“Mobile malware is not a problem.” “Enterprises, ignore mobile threats; they’re not there.” “You’re more likely to be struck by lightning than by mobile malware.”
These are the headlines I’ve heard some very influential and very important industry leaders repeat as the result of Verizon’s recent breach report. Frankly, I don’t think that many in the industry are actually reading what this report says: mobile is an issue, we can’t ignore it, and enterprises need visibility and control now.
The report clearly highlights that malware infections are low, but it also shows two issues with direct impact to consumers and enterprises alike: vulnerabilities and data leakage.
Mobile threats are more than just malware.
The Verizon report also notes that 80 percent of EnPublic apps, or those distributed through enterprise provisioning profiles, “invoke risky private APIs that are also in violation of Apple’s Developer guidelines. In the wrong hands, these APIs threaten user privacy and introduce many vulnerabilities.”
Vulnerabilities are concerning no matter what platform they affect, but many times people make the mistake of brushing them off as unimportant if they’re often not actively being exploited. FireEye recently released research showing that “150 million downloads of Android apps contain OpenSSL libraries vulnerable to Heartbleed” as of April 2015, nearly a year after the vulnerability was announced.
Once you have vulnerabilities, it’s just a matter of time that vulnerabilities like the ones mentioned above could be used as a launching point for network attacks.
The example Verizon uses to describe malware threats is “adnoyance” or adware. Adware, as Verizon directly states, “aggressively collects personal information from the mobile device it’s installed on, including name, birth date, location, serial number, contacts, and browser bookmarks. Often, this data is collected without users’ consent.”
From a consumer perspective, adware takes information without their knowledge and could sell it, store it improperly, or otherwise mishandle their data.
By default, if you’re an enterprise that supports BYOD, this kind of “annoying threat” should sound alarms. The fact that contacts and personally identifiable information is taken puts your employees and your proprietary secrets, your competitive edge, at risk.
Visibility and control
Verizon is right — mobile malware is not an enterprise’s top priority, but a mobile device is not a semi-secure piece of technology to be put in a drawer and worried about later. Verizon says it itself:
“We are not saying that we can ignore mobile devices; far from it. Mobile devices have clearly demonstrated their ability to be vulnerable. … When it comes to mobile devices on your network, the best advice we have is to strive first for visibility and second for control. Visibility enables awareness, which will come in handy when the current landscape starts to shift. Control should put you into a position to react quickly.”
Honestly, I think Verizon is spot-on. Have we not learned anything from the history of Internet security? We are ahead of the game with mobile and I don’t think there’s a person in security who would say it won’t be an issue in the future.
Security is not an “if” game, it’s a “when” game. An enterprises’ visibility into their mobile stack will only strengthen their security suit of armor. Without insight into mobile there can be no effective action when the attack comes.
So, in saying “there’s no mobile malware,” or “mobile isn’t a problem,” many are missing the point. I encourage you to actually read the report for yourself.
Shumard is a principal at Shumard and Associates, LLC and a former Cigna CISO.