7 mobile device security threats that you should take seriously in 2019
Adaptation of JR Raphael's article.
Mobile security is at the top of every business's list of concerns today, and for good reason: nearly all employees now routinely access corporate data from their smartphones, which means keeping sensitive information out of the wrong hands is an increasingly complicated puzzle. The stakes are higher than ever: the average cost of a corporate data breach is a staggering $3.86 million, according to a 2018 report by the Ponemon Institute. That's 6.4% more than the estimated cost a year earlier.
While it's easy to focus on the sensational topic of malware, the truth is that malware infections on mobile devices are incredibly unusual in the real world - the likelihood of getting infected is significantly lower than the likelihood of being struck by lightning, according to one estimate. In fact, malware is currently ranked as the least common initial action in data breach incidents, appearing behind even physical attacks in Verizon's 2019 Data Breach Investigations Report. This is thanks to the nature of mobile malware and the inherent protections built into modern mobile operating systems.
The most realistic mobile security risks are found in some areas that are easily overlooked, and are expected to become more urgent as we move forward in 2019:
1. Data Leakage
Do you remember the almost non-existent chances of being infected by malware? Well, when it comes to a data breach, businesses have a nearly 28 percent chance of experiencing at least one incident in the next two years, based on the most recent Ponemon survey - chances of more than one in four, in other words.
What makes the issue especially vexing is that it is generally not malicious in nature; rather, it is a matter of users inadvertently making reckless decisions about which applications are able to see and transfer their information.
Dionisio Zumerle, director of mobile security research at Gartner, suggests turning to mobile threat defense (MTD) solutions - products such as Symantec's Endpoint Protection Mobile, Check Point's SandBlast Mobile, and Zimperium's zIPS Protection. These utilities scan applications for "leaky behavior," says Zumerle, and can automate the blocking of problematic processes.
Of course, even this will not always cover the leakage that occurs as a result of plain user error. This is a challenge the healthcare industry is currently struggling to overcome: according to specialist insurer Beazley, "accidental disclosure" was the leading cause of data breaches reported by healthcare organizations in the third quarter of 2018. This category, combined with internal leaks, accounted for nearly half of all breaches reported during that period.
For this type of leakage, data loss prevention (DLP) tools may be the most effective form of protection. This software is explicitly designed to prevent exposure of sensitive information, including during accidental scenarios.
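To make the DLP idea concrete, here is a small content-inspection check of the kind such tools run on outbound text before it leaves a device. It is an added example, not code from the article or from any DLP product: it finds payment card numbers (PANs) in a message, uses the Luhn checksum to weed out random digit runs, and either blocks the message or masks the numbers. The sample message and test card number are constructed.

```python
# Added illustration of the content-inspection idea behind DLP tools:
# scan outbound text for payment card numbers (PANs) and redact them.
# This is a constructed example, not code from the article or any DLP product.
import re

# A candidate is 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalize(candidate: str) -> str:
    """Strip the separators so only the digits remain."""
    return re.sub(r"[ -]", "", candidate)


def find_card_numbers(text: str) -> list:
    """Return the digit-only PANs in text; Luhn filters out most random digit runs."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = _normalize(m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def should_block(text: str) -> bool:
    """Policy decision: block the message if it carries at least one valid PAN."""
    return bool(find_card_numbers(text))


def redact(text: str) -> str:
    """Mask each valid PAN, keeping the last four digits for support purposes."""
    def _mask(m):
        digits = _normalize(m.group(0))
        if luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group(0)      # leave non-PAN digit runs untouched
    return _CANDIDATE.sub(_mask, text)


# Constructed sample: a well-known test PAN, a 16-digit reference number
# that fails Luhn, and a short phone number that is never a candidate.
SAMPLE = "Order 4111 1111 1111 1111 shipped; ref 1234567890123456, call 555-0100."

if __name__ == "__main__":
    print("block:", should_block(SAMPLE))
    print(redact(SAMPLE))
```

The Luhn step is what keeps a check like this usable: without it, every order number, tracking code or phone number of the right length would trip the filter, and users would quickly learn to ignore or work around it.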
2. Social Engineering
The tried-and-true con tactic is just as troubling on the mobile front as it is on the desktop. Despite how easy you might think social engineering scams would be to avoid, they remain surprisingly effective.
A staggering 91% of cybercrime begins with email, according to a 2018 report from security firm FireEye. Specifically, phishing has grown 65% over 2017, says the company, and mobile users are at greater risk of falling for it because many mobile email clients display only the sender's name, making it especially easy to spoof messages and trick a person into thinking an email is from someone they know or trust.
According to an IBM study, users are three times more likely to respond to a phishing attack on a mobile device than on a desktop, partly because a phone is the place where people are more likely to see a message for the first time. Verizon's latest research supports this conclusion and adds that the smaller screen sizes and correspondingly limited display of detailed information on smartphones (especially on notifications, which often now include one-touch options for opening links or responding to messages) can also increase the likelihood of phishing success.
In addition, the prominent positioning of action-oriented buttons in mobile email clients and the unfocused, multitasking way in which workers tend to use smartphones amplify the effect - and the fact that the majority of web traffic now happens on mobile devices only further encourages attackers to target this front.
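The sender-name problem described above is something a mail gateway or client can check for explicitly. The following is an added example, not code from the article or any vendor product: it splits a From: header into the display name the user sees and the address actually behind it, then flags two display-name tricks, a known contact's name paired with an address that contact never uses, and an email address written into the display name that differs from the real one. The parser handles only the common "Name <addr>" and bare-address forms (not the full RFC 5322 grammar), and the address book is constructed sample data.

```python
# Added illustration, not code from the article: inspect the From: header the way
# a sender-name-only mobile view does not, by comparing the display name with the
# address actually behind it.  Handles "Name <addr>" and bare addresses only.
import re

# Constructed address book: lower-cased display name -> addresses that name is known to use.
KNOWN_SENDERS = {
    "jane doe": {"jane.doe@example.com"},
    "it helpdesk": {"helpdesk@example.com"},
}

_EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def split_from_header(header: str):
    """Return (display_name, address) for 'Name <addr>' or a bare address."""
    header = header.strip()
    if "<" in header and header.endswith(">"):
        name, _, rest = header.partition("<")
        return name.strip().strip('"'), rest[:-1].strip().lower()
    return "", header.lower()


def assess_from_header(header: str, known=KNOWN_SENDERS) -> dict:
    """Flag display-name tricks that a sender-name-only view would hide."""
    name, addr = split_from_header(header)
    reasons = []
    if not _EMAIL.fullmatch(addr):
        reasons.append("address does not parse")
        return {"name": name, "address": addr, "suspicious": True, "reasons": reasons}

    # 1. A display name we know, paired with an address that name never uses
    expected = known.get(name.lower())
    if expected and addr not in expected:
        reasons.append(f"known name '{name}' paired with unexpected address {addr}")

    # 2. An email address written into the display name that differs from the real one
    embedded = _EMAIL.search(name)
    if embedded and embedded.group(0).lower() != addr:
        reasons.append(f"display name shows {embedded.group(0)} but mail comes from {addr}")

    return {"name": name, "address": addr, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed headers: a legitimate one, a lookalike domain, and an address-in-name trick
    for h in ("Jane Doe <jane.doe@example.com>",
              "Jane Doe <jane.doe@examp1e.com>",
              "jane.doe@example.com <attacker@evil.test>"):
        print(assess_from_header(h))
```

A check like this is best run where the full header is still available (the mail gateway or the client's security add-on), since the whole point is that the user's screen no longer shows the address the decision depends on.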
It's no longer just an email either: As corporate security company Wandera noted in its latest mobile threat report, 83% of last year's phishing attacks occurred outside of the mailbox - in text messages or in applications like Facebook Messenger and WhatsApp, along with a variety of games and social media services.
In addition, while only a single-digit percentage of users actually click on phishing-related links - between 1% and 5%, depending on the industry, according to the most current Verizon data - previous Verizon surveys indicate that these gullible users tend to be repeat offenders. The company notes that the more often someone has clicked on a phishing campaign link, the more likely they are to do so again in the future. Verizon has previously reported that 15% of users who are successfully phished will be phished at least once more within the same year.
"We see an overall increase in mobile susceptibility driven by increased overall mobile computing and the continued growth of BYOD work environments," says John "Lex" Robinson, information security and anti-phishing strategist at PhishMe - a company that uses real-world simulations to train workers to recognize and respond to phishing attempts.
Robinson notes that the line between work and personal computing also continues to narrow. More and more workers are viewing multiple mailboxes - connected to a combination of work and personal accounts - together on a smartphone, he observes, and almost everyone conducts some kind of personal business online during the work day. Consequently, the notion of receiving what appears to be a personal email alongside work-related messages does not seem at all unusual on the surface, even though it may, in fact, be a stratagem.
The stakes just keep rising. Cybercriminals are now even using phishing to try to trick people into giving up two-factor authentication codes designed to protect accounts from unauthorized access. Turning to hardware-based authentication - whether through dedicated physical security keys such as Google's Titan or Yubico's YubiKeys, or through Google's on-device security key option for Android phones - is widely regarded as the most effective way to increase security and decrease the chances of a phishing-based takeover.
According to a study conducted by Google, New York University and UC San Diego, even on-device authentication alone can prevent 99% of mass phishing attacks and 90% of targeted attacks, compared to an effectiveness rate of 96% and 76% for these same types of attacks with the 2FA codes most susceptible to phishing.
3. Wi-Fi Interference
A mobile device is as secure as the network over which it transmits data. In an age when we all constantly connect to public Wi-Fi networks, this means that our information is often not as secure as we might assume.
Why worry? According to a Wandera survey, corporate mobile devices use Wi-Fi almost three times as much as they use mobile data. Almost a quarter of devices have connected to open and potentially insecure Wi-Fi networks, and 4% of devices have encountered a man-in-the-middle attack - in which someone maliciously intercepts communication between two parties - in the most recent month. McAfee, in turn, says that network spoofing has increased "dramatically" in recent times, yet less than half of people bother to protect their connection while traveling and relying on public networks.
"Today, it's not hard to encrypt traffic," says Kevin Du, professor of computer science at Syracuse University, who specializes in smartphone security. "If you don't have a VPN, you're leaving too many doors on your perimeter open."
However, selecting the right enterprise-class VPN is not so easy. As with most security-related considerations, a tradeoff is almost always necessary. "The delivery of VPNs needs to be smarter with mobile devices, since minimizing resource consumption - especially battery power - is critical," says Zumerle of Gartner. An effective VPN should know how to activate only when absolutely necessary, he says, and not when a user is accessing something like a news site or working on an app that is known to be secure.
4. Out-of-Date Devices
Smartphones, tablets, and smaller connected devices - commonly known as the Internet of Things (IoT) - pose a new risk to corporate security because, unlike traditional work devices, they often come with no guarantee of timely and continuous software updates. This is especially true on Android, where the vast majority of manufacturers are embarrassingly ineffective at keeping their products up to date - both with operating system (OS) updates and with the smaller monthly security patches in between - and also with IoT devices, many of which are not even designed to receive updates.
In addition to the increased likelihood of attacks, extensive use of mobile platforms raises the overall cost of a data breach, according to Ponemon, and an abundance of work-related IoT products only causes that number to rise further. The Internet of Things is "an open door," according to cybersecurity company Raytheon, which sponsored a survey that showed 82% of IT professionals predicted that unsafe IoT devices would cause a data breach - probably "catastrophic" - in their organization.
Once again, a strong policy goes a long way. There are Android devices that receive continuous, reliable, and timely updates. Until the IoT landscape becomes less of a wild west, it's up to the company to create its own safety net around it.
5. Cryptojacking Attacks
A relatively new addition to the list of relevant mobile threats, cryptojacking is a type of attack in which someone uses a device to mine cryptocurrency without the owner's knowledge. If that sounds like a lot of technical mumbo jumbo, just know this: the mining process uses your company's devices for someone else's gain. It leans heavily on your hardware to do so - which means that affected phones are likely to have poor battery life and may even suffer damage from overheating components.
Although cryptojacking originated on the desktop, it saw a surge on mobile from late 2017 to early 2018. Unwanted cryptocurrency mining constituted one-third of all attacks in the first half of 2018, according to an analysis by Skybox Security, with a 70% increase in prominence during that time compared to the previous half-year period. And mobile-specific cryptojacking attacks absolutely exploded between October and November 2017, when the number of affected mobile devices increased by 287%, according to a Wandera report.
Since then, things have cooled a bit, especially in the mobile domain - a move helped in large part by the ban on cryptocurrency mining apps from Apple's iOS App Store and Android's Google Play Store in June and July, respectively. Still, security companies observe that attacks continue to have some level of success through mobile websites (or even just rogue ads on mobile websites) and through apps downloaded from unofficial third-party markets.
Analysts also noted the possibility of cryptojacking via Internet-connected set-top boxes, which some companies may use for streaming and video casting. According to security firm Rapid7, hackers have found a way to take advantage of an apparent loophole that makes the Android Debug Bridge - a command line tool intended only for developer use - accessible and ready for abuse in such products.
For the time being, there is little response - apart from carefully selecting devices and maintaining a policy that requires users to download applications only from a platform's official app store, where the potential for cryptojacking code is greatly reduced - and, realistically, there is no indication that most companies are under any significant or immediate threat, especially given the preventive measures being taken across the industry. Still, given the fluctuating activity and growing interest in this area in recent months, it is worth keeping an eye on as 2019 progresses.
6. Poor Password Management
You'd think we'd be past this by now, but somehow users are still not protecting their accounts properly - and when they carry mobile phones that hold both company accounts and personal logins, this can be particularly problematic.
A recent survey by Google and Harris Poll found that just over half of Americans, based on the survey sample, reuse passwords across multiple accounts. Equally worrying, nearly one-third are not using two-factor authentication (or don't know whether they are using it - which may be a little worse). Only a quarter of people are actively using a password manager, suggesting that the vast majority of people probably don't have particularly strong passwords in most places, as they are presumably generating and remembering them on their own.
Things only get worse from here: according to a 2018 LastPass analysis, half of professionals use the same passwords for personal and work accounts. And if that's not enough, the average employee shares about six passwords with a co-worker over the course of their employment, according to the analysis.
Don't think all this is irrelevant. In 2017, Verizon found that weak or stolen passwords were responsible for more than 80% of hacking-related breaches in businesses. On a mobile device in particular - where workers want to quickly sign in to multiple apps, websites, and services - think about the risk to your organization's data if just one person is carelessly typing the same password they use for a company account into a prompt on a random retail site, chat app, or message board. Now combine that risk with the aforementioned risk of Wi-Fi interference, multiply it by the total number of employees on your site, and think of the layers of likely points of exposure that are rapidly adding up.
Perhaps the most annoying of all is that most people seem completely oblivious to their omissions in this area. In the Google and Harris Poll survey, 69% of respondents gave themselves an "A" or "B" in effectively protecting their online accounts, despite subsequent responses indicating otherwise. Clearly, you can't rely on a user's own assessment of the issue.
7. Physical Device Breaches
Last but not least is something that seems especially foolish but remains a disturbingly realistic threat: a lost or unattended device can be a major security risk, especially if it does not have a strong PIN or password and full data encryption.
Consider this: in a 2016 Ponemon study, 35% of professionals indicated that their work devices had no mandatory measures in place to protect accessible corporate data. Worse yet, nearly half of respondents said they had no password, PIN, or biometric security guarding their devices - and about two-thirds said they didn't use encryption. Sixty-eight percent of respondents indicated that they sometimes shared passwords between personal and work accounts accessed through their mobile devices.
Things don't seem to be improving. In its analysis of the 2019 mobile threat landscape, Wandera found that 43% of companies had at least one enrolled smartphone without any screen lock security. And among users who did set passwords or PINs on their devices, the company reports that many chose a four-digit code when given the option.
The lesson is simple: leaving the responsibility in the hands of users is not enough. Don't make assumptions; make policies. You'll thank yourself later.
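"Make policies" has to mean something a machine can check. The following is an added example, not code from the article or any MDM product, that turns the points from sections 4 and 7 (patch currency, screen lock presence, PIN length, storage encryption) into a written policy and evaluates a device inventory against it, reporting every device that fails at least one rule. The inventory, the evaluation date and the 90-day patch window are constructed assumptions; a real deployment would feed it the attributes reported by the MDM.

```python
# Added illustration, not code from the article or any MDM product: evaluate a
# device inventory against a written policy covering patch currency, screen lock,
# PIN length and storage encryption.  Inventory and thresholds are constructed.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Device:
    device_id: str
    platform: str                 # "android" or "ios"
    patch_date: date              # date of the security patch level installed
    screen_lock: Optional[str]    # None, "pin", "password" or "biometric"
    pin_length: int = 0           # meaningful only when screen_lock == "pin"
    encrypted: bool = False       # device storage encryption enabled


@dataclass
class Policy:
    max_patch_age_days: int = 90  # assumed threshold; tune to your risk appetite
    min_pin_length: int = 6       # rules out the four-digit codes the article warns about
    require_encryption: bool = True
    require_screen_lock: bool = True


def evaluate(dev: Device, policy: Policy, today: date) -> List[str]:
    """Return the list of policy violations for one device (empty means compliant)."""
    findings = []
    age = (today - dev.patch_date).days
    if age > policy.max_patch_age_days:
        findings.append(f"security patch level is {age} days old (limit {policy.max_patch_age_days})")
    if dev.screen_lock is None:
        if policy.require_screen_lock:
            findings.append("no screen lock configured")
    elif dev.screen_lock == "pin" and dev.pin_length < policy.min_pin_length:
        findings.append(f"PIN is only {dev.pin_length} digits (minimum {policy.min_pin_length})")
    if policy.require_encryption and not dev.encrypted:
        findings.append("storage is not encrypted")
    return findings


def noncompliant_devices(inventory, policy, today):
    """Map device_id -> violations for every device that fails at least one rule."""
    result = {}
    for dev in inventory:
        findings = evaluate(dev, policy, today)
        if findings:
            result[dev.device_id] = findings
    return result


# Constructed inventory and evaluation date
TODAY = date(2019, 6, 1)
POLICY = Policy()
INVENTORY = [
    Device("A1", "android", date(2019, 4, 1), "pin", pin_length=4, encrypted=True),
    Device("A2", "android", date(2018, 9, 1), None, encrypted=False),
    Device("I1", "ios", date(2019, 5, 15), "biometric", encrypted=True),
    Device("A3", "android", date(2019, 5, 20), "password", encrypted=True),
]


def report():
    """Run the policy over the constructed inventory."""
    return noncompliant_devices(INVENTORY, POLICY, TODAY)


if __name__ == "__main__":
    for device_id, findings in report().items():
        print(device_id)
        for f in findings:
            print("  -", f)
```

Run as written, the report names A1 (four-digit PIN) and A2 (stale patch level, no screen lock, no encryption) while the iOS device and the password-protected Android device pass; the same structure extends naturally to further rules such as a list of approved app sources.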
Translated from: https://www.perallis.com/news/7-ameacas-de-seguranca-em-dispositivo-movel-que-voce-deve-levar-a-serio-em-2019