The recently launched Verizon Data Breach Report 2015 gathered many news headlines because of its bold statement that security threats to your mobile phone are generally "overblown." The report highlights that the total number of security vulnerabilities that have been used for exploits, regardless of platform, is "negligible" — whatever device you use, you probably aren't at risk as long as you use common sense.
This claim has ruffled many feathers — not least because the media and many security companies have for some time loved to jump on the bandwagon about the supposed security risk to the device we all carry around in our pockets every day.
It’s long been popular to talk about mobile malware and how our mobile phones are at risk of being infected but despite a few high profile ‘hacks’—which were in reality more social engineering attacks than real hacks—nothing substantial has yet been seen in the cybersecurity world.
As Verizon said in the report: ‘we found hundreds of thousands of (Android) malware infections, most fitting squarely in the annoyance-ware category’. But further analysis revealed: ‘An average of 0.03% of smartphones per week—out of tens of millions of mobile devices on the Verizon network- were infected with “higher-grade” malicious code.’
Of course if your phone is in that 0.03 per cent or it belongs to the Chief Executive of your bank or supplier you should still be worried.
So while Verizon might be downplaying the mobile threat, I do agree that while cyber-attack techniques generally are getting more sophisticated – most compromises depend on simple tried and tested techniques like phishing, social engineering and simple hacks to get into the network.
As Cisco’s own 2015 Annual Security Report highlighted, most companies are still not doing a good enough job patching their computers, websites and servers. For example we found that despite all the publicity around the Heartbleed vulnerability in 2014 – 56 per cent of the businesses we looked at were running applications older than 56 months old and so were still vulnerable to Heartbleed.
The reality is that while new threats and headlines catch our attention and dazzle us all – the majority of cyberattacks taking place today around the world are using tried and test techniques which exploit often well-known risks and vulnerabilities.
Undoubtedly some cybercriminals are using techniques to target mobile devices but their efforts are dwarfed by the huge number of other more ‘mainstream’ attacks being used against existing non-mobile applications and networks.
In addition to the high volume ‘mainstream’ attacks, there is a more worrying dark side that comes from very well funded cybercriminals and foreign governments who invest millions in vulnerability research to identify previously ‘unknown’ vulnerabilities (Zero Day) and build and use highly sophisticated exploits that are tested against security technologies before that are launched at their highly targeted victim. Their intent is to steal intellectual property to sell or gain economic advantage
But all of that doesn’t mean we should be complacent with our mobile security. We know that cybercriminals follow the money and when one door is shut, they look at other opportunities to exploit. The same can be said for mobile. As businesses continue to embrace mobility and the benefits the Internet of Things brings, cybercriminals will turn their attention more seriously to those platforms.
So now is the time to follow best practice and to implement Bring Your Own Device (BYOD) policies that clearly define the proper use of employee-owned devices in the enterprise and embed security at the core of our policies and networks.
We know that in order to maintain control of the network:
- First, identify technologies that provide visibility into everything on the network – devices, operating systems, applications, users, network behaviours, files as well as threats and vulnerabilities. With this baseline of information they can track mobile device usage and applications and identify potential security policy violations.
- Second, enterprises should leverage technologies that help apply security intelligence to data so that they can better understand risk. From there, it’s possible to evaluate mobile applications to determine if they are malware and even identify vulnerabilities and attacks targeting mobile assets.
- Third, identify agile technologies that allow the company to adapt quickly and take action to protect systems in rapidly changing mobile environments. Enterprises need to create and enforce policies that regulate what data can be transmitted to BYOD users.
- For employee owned devices it may be useful to lock down your organisation’s network or computers (laptops, desktops, servers) with capabilities like application control. Consider approved applications that can be used by employees to remotely access their desktop computers back in the office form their tablet while travelling. While they may not be able to limit the installation of an application on the device, they can prevent it from running on corporate-owned computers.
In the meantime, cybersecurity professionals need to keep their attention firmly on the existing threats to their environments and not be dazzled by the headlines. But at the same time, they need to ensure they are ready for when that situation changes and concerns becomes reality.