The WannaCry ransomware attack targeted computers across the globe, but imagine if it had locked up everyone’s phones. Consumers and businesses alike would be scrambling to pay ransoms to protect some of their most private and personal records. Most people can go a day or so without their PC, but can barely function for an hour or two without their phone.
Because mobile devices can and do operate outside the “perimeter,” they present substantially more and different threats. So much so that CISOs across the globe are starting to take a hard look at their exposure. To quote the DHS study:
“The enhanced capabilities that mobile devices provide, the ubiquity and diversity of mobile applications, and the typical use of the devices outside the agency’s traditional network boundaries requires a security approach that differs substantially from the protections developed for desktop workstations.”
The DHS report commends some of the work being done to improve the security of mobile devices, such as Android’s Security Enhanced Linux (SELinux). Likewise, Apple has an excellent record of continual improvements to their iOS security architecture. Apple makes much of the iOS security architecture publicly available via whitepapers and public presentations that are available online.
I recently caught up with Kirsten Bay (CEO) and Eric Green (Cyber Strategist) of Cyber adAPT, one of the contributors to the DHS study. They have been studying mobile security for years and understand the gravity of the widespread malware epidemic we all face across mobile devices. Kirsten commented, “the vast size of the mobile device market (4.7 billion unique users) and the extent that mobile computing is taking over the way people conduct business have made it the most attractive target for hackers going forward.”
To Kirsten’s point, the DHS study shows how much the government is using mobile devices so one can imagine in the business world it’s even more prevalent — and therefore dangerous. Today’s hackers are opportunistic and malicious, and definitely in it for financial reasons. The basic concept of “following the money” means that we really are in the calm before the storm.
“Many well informed CISOs and other security professionals know they need to ‘do something,’ but have been procrastinating implementing a solution,” said Eric. “Others feel that an MDM or EMM solution is enough, when in reality it’s only a good start.”
Again, to quote DHS:
“MDMs and EMMs can be used to institute policies on mobile devices, many of which can help prevent harmful app behaviors. When combined with threat intelligence, they can respond to threats and take a variety of corrective/mitigating actions. Implementation of whitelisting/blacklisting will also limit exposure to disallowed apps.”
Eric recommends that organizations look specifically for an IPsec VPN, along with monitoring of all traffic for threats, combined with an MDM capability, which is what Cyber adAPT offers.
I try not to be an alarmist, but as I talk with fellow cybersecurity professionals, all too often I hear the phrase “It’s not a question of IF, it’s a question of WHEN.” This one we all know is coming. The DHS report puts out lots of good recommendations and frameworks available to the public — every security professional (and most everyone else in IT) should at least take a look at it. There should be no excuse for CISOs not preparing their organization today to secure their mobile users and their devices.
Author: Tony Parillo