The secret to mobile security: Isolation
As if avoiding phishing, fake phone calls, and questionable emails wasn’t already a daily challenge to protecting personal data, "trustworthy" websites are now effective vehicles for launching malware, and no device is safe. In today’s digital world, the security of the internet has become a tricky task, especially considering nearly half of the world’s most popular websites are risky places to visit.
Consider this: the web browser serves as one of the primary conduits for delivering malware, so how can organizations protect their assets and users? Taking extreme measures, some enterprises have entertained the idea of using tablets or iPads to keep high-risk users safe from malware. But given the recent iPhone and iOS hacks, mobile devices have proven to be just as susceptible to attacks. For instance, Google's Project Zero security team recently revealed that iOS security was breached after websites in the wild had found a number of vulnerabilities. Not only were they able to break through layers of security, hackers were able to take full control of the device.
Other organizations have tried more traditional forms of isolation by requiring employees to use separate devices for work and personal use, but the reality is that restricting employees not only doesn’t guarantee security, it isn’t a sustainable strategy in the long run. The real problem boils down to browser integrity.
Regardless of what device you use to browse the web, connecting to the Internet directly, without isolation, is incredibly risky. Zero days like the remote code vulnerability in Internet Explorer (IE) Microsoft recently patched, are just further proof that any Internet of Things (IoT) device, even iOS devices, are susceptible to malware and phishing attacks. Further complicating things, unlike with desktop browsing, on mobile there are no visual cues -- you can’t hover over links to determine the source of sender or site destination -- making it more difficult to discern the true sender or trustworthiness of the URL.
Though recent research suggests improvement, the reality is that phishing still remains a top security issue. Verizon reported click-through rates on phishing simulations for data partners fell from 24 percent to three percent over the past seven years. However, 18 percent of users who clicked on test phishing links did so on mobile devices. Not only are mobile users failing to detect delinquent links, but this also sheds light on the susceptibility of other mobile functions, such as email phishing and social media attacks.
These types of attacks are all too common, and there are probably even more sites that target Android and other mobile software vulnerabilities. Ultimate browser and web security essentially comes down to determining the good vs. bad, but the reality is this: if you approach security in that manner, you only have to be wrong once to be compromised.
Isolation takes the guesswork out of security and assumes everything is bad. With a zero trust internet approach, full protection is guaranteed regardless of a website’s integrity. Mobile isolation is the only answer to this type of attack, and we’ll continue to see more headlines until that technology is more widely adopted.
Kowsik Guruswamy is CTO of Menlo Security. Previously, he was co-founder and CTO at Mu Dynamics, which pioneered a new way to analyze networked products for security vulnerabilities. Prior to Mu, he was a distinguished engineer at Juniper Networks. Kowsik joined Juniper via the NetScreen/OneSecure acquisition where he designed and implemented the industry's first IPS. He has more than 15+ years of experience in diverse technologies like security, cloud, data visualization, and computer graphics. Kowsik has 18 issued patents and holds an MSCS from University of Louisiana.