The rise in mobile device security threats and the growing attack surface [Q&A]
Both government agencies and corporations are being tasked with developing strategies for protecting mobile devices from an increasing wave of attacks. CISOs and business leaders are asking themselves not only how they can use mobile devices to make employees more productive, but also how to realize the full potential of a mobile-powered business.
As leaders build out their mobile-powered businesses, they will also need to pair these initiatives with mobile-first security strategies to address the fast-growing attack surfaces that bad actors are increasingly targeting. We spoke to Shridhar Mittal, CEO of Zimperium, to discover more.
BN: Who are these bad actors?
SM: Bad actors come in all shapes and sizes and have different motivational factors. For example, a bad actor could be someone from a nation-state who is trying to attack a government agency or a major corporation to enact IP theft or financially motivated attacks. Bad actors are constantly analyzing where the open doors are in an organization’s environment and today, these are mobile devices. On the government side, mobile devices are becoming more and more ubiquitous within agencies and as a result, easier to infiltrate. Spyware, for example, is an easy way to install malware into mobile devices. Spyware can be used to track location, turn on video and microphone, log keys, and steal passwords and messages. Most commonly, we see spyware being installed via phishing techniques, where the victim is led to a fake website that installs the spyware on their device. What's most worrisome is that more often than not, the victim will not know anything was installed. Once spyware is on the device, bad actors can do anything they want with the information and can even convert it to ransomware by encrypting the data and then extorting victims to pay for it to be decrypted. This is happening at lightning speed and every government agency and corporation, no matter its size, is at risk.
BN: What steps can CISOs and business leaders take to mitigate risk and best protect their data on mobile?
SM: A common mistake we often see is the assumption that banning an app that is known for spyware will solve the problem. There are several issues with this approach. First, CISOs have very limited visibility into which devices have an app that is susceptible to spyware installed on them. Second, a lot of this spyware is coming out as Software Development Kits (SDKs) as opposed to full apps. These SDKs can be within hundreds of other apps, and it is impossible to keep track. Third, there is zero-day spyware coming out every day, and the problem is that CISOs are only becoming privy to this after everything has been reported, meaning the spyware will have been on the device anywhere from 30-60 days.
While banning an app can seem like a step in the right direction, CISOs need an agent on these devices that can track all these apps, analyze and look at SDKs installed within, and understand what connections these apps are making. The agent will take the burden off the CISO and share necessary information as to where SDKs are connecting and ban that connection as opposed to banning the app itself. By installing an agent that will track app and connection activity, they will be better equipped to ensure the connections being downloaded are clean and don't have spyware and malware installed. It is impossible to track all this activity without an agent doing it for you in real time and is not a scalable strategy in the long run.
BN: What are common mistakes people make that leave them exposed?
SM: There are many common mistakes people make that leave them exposed on their mobile devices. The most common ones are connecting to unsecured Wi-Fi (i.e., your local Starbucks), clicking phishing links, and downloading apps from third-party app stores. Another big mistake is jailbreaking your device to have access to specific games. When a device is jailbroken, all existing security within that device is gone. Moreover, if you have an Android device, you can turn your phone on developer mode and malware can be installed without detection. We see this day in and day out and it is impossible for CISOs to track without an agent to track activity continuously.
BN: What flaws are found in iPhone and Android software that enable bad actors to steal everything from a person’s photos, contacts, call logs, messages and real-time location data?
SM: Both Android and iPhone have new vulnerabilities that are being detected regularly and require quick security updates to new versions to avoid exploitation. The real difference between Apple and Android is that Android has an open ecosystem with multiple play stores, while Apple only has one store. Apple can control the apps that go into the app store and proliferation isn't as much as it is in Android because of the multiple play stores. Spyware, however, is just as lethal in both operating systems.
Mobile security threats have grown rapidly into a lucrative ecosystem, one that cybercriminals have been quick to exploit for their cyber intrusion tactics. These mobile threats won't slow down anytime soon, requiring both business leaders and government agencies to create mobile-first security strategies that center and prioritize the global, distributed devices now being targeted.