How often do we hear Willie Sutton’s famous (but probably apocryphal) quote about robbing banks because “that’s where the money is?” This gets invoked in the context of information security in general and mobile devices in particular, and there’s a reason: Given the estimates from institutions like the Pew Research Center and others suggesting that there are over 2.5 billion smartphones currently in use, the money is clearly there for cybercriminals.
Indeed, as we increasingly use mobile devices for most of our personal day-to-day business, untethered from desks and clunky full-sized computers, they become increasingly attractive to bad actors. This is exacerbated by the fact that mobile devices also frequently blur the line between personal and professional use, with one IDG survey showing an 85 percent increase in users who access business applications from their mobiles. All of that makes these devices almost irresistible targets for attacks.
Let’s look at how mobile attacks are developing, and then talk about five crucial questions that any organization needs to answer in order to build a successful mobile defense strategy.
How Mobile Attacks Are Evolving
Back to the bank robber. Perhaps more interesting than pithy quotes expressing the obvious are the parallels between Willie Sutton’s tactics, techniques and procedures (TTPs) and those of attacks targeting modern mobile devices. One notable connection is mobile banking trojans: Like Sutton, these are essentially bank robbers. These began appearing as early as 2010 and continue to represent a significant percentage of mobile malware, especially in third-party app stores.
Sutton was also famous for using disguises in both his heists and his prison escapes. He is alleged to have masqueraded as — among other things — a policeman, a postman and a prison guard. Similarly, attacks against mobile increasingly rely on cloaking themselves in legitimate forms, including the impersonation of popular apps, and the abuse of Accessibility features and other permissions.
For instance, in May of this year, WhatsApp made headlines when attackers exploited a vulnerability in a built-in calling function in the app to spy on end users. While this particular attack was narrowly targeted and didn’t affect the general public, it highlights a novel approach to mobile attacks: Finding and attacking vulnerable apps that already have access to the resources or data that bad actors seek. As mobile operating system vendors continue to strengthen baseline security and restrict the interfaces that connect to sensitive capabilities, exploiting apps that already have legitimate access to those features will become a more efficient and useful technique.
It’s also worth emphasizing one major difference between the crimes of Sutton in his heyday and today’s mobile attacks: While Sutton had to go inside the banks he intended to rob, cybercrime has no such old-school need for physical proximity. And because the desired objects are digital, “valuables” may exist in multiple places, which may or may not be equally well-protected.
5 Questions for Developing a Mobile Cyber-Defense
Organizations need to develop strategies that can keep up with not only the growing number of mobile devices, but also the increasingly sophisticated attacks mounted by cybercriminals. Asking five critical questions can help you build an appropriate defense.
Where does sensitive corporate data reside?
Is your data centralized, on-premises or is it in the cloud? Do you have data housed on mobile endpoints? If you’re like most, the answer is most likely “all of the above,” regardless of established policy.
It’s hard to prevent data sprawl, so your focus could be more on how to manage it. Modern work — and the data that supports it — is highly distributed, but that doesn’t mean it is uncontrollable. A good place for organizations to start is by taking an inventory of their endpoints, as well as both their on-premises and cloud services, so they know where everything is.
How can that sensitive data be accessed?
Which devices are allowed to access that inventoried data, and how are they authenticated? Remember that if you aren’t explicitly denying access to an endpoint, you are probably implicitly permitting it. In practical terms, organizations need ways to incorporate data from both configuration management databases (CMDBs) and endpoint protection platforms (EPPs) into their authorizations schemes.
With this additional context, things like device type, asset ownership, current configuration and overall “cleanliness” of the endpoints that are being used to access data are taken into account when giving a device a green light to access sensitive data. Ideally, you want to dynamically tailor the permissions.
Also, a number of network access control (NAC) and SSL-VPN products offer capabilities like these for on-premises infrastructure, so organizations must also consider how they will marry these capabilities with their cloud authorization schemes.
Who is “behind the screen” of those devices?
How do you know that the endpoint is being used by who you think it is? This is an especially important question in cases where front-line workers share devices. Naturally, strong authentication should be your first approach.
Standard authentication relies on what someone knows (passwords) and possession of a device. Inherence factors however tend to be much stronger. When the increasingly capable biometric sensors on modern devices are coupled with authentication specifications like FIDO2, credentials are both better protected and much more difficult to spoof.
How is data protected in transit to and at rest on those devices?
At this point, encryption is (or should be) ubiquitous. While some estimates suggest that 87 percent of websites are capable of TLS and most devices now ship with encrypted filesystems, organizations still require the infrastructure to provide encrypted transport to access legacy systems and centralized management of endpoint encryption.
Unified Endpoint Management (UEM) platforms have been solving the former for over a decade. The latter can be addressed with tools like per-app VPNs, which can tunnel traffic based on user agent and destination network/port information, as opposed to the purely network-centric rules of legacy VPNs. This has the advantage of preserving user privacy while creating robust micro-segmentation.
What apps are running on those devices?
Can unknown or unauthorized apps access and potentially circumvent the controls for that sensitive data? User agents are, perhaps, the most overlooked aspect of modern data-loss prevention (DLP). The permissions that apps have and their method of installation have a significant impact on administrators’ ability to control their behavior. Because many SaaS apps are built largely on top of RESTful APIs, the backend is often indifferent to the user agent. Organizations, therefore, need a reliable method of application inventory and must extend their authorization framework to include application, as well as users and devices.
The answers to the questions above will vary widely depending on lines of business and the type of data being handled. These are important to tackle: as more sensitive information of both the personal and professional variety finds its way onto mobile devices, enterprises should expect criminals to “follow the money.” Be prepared for increasingly common, clever and sophisticated schemes being used to gain unauthorized access to your data because…”that’s where the money is.”
James Plouffe is strategic technologist at MobileIron.
Please check out all of the latest posts in our Infosec Insider Community.