I was recently involved in developing a new e-guide, “Curing the Cause of Common Mobilephobia,” which focuses on the most common fears CISOs and organizations contemplate when they consider deploying a mobile security strategy.

As I researched these fears, I came across some interesting facts and statistics. What I tend to find with data is that the more I look and think about a stat, the more interesting angles I find within the data point. This happened when I started delving into the challenges of deploying a mobile security strategy and the need to manage a multi-OS bring-your-own-device (BYOD) environment, so I’ll share some of those thoughts with you here.

The Fear of Rogue Devices

For a security expert, there are few things scarier than losing control. After all, managing security is all about controlling and eliminating the variables in order to identify anomalies and reduce risk. To excel in a security role, you really have to be somewhat of a “control enthusiast,” and the nature of mobile and especially BYOD is such that the CISO loses some of that control.

BYOD means that the CISO no longer has a homogeneous environment with a complete inventory of devices and a nice clear view into each. End users are now in control of the device and make decisions about the make and model, what level of security to implement, what apps to install and even when or if they will install app patches or upgrade the operating system (OS). This leaves the CISO with the challenge of managing and securing a multiplatform and multi-OS environment, which is very different from how the CISO manages laptops and other remote devices.

With remote devices, the CISO deploys a standard hardware platform with a standard image and locks down that device. It can then be monitored remotely, with upgrades and changes pushed to it as needed. That is simply not the case with mobile devices.

What Do We Really Mean by Multi-OS?

This is where it gets interesting. In September, Apple released iOS 9 to the market. This was a highly anticipated launch, and end users couldn’t wait to get their hands on it. According to a press release from Apple, more than 50 percent of Apple devices had upgraded to the new OS in less than one week, which was the fastest rate of adoption for any release. The CISO suddenly had a significant number of devices accessing the enterprise with no idea what risks the new OS might introduce.

Less than two months later, the number of devices upgraded has grown to 66 percent, as measured by the devices accessing the Apple App Store. On the surface, that seems scary enough, but as I consumed that stat I came up with an interesting angle on this situation. While 50 percent, and now 66 percent, of the Apple devices in the market were suddenly running iOS 9, that means that the other 50 percent (now 34 percent) are running something else. The immediate thought is iOS 8, right? But that isn’t necessarily the case.

Many of those users that didn’t immediately upgrade to iOS 9 never upgraded to iOS 8, either — or, for that matter, any of the previous iOS iterations. When I looked at the Android platform I found a similar situation with adoption rates. The most recent Android report I could find was from before Android Marshmallow. It indicated that only about 23 percent of devices had been upgraded to Lollipop, with 38.9 percent running KitKat and 30.2 percent running Jelly Bean. Talk about a wide distribution of systems to support!

Embrace a Mobile Security Strategy That Eliminates Fear

Worrying about operating systems and mobile security strategies is not an irrational fear!

While a new OS represents its own challenges, the fact of the matter is that the CISO also has to worry about all previous versions of the system and the devices that have never been upgraded. These devices running older versions of the operating system may be even more dangerous than the newest upgrade since the older versions could have known security vulnerabilities.

Watch the on-demand webinar to Learn more about Surviving the Mobile Phenomenon

More from Endpoint

X-Force Prevents Zero Day from Going Anywhere

This blog was made possible through contributions from Fred Chidsey and Joseph Lozowski. The X-Force Vulnerability and Exploit Database shows that the number of zero days being released each year is on the rise, but X-Force has observed that only a few of these zero days are rapidly adopted by cyber criminals each year. While every zero day is important and organizations should still devote efforts to patching zero days once a patch is released, there are characteristics of certain…

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities.Figure 1 — Exploitation timelineHowever, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack surfaces can…

When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule

In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as that has been previously covered in the X-Force blog post. This blog will focus on highlighting the opportunities for detection of the FudModule within the…

Cybersecurity in the Next-Generation Space Age, Pt. 3: Securing the New Space

View Part 1, Introduction to New Space, and Part 2, Cybersecurity Threats in New Space, in this series. As we see in the previous article of this series discussing the cybersecurity threats in the New Space, space technology is advancing at an unprecedented rate — with new technologies being launched into orbit at an increasingly rapid pace. The need to ensure the security and safety of these technologies has never been more pressing. So, let’s discover a range of measures…