Mobile Devices Demand Executive Diligence
Mobile devices demand diligence at the CISO level. In fact, as with the mobile device’s counterparts, workstations and laptops, many malware campaigns begin with phishing attempts. One of the understated risks is that a mobile breach could allow for expansive lateral movement.
Cyber Security Hub developed a market report to explore the perceptions, challenges and tactics for organizations to effectively manage mobile security risk. In a previous report identifying mobile security’s challenges, we wrote: “Phishing campaigns tend to be mobile mainstays – they capitalize on human gullibility and can inflict serious damage on various endpoints once firmly planted.”
Doug Cahill, Senior Analyst with ESG Global Research, told : “On phishing, I feel like we’ve been seeing the same movie for a few years now. Adversaries typically prey on human gullibility – on users that operate endpoint devices.”
The key here is what happens post-phish, however. Telecom Asia reporting also brought together some of the most utilized mobile attack methods. These included public Wi-Fi exploits, phishing attacks, MATM attacks, vulnerable OS compromise, modified settings exploits and root/jailbreak exploits.
Weaknesses in these areas of the mobile device, or persistent black-hat effort, ultimately perpetuate mobile infection – be it with malware from a suspicious mobile URL or a compromised app.
Information Age’s Aaron Hurst wrote about a number of mobile weaknesses, and the usual suspects in mobile infection. One of those methods was drive-by downloads.
The drive-by consists of a piece of malware hidden within a website that appears innocuous. The hope is that a weakness in the user’s computer or device will allow for a click and subsequent infection. To do this, hackers typically use exploit kits that sniff out vulnerable websites. Once an unsuspecting visitor gives the site the go-ahead, the malware is downloaded onto the user’s device. It then contacts another computer to fetch further code used to access the device.
Mobility Devices As A Microcosm Of The Threat Landscape
While it’s tough to predict what the exact future of enterprise mobility (and its security, in particular) looks like, it will certainly ebb and flow with the wider threat landscape, and so with the same attack mechanisms plaguing computers and laptops.
To help determine what the mobile security space could look like, specifically in contending with malware, we spoke with CDM Smith Principal & Director of Global Information Security, Jim Livermore. The security expert said, “Hackers view mobile devices as an effective attack vector to gain unauthorized access to applications and data. As such, they will continue to refine their approach.”
He pointed to ad and click fraud as a “growing concern”; here, hackers compromise advertisements on mobile devices and bait users into clicking ads of interest. The users then unknowingly deploy spyware and malware on the device.
“Hackers can also create malicious apps that look legitimate and have them approved for download in the phone’s app stores,” Livermore added. “Users then download them thinking they are good apps and in turn download malicious code to their phones.”
The CDM Smith executive added that mobile botnets continue to be a threat – and can result in wide-scale control of an infected device. So, awareness around botnet threats is warranted.
In closing, mobile security is a profound domain in and of itself. Of course it fits neatly into wider security efforts, but it is clear that CISOs and security experts alike are focusing their attention on bolstering endpoint defense, and researching ways in which today’s threat actors are exploiting endpoints. This dynamic, it seems, will prevail.
Debunking Mobile Security Myths
Mobility is a security concern that organizations must deal with. Read the full Cyber Security Hub market report, “Securing The Enterprise From Mobile Malware” to learn more about debunking myths about mobile security as well as tips on shoring up mobile defenses.