Do you remember your first mobile phone, and the newfound feelings of connectedness and convenience that came with it?
I was one of the first in my circles to have a cellular phone. One of the coolest features my phone and network could support was the receipt of short email messages — no send capabilities. What I didn’t know at the time was how easy this made mobile communications.
From a Phone to a Communications Device…
A trip to Europe in the 1990s changed my communications world. I saw a friend pitter-pattering away on their phone and asked what they were doing. “Sending a text message,” they replied. Woah, woah, woah! You can send a message from your phone? And just like that, I did a deep dive into the Global System for Mobile communications (GSM), Bluetooth and the Wireless Application Protocol (WAP).
…and a Communications Device to a Computer
The Nokia 9000 Communicator (1998) was a machine and the Ericsson R380 (2000) was marketed as the world’s first “smartphone,” but it was the Sony Ericsson P800 (2002) that warped minds. I would confuse people when they, sitting on their desktops, could not figure out how I was on my phone chatting with them through instant messaging.
The answer was simple to me: I was no longer using a phone, I was using a computer. I made that mental jump. Twenty years later, we’re still calling these devices in our pockets phones. That’s a big part of why we have some of today’s mobile security problems; too many users are still mentally locked into thinking it’s a phone when it is so much more.
The Common Denominator Gives Malicious Actors the Advantage
Apart from rare exceptions, proprietary or device-specific operating systems are gone, something that would make attack vectors more difficult. Today, malicious actors take comfort knowing that 97 percent of mobile devices run one of two operating systems (OSs) and that malware is so effective, it can even be made to be device-specific. They get a major double score: A hugely expanded target map that is easier to access and a reduction in necessary resources needed to hit the entirety of that map.
Today’s phones are susceptible to ransomware, public/rogue Wi-Fi networks, man-in-the-middle attacks, SMS listeners and phishing attacks (or the SMS variant, smishing). Save the SMS listeners, computers are vulnerable to the exact same things, demonstrating the need for secure mobile solutions that resemble desktop or laptop fixes.
You see, with “computers,” it’s pretty ingrained into the minds of even the most basic users that you need some sort of defense in the form of an antivirus or firewall. Some even regularly update desktop or laptop OSs. But phone users haven’t reached automatic in their minds yet. Users wait days or weeks to update their OS, if at all. And with 5G deployments already underway, we’re going to become more dependent on wireless communications, not less.
A 2018 Pew study showed 95 percent of Americans own a cellphone of some kind, and 77 percent own smartphones. Couple those figures with these Pradeo “Mobile Security Report 2018” key findings and concerns are more than warranted:
- The No. 1 threat to organizations is data exfiltration through mobile applications.
- Zero-day malware grew by 92 percent in the six months prior to the report’s release.
- The most exfiltrated personal data is location coordinates and contact lists.
- Public Wi-Fi attacks represent the most common network threat.
- Vulnerable OS exploits affect a growing number of users.
Usage and Culture: The Mobile Security Wildcards
It’s quite likely many young people in today’s workforce never went from desktop to laptop to mobile. Those entering the workforce in the near future will have received their first taste of technology from something that is not a desktop or a laptop. Now, contrast that experience with a different, and older, generation of people who never used technology growing up and are suddenly forced to use it. These entirely different user experiences cause grief for the professionals tasked with securing the organization, yet these stakeholders need to work together to conduct business. And it’s these same cultural issues that make this issue so hard.
Consider that millennials grew up with the “café phenomenon” of bring-your-own-device (BYOD) and using unsecured Wi-Fi hotspots to log on to corporate networks. In addition, too many of us are guilty of clicking “I accept” without reading terms and conditions, giving apps incredible, perhaps even unlimited, permissions to the information on our devices, including hardware such as cameras and microphones.
People also store sensitive, personal data on their devices, such as credit card and Social Security numbers, or are constantly sharing pictures and posting to social media, causing information leakage. The cherry on top of all this is that we’re notoriously bad with passwords and credentials, often reusing them, and these devices are on pretty much 24/7.
This desire to run everything on the least amount of devices and services possible and have the convenience of cloud-based solutions that allow connection from anywhere and anything is a huge factor. Think about it: People use the same device to lock the doors on their house, order a pizza, have business conference calls through apps and access corporate networks.
Convenient? Yes. Secure? Not necessarily. That’s the struggle for enterprise security teams.
A phone makes voice calls, but the devices we use today are computers, ones that are always on, always connected, and always producing and consuming data. That’s where the push/pull dynamic between speed and convenience versus security and privacy comes in, and partially explains why many companies have not implemented basic best practices for mobile security.
It’s also why you have attackers going old school, using social engineering attacks to bypass the organization’s best laid plans.
How to Address the Wildcards
Here is a three-step process that could reduce some of our mobile security headaches:
- Get in the right frame of mind. It’ll be tough to change the meaning of “phone” or “computer” or to even adopt one for the other, but you can use “device” universally. Hopefully, over time, this will nudge people into the right mindset. You’re playing the long game.
- Understand usage and culture. Perhaps the most difficult phase of the three, because it’s more than tech. You need to identify these issues first or you’re reacting. You have a better chance when you understand how devices are used, so talk to your users to find out. Looking at a dashboard and network traffic only gives you part of the picture.
- Fill in the gaps with technology. All it takes is one mistake. We’re human. That’s why you need the tech to act as a safety net, just in case.
As we continue to go mobile with our devices, I’ll leave you with this prediction: There’s going to be no difference between mobile and stationary security; it will all be the same. The sooner we’re in that mental space, the better off we’ll all be.