Executives | October 17, 2017
CISOs understand that vulnerabilities in networks and other internal systems can be a major security threat, and that protecting against these should be a high priority. Mobile device vulnerabilities can have equally devastating consequences, including compliance fines and brand reputation loss.
The Mobile Risk Matrix, a framework for thinking about mobile threats and risks to corporate data, identifies four vulnerability vectors: the apps running on the device, the device itself, the networks the device connects to, and the web access and content on the device. Let's look at each of these areas separately.
While security controls around data in transit from mobile apps have improved over the years, even well-known software development companies have released apps that contained security flaws, putting corporate and user data at risk.
Mobile app development cycles are incredibly short as developers often use open source tools, libraries, and frameworks to create apps and keep up with demand. With quick software development cycles come vulnerabilities.
Enterprise employees choose and download their own apps, meaning that many of these apps are neither reviewed nor managed by the enterprise itself. Without this visibility or oversight, enterprises cannot control for apps that are developed by people with no understanding of the enterprise's risk tolerance or its regulatory commitments. PC applications, on the other hand, are more likely to be vetted by IT management and developed by larger, better-established software companies.
Google and Apple both regularly publish security bulletins that detail mobile firmware and operating system vulnerabilities, and the corresponding patches.
Organizations can measure the risk from device vulnerabilities by tracking their "vulnerability window," or the amount of time it takes from the release of a new patch to full adoption of that patch among their fleet of mobile devices.
Android devices typically have longer vulnerability windows than iOS devices. Fragmentation of the Android ecosystem can pose a serious security concern for enterprises. Android's most serious security problem is the challenge of getting dozens of manufacturers and hundreds of carriers around the world to cooperate on regularly patching Android phones and tablets, according to Wired.
For example, only 0.2 percent of Android users are currently on the latest operating system, Oreo, according to Google. By comparison, Apple iOS 11 adoption is up to around 46 percent, according to Mixpanel.
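The "vulnerability window" metric described above can be measured directly from a device inventory: for each patch, record when every device applied it and compute how long the fleet took to reach a chosen adoption level. The following is an added example, not code from the original post or from Lookout; the fleet, patch date and device identifiers are constructed sample data, and the inventory format (a list of `Device` records) is an assumption.

```python
import math
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Device:
    device_id: str
    platform: str                # "android" or "ios"
    patched_on: Optional[date]   # None: patch not applied yet


def vulnerability_window(patch_released: date, fleet: List[Device],
                         as_of: date, target_pct: float = 100.0) -> dict:
    """days_to_target: days from release until target_pct of the fleet was
    patched (None if not reached yet); adoption_pct: share patched as of
    `as_of`; exposed: unpatched device ids with days exposed so far."""
    if not fleet:
        raise ValueError("fleet must not be empty")
    patched = sorted(d.patched_on for d in fleet if d.patched_on is not None)
    needed = math.ceil(len(fleet) * target_pct / 100.0)
    days_to_target = None
    if 0 < needed <= len(patched):
        # the window closes when the needed-th device applies the patch
        days_to_target = (patched[needed - 1] - patch_released).days
    exposed = {d.device_id: (as_of - patch_released).days
               for d in fleet if d.patched_on is None}
    return {"days_to_target": days_to_target,
            "adoption_pct": round(100.0 * len(patched) / len(fleet), 1),
            "exposed": exposed}


# Constructed sample fleet and patch date (not real inventory data)
PATCH_RELEASED = date(2017, 9, 5)
AS_OF = date(2017, 10, 17)
FLEET = [
    Device("android-01", "android", date(2017, 9, 20)),
    Device("android-02", "android", None),
    Device("android-03", "android", date(2017, 10, 10)),
    Device("ios-01", "ios", date(2017, 9, 7)),
    Device("ios-02", "ios", date(2017, 9, 9)),
    Device("ios-03", "ios", date(2017, 9, 12)),
]


def window_by_platform(target_pct: float = 100.0) -> dict:
    """Measure the window separately per platform, since they differ."""
    return {p: vulnerability_window(PATCH_RELEASED,
                                    [d for d in FLEET if d.platform == p],
                                    AS_OF, target_pct)
            for p in sorted({d.platform for d in FLEET})}
```

Lowering `target_pct` (for example to 50) shows how long the first half of the fleet took, which is useful when full adoption is never reached because some devices no longer receive updates.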
Mobile network vulnerabilities are exploitable software or hardware flaws in the network interfaces of a device or its applications that leave the device open to attack from the networks it connects to.
Heartbleed, FREAK, and POODLE are examples of this kind of vulnerability. Heartbleed was an SSL vulnerability that, when exploited, allowed an attacker to steal up to 64K of data at a time from the active memory of affected systems. POODLE forced a browser to downgrade its encryption of network traffic to an older, weaker protocol version.
While nearly every endpoint security suite since Windows XP has included a firewall and a host-based intrusion detection/prevention solution, mobile devices don't have the same level of protection. Because these devices are inherently, well, mobile, they hop from network to network and have the potential to encounter many more hostile networks than traditional laptops.
Attackers can use vulnerabilities in malformed content, such as web pages, videos, and photos, to exploit a targeted app or operating system in order to gain unauthorized access to a device and its data.
The most widely known example of this is Stagefright, a software vulnerability in the Android media processing component. An attacker could use a malicious media file (such as an MP4) to exploit the Android media processor on unpatched devices and gain deeper access to data, such as MMS messages and file downloads.
It's important to understand that vulnerabilities are just one component of a much larger story of mobile risk. Lookout developed the Mobile Risk Matrix to help organizations better understand what it calls the Spectrum of Mobile Risk.
In addition to vulnerabilities, the Spectrum of Mobile Risk also takes into account threats, as well as the behaviors and configurations that can impact enterprise data on mobile devices.
As mobile devices increasingly access sensitive data, organizations lack both visibility into new risks and control over this data, which can lead to data compromise. Lookout solves customer problems related to mobility, including loss of sensitive data, compliance risk, and the need for a secure digital transformation.
It's only through understanding and addressing the entire Spectrum of Mobile Risk that CISOs will be able to effectively protect their organizations' growing mobile environments.
Interested in learning more about how mobile vulnerabilities impact your organization? Contact us today.
Andrew Blaich Manager - Vulnerability Research