The threats from mobile malware have been highly documented:
Zimperium reported late last year that 60 percent of mobile devices in enterprise BYOD environments are vulnerable to known cyberthreats. About six percent surveyed recorded a critical threat event and one percent were infected with a malicious application.
And Skycure reported that 32.5 percent of devices used by executive were exposed to network attacks in the April through June 2016 timeframe. Over that same period, 22.5 percent were infected with malware that rated at least a medium severity of risk and 6.3 percent were determined to be a high severity risk.
In fact, it was this increased threat landscape and other major events in the mobile malware world, such as the Pegasus malware that infected iOS devices and the Stagefright bug that hit Android smartphones and tablets, that prompted global mining company Kinross Gold to get more serious about protecting mobile devices.
Edward Amoroso, CEO, TAG Cyber; former SVP and CSO, AT&T
“We were using AirWatch for mobile device management, but we needed something that could detect and remediate mobile malware,” says JT Pearson, manager of IT client services at Kinross Gold Corp. “When I think back, it was really the Sony case that cemented security in the minds our corporate board, and this was after we had highlighted the need for mobile security in many previous conversations.”
Kinross employees were originally BlackBerry users, but as the Canadian-based gold mining company moved its company-owned devices to Android and iOS, it needed a way to save on phone charges. Pearson says the company has mines and projects in Brazil, Chile, Ghana, Mauritania, Russia and the Unites States and it was spending excessive amounts on roaming data when its executives traveled abroad. For example, simply checking email often resulted in a $200 charge in a single day, Pearson explains.
He adds that while Wandera was originally viewed as a cost-savings tool, it became even more important to the company when the vendor added new security features and was then seen as a way to more effectively respond to the emerging threat landscape.
Now, data and content travels through Wandera's cloud-based system that compresses the data and inspects it for malware, a process that significantly reduces data use. Kinross Gold also takes advantage of some of its other security features. For example, Pearson says Kinross Gold enables hard blocks on software updates as well as caps on data usage when employees are roaming.
“If you hit 200 megabytes on any given day we'll stop you,” says Pearson. “We also block optional apps, such as Instagram, Spotify and some streaming services while roaming.”
Pearson adds that by using Wandera's compression, blocking and active management capabilities, Kinross Gold saves roughly $750,000 on its annual cellular bill for the 250 employees who have company-owned devices.
“We explained to the board that we had seen an increase in both phishing emails and attacks by macro-embedded malware in mobile devices,” Pearson says. “So when we explained that we could deliver enhanced security and also save the company significant money on its annual data use charges it just became a much easier sell.”
A more strategic approach
Patrick Hevesi, a research director on the security and risk management team at Gartner, says while tools such as enterprise mobility management (EMM) can help companies manage and update phones and mobile threat defense, and mobile threat defense (MTD) products can ward off network attacks and malicious applications, companies also need to be more strategic about how they manage mobile devices.
Hevesi says he starts by telling IT staffs to keep updates consistent. Companies also need to assess risk and decide what level of access each person's phone will have. Of course, there may always be some data and intellectual property that are so sensitive they may never be put on a mobile device, but that's not the vast majority of a company's applications.
For example, Hevesi says employees who need access to sensitive company data and require a higher level of security should always get company-issued phones that have EMM and MTD agents installed. Employees who are just doing standard business applications and checking emails can use their own personal devices, but they have to let the company at least put an EMM agent on the phone and MTD on a case-by-case basis. For lower-level employees who may be only checking email, it makes sense to install an MTD tool to protect against mobile malware.
“For most people, if you give them a choice and explain why you are putting on the added controls, they will work with the company,” Hevesi says. “The idea is to not make it a battle.”
Health insurance company Aetna has a very clear approach based on access to sensitive data it developed to manage nearly 10,000 mobile devices, a mix of iPhones, iPads and Android smartphones and tablets.
Brian Heemsoth (left), director of software and mobile security at Aetna, says employees who handle sensitive information such as personaly identfiable information (PII), medical, or credit card data receive company-issued devices that are managed by an mobile device management (MDM) platform such as MobileIron, AirWatch or IBM's Maas360. The majority of the staff – roughly 60 percent – use standard productivity tools and email, so they can run their personal iPhones or Android devices.
Heemsoth says as mobility has become more of a fact of life in corporate America, a number of trends have converged in the past few years that made his firm focus more on mobile security. First, more people travel for business today, so there's been an explosion in mobile collaborative applications. Second, people want to work on just one phone, not on a company-issued BlackBerry in addition to their own personal phone. And finally, the threat landscape for mobile malware has become more hostile than ever.
“There's been a growing trend toward people wanting to use just one device to handle both their personal and corporate communications, and we want to accommodate that,” he says. “We also want to let people use the iPads that they received as gifts over the holidays, but there has to be a way to keep everything secure.”
About a year ago, Aetna deployed Skycure's mobile threat defense application on all 10,000 of its phones. Skycure checks for malware and also will automatically reroute an employee who logs on to an insecure network via a secure VPN tunnel. The VPN tunnel acts as a secure gateway to the internet.
“Since we launched a year ago, we've seen a self-remediation rate that averages about 18 per user,” Heemsoth says. “People can easily take action in response to guidance to update their operating systems or remove third-party applications that may contain malware.”
Heemsoth adds that for company-issued devices, they've tightly integrated Skycure's mobile threat defense with MDM/EMM software, the employee and the company's security operations center.
Here's the way the integration works: When Skycure identifies malicious code, it notifies the MDM/EMM system, which then severs access to all the secure networked applications. Skycure also alerts the employee that this took place and will also send an alert to the security operations center (SOC), which will prompt the incident response team to remediate the malware.
Heemsoth advises security managers to realize that integrating best-of-breed products makes sense, but it also takes the right people who know how to work with all these tools. He acknowledges that Aetna is a Fortune 50 company with the resources to spend on top quality tools and talent. More mid-tier companies may require a systems integrator to deliver a similar capability. Heemsoth adds that tight integration into all the security tools offers the company visibility into the threat landscape that they never had before.
“That visibility into our mobile risk is what's key,” he says. “We now carry fewer vulnerabilities, experience fewer malware infections, and the proactive network security protection has been huge, especially for our workers on the road.”
Mobile: Three trends for 2017
Edward Amoroso (left), CEO of cybersecurity consulting firm TAG Cyber, and former SVP and CSO of AT&T, offers three mobile security trends to look out for in the upcoming year:
Malware will move to voice. The audio conversations of some high-profile officials will wind up on WikiLeaks sometime this year. In his view, there's no logical difference between voice and data anymore, so it makes sense that voice conversations will be the next attack vector. Security teams might be smart to consider some sort of over-the-top encryption for their mobile devices.
Expect even more serious malicious applications to proliferate. Applications such as Pegasus and Stagefright were just the beginning. Security teams will be increasingly challenged in 2017 by malware that can be jailbreaked remotely. This will require additional user awareness training on how to be more careful about clicking on potentially infected URLs with mobile devices.
Vendors are responding. On a more positive note, there are better tools now for CISOs to deploy – and they will keep improving in 2017. Leading MDM companies – such as Mobile Iron, AirWatch and IBM Maas360 – are now almost entirely security-focused. And MTD products – from the likes of Better Mobile, Check Point, Lookout, Skycure and Zimperium – can be integrated with analytics systems, such as Splunk, so security teams can detect, remediate and generate reports about the ongoing threat landscape. While nothing is foolproof, better tools will make managing a difficult threat landscape somewhat easier.