Monday, November 27, 2017

Why Mobile Security Is Hard for Enterprises


Most enterprises support the “mobile first” movement, whether enthusiastically or begrudgingly. Many enterprises have developed mobile apps for internal use, and almost all allow employees to use their personal mobile devices to access corporate email, calendars, and other resources. Few companies have strict policies preventing use of BYOD (bring your own devices) for productivity purposes, nor do they prohibit use of social network or messaging apps while at work. Mobile use in companies has become entrenched, and it’s here to stay.

Meanwhile, startups and other high-tech firms have jumped to fill the void in mobile security solutions. In the past few years, a variety of innovative approaches have been introduced to the enterprise market that address threats related to mobile malware and data leakage. This has led industry analysts and other thought leaders to coalesce around common solution definitions to help enterprises navigate their way through the highly diverse solution landscape. The consensus seems to be that a general solution definition, defined by Gartner as Mobile Threat Defense, or MTD, is the universal answer to enterprise mobile security.

But the MTD category did not emerge in response to large and growing adoption of mobile security solutions by enterprises. In fact, the real question is why aggregate MTD revenues are so low, and why so few enterprises have adopted an MTD solution.

Having seen this apparent contradiction up close, I have a theory as to why the MTD adoption is so low. Because MTD introduces a new paradigm based strictly on mobility threats, and because MTD does not leverage current enterprise security infrastructure, it represents a big challenge to enterprise security teams. MTD is another expense, sure, but the real reason it hasn’t been widely adopted is that it’s hard to deploy.

Consider some of the elements of an MTD enterprise deployment and consider how little alignment exists with current security solutions:
  • Mobile app/agent deployment to all employees, and all the challenges associated with the requirement that all users must deploy this security app (help desk, battery drain, “big brother” concerns by employees)
  • Remediation policies, including requiring employees to delete offending apps (including related HR policies)
  • Enterprise policies regarding rooted/jailbroken devices
  • EMM integration
  • PII management, especially regarding EMM integration and agent deployment

On top of that, there’s a whole new taxonomy for the enterprise IT staff to master and new concepts that must be operationalized: mobile malware and its many variants (spyware, trojans and fake apps, ad fraud, click fraud, ransomware); man-in-the-middle attacks; targeted attacks, secure transport enforcement; OS vulnerability assessment; and the list goes on.

Finally, BYOD devices are far more personal, and likely to have far more personal data, than legacy desktop or laptop systems. Taking some element of control over such devices in the workplace raises big concerns for employees who have their text messages, chats, pictures, and other personal data on their device. Even the apps that are installed on the device can imply much about a user. Any mobile security deployment that’s not done in conjunction with clear and transparent HR policies will almost certainly encounter personnel issues down the road.

This is the heavy lifting of MTD: A security team has to master new concepts, terms and systems to deploy and manage MTD. Furthermore, the system has to be justified even though it doesn't leverage the current security infrastructure.

So what should an enterprise do?

In upcoming posts, I will be exploring options for enterprise mobile security that leverage existing security infrastructure while providing a more lightweight but effective solution. Stay tuned!

Tuesday, November 21, 2017

We're All Under Attack!! Buy My Product Now!


It is generally the role of security vendors to alert potential customers as to the dangers from certain threats, namely threats that the vendors' products provide protection for. There's a fine line between education and scare tactics, and sometimes the desire to make a point can cause that line to become blurred.

Which brings us to an article published last week entitled Mobile Malware Incidents Hit 100% of Businesses. The article describes research by Check Point that may or may not confirm our worst fears: Every enterprise has experienced mobile malware attacks.

Furthermore, Check Point's research also revealed that "89% of organizations experience at least one man-in-the-middle incident stemming from users connecting to a risky WiFi network." Well, that's a relief, I was worried that the figure would be 11 percent higher.

Now, let's ask ourselves a question: Where's the enterprise breach that resulted from either mobile malware or man-in-the-middle (MiTM) attacks?

That's okay, take your time. I can wait.

Still waiting.

Maybe the answer is that mobile malware and mobile MiTM attacks represent only a negligible risk to enterprises. As we've noted previously, while there's a significant risk to enterprises from use of mobile apps that leak corporate data, mobile malware is almost exclusively a threat to consumers--not enterprises.

Yes, the term "malware" connotes real risk to enterprise desktop and infrastructure systems, and has been the cause of breaches from Target to Home Depot to Sony to Equifax. But mobile malware is different, and while trojans (otherwise called fake apps or camouflage apps) can perpetrate financial fraud against you or me, they have not yet shown themselves to be a threat to enterprises. Mobile ransomware can lock up an individual's files and lead to temporary loss of functionality for a single user. However, mobile ransomware is not a threat to enterprises in the way that ransomware locking up hospital servers is. Other mobile malware that perpetrates toll fraud and click fraud is annoying, but hardly an existential threat to enterprises.

Mobile malware should be considered in two categories: broad-based attacks; and targeted attacks. The examples cited above, including trojans and ransomware, are broad-based attacks, aimed at a large population of users. An example of a targeted attack is Pegasus, which we know has occurred in the wild at least twice, both times against political dissidents in the Middle East and Mexico. So far, no mobile targeted attacks have been publicly reported against enterprise executives or key knowledge workers.

So what's an enterprise to do to ensure their use of mobile is secure? Think about how to protect data that's accessed by mobile devices, and be aware of concentrations of user data in the cloud resulting from mobile use. In general, it's apps that access and manipulate data, and an app-centric approach is likely to provide the most value from a security perspective.

Thursday, November 16, 2017

Protect Mobile Protects Consumers--and Enterprises?



Deutsche Telekom announced a new service yesterday called Protect Mobile. How it works can be summarized by their headline: Security is now a job for... the network!

The service, developed in collaboration with Check Point Software, provides protection against network-based mobile threats. Here's a brief description of the service:
Protect Mobile protects smartphone owners from Internet dangers at home and abroad: the protective shield in the Deutsche Telekom mobile communications network identifies and deflects viruses, worms, and trojans automatically. In addition, Protect Mobile blocks dangerous websites within the Deutsche Telekom network. Apps are checked for security issues before they are downloaded. Whether during online banking, surfing the web or on social networks, with Protect Mobile, users are effectively protected against cyberattacks both on the go and in their home Wi-Fi network.
The protection is performed by the network upon enrollment (for under a euro per month). A mobile app, available from the App Store (iOS) and Google Play (Android), complements the network protection by displaying error messages, warning of risks and providing specific instructions regarding what the user should do in case of an error or a threat. Once the user is outside of the Deutsche Telekom network, the app provides on-device protection, raises alarms in case of threats and identifies them transparently. The primary design goal of the app was ease of use.

This seems like a reasonable approach to providing mobile security across a broad swath of users. The security is strongest when using the Telekom network and the home Wi-Fi network. Presumably, protection when using non-Telekom Wi-Fi networks, such as in coffee shops, hotels, and airports, is provided via the Protect Mobile app. For most consumers, other than those who might be targeted by an attack, this level of protection is adequate and would prevent most mobile-based consumer threats such as financial fraud, ransomware, and identity theft.

For enterprises within the Deutsche Telekom coverage area, if all of an enterprise's employees used Protect Mobile, it would provide relatively strong protection against most network- and device-based attacks. Does this constitute enterprise-class mobile security? Not exactly. As we've pointed out in earlier posts, the stalker economy and data leakage are app-based threats, not network or device threats, and those are the threats that put enterprise data at risk. For comprehensive protection, an enterprise would have to add protection against app-based threats to protect its data, and also to prepare for GDPR compliance in May.

Thursday, November 9, 2017

Eavesdropper: Can You Hear Me Now?


Appthority released research today on a newly discovered vulnerability dubbed Eavesdropper. This is yet another case where enterprise data is leaked from mobile devices, in this scenario by legitimate app developers failing to secure their cloud back end (specifically, by hard-coding Twilio account credentials into mobile applications that use the Twilio REST API or SDK, so that anyone who extracts those credentials from the app can read everything the account holds).

Quoting from Appthority's blog,
Eavesdropper does not rely on a jailbreak or root of the device, take advantage of a known OS vulnerability, or attack via malware. 
In other words, Eavesdropper does not result from malicious code on the mobile device. The vulnerability is app developer error, pure and simple, and the exposure is not on the device but in the cloud. But this error, multiplied by hundreds of apps and millions of downloads, causes text/SMS messages, call metadata, and voice recordings to be exposed to anyone who pulls the credentials out of the app binary. Once the data is exposed, malicious actors can easily find it and launch an attack based on that data. The "attack" may be cyber or it may be in the real world, based on proprietary knowledge acquired from the exposed enterprise data.
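The check a practitioner would want here is a static pass over an app's extracted strings for exactly this class of developer error. The following is an added example, not code from Appthority or from the original post: a minimal `strings`-style extractor plus pattern checks for a Twilio account SID (the "AC" prefix followed by 32 hex digits), a 32-hex-digit value sitting next to a token-like key name, and an embedded HTTP Basic authorization header. The sample app strings, SID, token and header values are constructed for the example and are not real credentials.

```python
import re

# Constructed sample of strings as they might be pulled from a decompiled app
# (e.g. the output of `strings` over classes.dex or a Mach-O binary). The SID,
# token and header values below are made up for this example.
SAMPLE_APP_STRINGS = [
    "https://api.twilio.com/2010-04-01/Accounts/",
    "TWILIO_ACCOUNT_SID=ACa1b2c3d4e5f60718293a4b5c6d7e8f90",
    "TWILIO_AUTH_TOKEN=0123456789abcdef0123456789abcdef",
    "Authorization: Basic QUNhMWIyYzNkNDo0ZWRjYmE5OA==",
    "com.example.messaging.MainActivity",
    "sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709",  # a hash, not a secret
]

# Twilio Account SIDs are 34 characters: "AC" followed by 32 hex digits.
TWILIO_SID_RE = re.compile(r"\bAC[0-9a-fA-F]{32}\b")
# Auth tokens are 32 hex digits. On its own that pattern is noisy (MD5 and
# other hashes look the same), so only flag one adjacent to a token-ish key.
TWILIO_TOKEN_RE = re.compile(r"(?i)(?:auth[_-]?token|secret)\W{0,3}([0-9a-f]{32})\b")
# Hard-coded Basic auth leaks the same thing (SID:token, base64) another way.
BASIC_AUTH_RE = re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]{8,})")
# Printable ASCII runs of 8+ bytes, the same heuristic `strings` uses.
PRINTABLE_RUN_RE = re.compile(rb"[\x20-\x7e]{8,}")


def extract_strings(blob: bytes):
    """Minimal `strings`: return printable ASCII runs found in a binary blob."""
    return [m.group(0).decode("ascii") for m in PRINTABLE_RUN_RE.finditer(blob)]


def find_hardcoded_credentials(strings):
    """Return (kind, value) findings for Twilio-style credentials in strings."""
    findings = []
    for s in strings:
        for m in TWILIO_SID_RE.finditer(s):
            findings.append(("twilio_account_sid", m.group(0)))
        for m in TWILIO_TOKEN_RE.finditer(s):
            findings.append(("twilio_auth_token", m.group(1)))
        for m in BASIC_AUTH_RE.finditer(s):
            findings.append(("basic_auth_header", m.group(1)))
    return findings


def assess(findings):
    """SID plus token together give full REST API access to the account."""
    kinds = {kind for kind, _ in findings}
    if {"twilio_account_sid", "twilio_auth_token"} <= kinds:
        return "critical"
    if kinds:
        return "review"
    return "clean"


if __name__ == "__main__":
    # Running against an app binary: extract_strings(open("classes.dex", "rb").read())
    found = find_hardcoded_credentials(SAMPLE_APP_STRINGS)
    for kind, value in found:
        print(f"{kind}: {value[:6]}... ")
    print("assessment:", assess(found))
```

The adjacency rule for the token matters in practice: any binary is full of 32-hex-digit hashes, and a scanner that flags all of them trains developers to ignore it. The SID pattern, by contrast, is distinctive enough to flag on its own.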

Headlines about the latest malware threat get our attention, but there are no known malware attacks that have exposed nearly the amount of data, measured in terabytes, as Eavesdropper and HospitalGown. As we've noted previously, data leakage from mobile devices is a real, demonstrable threat, but enterprises often focus on malware and legacy endpoint paradigms. A broader perspective than a focus on the device alone is required to detect and remediate such threats and protect enterprise data.

Tuesday, November 7, 2017

Interpreting Mobile Malware Headlines for Enterprises

Another week, another onslaught of scary mobile malware headlines. Whether it's a fake app on an app store (WhatsApp this week), a triple whammy attack, or just a theoretical exploit that hasn't yet occurred in the wild, the headline informs us that millions if not billions of users are at risk.

But are enterprises at risk? Yes, but rarely from mobile malware.

JR Raphael posted an interesting article at CSO that suggests we may be asking the wrong question if we're asking what's the best Android security app to protect ourselves from mobile malware attacks. In suggesting why third-party security is rarely the right answer, Raphael lists several points, including this:
Even if you do happen to encounter Android malware, it's highly unlikely to compromise corporate data
Mobile malware represents a threat, but mostly to the individual user, not to the enterprise. Why? It's mostly because the major mobile platforms, Android and iOS, are really quite secure. As a result, attackers have limited options. The major mobile malware categories are:

  • ransomware
  • trojan or fake app
  • spyware
  • toll and ad fraud
Toll and ad fraud are mostly an annoyance, but the other attacks can result in a ransom payout (or lost data), financial fraud, or identity theft. Such attacks can cause my privacy to be violated or my bank account to be emptied, but they represent no threat to my enterprise's finances or infrastructure. Unlike in the enterprise desktop environment, cross-platform attacks that jump from the compromised endpoint into the soft underbelly of the enterprise infrastructure are rare and relatively unsophisticated. Therefore, while mobile malware represents a serious threat to consumers, there are no known cases where mobile malware has led to a major enterprise breach.

It's unfortunate that we use the same term for mobile and desktop attacks. "Malware" in the mobile context refers to attacks with a blast radius of one; "malware" in the desktop context is an existential threat, with a potential enterprise-wide blast radius. Protecting against such exploits has been and continues to be the top priority of any enterprise, and we've seen cases where an enterprise's business prospects are harmed and executives' careers are damaged.

So does this mean there's no threat resulting from mobile use in the enterprise? Hardly. As noted in prior posts, employee use of mobile devices in the workplace can lead to data leakage of privacy and corporate data that could reveal confidential initiatives, plans and strategies. But malware is not the threat here, it's mostly legitimate public store apps gathering far more data than most people realize. Stay tuned as we develop those concepts in future posts.

Wednesday, November 1, 2017

Mobile Data Leakage Versus DLP

Seth Hardy over at Appthority has an interesting post this week, discussing how a focus on malware protection can cause enterprises to miss the threat of data leakage from legitimate public store apps. And a new case study from Lookout, describing how their solution addressed customer objectives that include reducing customer data leakage risks, also addresses this emerging threat vector.

I see this as a positive trend, as more vendors and enterprises focus on what's important: protecting corporate data.


In talking about mobile data leakage, I find that people often confuse it with data loss prevention (DLP). The issues are similar, in that both concern data leaving the organization, but they address completely different problems. It's worth a brief outline of each threat scenario to clarify:


When enterprises talk about defense in depth, DLP often represents the last line of defense. If an attack breaches NGFW, IDS/IPS and CASB protections and eludes breach detection systems, it will ultimately attempt to exfiltrate data. DLP solutions are designed to detect and possibly block the exfiltration; among other features, they may recognize bulk transfer of SSNs or credit card numbers that have been aggregated in an internal data set. The large data set was the ultimate target of the attackers, who had to circumvent a number of enterprise defenses to access it.
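To make the DLP side of the contrast concrete, here is an added example (not code from the original post or from any DLP product) of the kind of content check such a solution runs over an outbound payload: SSN patterns with the structurally invalid ranges excluded, card-number candidates validated with the Luhn check so that order numbers and other long digit strings are not counted, and a bulk threshold that separates one record leaving in a normal transaction from an aggregated data set leaving at once. The CSV export, the threshold of five and the field names are constructed for the example; the card numbers are the standard public test numbers.

```python
import re

# SSN: area not 000, 666 or 900-999; group not 00; serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card candidate: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which every real payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_payload(text: str, threshold: int = 5) -> dict:
    """Count distinct SSNs and Luhn-valid card numbers; block above threshold."""
    ssns = set(SSN_RE.findall(text))
    cards = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            cards.add(digits)
    count = len(ssns) + len(cards)
    return {
        "ssns": sorted(ssns),
        "cards": sorted(cards),
        "action": "block" if count >= threshold else "allow",
    }


# Constructed outbound payload: an export of an internal customer table.
# Rows 3 and 4 carry an invalid SSN area (000) and a Luhn-invalid card;
# the order_ref values are 14-digit numbers that fail Luhn and so are ignored.
SAMPLE_EXPORT = """\
id,name,ssn,card,order_ref,phone
1,Alice,123-45-6789,4111 1111 1111 1111,20171127123456,555-123-4567
2,Bob,234-56-7890,5500-0000-0000-0004,20171127123457,555-987-6543
3,Carol,000-12-3456,378282246310005,20171127123459,555-555-0100
4,Dave,456-78-9012,4111111111111112,20171127123460,555-000-1111
"""

# A single checkout transaction: the same data types, but not an aggregate.
SINGLE_RECORD = "name=Alice&ssn=123-45-6789&card=4111111111111111"

if __name__ == "__main__":
    for label, payload in (("bulk export", SAMPLE_EXPORT), ("single record", SINGLE_RECORD)):
        result = scan_payload(payload)
        print(f"{label}: {len(result['ssns'])} SSNs, {len(result['cards'])} cards -> {result['action']}")
```

The point of the threshold is the one the paragraph makes: DLP is looking for an aggregated data set on its way out, so a single SSN in a legitimate HR form should pass while six identifiers in one request should not. Real products add context (destination, user, channel) on top of this content check.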


Mobile data leakage is different. In this case aggregation takes place outside of the enterprise infrastructure in a backend server or a cloud storage system. The data set in this case may contain personally identifiable information (PII) for thousands of employees, or it may contain sensitive corporate information. This could be the backend for an app that was deployed enterprise wide, such as CRM, ERP, endpoint security, or an internal productivity app. If a malicious actor intends to access such sensitive information, it's far more feasible that a cloud server could be breached than that thousands of mobile devices could be successfully attacked with malware. And in this example, the enterprise-wide app has already done the heavy lifting of collecting such information into a single file system or database. There's ample evidence that mobile app developers can be lax when it comes to cloud-based storage security, so the threat is amplified due to the ease with which the database can be breached. That's why mobile data leakage is a rising concern.


The biggest challenge for enterprises is that use of mobile devices creates new threats to corporate data. Attackers usually choose the path of least resistance, and data exposed in the wild is an easy target.