or expose them to malicious code. A 2014 report by Blue Coat found malvertising to be the single biggest threat vector for mobile users, responsible for infiltrations one out of every five times.

Losing physical access – Lost or stolen phones are a major factor in mobile exploits. Without the proper passwords, personal identification numbers (PINs), or biometric capabilities deployed on a device, an attacker can easily gain access to personal information, not to mention any corporate data crown jewels loaded on the device. The No. 1 rule for IT organizations is to create and, most importantly, enforce standards for proper password protection and encryption, in addition to requiring users to agree to a total remote wipe of their employee-owned phone if it is misplaced or stolen.

Unauthorized modifications – “Jailbreaking” and “rooting” are common actions users take to remove some of the inherent limitations of a device so they can add unauthorized features. The problem is that this process changes how security is handled on the device, increasing the likelihood of a security breach. IT organizations need to be sure users are aware of the potential risks while enforcing strict policies that prohibit such behaviors.

Data leakage in the cloud – As cloud-based tools become a corporate standard, there is growing concern about data leaks, especially when syncing data between devices. IT needs to be clear on what enterprise data can and cannot be stored in cloud environments while also instructing users to refrain from using the same password for every cloud service.

In order for mobility to fully transform business practices and make users more productive, it needs to operate under the same security scrutiny as the rest of the enterprise. Otherwise, mobility poses risks few businesses can afford.