avenues for phishing, it is much harder to scrutinise the validity of a message on a mobile phone compared to a desktop. The limited preview that mobile phones tend to display can make it far harder to spot a malicious sender on a mobile device than on a desktop computer. What’s worse is that employees are more likely to first see a message on a mobile phone.

Email isn’t the only place where mobile users are vulnerable. Mobile web browsers and messaging apps are also increasingly targeted by phishers.
Man-in-the-middle attacks
Additionally, busy employees on the move often make use of public Wi-Fi where it’s available, but this can leave them vulnerable to another form of attack. It can be convenient that Wi-Fi connections are widely available for free, but not all networks are genuine. Hackers have been known to set up spoofed connections that imitate public Wi-Fi networks.
In these scenarios, unsuspecting users log on, and by doing so they unknowingly provide a hacker with access to all the information transmitted when they connect – from login credentials to confidential documents – unless the user’s connection is encrypted. This is called a ‘man in the middle’ (MitM) attack.
Stepping up mobile security
Although it is convenient to connect and do business wherever we are, it can cause problems that are costly and time consuming to solve.
www.intelligentciso.com | Issue 07
Introducing stronger authentication
With an increasing number of stolen login credentials available on the black market and rampant phishing scams, it is critical that any mobile application has the option for strong authentication. User names and passwords are no longer providing adequate security.
That said, there are some unique considerations for mobile authentication. Many authentication methods today – like SMS or mobile push apps – rely on the phone as the trusted second factor. However, in a mobile app setting these methods can no longer be considered trusted second factors, as they are tied to the device itself.
If the device is compromised, so is the authentication method. Additionally, one-time codes delivered via SMS or app can be spoofed by porting a number to a different mobile device, or can be very unreliable at the mercy of the phone networks.
While strong authentication is about improving the security of the mobile application, the app is at risk if the authentication solution itself has a vulnerability. Therefore, it is important for enterprises to deploy a second factor other than the phone that can be used to establish a trusted relationship between the phone and the apps being used.

An external hardware-based authentication solution can provide a trust anchor, or ‘root of trust’, that ensures the authentication solution and end-user practices are secure.
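To make the contrast between a phone-bound second factor and an external one concrete, here is an added example that is not part of the article or of any product it alludes to. It models a hardware token as a device that holds a secret and answers a fresh server challenge with an HMAC; the secret is never displayed, typed in or sent over SMS, so a compromised phone or a ported number does not reveal it, and a captured response cannot be reused because each challenge is single-use. The symmetric HMAC scheme, the class names and the user name are assumptions chosen for illustration; real authenticators typically use per-device key pairs rather than a shared secret.

```python
import hashlib
import hmac
import secrets

# Constructed example: a symmetric challenge-response second factor.
# The token secret lives in an external hardware authenticator and is
# never typed in, displayed or sent over SMS, so a compromised phone or a
# ported phone number does not expose it. All names are hypothetical.


class HardwareToken:
    """Stand-in for an external authenticator that signs a server challenge."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret  # held inside the device, never exported

    def respond(self, challenge: bytes) -> bytes:
        # The response is bound to this exact challenge via HMAC-SHA256.
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class AuthServer:
    """Server side: issues a fresh random challenge per login attempt."""

    def __init__(self, enrolled_secret: bytes) -> None:
        self._enrolled_secret = enrolled_secret  # shared once, at enrolment
        self._pending: dict[str, bytes] = {}  # user -> outstanding challenge

    def issue_challenge(self, user: str) -> bytes:
        challenge = secrets.token_bytes(32)
        self._pending[user] = challenge
        return challenge

    def verify(self, user: str, response: bytes) -> bool:
        # Each challenge is single-use: it is removed before checking, so a
        # captured response cannot be replayed against a later login.
        challenge = self._pending.pop(user, None)
        if challenge is None:
            return False
        expected = hmac.new(self._enrolled_secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo() -> tuple[bool, bool, bool]:
    """Returns (genuine login accepted, replayed response accepted, forged response accepted)."""
    secret = secrets.token_bytes(32)  # generated at enrolment; constructed here
    token = HardwareToken(secret)
    server = AuthServer(secret)

    # 1. Genuine login: server challenge -> token response -> verify.
    challenge = server.issue_challenge("alice")
    response = token.respond(challenge)
    genuine_ok = server.verify("alice", response)

    # 2. A phished or intercepted response is useless on the next attempt,
    #    because the server issues a new challenge and the old one is spent.
    server.issue_challenge("alice")
    replay_ok = server.verify("alice", response)

    # 3. A response computed without the enrolled secret fails to verify.
    challenge = server.issue_challenge("alice")
    forged = HardwareToken(secrets.token_bytes(32)).respond(challenge)
    forged_ok = server.verify("alice", forged)

    return genuine_ok, replay_ok, forged_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The point the example makes is structural rather than cryptographic: an SMS or app-delivered one-time code is accepted on its own, so whoever sees it can use it, whereas a challenge-bound response from a separate device is only valid for the one login the server asked about, and only for a device holding the enrolled secret.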
Creating a security-first culture
Aside from the technical solutions such as strong authentication, business culture also needs to change. Organisations must take the proper steps to protect the fleet. For example, employee training to help staff recognise the risks they face off-site as well as in the office can help to mitigate mobile threats. Additionally, mobile devices used for work should also be regularly checked to ensure their operating system, web browser, apps and any security programs protecting them are up to date.
If hackers successfully obtain the sensitive information they seek, it takes organisations an average of 191 days to find the source and contain the breach. In 2017, such attacks cost businesses an average of US$3.62 million to remediate – a figure set to rise after the first fines for GDPR non-compliance are issued.
The fact that personal mobile devices are often not considered part of an organisation’s overall security policy means that these devices will be more vulnerable to attack. It is easier to ensure that all business and communication is conducted in compliance with any relevant regulations while on the company’s premises, but managing risks off-site can be more complicated and costly. Fines and other penalties for non-compliance can make the cost of a successful attack spiral.