May 26 2020

How to Enhance Mobile Endpoint Security as Users Telework

IT leaders can use ongoing remote work deployments to bring additional security controls to smartphones and tablets.

Federal agencies have found moving to virtual meetings and other telework arrangements to be valuable, and agencies have also deployed tens of thousands of new mobile devices to help users. That increased device footprint also means there is now an increased attack surface for malicious actors. 

Agencies’ mobile devices are often not secured to the same degree as desktops and laptops, experts say. With more users teleworking, those smartphones and tablets represent a heightened risk for everything from phishing attacks to malware and data theft. 

To secure those endpoints, IT leaders need to lean on recently updated guidelines from the National Institute of Standards and Technology on mobile device security and ensure that they are using true security tools and not simply mobile device management solutions

“Unfortunately, right now, we’re seeing a big surge and all types of attacks,” David Wiseman, BlackBerry’s vice president of secure communications, tells Federal News Network. “And these are typically by pretty sophisticated entities that have put systems in place and now they really started to ramp them up.” Wiseman notes that users on home Wi-Fi networks are easier to target, and teleworking means that there are fewer IT staff members at headquarters to monitor mobile devices. 

The Evolving Mobile Threat Landscape

The mobile threat landscape has changed since the coronavirus pandemic began, says Bob Stevens, vice president of Americas at Lookout. “A lot of bad actors are sending COVID-related text messages to mobile devices to try to get people to click,” says Stevens, to infect users’ devices with malware or install key loggers to gather users’ credentials. “It has gone up exponentially in this current environment.” 

VPNs can help agencies encrypt data traveling between endpoints and an agency’s network and data center infrastructure, Stevens notes. However, if a device is infected with malware and becomes rooted or jailbroken without a user’s knowledge, then a VPN doesn’t matter. The malicious actor would have access to all of the native data before it has been encrypted, making the VPN “basically null and void — it’s sort of a false sense of protection,” he says. 

Phishing attacks are also on the rise. “Phishing attacks can be even stronger on you at home, just because there aren’t as many security firewalls and systems in places as you would have at your office … for protecting you from that type of attack,” Wiseman tells Federal News Network. 

He advises federal users to use their government email accounts as much as possible and use government-issued devices. 

“And don’t slide into using your personal email accounts or your personal consumer messaging or cloud storage,” he says. “That might be easy, particularly if you’re starting to work more remotely with contractors and other parties. But that just really expands the risk factor to you personally and to your agency.”

MORE FROM FEDTECH: Find out how SIEM tools enhance federal cybersecurity.

How Agencies Can Secure Smartphones and Tablets

Most agencies do not put real cybersecurity protections onto the mobile devices they issue, Stevens says. An MDM agent only provides policy enforcement and brute-force security, such as the ability to brick or wipe a phone if it is compromised or lost. Agencies need to put software on mobile devices to get visibility into device health and security. 

Many agencies have been reluctant to do so for privacy reasons, Stevens says. They have focused on securing laptops and desktops, but that just makes mobile devices a clearer target for malicious actors. 

“They need to look at the mobile device as just another endpoint that needs to be protected,” he says. That means deploying security tools such as anti-malware, encryption, intrusion detection and data loss prevention. 

In April, NIST released its revised mobile device security guidelines, focusing on mobile device characteristics, threats, security tools and deployment lifecycle.

“This is really focused on device-side threats, considerations and things you can do on the device,” Gema Howell, IT security engineer at NIST, tells FedScoop. “What we want folks to be aware of are the many changes in the industry and the solutions available to them to help secure their mobile devices that are being used during this telework time to access their enterprise resources.”

The guidelines map high-level threats to NIST’s Mobile Threat Catalogue while also addressing privacy implications, Howell tells FedScoop. Mobile applications can allow bad actors to launch attacks to gain access to sensitive information.

As FedScoop reports, the guidelines also include a more detailed outline of the mobile device deployment lifecycle: 

  • Identifying mobile requirements, which now involves choosing a use case
  • Reviewing inventory
  • Picking a deployment model — enterprise use only or BYOD
  • Selecting Android, iOS or both
  • Determining the needed security tools 

“The previous document focused a lot on one particular technology that was available back then, which was a mobile device management solution (MDMS),” Howell says. “Today we have a lot more options.”

“If I am the bad actor, I am going to focus on the mobile devices,” Stevens says, noting that, if users have them on their persons all the time, they can be easily targeted with phishing attacks. “It will cost me a lot less to do that than going after your infrastructure, which I know you are trying to protect every day.”

Sitthiphong/Getty Images