Mike Murray, Vice President of Security Intelligence at Lookout, emphasized the real and unacknowledged security vulnerability inherent in mobile devices.
At the outset of his thought leadership presentation at the 2017 Chief Information Security Officer Leadership Forum held on November 7 in New York, Murray stated, “We’ve spent a lot of the past 10 years defending ourselves against nation-state attackers. We’ve done a pretty good job, but we’ve forgotten one platform,” he noted. “We’ve moved from a data-center architecture to a cloud architecture. The perimeter has disappeared. The employee is as productive on an airplane or in Starbucks as she is in a corporate location. The user has gone mobile, and, as a result, the base of assets has moved to a much more malleable threat surface. That threat surface is as likely to be on someone else’s network as on yours,” Murray said.
“We’ve built our security infrastructure over the last 25 years to be a sophisticated set of controls—which we’ve put around our PCs. When I ask people about how they’re protecting their employees’ mobile devices and tablets, I usually get a blank stare.”
“When I ask people about how they’re protecting their employees’ mobile devices and tablets, I usually get a blank stare.”
Murray pointed out that the threat surface on mobile is 11 out of 10. Mobile devices are the primary enterprise target. “Not only is the mobile device an access point for corporate data, it’s the key to all privileged access. We’ve done almost nothing to secure that device. Mobile is now a required part of the attack chain, because if I, as an attacker, want to do anything sophisticated on your network, I need access to the two-factor authentication tokens,” he explained.
“Not only is the mobile device an access point for corporate data, it’s the key to all privileged access. We’ve done almost nothing to secure that device.”
“Attackers have learned that mobile devices are a fertile target—especially sophisticated, nation-state-level attackers. They have comprehensive mobile security programs and are attacking mobile devices globally. The reason for this is simple—the mobile device is the perfect espionage tool. It has all your communications with every channel in your world—work and personal—as well as access to every WiFi network you’ve ever connected to.” In addition, the device is almost always connected and has:
• voice
• camera
• email
• location
• passwords
• contact lists
“The level of compromise that I see is shocking,” stated Murray. “Generally, 5 percent of devices in an enterprise have something on them that’s malicious. The reason people aren’t freaking out about mobile security is because nobody knows how many users are infected. If you did know, you’d realize this is a problem. It’s becoming endemic,” he said, “but what’s nice about the mobile attack chain is it looks the same every time. Most attacks start with phishing of some sort, not with a vulnerability. When we talk about phishing in the PC world, we only need to protect our email. However, in the mobile world, we need to protect our email, text messages, Snapchat, Facebook, Instagram, Twitter, and on and on.”
“What’s nice about the mobile attack chain is it looks the same every time. Most attacks start with phishing of some sort, not with a vulnerability. When we talk about phishing in the PC world, we only need to protect our email. However, in the mobile world, we need to protect our email, text messages, Snapchat, Facebook, Instagram, Twitter, and on and on.”
Murray summarized with, “We’re seeing this actively. The NSO Group sells mobile spyware called Pegasus to governments around the world. This company has the most sophisticated spyware I’ve ever seen. When you’re targeted, you get a text message with a link in it. For example, in one case, an individual was notified that their daughter was in a car accident and taken to the hospital (the daughter’s name was in the message) and to click the link for directions to the hospital. With one click, everything goes sideways. Your phone is no longer yours.”
ABOUT MIKE MURRAY:
Mike Murray is the VP of Security Intelligence at Lookout. For nearly two decades, Mike has focused on high-end security research, first as a researcher and penetration tester and then building and leading teams of highly skilled security professionals. He previously led Product Development Security at GE Healthcare, where he built a global team to secure the Healthcare Internet of Things. Prior to that, he co-founded The Hacker Academy and MAD Security, and has held leadership positions at companies including nCircle Network Security, Liberty Mutual Insurance, and Neohapsis.