| Executives February 24, 2021
February 24, 2021
By Steve Banda
We’re all familiar with what happened in 2020. Amid the coronavirus pandemic, organizations worldwide were forced to send their workforces home. Along with the private sector, federal, state and local government agencies and departments across the United States implemented telework programs.
Now that we’ve been living with telework for a year now, I wanted to understand how it has affected the government sector. I dug into the telemetry data within the Lookout Security Graph, which includes analysis of millions of devices, apps and websites.
You can find the details of my research in the U.S. Government Threat Report Lookout just published. Through my research I found that all levels of government are increasingly exposed to credential-harvesting mobile attacks as well as risks from adware and outdated operating systems.
One of the easiest ways cybercriminals can compromise your organization is to socially engineer your employees into giving up their login credentials. In my analysis, I found that credential-harvesting attacks represented 70 percent of all mobile phishing attacks targeted at government employees, which is an increase of 67 percent compared to 2019. Overall, I found that 1 in 15 government employees were exposed to a phishing attack in 2020.
Let me break this down a bit. This surge and preference for credential-harvesting attacks illustrate that adversaries are focusing on phishing your employees on their mobile devices as entry points into your infrastructure. If you look back to August 2020, we saw over 100 high profile Twitter accounts compromised due to a successful spear phishing attack. Keep in mind that it only takes one successful attempt for your organization to be breached.
You may ask “why are mobile phishing attacks a concern?” It’s because the user interface of tablets and smartphones make it difficult for you to spot phishing attacks. The training we receive to spot phishing attacks teaches us to hover our mouse over links or a sender’s email address to check for telltale signs. But you can’t do that on tablets and smartphones. Due to their small screens and simplified user experience, all that information is hidden. And because we use and trust these devices a lot more, we are also less careful when using them.
In addition to phishing, I found two other major threats U.S. government agencies and departments are increasingly facing: outdated operating systems (OSs) and risky apps.
Let’s start with outdated operating systems. I found that 99 percent of all government Android users were using an outdated OS in 2020, which is very alarming. I understand that IT professionals often think of OS updates as a potential compatibility issue for their software. But you need to keep in mind that every security patch or OS version comes with hundreds of fixes for vulnerabilities. By not upgrading your devices, employees are unnecessarily exposing their organization to exploits that have already been discovered, and fixed.
The other major challenge I uncovered were app threats that data shows to have surged by nearly 20 times. This was a unique situation, although no less distressing. Let me explain.
In 2020, the cybersecurity community began digging deeper into software development kits (SDKs) used for advertising. These SDKs are meant to make surfacing advertisements in apps a lot easier. But they also added a lot of backdoor vulnerabilities into apps. As a result, adware was recategorized as a high risk. While the surge didn’t actually happen overnight, it reflects the prominence of vulnerabilities within the countless apps that we use for personal and professional purposes.
I just covered three major challenges U.S. governments are increasingly encountering. The overall lesson to be learned is that mobile threats cannot be ignored. Remember that smartphones, tablets or even Chromebooks have just as much access to your data as desktops and laptops and frequently have no endpoint security.
Your traditional perimeter security can’t protect against mobile threats under normal circumstances and even more so as your employees continue to telework. As you think about cybersecurity strategies like Zero Trust, which the National Institute of Standards and Technology (NIST) recommends, ensure mobile is part of it.
To learn more about the challenges facing U.S. government agencies and departments, check out the U.S. Government Threat Report.
Steve Banda Senior Manager, Security Solutions