Your security architecture is ineffective without mobile protection
Security professionals spend their careers fine-tuning enterprise architectures to keep attackers out and corporate data safe.
They employ firewalls, intrusion prevention systems, network monitors, encryption, access and identity management tools, anti-malware software, endpoint security, and more. It takes a lot of effort — in fact, whole teams within an enterprise — and resources to deploy and manage these tools.
It turns out that for all of this effort, security leaders and organizations around the world are actually leaving a window open in their overall architecture. When an enterprise does not protect the mobile devices accessing sensitive corporate data, they leave open a critical access point to the data they’ve spent so much time and energy protecting through other means.
Ignoring mobile sets an enterprise up for failure
Consider the multitude of endpoints any enterprise has: servers, PCs, even printers and copy machines are on a security manager’s agenda to protect. Mobile devices are just as important as any of these devices.
Enterprise employees use their mobile devices to do work. In fact, 95 percent of IT and security leaders say mobile devices are at least “very important” to their employees’ productivity, according to a joint survey from analyst firm ESG and Lookout. Fifty-eight percent of respondents called mobile devices “critical” in their role as employee productivity tools.
You’ve likely heard the laundry list before, but employees are accessing and sending emails on their phones; they are taking pictures of whiteboard sessions and sending the image to themselves; they are using applications to take notes, book travel, or submit expenses; they are joining key meetings via teleconferencing solutions with mobile apps. Work is no longer relegated to the desktop or laptop.
The Presidential Commission on Enhancing National Cybersecurity stated in a report to the White House, “Mobile technologies are heavily used by almost every organization’s employees, yet security for mobile devices is often not considered as high a priority as security for other computing platforms. In short, the classic concept of the security perimeter is largely obsolete.”
The endpoint is shifting and without protection for it, enterprises’ security architecture fails.
Examples of real-life targeted mobile threats
If you think mobile threats are still a thing of the future, consider Pegasus and ViperRAT.
Pegasus is a highly sophisticated piece of spyware that uses three previously unknown vulnerabilities called “Trident.” When strung together, these three vulnerabilities would allow an attacker to break out of the browser sandbox, jailbreak the device, and install the spyware. From there, the spyware can turn on the camera and mic, intercept text messages, and alter the existing apps on the device to spy on any encrypted or unencrypted data. This is the most sophisticated mobile attack the Lookout research team has seen yet and marks a new era of mobile hacking.
ViperRAT is also a very sophisticated threat, adding to the mounting evidence that targeted mobile attacks against governments and enterprises are a real problem. It is an active, advanced persistent threat (APT) that sophisticated threat actors are using to target and spy on the Israeli Defense Force. It collects a significant amount of sensitive information from the device, and the attackers seem most interested in exfiltrating images and audio content. The attackers are also hijacking the device camera to take pictures. In aggregate, the type of information stolen could let an attacker know where a person is, with whom they are associated (including contacts’ profile photos), the messages they are sending, the websites they visit and their search history, the screenshots that reveal data from other apps on the device, the conversations they have in the presence of the device, and a myriad of images including anything at which the device’s camera is pointed.
If you think there isn’t a possibility your organization is being targeted, think again. Hundreds of businesses big and small are breached every month. In the month of January alone, attackers compromised over six million accounts. This can spell major brand headaches for a company and cause significant losses in both revenue and public trust for an enterprise’s products.
A wealth of information
Sixty-four percent of IT security leaders say it is very likely sensitive corporate data is present on their employees’ mobile devices, according to the survey.
Mobile devices are a wellspring for criminals. Today’s security professionals take great pains to protect their endpoints, set up appropriate monitoring, and manage teams who control these systems. In the end, however, enterprises are wasting their time and money when mobile devices are not protected.
It’s like locking all the doors but dangling the nice jewelry out of the upstairs window. No one thinks that’s a good idea.
About the Author: Mike Murray is the VP of Security Research & Response at Lookout. He is responsible for the global organization that drives detection of threats and vulnerabilities for its network of over 100M devices. He leads a global team of security research engineers and software developers, and has helped build a professional services organization to bring the benefits of the company’s research and threat intelligence directly to customers. Lookout protects mobility for some of the world's largest enterprises, critical government agencies, and tens of millions of individuals worldwide. The company has achieved this by partnering with leaders in the mobile ecosystem globally.