Clearhouse
10 Ways to Secure the Forgotten Endpoints—Mobile Devices
Publication Date: July 10, 2018

Vijaya Kaza is Chief Development Officer at Lookout, Inc., a mobile security company included in the 2017 Forbes Cloud 100, which recognizes the best private companies in cloud computing.

Did you remember to include mobile device security in your budget? If your company is like the majority of organizations in the world, the priority of your security budget is securing your company's network, data centers, email and endpoint devices such as laptops and desktops. Too often, cyber security plans overlook a significant risk that arises from the organization's new cyber-attack surfaces: mobile devices and tablets.

Mobile devices are rapidly becoming primary enterprise computing devices for employees. In fact, more than half of internet traffic originates on mobile devices. Users likely have access to important corporate data and other cyber crown jewels through their mobile devices. On top of that, by putting the user's two-factor authentication token on these devices, they may become the key to unlocking access to corporate and other critical data including bank accounts, credit cards and medical records as well.

It would be unfathomable to leave corporate laptops and desktops without antivirus software and other endpoint protection mechanisms, yet, that is exactly what the majority of organizations are doing with mobile devices. By largely ignoring the risks they pose, companies are leaving themselves (and in turn, often their customers) unprotected. According to a survey conducted by Gartner, only 3% of enterprises have anti-malware protection on mobile Android devices and only 1% on iOS devices.

When developing a cyber security strategy that includes smart phones and tablets, keep in mind that mobile devices are configured and used differently from other traditional endpoints, and therefore should be secured differently. For example:

  • Mobile devices are widely used by employees outside of the corporate perimeter. This makes traditional perimeter security mechanisms like IPS, firewalls and email security solutions irrelevant in protecting these devices.
  • Mobile devices are often owned by the users. They are unmanaged in most cases, with users choosing which applications to run on these devices. This is in contrast to the corporate issued and controlled laptops, which are often managed tightly.
  • Mobile devices are always connected and on. This makes them more available and susceptible to attacks.
  • Mobile devices have limited battery and CPU. The security solutions that an organization uses to protect laptops and other traditional endpoints are not applicable for these devices.
Mobile devices can be targeted from many different angles:
  • Mobile devices can be jailbroken or rooted into. Bad actors can take control of unprotected mobile devices and circumvent any security measures put in place by the OS vendors.
  • Vulnerabilities in the OS can be exploited. Discovering and patching such vulnerabilities is just as important—if not more important—on mobile devices as compared to other traditional endpoints.
  • Many different types of malware specifically target mobile devices. Malware is downloaded to these devices through seemingly innocuous and legitimate apps that the users willingly download for various purposes. Mobile malware is expected to comprise one-third of total malware by 2019.
  • Even legitimate, non-malicious apps may be collecting too much personal information. Music streaming apps, games, work organizers and social media platforms often access sensitive resources on a user's phone that they are not meant to, including the device's camera, calendar and contacts.
  • Mobile devices connect to multiple public networks. As employees leave the corporate network and connect to various public Wi-Fi networks, their mobile devices are susceptible to man-in-the-middle attacks from rogue Wi-Fi access points.
  • Phishing is rapidly becoming a prevalent problem for mobile devices. Sophisticated and intelligently-crafted phishing messages come through various mobile apps like SMS and social messaging, fooling and enticing the users to click on malicious links embedded in them. Users cannot always hover on the links or check the validity of the certificates on mobile devices, making it almost impossible to determine if the links are malicious. This makes phishing a bigger challenge for mobile devices than other traditional endpoints.
These security risks have made mobile devices a prime attack surface for hackers seeking to target the data and networks of enterprise systems. Many enterprises may not be well prepared to deal with these challenges, because most do not invest in adequate measures to protect their systems on the mobile front. If your organization allows access to important corporate data from mobile devices, then these endpoints cannot be ignored in your cyber security plan.

10 Ways to Secure Mobile Endpoints
Once your organization determines the extent of its vulnerability to the security risks discussed above, the following measures can be taken to mitigate mobile threats and secure mobile endpoints:

  1. Define the mobile deployment model of your organization. Do you issue corporate owned devices to employees or do you allow employees to bring their own devices (BYOD model)?
  2. Assess the threat profile and posture of your mobile fleet. How many Android/iOS devices are in your fleet? What OS versions are running on the devices and what vulnerabilities are present in them?
  3. Develop a security strategy for mobile endpoints. Base the strategy on the deployment model, the threat profile and the risk assessment.
  4. Make mobile endpoint security a priority in the cyber security budget. Many cyber security officers feel their budgets aren't adequate. In EY's 2017-2018 Global Information Security Survey of enterprise CIOs and CISOs, 87% reported that they need up to a 50% increase in their budgets, but only 12% expected to receive more than a 25% increase.
  5. Invest in mobile threat defense solutions. The feature capabilities and maturity of these products vary between different vendors in the market. Look for products that offer holistic solutions to each of the potential security attack vectors discussed above, including device, OS, network, application and phishing protection.
  6. Look beyond solutions that offer phishing protection just for corporate email. The email security solutions only filter out potential phishing emails and malicious URLs before they hit the corporate email server, but do not protect against malicious links that may come in through various mobile apps like SMS and social messaging.
  7. Put a strong security and compliance policy in place. A good mobile threat defense solution will identify vulnerabilities that are present in the current OS and send an alert if the OS is out of date or if the mobile device is out of compliance. Incentivize users to upgrade their OS to the latest version and address any compliance violations quickly. For example, block access to corporate data from any mobile device that hasn't been updated to the most recent OS versions or isn't compliant.
  8. Stay current on mobile cyber security risks and solutions. CISOs and Security Steering Committees should review the policies and compliance stance on a regular basis to ensure the organization stays ahead of mobile security threats.
  9. Train employees to defend their mobile devices from bad actors. Conduct mock phishing campaigns and training programs for employees to educate them on phishing on mobile devices.
  10. Partner with a mobile cyber security expert. Chose a vendor to help your organization stay on top of emerging trends and new security threat discoveries and continue to evolve your security strategy.

***

Vijaya Kaza is the Chief Development Officer at Lookout, Inc. Ms. Kaza previously served as Senior Vice President of Cloud Engineering at FireEye, Inc. (Nasdaq: FEYE), and prior to that worked for 17 years in multiple executive and leadership roles at Cisco (Nasdaq: CSCO).

The views and opinions expressed herein are the views and opinions of the contributor at the time of publication and may not be updated. They do not necessarily reflect those of Nasdaq, Inc. The content does not attempt to examine all the facts and circumstances which may be relevant to any particular company, industry or security mentioned herein and nothing contained herein should be construed as legal or investment advice.