From laptops and tablets to smartphones and the Internet of Things, we are constantly and ubiquitously connected. There were 4.7 billion unique mobile users globally in 2015, according to the Global System for Mobile Alliance (GSMA). That number is expected to grow: by 2020, 5.6 billion people, or 70 percent of the world’s population, are expected to have a mobile subscription.
This 24/7 connectivity mind-set goes beyond general personal use and into work life. A 2015 survey by Lookout, a mobile security solutions provider, found that 50 percent of Federal employees read work emails on their personal devices, and 49 percent use these devices to download work documents. In addition, 24 percent send work documents to personal email accounts.
Using personal devices to access sensitive data or private networks exposes government agencies to a flood of malware, advanced persistent threats (APTs), and other cyber menaces. The recent Department of Homeland Security mobile device study warns that Federal government mobile devices could become an avenue to attack back-end computer systems containing the data of millions of Americans and sensitive information related to Federal government functions. However, securing mobile devices isn’t easy; the study also notes that these endpoints require a substantially different set of security protections from desktops.
“When it comes to the Federal government, hackers and other malicious entities targeting intelligence agencies have completely different motives and processes than those targeting consumer agencies,” says Bob Stevens, vice president of Federal systems at Lookout. “From spyware to man-in-the-middle attacks, hackers have a wide range of tools to compromise the mobile devices of Federal employees.”
Lookout released a white paper, “The Spectrum of Mobile Risk: Understanding the full range of risks to enterprise data from mobility,” which outlines the various types of threats and vulnerabilities targeting mobile devices. One is that many users are not updating their devices’ operating systems, leaving them vulnerable to a number of known threats that have been patched with manufacturer updates. According to the white paper, 57 percent of Lookout’s customers who use Apple devices have not updated their iOS operating systems to version 10.3 or above, and 92 percent of those who use Android devices, specifically the Samsung Galaxy S6, have not updated their operating systems to the latest version. Additionally, Lookout found that many smartphone applications have access to capabilities that could violate corporate policies or pose significant compliance risks. For example, 30 percent of apps access contacts, 30 percent access GPS, 31 percent access a calendar, 39 percent access a device’s microphone, and 75 percent access the camera.
Additionally, the DHS study warns that although Federal employees make up a minor share of the overall market, they may be more prone to attacks than their private sector counterparts.
“Certain adversaries can benefit from tracking and surveilling executives and/or other Federal employees to learn more about their decisions, track movements, and communications,” said Robert Palmer, deputy chief technology officer at DHS.
DHS provided the following recommendations to address the challenges of mobile usage within the U.S. government:
- Enhance Federal Information Security Modernization Act (FISMA) metrics to focus on securing mobile devices, applications, and network infrastructure.
- Update National Protection and Programs Directorate’s (NPPD) definition of critical infrastructure to include mobile network infrastructure.
- Revise the Continuous Diagnostics and Mitigation (CDM) program to address the security of mobile devices and applications with capabilities at parity with other network devices (e.g., workstations and servers).
- Continue the DHS Science and Technology applied research program in Mobile Application Security to enable the secure use of mobile applications for government use.
- Establish a new program in mobile threat information sharing to address mobile malware and vulnerabilities, including ways to handle Common Vulnerabilities and Exposures (CVE) generation for mobile and mobile threat information sharing.
- Coordinate the adoption and advancement of mobile security technologies into operational programs such as Einstein and CDM to ensure that future capabilities include protection and defense against mobile threats.
- Develop cooperative arrangements and capabilities with mobile network operators to detect, protect against, and respond to threats (e.g., rogue IMSI catchers and SS7/Diameter vulnerabilities) that impede government communications confidentiality, integrity, and availability.
Beyond the report’s recommendations, there are actions government agencies can take now to combat these malicious mobile threats. One is gaining complete visibility into the mobile ecosystem by scanning any device that connects to the network, along with its applications. Agencies also need an all-encompassing, layered security approach. This means not just a mobile device management (MDM) solution, but also mobile application management (MAM) solutions to secure Federal-managed devices, and mobile-specific Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) to secure personal devices and protect Federal networks from mobile-based attacks.
“As the use of mobile devices grows, it is critical that our strategy behind the devices and communications matures as well,” Palmer noted. “We also agree with the study that mobile security for government employees traveling abroad requires a different security posture and policies and procedures need to be further developed to address this challenge.”
“When it comes to understanding mobile threats, Federal agencies and enterprises need to adopt a new mind-set,” Stevens said. “[A]ll other on-device security and management relies on the assumption that the device itself has not been compromised. For a holistic approach, reworking the way we approach how secure our mobile devices are is the essential first step toward total mobile security.”