We all know about the cyber threats presented by networks and connected devices, but did you know that one of the greatest threats to information security, especially for federal government agencies, comes from mobile devices?
In a study released in April 2017 by the Department of Homeland Security (DHS), the authors noted that threats to mobile devices are “real and exist across all elements of the mobile ecosystem.” Because of the “enhanced capabilities [and] the ubiquity and diversity of mobile applications and … the use of the devices outside the agency’s traditional network boundaries,” a new approach to security – distinct from desktop security protocols – needs to be developed and implemented.
The primary value of a mobile device for an attacker – be they a nation state actor or malicious insider – is its use as a backdoor into agency networks. Once access is gained, the attacker may be able to exfiltrate data or leave malware that triggers events like a ransomware attack, to identify just a couple of likely threats to personal and national data security.
The DHS is forming a Science and Technology directive to drive and deliver mobile application security protocols for both users and developers. But because the threat to federal agencies is both real and imminent, what are some actions that federal agencies can take now to improve mobile security?
Tim LeMaster, Director of Systems Engineering at Lookout, a leading mobile security company, noted that there are some key areas of mobile security that federal CIOs should concentrate on regardless of whether users bring their own device or use agency-issued devices. “The four big threats are 1) application threats such as malware and other risky apps that can compromise sensitive data on the device, 2) device threats such as running an unpatched version of the OS or a jailbroken device, 3) network threats such as MITM attacks, and 4) web-based threats such as phishing, but really come down to a lack of visibility,” said LeMaster in a recent interview with Federal Technology Insider.
The key to mitigating those threats is visibility: the ability to tap into resources that provide comprehensive insight into over-the-horizon threats, and the ability to leverage automation to ensure compliance at all times. “When it comes to mobile device and app security, if you don’t have visibility, you’ve already lost,” LeMaster shared. He continued, “Agencies must be able to not only secure mobile apps and endpoints at the moment they are deployed or join the network, but they must also be able to have that continuous monitoring to be on guard for new threats.”
From his experience in the field, being able to utilize over-the-horizon information about threats is another essential component of a mobile security strategy. “Leveraging a large sensor network of over 120 million devices gives me the visibility into global threats and trends.” “If you have insight that can show you threats to mobile infrastructure, you can get ahead of it, and leveraging cloud-based analysis allows quick reaction to new and evolving threats without the need to update a device client to protect users.”
While no one will ever claim that ensuring the security and integrity of mobile devices and apps is an easy task – especially not for federal CIOs – being aware of the threats and of solutions that can mitigate them now is a mission-critical advantage.