The Evolving Mobile Threat Landscape
The mobile threat landscape has changed since the coronavirus pandemic began, says Bob Stevens, vice president of Americas at Lookout. “A lot of bad actors are sending COVID-related text messages to mobile devices to try to get people to click,” says Stevens. The aim is to infect users’ devices with malware or install key loggers to gather users’ credentials. “It has gone up exponentially in this current environment.”
VPNs can help agencies encrypt data traveling between endpoints and an agency’s network and data center infrastructure, Stevens notes. However, if a device is infected with malware and becomes rooted or jailbroken without a user’s knowledge, then a VPN doesn’t matter. The malicious actor would have access to all of the native data before it has been encrypted, making the VPN “basically null and void — it’s sort of a false sense of protection,” he says.
Phishing attacks are also on the rise. “Phishing attacks can be even stronger on you at home, just because there aren’t as many security firewalls and systems in place as you would have at your office … for protecting you from that type of attack,” Wiseman tells Federal News Network.
He advises federal users to use their government email accounts as much as possible and use government-issued devices.
“And don’t slide into using your personal email accounts or your personal consumer messaging or cloud storage,” he says. “That might be easy, particularly if you’re starting to work more remotely with contractors and other parties. But that just really expands the risk factor to you personally and to your agency.”
How Agencies Can Secure Smartphones and Tablets
Most agencies do not put real cybersecurity protections onto the mobile devices they issue, Stevens says. An MDM agent only provides policy enforcement and brute-force security, such as the ability to brick or wipe a phone if it is compromised or lost. Agencies need to put software on mobile devices to get visibility into device health and security.
Many agencies have been reluctant to do so for privacy reasons, Stevens says. They have focused on securing laptops and desktops, but that just makes mobile devices a clearer target for malicious actors.
“They need to look at the mobile device as just another endpoint that needs to be protected,” he says. That means deploying security tools such as anti-malware, encryption, intrusion detection and data loss prevention.
In April, NIST released its revised mobile device security guidelines, focusing on mobile device characteristics, threats, security tools and deployment lifecycle.
“This is really focused on device-side threats, considerations and things you can do on the device,” Gema Howell, IT security engineer at NIST, tells FedScoop. “What we want folks to be aware of are the many changes in the industry and the solutions available to them to help secure their mobile devices that are being used during this telework time to access their enterprise resources.”
The guidelines map high-level threats to NIST’s Mobile Threat Catalogue while also addressing privacy implications, Howell tells FedScoop. Mobile applications can allow bad actors to launch attacks to gain access to sensitive information.
As FedScoop reports, the guidelines also include a more detailed outline of the mobile device deployment lifecycle:
- Identifying mobile requirements, which now involves choosing a use case
- Reviewing inventory
- Picking a deployment model — enterprise use only or BYOD
- Selecting Android, iOS or both
- Determining the needed security tools
“The previous document focused a lot on one particular technology that was available back then, which was a mobile device management solution (MDMS),” Howell says. “Today we have a lot more options.”
“If I am the bad actor, I am going to focus on the mobile devices,” Stevens says, noting that, if users have them on their persons all the time, they can be easily targeted with phishing attacks. “It will cost me a lot less to do that than going after your infrastructure, which I know you are trying to protect every day.”