Friday, December 29, 2017

My favorite books from 2017



I thought I'd share my favorites from 2017. These are the ones I gave 5 stars to... I recommend them all :)

To see all my books, follow me on Goodreads.

I've organized the books I read this year by theme:

North Korea
The Girl with Seven Names: A North Korean Defector’s Story 
by Hyeonseo Lee 
The Orphan Master's Son: A Novel 
by Adam Johnson

The first is non-fiction, the second fiction, and combined they present an in-depth and disturbing picture of life in North Korea. There is certainly no shortage of brutal regimes in the world, but the Kim dynasty has taken the cult of personality to an unbelievable extreme while leading the world in human rights abuses. In order to fund one of the world's largest militaries, domestic food production is deprioritized, leading to massive famines and hardship. The best example of the deification of the Kims: every home was given two mounted portraits, one of Kim Il-sung and one of his son, Kim Jong-il. The pictures were to be hung on the wall of the main (often the only) room in the house, and no other hangings were allowed. A local party official would make frequent, unannounced inspections: if the pictures had dust, or were smudged, or were crooked, the entire family would go missing. Hyeonseo Lee, the author of The Girl with Seven Names, has spoken about her life in North Korea in a couple of TED talks; it's worth hearing firsthand what it's like to witness public executions and widespread desperation. And Adam Johnson won a Pulitzer Prize for The Orphan Master's Son--it's a great read with compelling insights into the brutal farce which is life in North Korea.

History
Destiny Disrupted: A History of the World Through Islamic Eyes
by Tamim Ansary
One Nation Under God: How Corporate America Invented Christian America
by Kevin Kruse
How the Scots Invented the Modern World: The True Story of How Western Europe's Poorest Nation Created Our World and Everything in It 
by Arthur Herman

I was very impressed by Destiny Disrupted, and posted about it a couple of months ago. It's a broad narrative of the history of Islam, told from an insider's perspective and with surprising insights into Christianity and the West as well.

The theme of One Nation Under God is how business leaders, frustrated by FDR's New Deal and with zero credibility after the depression, looked for ways to "get their message out" and therefore made common cause with religious leaders in the late 1930s. A couple decades later, we get the phrase “under God” added to the Pledge of Allegiance and we made “In God We Trust” the country's official motto. I found it a surprisingly informative history of mid 20th century politics and how religion became ingrained in our public discourse in ways that were new and unique--and which continue today.

Silly me, I thought it was the Irish who saved civilization. The history of Scotland, roughly beginning in the 1600s and through to Andrew Carnegie and Woodrow Wilson (both of Scottish heritage), is fascinating and while I expect the author was somewhat selective to make a point I was still very impressed by the influence of Scottish thought and key individuals. I only vaguely knew about John Knox and the Presbyterian Church of Scotland, and knew next to nothing about the Scottish Enlightenment. Scots were influential in India, Canada, Australia as well as the US; many of the names cited I knew about but didn't realize were Scottish. Altogether an enlightening read.

Modern Times/Technology vs Humans
Drawdown: The Most Comprehensive Plan Ever Proposed to Reverse Global Warming 
by Paul Hawken
Hit Makers: The Science of Popularity in an Age of Distraction
by Derek Thompson
Blink: The Power of Thinking Without Thinking 
by Malcolm Gladwell 
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are
by Seth Stephens-Davidowitz
The Upstarts: How Uber, Airbnb, and the Killer Companies of the New Silicon Valley Are Changing the World 
by Brad Stone 

Technology. From the steam engine (invented by a Scot!) to the internal combustion engine to the Internet and ubiquitous smartphone: Tech disrupts what came before, and never without unforeseen side effects including global warming, insidious privacy invasion, and online addictions.

We all know there are a variety of things we can do as consumers, and as governments, if we're concerned about climate change. In Drawdown, Paul Hawken lists the 100 most substantive solutions to reverse global warming, based on meticulous research by leading scientists and policymakers around the world. A coalition of geologists, engineers, agronomists, researchers, fellows, writers, climatologists, biologists, botanists, economists, financial analysts, architects, companies, agencies, NGOs, activists, and other experts have been working on Project Drawdown (http://www.drawdown.org/), so named for approaches to draw down carbon levels in the atmosphere. Each of the 100 approaches is described in terms of its potential to draw down carbon (other terms for this include decarbonization and negative emissions). By characterizing the benefit of each approach in a common metric, namely gigatons of carbon dioxide reduced, they can be compared rationally. And the ranking is surprising. The top four items (out of 100) are: refrigeration management; onshore wind turbines; reduced food waste; and plant-rich diets. Note that for 3 of those 4 items, we can make an impact as consumers. Other approaches that didn't rank as high as I would have imagined: electric vehicles (26); mass transit (37); LED lighting (44); and ridesharing (75). So for wannabe climate activists, this is a handy guide to best direct our collective efforts.

Hit Makers was pretty interesting. Ever wonder how things go viral? What makes for the best clickbait headlines? How did Rock Around the Clock become the best selling rock record of all time? How did Facebook become the world’s most important modern newspaper? This book answers those questions, and more! (Readers of a certain age may find this interesting: Rock Around the Clock sold more single records than anything by Elvis or the Beatles; the only record that's outsold it is White Christmas by Bing Crosby. But I digress.) Smart people are at work developing clickbait and other online inducements to keep you engaged. Beware.

I became a Malcolm Gladwell fan listening to his podcast, Revisionist History. Gladwell comes up with unique and often charming ways of interpreting the world around us. In Blink, he tackles how we think--especially how our instincts influence decisions good and bad. Some examples he dives into include the election of Warren Harding; "New Coke"; and the shooting of an unarmed black man by police.

In Everybody Lies, author Seth Stephens-Davidowitz makes some startling and possibly revolutionary discoveries about how elements of Big Data about us can reveal truths that would otherwise not be forthcoming. Psychologists and sociologists have known for years not to put too much trust in surveys or questionnaires; people in general aren't totally truthful on topics that they may find embarrassing or about which they're ashamed. Stephens-Davidowitz's insight is that, by way of contrast, we're collectively (and sometimes frighteningly) honest when confronted with a Google search bar. His post-election research revealed some things about our society that are deeply troubling. Raj Chetty, economics professor at Stanford, characterized it as "Freakonomics on steroids". Everyone should read this!

I liked The Upstarts for a couple of reasons. First, it's an inside look not just at how companies are funded in 21st-century silicon valley, but how unicorns have come to be. Second, it's more about popular, new approaches versus entrenched interests than it is about technology. It's also a book about ambition, greed, and a bad-behaving bro culture at Uber. Very relevant to our times.

Christian History and Theology
Early Christian Traditions 
by Rebecca Lyman
When the Church Was Young: Voices of the Early Fathers
by Marcellino D'Ambrosio
Christianity As Mystical Fact: And the Mysteries of Antiquity
by Rudolf Steiner 
According to Matthew: The Gospel of Christ’s Humanity
by Rudolf Steiner 

I've recently become interested in the church fathers and the history of the church. Last year I read Augustine and Aquinas; this year I started more from the beginning. It's fascinating to me to see how the Christian movement formed and grew; my recent historical fiction foray into Roman history (see below) provides an interesting counterpoint.

Early Christian Traditions is unique in many ways, chief among them that the author is the adjunct priest at our Episcopal church in Sunnyvale. I'm facilitating a book study on Wednesday nights, and have found that going through it a second time, chapter by chapter, discussing it with others as well as with the author, has really deepened my understanding of this era.

I've been reading Rudolf Steiner for about 20 years. He's generally referred to as an Austrian mystic, and he's most widely known for founding Waldorf Schools, biodynamic agriculture, anthroposophical medicine (which was my primary cancer therapy), and The Christian Community (known in Germany as Christengemeinschaft). Steiner has written about 20 books on bible commentary and Christology. This is my second time through both of the books above.

Historical Fiction: The Cicero Trilogy
Imperium: A Novel of Ancient Rome
by Robert Harris
Conspirata: A Novel of Ancient Rome
by Robert Harris
Dictator: A Novel 
by Robert Harris

This is as good as historical fiction gets. I learned a great deal about Rome, its culture and customs as well as key historical events (there were a lot of those). I of course knew about Cicero, and read his great speeches in context; through all three novels the parallel plot is about Julius Caesar--probably the most fascinating historical character there is. And, as with good fiction, I cared about the characters and what would happen next--even though the events themselves were over 2,000 years ago.

Speculative Fiction/Sci Fi
Do Androids Dream of Electric Sheep?
by Philip K. Dick 
The Man in the High Castle
by Philip K. Dick 
The Mongoliad (The Mongoliad Series Book 1) 
by Greg Bear
Walkaway: A Novel
by Cory Doctorow 
Ready Player One: A Novel
by Ernest Cline 

I won't describe each book; I suspect people either like this kind of stuff or they don't. A couple points, though:

2017 is the year I became a Philip K. Dick fan. I've certainly heard of him for quite some time, and my son-in-law has a personal connection. I've always enjoyed the movies made of his books, just never got around to reading him. I have to say, his books provide a whole new level of depth and insights.

As for the Mongoliad: It's a 5-book series, and I don't plan to proceed. Not listed, but one of the authors is a favorite of mine: Neal Stephenson. Big favorite. This describes why I liked it OK, but didn't love it: "The Mongoliad began as a social media experiment, combining serial story-telling with a unique level of interaction between authors and audience during the creative process. Since its original iteration, The Mongoliad has been restructured, edited, and rewritten under the supervision of its authors to create a more cohesive reading experience and will be published as a trilogy of novels." I also read another Neal Stephenson collaboration this year called The Rise and Fall of D.O.D.O.. Maybe it was the title, but I'm now resolved to stick to solo Neal Stephenson efforts.

Obscure New Detective Series
The Coroner's Lunch (A Dr. Siri Paiboun Mystery) 
by Colin Cotterill 
Thirty-Three Teeth (A Dr. Siri Paiboun Mystery) 
by Colin Cotterill 

I'm hooked, and I have 11 books to go in the series. You might be tired of murder mysteries set in Laos in the 1970s but I can't seem to get enough. Dr. Siri has fought in the jungle with the Pathet Lao for 40 years; the king has abdicated, the Americans have left, and the glorious revolution is in power. Siri, now 72, is named official coroner of Laos despite the fact he has no experience other than as a doctor. Oh, yeah, he's also hosting an ancient shaman. The writing is charming, slightly literary, with a dash of whimsy. So the series is kind of a cross between Agatha Christie, the Hobbit, and a super-insightful travel guide for southeast Asia.

Healing Thoughts
God's Hotel: A Doctor, a Hospital, and a Pilgrimage to the Heart of Medicine
by Victoria Sweet 
Hildegard of Bingen: A Spiritual Reader 
by Carmen Acevedo Butcher
The Shift: One Nurse, Twelve Hours, Four Patients' Lives
by Theresa Brown 

God's Hotel describes San Francisco’s Laguna Honda Hospital, the last almshouse in the country, a descendant of the Hôtel-Dieu (God’s hotel) that cared for the sick in the Middle Ages. Who takes care of those who can't care for themselves and have a chronic or long-term condition? This was warm, heartfelt, and more compassionate than I've ever experienced. Author Victoria Sweet was a practicing doctor at Laguna Honda, and came up with some pretty amazing insights. You can see Victoria Sweet on a TED talk, discussing what she calls "slow medicine."

In order to improve her healing abilities, Victoria Sweet took it upon herself to study Hildegard. So did I, but I didn't learn German and go to Bingen to do it. Instead, I read and enjoyed Hildegard of Bingen: A Spiritual Reader.

I mostly read (Kindle) but on our last trip to Eugene we listened to The Shift: One Nurse, Twelve Hours, Four Patients' Lives. It takes place in the cancer ward of a major teaching hospital, and it's a real eye-opener. Nurses are the bedrock of institutional healthcare, and Theresa Brown gives an intimate, often intense, and ultimately warm tour of how life and death matters are handled.

A Great Thriller, For When You Don't Have to Get Up Early the Next Day
I Am Pilgrim: A Thriller 
by Terry Hayes 

I think this is Terry Hayes' only book; it was released in 2014. I hope he's working on more!



Monday, December 11, 2017

A Lightweight Approach to Mobile Security


In a post last week, I summarized some of the reasons that mobile security is hard for enterprises. The Gartner-defined approach known as Mobile Threat Defense, or MTD, has been widely agreed to as the best practice for mobile security. This approach, while comprehensive, represents heavy lifting for most enterprises. Let's unpack that before exploring what might represent a more reasonable, lightweight approach for getting started with enterprise mobile security.

MTD, as defined, has the following four general requirements:
  1. Device behavioral anomalies — MTD tools provide behavioral anomaly detection by tracking expected and acceptable use patterns.
  2. Vulnerability assessments — MTD tools inspect devices for configuration weaknesses that will lead to malware execution.
  3. Network security — MTD tools monitor network traffic and disable suspicious connections to and from mobile devices.
  4. App scans — MTD tools identify "leaky" apps (meaning apps that can put enterprise data at risk) and malicious apps, through reputation scanning and code analysis.
Most vendors propose to address requirements 1, 2, and 3 above with on-device apps, or agents. Item 4, app scans, is generally addressed through an Enterprise Mobility Management (EMM) integration or a proprietary MDM server, either of which must be deployed and managed by the enterprise IT staff (although many enterprises may already have an EMM deployed).

Requirements 1 and 2 are focused on malware detection. As I've outlined in prior posts, while mobile malware represents a real risk to individuals due to the threat of identity theft, financial fraud, ransomware and spyware, it is only a negligible enterprise threat. Requirement 3, network security, has been highlighted by vendors as critical to preventing WiFi-based man-in-the-middle (MiTM) attacks, with real-time detections for SSL stripping and rogue access points. But, again, such attacks are far more of a threat to individuals than enterprises. Think about it this way: a MiTM attack against a mobile device is essentially the same as a MiTM attack against a laptop, and laptops have been used in coffee shops, hotels, airports and other public spaces for more than a decade prior to the wide adoption of smartphones. How many enterprises were breached due to MiTM attacks against laptops? None that have been publicly reported. And how many commercial solutions exist to protect laptops against MiTM attacks? None that I can find; the protections that actually matter there (TLS on every enterprise service, and a VPN for remote access) are already generic infrastructure, and they apply equally to phones. The evidence suggests that the need for protection against mobile MiTM attacks is vendor-generated hype rather than a response to real risks to enterprises. And feedback from enterprises attempting to deploy network security approaches suggests that the current generation of products in this space is rife with false positives--a huge burden to IT staff, and something that leads to loss of trust from users.

Because MTD requires enterprises to deploy a mobile app on all users' mobile devices, it imposes challenges from both an operational and an employee relations perspective (enterprises routinely receive push-back from employees due to concerns about corporate surveillance, as well as the many questions they will have regarding the app). Furthermore, MTD solutions remediate risks by requiring employees to delete apps that violate corporate policies from their personal devices, even if those apps are not used at work. For example, an employee or contractor might be required to permanently delete a gaming, social network or messaging app that the individual might otherwise use and enjoy often. That's a tough sell, and can lead to employee resentment and dissatisfaction--and creative attempts to circumvent controls.

In summary, MTD is a heavyweight approach to mobile security due to the fact it's orthogonal to the existing security infrastructure, requires a complex integration with EMMs, introduces a new system that requires management and operational responses, and involves convincing all employees, contractors and other users to deploy a mobile app that performs on-device security functions (hopefully with minimal battery drain) and which may require employees to delete beloved apps from their personal device. This is the reason MTD can be characterized as requiring heavy lifting for enterprise mobile security.

An App-Centric, Lightweight Approach to Mobile Security
Are there other approaches to securing mobile devices in the enterprise that don't require mobile apps deployment or EMM integrations? Unfortunately, there are no commercial products that I'm aware of. I therefore believe there's an opportunity for vendors or enterprising startups to fill the solution gap between doing nothing and adopting a heavyweight solution. I'll outline the main characteristics below.

First, I think the issue of mobile security is largely an issue of mobile app security and requires an app-centric approach. The device and network threats, while real, are less of a threat to enterprises than vendors and the trade press would have us believe.

Second, the unfamiliar terrain of mobile security concepts represents a new strain for IT security staff in having to master concepts regarding EMM capabilities and operational aspects of integrations with MTD solutions.

Third, it would be ideal if a mobile security solution leveraged current enterprise security infrastructure rather than having to introduce a new platform. Most enterprise security today is based on identifying threats that come from specific external sites, identified by IP address (or domain). Threat intelligence, employed by many enterprises, includes a list of IPs that should be blocked, and the ubiquitous firewall is the primary security solution for accomplishing that.

If an enterprising vendor developed a mobile threat intelligence feed, that could be used to provide a reasonable level of protection within the enterprise.

The ideal feed would include endpoints and servers associated with malware campaigns which could be blocked by a firewall or other perimeter security solutions (while as noted above this is a negligible threat to enterprises, blocking those connections would be a relatively trivial task so the cost/benefit ratio is positive).

In addition, the mobile threat intelligence feed would identify apps' network connections that leak data contrary to corporate policy. Of course, each enterprise has different criteria for developing such policies, so the feed should include enough metadata that connections could be selectively blocked based on the nature of the data leakage risk (what is leaked: address book, location, device identifiers, and so on).

The vendor providing such a feed would have to analyze the connections from all apps available from Google Play, the App Store, and any other sanctioned app stores. This is simpler than doing a full behavioral analysis of the apps. A higher level solution would classify connections based on the type of data being leaked. I believe the apps' network connections could be categorized as follows:
  • backend: the servers that the app connects to for cloud-based computation, aggregation and persistent storage
  • auxiliary:  the third-party servers that provide auxiliary services to the app, such as outside temperature or a map overlay
  • marketing frameworks: the third-party servers, such as Flurry,  that provide app use analysis and some forms of surveillance to precisely identify characteristics of the user, usually for input into big data algorithms for ad networks
  • ad networks: the third-party servers and related infrastructure for serving ads (and sometimes malvertising) to the mobile device
The mobile threat intelligence feed, with metadata for each IP identifying the source app and which category the connection falls into, would give enterprises enough data to provide lightweight security to their mobile devices, both COPE and BYOD.

Here are some use cases that could be addressed with such a solution:
  1. Malware protection: block all connections to/from malicious sites. Note that blocking of such connections would only be performed while the mobile device is on the corporate network; when the employees go home no further protection would be active unless a VPN is used. However, this is exactly the paradigm in place for laptop protection, when employees take their laptops home. When accessing enterprise resources remotely, a VPN is almost always required, and malicious IPs would be blocked (assuming a full-tunnel VPN; a split-tunnel VPN sends only enterprise-bound traffic through the corporate firewall, so app traffic to malicious IPs would bypass the blocklist).
  2. Data leakage: block all connections, based on policy criteria. For example, connections from apps that send address books could be blocked. The enterprise wouldn't necessarily know which apps are the offending ones (although a mature solution would have the option to query that). Note that the blocking of those connections prevents data leakage without having an on-device agent and without requiring any action on the part of the user. The user experience would simply be that the app would fail to work normally. If it's not a work-based productivity app, the employee really has nothing to complain about except having to wait until they get home to play games or engage their social network. Maybe productivity will improve!
  3. Advertising: while employees using apps that receive ads isn't generally considered a threat, does an enterprise really want content from any one of hundreds of ad networks sending data into their secure environment? And while ad network malware, known as malvertising, is rare, it would be prevented by blocking all advertising connections.
Note that with such a solution most of the MTD deployment and operational challenges are not present. No EMM integration is required. No mobile apps or agents need to be deployed on all users' devices, and employees are never asked to delete apps from their device. Some personal apps that violate policy may not operate correctly while employees are at work, but that's hardly something they can complain about.
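To make the feed-plus-firewall idea concrete, here is an added example (my own illustration, not code from the post or from any vendor) of the policy engine an enterprise would put between such a feed and its perimeter. The feed format (JSON Lines with `ip`, `app`, `category` and an optional `leaks` list), the app package names, and the IP addresses are all constructed for the example; the category names follow the four categories above plus `malware`. The policy blocks malware unconditionally, blocks whole categories (marketing frameworks and ad networks), and blocks individual app connections only when the leak metadata matches what the enterprise cares about (here, address books but not location), which is the selective blocking the previous paragraphs call for.

```python
"""Policy engine over a mobile threat-intelligence feed (added example).

Not code from the original post or from any MTD vendor. The feed records,
app names and IPs below are constructed; the JSON Lines schema is an
assumption about what such a feed would carry.
"""
import ipaddress
import json

# Constructed feed: one record per (app, destination) pair. A CIDR with
# app "*" is a campaign-wide block, independent of which app reached it.
FEED_JSONL = """
{"ip": "203.0.113.10",   "app": "com.example.flashlight", "category": "malware"}
{"ip": "203.0.113.0/24", "app": "*",                      "category": "malware"}
{"ip": "198.51.100.5",   "app": "com.example.notes",   "category": "backend",   "leaks": []}
{"ip": "198.51.100.6",   "app": "com.example.chat",    "category": "backend",   "leaks": ["address_book"]}
{"ip": "198.51.100.20",  "app": "com.example.weather", "category": "auxiliary", "leaks": ["location"]}
{"ip": "192.0.2.40",     "app": "com.example.chat",    "category": "marketing", "leaks": ["device_id"]}
{"ip": "192.0.2.50",     "app": "com.example.game",    "category": "ads",       "leaks": []}
"""

CATEGORIES = {"malware", "backend", "auxiliary", "marketing", "ads"}


class Policy:
    """Enterprise-specific criteria: which categories and which leak types to block."""

    def __init__(self, block_categories, block_leaks):
        self.block_categories = set(block_categories)
        self.block_leaks = set(block_leaks)

    def decide(self, rec):
        """Return (block, reason) for one feed record."""
        if rec["category"] == "malware":          # always blocked, cheap win
            return True, "malware"
        if rec["category"] in self.block_categories:
            return True, "category:" + rec["category"]
        leaked = self.block_leaks & set(rec.get("leaks", []))
        if leaked:                                # block only the leak types we care about
            return True, "leak:" + ",".join(sorted(leaked))
        return False, "allow"


def parse_feed(text):
    """Parse JSON Lines into records, validating the category and the IP/CIDR."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec["category"] not in CATEGORIES:
            raise ValueError(f"unknown category {rec['category']!r}")
        rec["net"] = ipaddress.ip_network(rec["ip"], strict=False)  # bare IP -> /32
        records.append(rec)
    return records


def build_blocklist(records, policy):
    """Map each blocked network to the (app, reason) pairs that justify blocking it."""
    blocked = {}
    for rec in records:
        block, reason = policy.decide(rec)
        if block:
            blocked.setdefault(rec["net"], []).append((rec["app"], reason))
    return blocked


def to_iptables(blocked):
    """Render the blocklist as iptables FORWARD rules, keeping the justification in a comment."""
    rules = []
    for net in sorted(blocked, key=lambda n: (int(n.network_address), n.prefixlen)):
        why = ";".join(f"{app}:{reason}" for app, reason in blocked[net])
        rules.append(f'iptables -A FORWARD -d {net.with_prefixlen} '
                     f'-m comment --comment "{why}" -j DROP')
    return rules


def check_connection(blocked, dst_ip):
    """Explain why a destination would be dropped: every matching justification, or [] if allowed."""
    addr = ipaddress.ip_address(dst_ip)
    hits = []
    for net, why in blocked.items():
        if addr in net:
            hits.extend(why)
    return hits


if __name__ == "__main__":
    policy = Policy(block_categories={"marketing", "ads"}, block_leaks={"address_book"})
    blocked = build_blocklist(parse_feed(FEED_JSONL), policy)
    for rule in to_iptables(blocked):
        print(rule)
    print(check_connection(blocked, "203.0.113.77"))   # caught by the /24 campaign block
    print(check_connection(blocked, "198.51.100.20"))  # weather app leaks location: allowed by this policy
```

The `check_connection` lookup is what a help desk would run when a user reports an app that "stopped working at the office": it turns a dropped packet back into the app and the policy reason, which is the query capability the data-leakage use case above asks for.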

A specialized mobile threat intelligence feed could represent an enterprise's first step into mobile security. Based on how the threat landscape evolves, and how MTD solutions mature over time, there's nothing to preclude adoption of MTD at some future date.

I haven't done an exhaustive search of the many threat intelligence feeds available today. It's possible that one or more are already covering mobile connections to some extent. And I don't know for sure that existing MTD vendors aren't exploring lightweight options similar to what has been described above. Hopefully the enterprises that have opted not to procure MTD due to its cost and operational burden may find a lightweight approach to mobile security in the near future.



Tuesday, December 5, 2017

Another Massive Data Leakage Incident Reported


We shouldn't be surprised by this anymore, and regular readers know I've talked about the risks of data leakage on multiple occasions. This has the same characteristics as HospitalGown and Eavesdropper: the app itself is not necessarily insecure; instead, the cloud-based storage system hasn't been properly secured.

The app in this case is A.I.type Keyboard, available on both Google Play and the App Store. This exposure was discovered by the Kromtech Security Center. What they found was that the A.I.type Keyboard app leaked PII and other data from over 31 million users. The root cause appears to be that the app's backend, a 577 GB MongoDB database, was misconfigured so that all of its data was available to anyone with an Internet connection: the database listened on a public interface with no authentication required.
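The misconfiguration behind this kind of leak is a combination of two settings, and it is cheap to check for before a scanner finds it for you. The following is an added example (mine, not code from the post or from Kromtech) that audits a parsed `mongod.conf` for the pattern: a non-loopback bind address together with `security.authorization` left disabled. The two configs are constructed; in practice you would load the real file with `yaml.safe_load` and pass the resulting dict. The option names (`net.bindIp`, `net.bindIpAll`, `security.authorization`, `net.tls.mode` / `net.ssl.mode`) are real mongod options; the file paths and the 10.0.0.5 address are made up.

```python
"""Audit a parsed mongod.conf for the public-and-unauthenticated pattern (added example).

Not code from the post or from Kromtech. The two configs are constructed;
load a real mongod.conf with yaml.safe_load and pass the dict to audit().
"""
import ipaddress

# Constructed: the shape of config that leaks a whole database.
EXPOSED_CONF = {
    "net": {"port": 27017, "bindIp": "0.0.0.0"},   # every interface, no auth section at all
    "storage": {"dbPath": "/var/lib/mongo"},
}

# Constructed: the same server hardened. Loopback plus one private interface,
# auth required, TLS required. 10.0.0.5 and the pem path are assumptions.
HARDENED_CONF = {
    "net": {
        "port": 27017,
        "bindIp": "127.0.0.1,10.0.0.5",
        "tls": {"mode": "requireTLS", "certificateKeyFile": "/etc/ssl/mongo.pem"},
    },
    "security": {"authorization": "enabled"},
}


def _get(conf, *path, default=None):
    """Walk nested dict keys; return default if any level is missing."""
    cur = conf
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def bind_addresses(conf):
    """Addresses mongod will listen on, as a list of strings."""
    if _get(conf, "net", "bindIpAll", default=False):
        return ["0.0.0.0", "::"]
    # mongod 3.6+ defaults to localhost; older binaries bound all interfaces
    # unless the packaged config set bindIp, so check the version you run.
    raw = _get(conf, "net", "bindIp", default="127.0.0.1")
    return [a.strip() for a in str(raw).split(",") if a.strip()]


def is_loopback(addr):
    """True only for 127.0.0.0/8, ::1 or the literal 'localhost'."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return addr == "localhost"   # hostnames / unix socket paths are treated as not loopback


def audit(conf):
    """Return a list of findings; an empty list means the exposure pattern is absent."""
    findings = []
    addrs = bind_addresses(conf)
    public = [a for a in addrs if not is_loopback(a)]
    unspecified = [a for a in addrs if a in ("0.0.0.0", "::")]
    auth = _get(conf, "security", "authorization", default="disabled")  # mongod default
    tls_mode = (_get(conf, "net", "tls", "mode")
                or _get(conf, "net", "ssl", "mode")      # pre-4.2 spelling
                or "disabled")

    if unspecified:
        findings.append(f"listens on all interfaces ({', '.join(unspecified)})")
    if auth != "enabled":
        findings.append("security.authorization is not enabled")
    if public and auth != "enabled":
        findings.append("CRITICAL: non-loopback bind with no authentication: "
                        "every collection is readable by anyone who can reach the port")
    if public and tls_mode in ("disabled", "allowTLS", "allowSSL"):
        findings.append(f"non-loopback bind without required TLS (mode={tls_mode})")
    return findings


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["ok"])
```

Note what the hardened config does not do: it still binds a private interface, because the app servers need to reach the database. Binding to loopback only is the right answer for a single-host deployment, but for a real backend the fix is authentication plus network restriction (a private subnet or firewall rule), not one or the other, which is why the audit reports the combination as the critical finding rather than either setting alone.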

What is included in the exposed 577 GB? Here's a partial rundown:
Phone number, full name of the owner, device name and model, mobile network name, SMS number, screen resolution, user languages enabled, Android version, IMSI number (international mobile subscriber identity used for interconnection), IMEI number (a unique number given to every single mobile phone), emails associated with the phone, country of residence, links and the information associated with the social media profiles (birthdate, title, emails etc.) and photo (links to Google+, Facebook etc.), IP (if available), location details (long/lat).
In addition, there were over 6 million records that contained "data collected from users’ contact books, including names (as entered originally) and phone numbers, in total more than 373 million records scraped from registered users’ phones, which include all their contacts saved/synced on linked Google account."

Ouch. One of the things that's a bit unusual--and pretty insidious--is the information associated with social media profiles. This enables a second level of privacy invasion and surveillance against the victims. Given how valuable such data is to marketers as well as black hats, it will no doubt find its way into various commercial and dark net datasets, to be used at some future date with almost zero chance of tracing it back to the offending app.

Well, at least it's not mobile malware, right? So we shouldn't worry, correct? We'll see what kind of media coverage this gets.



Monday, November 27, 2017

Why Mobile Security Is Hard for Enterprises


Most enterprises support the “mobile first” movement, whether enthusiastically or begrudgingly. Many enterprises have developed mobile apps for internal use, and almost all allow employees to use their personal mobile devices to access corporate email, calendars, and other resources. Few companies have strict policies preventing use of BYOD (bring your own devices) for productivity purposes, nor do they prohibit use of social network or messaging apps while at work. Mobile use in companies has become entrenched, and it’s here to stay.

Meanwhile, startups and other high-tech firms have jumped to fill the void in mobile security solutions. In the past few years, a variety of innovative approaches have been introduced to the enterprise market that address threats related to mobile malware and data leakage. This has led industry analysts and other thought leaders to coalesce around common solution definitions to help enterprises navigate their way through the highly diverse solution landscape. The consensus seems to be that a general solution definition, defined by Gartner as Mobile Threat Defense, or MTD, is the universal answer to enterprise mobile security.

But MTD is hardly in response to a large and growing adoption of mobile security solutions by enterprises. In fact, the real question is why are the aggregate MTD revenues so low? Why have so few enterprises adopted an MTD solution?

Having seen this apparent contradiction up close, I have a theory as to why the MTD adoption is so low. Because MTD introduces a new paradigm based strictly on mobility threats, and because MTD does not leverage current enterprise security infrastructure, it represents a big challenge to enterprise security teams. MTD is another expense, sure, but the real reason it hasn’t been widely adopted is that it’s hard to deploy.

Consider some of the elements of an MTD enterprise deployment and consider how little alignment exists with current security solutions:
  • Mobile app/agent deployment to all employees, and all the challenges associated with the requirement that all users must deploy this security app (help desk, battery drain, “big brother” concerns by employees)
  • Remediation policies, including requiring employees to delete offending apps (including related HR policies)
  • Enterprise policies regarding rooted/jailbroken devices
  • EMM integration
  • PII management, especially regarding EMM integration and agent deployment

On top of that, there’s a whole new taxonomy for the enterprise IT staff to master and new concepts that must be operationalized: mobile malware and its many variants (spyware, trojans and fake apps, ad fraud, click fraud, ransomware); man-in-the-middle attacks; targeted attacks; secure transport enforcement; OS vulnerability assessment; and the list goes on.

Finally, BYOD devices are far more personal, and likely to have far more personal data, than legacy desktop or laptop systems. Taking some element of control over such devices in the workplace raises big concerns for employees who have their text messages, chats, pictures, and other personal data on their device. Even the apps that are installed on the device can imply much about a user. Any mobile security deployment that’s not done in conjunction with clear and transparent HR policies will almost certainly encounter personnel issues down the road.

This is the heavy lifting of MTD: A security team has to master new concepts, terms and systems to deploy and manage MTD. Furthermore, the system has to be justified even though it doesn't leverage the current security infrastructure.

So what should an enterprise do?

In upcoming posts, I will be exploring options for enterprise mobile security that leverage existing security infrastructure while providing a more lightweight but effective solution. Stay tuned!

Tuesday, November 21, 2017

We're All Under Attack!! Buy My Product Now!


It is generally the role of security vendors to alert potential customers as to the dangers from certain threats, namely threats that the vendors' products provide protection for. There's a fine line between education and scare tactics, and sometimes the desire to make a point can cause that line to become blurred.

Which brings us to an article published last week entitled Mobile Malware Incidents Hit 100% of Businesses. The article describes research by Check Point that may or may not confirm our worst fears: Every enterprise has experienced mobile malware attacks.

Furthermore, Check Point's research also revealed that "89% of organizations experience at least one man-in-the-middle incident stemming from users connecting to a risky WiFi network." Well, that's a relief, I was worried that the figure would be 11 percent higher.

Now, let's ask ourselves a question: Where's the enterprise breach that resulted from either mobile malware or man-in-the-middle (MiTM) attacks?

That's okay, take your time. I can wait.

Still waiting.

Maybe the answer is that mobile malware and mobile MiTM attacks represent only a negligible risk to enterprises. As we've noted previously, while there's a significant risk to enterprises from use of mobile apps that leak corporate data, mobile malware is almost exclusively a threat to consumers--not enterprises.

Yes, the term "malware" connotes real risk to enterprise desktop and infrastructure systems, and has been the cause of breaches from Target to Home Depot to Sony to Equifax. But mobile malware is different: while trojans (also called fake apps or camouflage apps) can perpetrate financial fraud against you or me, they have not yet shown themselves to be a threat to enterprises. Mobile ransomware can lock up an individual's files and cause a temporary loss of functionality for a single user, but it is not a threat to enterprises in the way ransomware that locks up hospital servers is. Other mobile malware that perpetrates toll fraud and click fraud is annoying, but hardly an existential threat to enterprises.

Mobile malware should be considered in two categories: broad-based attacks; and targeted attacks. The examples cited above, including trojans and ransomware, are broad-based attacks, aimed at a large population of users. An example of a targeted attack is Pegasus, which we know has occurred in the wild at least twice, both times against political dissidents in the Middle East and Mexico. So far, no mobile targeted attacks have been publicly reported against enterprise executives or key knowledge workers.

So what's an enterprise to do to ensure their use of mobile is secure? Think about how to protect data that's accessed by mobile devices, and be aware of concentrations of user data in the cloud resulting from mobile use. In general, it's apps that access and manipulate data, and an app-centric approach is likely to provide the most value from a security perspective.

Thursday, November 16, 2017

Protect Mobile Protects Consumers--and Enterprises?



Deutsche Telekom announced a new service yesterday called Protect Mobile. How it works can be summarized by their headline: Security is now a job for... the network!

The service, developed in collaboration with Check Point Software, provides protection against network-based mobile threats. Here's a brief description of the service:
Protect Mobile protects smartphone owners from Internet dangers at home and abroad: the protective shield in the Deutsche Telekom mobile communications network identifies and deflects viruses, worms, and trojans automatically. In addition, Protect Mobile blocks dangerous websites within the Deutsche Telekom network. Apps are checked for security issues before they are downloaded. Whether during online banking, surfing the web or on social networks, with Protect Mobile, users are effectively protected against cyberattacks both on the go and in their home Wi-Fi network.
The protection is performed by the network upon enrollment (for under a euro per month). A mobile app, available from the App Store (iOS) and Google Play (Android), complements the network protection by displaying error messages, warning of risks and providing specific instructions regarding what the user should do in case of an error or a threat. Once the user is outside of the Deutsche Telekom network, the app provides on-device protection, raises alarms in case of threats and identifies them transparently. The primary goal of the app was ease of use.

This seems like a reasonable approach to providing mobile security across a broad swath of users. The security is strongest when using the Telekom network and the home Wi-Fi network. Presumably, protection when using non-Telekom Wi-Fi networks, such as in coffee shops, hotels, and airports, is provided via the Protect Mobile app. For most consumers, other than those who might be targeted by an attack, this level of protection is adequate and would prevent most mobile-based consumer threats such as financial fraud, ransomware, and identity theft.

But what about enterprises within the Deutsche Telekom coverage area? If all of an enterprise's employees used Protect Mobile, it would provide relatively strong protection against most network- and device-based attacks. Does this constitute enterprise-class mobile security? Not exactly. As we've pointed out here, here and here, the stalker economy and data leakage are app-based threats, not network- or device-based ones. Those kinds of threats put enterprise data at risk. For comprehensive protection, an enterprise would have to add protection against app-based threats to protect its data, and also to prepare for GDPR compliance in May 2018.

Thursday, November 9, 2017

Eavesdropper: Can You Hear Me Now?


Appthority released research today on a newly discovered vulnerability dubbed Eavesdropper. This is yet another case where enterprise data is leaked from mobile devices, in this scenario by legitimate app developers failing to secure cloud storage (specifically, by including hard-coded credentials in mobile applications that use the Twilio REST API or SDK).

Quoting from Appthority's blog,
Eavesdropper does not rely on a jailbreak or root of the device, take advantage of a known OS vulnerability, or attack via malware. 
In other words, Eavesdropper does not result from malicious code on the mobile device. The vulnerability is app developer error, pure and simple, and the exposure is not on the device but in the cloud: anyone who pulls the account credentials out of the app binary can use them with the same REST API the app uses, against the developer's account. But this error, multiplied by hundreds of apps and millions of downloads, exposes text/SMS messages, call metadata, and voice recordings to any and all comers. Once the data is exposed, malicious actors can easily find it and launch an attack based on it. The "attack" may be cyber or it may be in the real world, based on proprietary knowledge acquired from the exposed enterprise data.
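The developer error behind Eavesdropper is one that an enterprise can check for itself before an app ships (or before a public app is approved for employee use). The scanner below is an added example written for this post, not Appthority's tooling, and it runs over text extracted from an app build: the output of `strings` on the binary, decompiled smali or Java, a plist, or resource XML. The credential shapes are assumptions: a Twilio Account SID is taken to be "AC" followed by 32 hex characters and an auth token to be 32 hex characters; the sample input is a constructed, made-up decompiled class, not a real app or real credentials.

```python
"""Scan text extracted from a mobile app build for hard-coded Twilio credentials.

Added example; not Appthority's scanner. Credential shapes are assumptions:
Account SID = "AC" + 32 hex characters, auth token = 32 hex characters.
"""
import re
from collections import Counter
from math import log2

SID_RE = re.compile(r"\bAC[0-9a-fA-F]{32}\b")
HEX32_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
# Strings suggesting a nearby 32-hex value is a Twilio secret rather than an
# unrelated hash or UUID.
HINT_RE = re.compile(r"twilio|auth_?token|account_?sid", re.I)
# Bits per character. A random 32-hex string scores about 3.6-3.9; placeholders
# such as all zeros score 0 and are ignored.
ENTROPY_MIN = 3.0


def entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    n = len(s)
    return -sum(c / n * log2(c / n) for c in Counter(s).values())


def scan(lines, window=3):
    """Return findings as (line_no, kind, value) with 1-based line numbers.

    Account SIDs are reported wherever they appear. A bare 32-hex string is
    reported as a probable auth token only when a Twilio hint or an Account SID
    sits within `window` lines of it and its entropy looks like a secret.
    """
    findings = [(i + 1, "account_sid", m.group(0))
                for i, line in enumerate(lines)
                for m in SID_RE.finditer(line)]
    sid_lines = {ln for ln, _, _ in findings}
    for i, line in enumerate(lines):
        for m in HEX32_RE.finditer(line):
            token = m.group(0)
            if entropy(token) < ENTROPY_MIN:
                continue
            nearby = range(max(0, i - window), min(len(lines), i + window + 1))
            if any(HINT_RE.search(lines[j]) or (j + 1) in sid_lines for j in nearby):
                findings.append((i + 1, "probable_auth_token", token))
    return findings


def has_credential_pair(findings) -> bool:
    """True when both halves of a usable REST credential were found."""
    kinds = {kind for _, kind, _ in findings}
    return {"account_sid", "probable_auth_token"} <= kinds


# Constructed sample resembling a decompiled Android class. The values are
# made up for this example and are not real credentials.
SAMPLE = """\
.class public final Lcom/example/app/Messaging;
.field private static final ACCOUNT_SID:Ljava/lang/String; = "AC0123456789abcdef0123456789abcdef"
.field private static final AUTH_TOKEN:Ljava/lang/String; = "4f9c2a7e1b3d5f6a8c0e2b4d6f8a1c3e"
.field private static final API_BASE:Ljava/lang/String; = "https://api.twilio.com/2010-04-01/"
.field private static final INSTALL_ID:Ljava/lang/String; = "00000000000000000000000000000000"
""".splitlines()

if __name__ == "__main__":
    for line_no, kind, value in scan(SAMPLE):
        print(f"line {line_no}: {kind} = {value}")
    print("usable credential pair:", has_credential_pair(scan(SAMPLE)))
```

The entropy gate and the proximity window are there to keep UUIDs, content hashes and zeroed placeholders out of the report; a finding that contains both an Account SID and a probable token is the Eavesdropper condition, since that pair is a complete credential. The remediation is not a better hiding place in the binary: the app should never hold the account secret at all, and should instead call the developer's own backend, which holds the Twilio credential server-side and hands the app only short-lived, narrowly scoped tokens.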

Headlines about the latest malware threat get our attention, but no known malware attack has exposed nearly the amount of data, measured in terabytes, that Eavesdropper and HospitalGown have. As we've noted previously, data leakage from mobile devices is a real, demonstrable threat, but enterprises often focus on malware and legacy endpoint paradigms. A broader perspective than simply a focus on the device is required to detect and remediate such threats and protect enterprise data.

Tuesday, November 7, 2017

Interpreting Mobile Malware Headlines for Enterprises

Another week, another onslaught of scary mobile malware headlines. Whether it's a fake app on an app store (WhatsApp this week), a triple whammy attack, or just a theoretical exploit that hasn't yet occurred in the wild, the headline informs us that millions if not billions of users are at risk.

But are enterprises at risk? Yes, but rarely from mobile malware.

JR Raphael posted an interesting article at CSO that suggests we may be asking the wrong question if we're asking what's the best Android security app to protect ourselves from mobile malware attacks. In suggesting why third-party security is rarely the right answer, Raphael lists several points, including this:
Even if you do happen to encounter Android malware, it's highly unlikely to compromise corporate data
Mobile malware represents a threat, but mostly to the individual user. Not to the enterprise. Why? It's mostly because the major mobile platforms, Android and iOS, are really quite secure. As a result, attackers have limited options. The major mobile attack vectors are:

  • ransomware
  • trojan or fake app
  • spyware
  • toll and ad fraud
Toll and ad fraud are mostly an annoyance, but the other attacks can result in a ransom payout (or lost data), financial fraud, or identity theft. Such attacks can cause my privacy to be violated or my bank account to be emptied, but they represent no threat to my enterprise's finances or infrastructure. Unlike in the enterprise desktop environment, attacks that jump from a compromised mobile endpoint into the soft underbelly of the enterprise infrastructure are rare and relatively unsophisticated. Therefore, while mobile malware represents a serious threat to consumers, there are no known cases where mobile malware has led to a major enterprise breach.

It's unfortunate that we use the same term for mobile and desktop attacks. "Malware" in the mobile context refers to attacks with a blast radius of one; "malware" in the desktop context is an existential threat, with a potential enterprise-wide blast radius. Protecting against such exploits has been and continues to be the top priority of any enterprise, and we've seen cases where an enterprise's business prospects are harmed and executives' careers are damaged.

So does this mean there's no threat resulting from mobile use in the enterprise? Hardly. As noted in prior posts, employee use of mobile devices in the workplace can lead to data leakage of privacy and corporate data that could reveal confidential initiatives, plans and strategies. But malware is not the threat here, it's mostly legitimate public store apps gathering far more data than most people realize. Stay tuned as we develop those concepts in future posts.

Wednesday, November 1, 2017

Mobile Data Leakage Versus DLP

Seth Hardy over at Appthority has an interesting post this week, discussing how a focus on malware protection can cause enterprises to miss the threat of data leakage from legitimate public store apps. And a new case study from Lookout, describing how their solution addressed customer objectives that include reducing customer data leakage risks, also addresses this emerging threat vector.

I see this as a positive trend, as more vendors and enterprises focus on what's important: protecting corporate data.


In talking about mobile data leakage, I find that people often confuse it with data loss prevention (DLP). The issues are similar, in that both concern data loss, but they address completely different problems. It's worth a brief outline of each threat scenario to clarify:


When enterprises talk about defense in depth, DLP often represents the last line of defense. If an attack breaches NGFW, IDS/IDP and CASB protections and eludes breach detection systems, it will ultimately attempt to exfiltrate data. DLP solutions are designed to detect and possibly block that exfiltration; among other things, they may recognize a bulk transfer of SSNs or credit card numbers that have been aggregated in an internal data set. That large data set was the ultimate target of the attackers, who had to circumvent a number of enterprise defenses to reach it.
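To make the DLP side of the comparison concrete, here is the core of that content-inspection step as an added example for this post; it is not any vendor's DLP logic. It counts the distinct SSN-shaped values and Luhn-valid card numbers in an outbound payload and returns allow, alert or block. The regexes, the SSN validity rules and the bulk threshold of 25 identifiers are this example's own assumptions, and the CSV payload is constructed (the only real-looking number in it is the well-known 4111... test card number).

```python
"""Minimal DLP-style content inspection of an outbound payload.

Added example, not a vendor's DLP logic. Patterns, SSN validity rules and the
bulk threshold are assumptions made for this example.
"""
import re

# SSN shape with the commonly rejected ranges excluded: area 000, 666 or
# 900-999; group 00; serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Distinct identifiers in one payload before it is treated as a bulk transfer.
BULK_THRESHOLD = 25


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, fold to one digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def inspect_payload(payload: str) -> dict:
    """Count distinct SSNs and Luhn-valid PANs; decide allow / alert / block."""
    ssns = set(SSN_RE.findall(payload))
    cards = set()
    for m in CARD_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group(0))
        # The regex admits 13-19 digits; Luhn weeds out most non-PAN numbers.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            cards.add(digits)
    count = len(ssns) + len(cards)
    if count >= BULK_THRESHOLD:
        verdict = "block"
    elif count:
        verdict = "alert"
    else:
        verdict = "allow"
    return {"ssn_count": len(ssns), "card_count": len(cards), "verdict": verdict}


# Constructed sample: a small CSV export. 4111... is the well-known test PAN;
# the SSNs are made up, 000-12-3456 is an invalid area number, and the 1234...
# number is 16 digits but fails Luhn, so neither of bob's values is counted.
SAMPLE = (
    "name,ssn,card\n"
    "alice,123-45-6789,4111 1111 1111 1111\n"
    "bob,000-12-3456,1234567890123456\n"
)

if __name__ == "__main__":
    print(inspect_payload(SAMPLE))
    # Thirty distinct SSNs in one payload: the bulk-exfiltration case.
    bulk = "\n".join(f"{100 + i:03d}-12-{1000 + i:04d}" for i in range(30))
    print(inspect_payload(bulk))
```

Note what this inspector needs in order to work: the sensitive records must pass through a chokepoint the enterprise controls, in a form it can read. That is exactly the assumption that mobile data leakage violates, since the aggregated data set never crosses the enterprise perimeter on its way out.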


Mobile data leakage is different. In this case aggregation takes place outside of the enterprise infrastructure, in a backend server or a cloud storage system. The data set may contain personally identifiable information (PII) for thousands of employees, or it may contain sensitive corporate information. This could be the backend for an app that was deployed enterprise wide, such as CRM, ERP, endpoint security, or an internal productivity app. If a malicious actor intends to access such sensitive information, it's far more feasible to breach one cloud server than to successfully attack thousands of mobile devices with malware. And in this example, the enterprise-wide app has already done the heavy lifting of collecting that information into a single file system or database. There's ample evidence that mobile app developers can be lax when it comes to cloud-based storage security, so the threat is amplified by the ease with which the database can be breached. That's why mobile data leakage is a rising concern.


The biggest challenge for enterprises is that use of mobile devices creates new threats to corporate data. Attackers usually choose the path of least resistance, and exposed data in the wild represents an easy exploit.