CIOs, CSOs and IT managers around the world awoke to alarming news of the largest retail data breach in U.S. history (at least 56 million credit card numbers stolen from Home Depot). This breach resurfaced last to last week as millions of email addresses were exposed by the hackers. While Home Depot security teams scrambled to sort out the data breach, which involved Windows-based laptops and devices, they distributed a few MacBooks and iPhones to executives for business continuity. However, not even iOS can guarantee mobile security as revealed by a new breed of mobile security threats discovered in the past two weeks.
Less than a month into my new role as VP of Marketing at Skycure, I have seen the state of mobile security turned onto its head. The events of this week point to the crucial need for enterprises to strengthen their mobile security posture—but do so without disrupting the benefits of BYOD and mobile collaboration.
While 98% of IT leaders, according to a Spiceworks survey, are concerned about the potential security impacts of mobile devices in the workplace, less than half of respondents reported that their organizations were using or planning to use mobile security software within a year. Delaying buy-in between business and IT stakeholders on mobile security can have dramatic consequences. It is vital that enterprises align their mobile security posture with the next generation of threats.
WireLurker and Masque Attacks
WireLurker, a malware discovered week before, challenges several views traditionally held among many IT professionals including:
- iOS devices are immune from malware that attacks Android and Windows devices: False (WireLurker has targeted iOS devices in China)
- None of the devices my employees use are jailbroken, so I am secure: False (WireLurker impacts ALL devices, whether jailbroken or not)
- The only way to get a malicious app on an iOS device is through the Apple app store: False (WireLurker can target iOS devices via USB)
- I have deployed an MDM solution. It will protect me against WireLurker and other advanced malware: False (As has been discussed extensively, MDMs are great for managing devices but not so much for securing them. WireLurker can hide in Mac OS X apps and then transfer onto iOS devices when the Mac and iOS device are connected)
Another recent development is the “Masque attack” that could let hackers replace legitimate apps with malicious copies. Unlike WireLurker, Masque attacks can be carried over Wi-Fi to steal enterprise and personal information, bank passwords, and can even go back in history to look at past information on a device. Very troubling is that Masque attacks can be carried out without installing a net new app. Masque malware acts like an update to an existing app, but replaces the old app with a malicious one to execute the attack.
Five Ways to Avoid Next-Gen Attacks
Enterprises are under a tremendous amount of pressure to protect their data. Considering that the Target breach cost an estimated $148 million, the Home Depot data breach (with millions of more stolen credit card numbers) will be watched closely by everyone. Customers and the U.S. Government will demand proactive communications and updates about the status of the data breach and recovery. With any significant data breach, enterprises must be able to explain whether they took every necessary precaution to protect sensitive data—especially in regards to mobile security and disaster response.
Here are five ways that IT departments can stay in control of their data:
- Separate MDM and Mobile Security: Mobile management and mobile security are not the same; lock down both
- One-to-Many OS: Mobile security solutions should reach across Android and iOS—the big footprint of iOS means more money, which means more motivated hackers
- Visibility is Vital: You can’t protect what you can’t see: Get visibility into everything that is happening on mobile devices without compromising user privacy
- Keep Things Simple: Complicated solutions (for example, the ones based on containerization approach) that are not user-friendly are more prone to user error/negligence and turning into “shelfware”
- Mobile Security Needs the 3 P’s: Like any other security solution, mobile security is also a combination of the 3 P’s (Product, People and Processes); ignoring any one of the P’s can defeat the overall initiative
I look forward to bringing you all of the latest mobile security news, tips and tricks and enterprise best practices from around the world. In the meanwhile, you can use the links below to download a free version of the Skycure app that will detect anytime you are under an active attack.