Enterprises don’t seem to be taking mobile threats very seriously these days.
That was the message from MobileIron’s recent Mobile Security and Risk Review for the second quarter, which detailed a number of missteps and errors made by enterprises regarding mobile security. Some of these mistakes included failing to regularly update mobile operating systems and using outdated mobile security policies. MobileIron, which specializes in enterprise mobility management, also outlined in the report some of the more dangerous types of malware and attacks targeting Android and iOS devices.
SearchSecurity recently spoke with James Plouffe, chief solutions architect at MobileIron, based in Mountain View, Calif., and a technical consultant on the hit television show Mr. Robot. Plouffe discussed the findings and trends within the Mobile Security and Risk Review report, the increasing sophistication of mobile threats and why enterprises aren’t doing more to address these threats. Here are excerpts from the interview with Plouffe.
Were you shocked when you saw the information that was in the Mobile Security and Risk Review report about what wasn’t being done by enterprises to address mobile threats?
James Plouffe: I was, actually. And I think that was the big shocker. The thing that, I think, caught all of our attention when we started to look at the data was some mobile threats are extremely sophisticated. Right before Black Hat, the Godless malware dropped, and HummingBad actually was the other one that dropped about the same time. Both of those had rootkit exploits in them, so it was sort of the first time we’ve seen Android malware make an attempt at doing device compromise over the air, which is kind of interesting.
And so we sort of expect a little bit of lag time on some of these more sophisticated threats. But some of the very kind of basic stuff wasn’t being done, like maintaining OS updates. That is a very simple and free thing that you can do that protects you a lot of the time, even from the most recent revelation about the Pegasus iOS malware. That was kept under wraps for a little while.
Everybody did a pretty good job with responsible disclosure and turning around solutions very quickly. Apple issued a patch in what feels like a really quick turnaround. And OS updates are just one of those things, and it was just startling that some of that basic stuff like that wasn’t getting done. And I think there are two things at play.
One, mobile still is sort of an evolving discipline in a lot of organizations. And so, in a lot of cases — certainly not all, but some — it’s almost a second-class IT citizen, and so it doesn’t have the same level of maturity that, say, desktop management might.
And then, the other interesting dynamic just anecdotally that I’ve encountered talking to folks in different places like Black Hat and at Cisco Live a couple of weeks before that is this: More than one customer actually used the phrase, verbatim, ‘We’re just sticking our heads in the sand [on mobile threats],’ which was astonishing to me also. They knew there was a problem, but thought if they would ignore it, it would just go away. And so that sort of shed a little bit of light on the data as well. People are just sort of hoping it won’t catch them. But I think, as we’ve seen with anything in security, that’s an inevitability.
The fact that enterprises were admitting they’re ignoring mobile threats is surprising.
Plouffe: Yes, it was. And it’s obviously self-serving for me as a MobileIron employee to say this, but it’s also surprising in the sense that MDM [mobile device management] is not a new technology. It’s fairly mature at this point. And so, it’s surprising that folks would just say, ‘Yeah, we have mobile stuff going on, but we’re leaving it in the line of business.’ Or, ‘IT’s not handling that.’ It just feels very weird.
Do you think BYOD plays a factor in that? A lot of times, you’re in enterprise organizations, and they have a BYOD policy where the employee is using a personal device. And there may be security measures or policies on those devices, but they’re almost held at arm’s length, as if there’s almost a perspective that it’s not really the enterprise’s problem.
Plouffe: I certainly think that could be a factor. One of the other things that I’ve encountered, again, more anecdotally, is that it seems like a lot of BYOD programs were driven by costs, with security as a secondary consideration. But I think any organization that is saying, ‘Look, it’s somebody else’s device, so it’s not really our problem,’ is wrong. If it’s accessing your corporate data, then it absolutely is your problem, because, as an organization, you’re the custodian of that stuff.
The question of data residency and whether you own the endpoint it’s on or not, I think should be less relevant to enterprises. The question should be, ‘How do we protect our data, and by extension potentially our customers’ and clients’ data as it moves around?’
And that again comes back to the fact that the technology for doing a lot of that stuff is actually fairly mature at this point, whether you’re talking about the capabilities that Apple’s built into iOS or the things that Google and Samsung have done with Android for Work and Knox, respectively. There are a lot of ways to make sure that you can still control the flow of data, even though you might not own the endpoint where the data ultimately lands.
What are some of the other things that you’ve seen from enterprises, besides the general sticking their head in the sand and not doing OS updates? Are there other specific problems, bad practices or errors they’re making with regularity that are putting them at risk?
Plouffe: We saw a fair number of customers with missing devices; about 40% of our customers had devices that had gone AWOL. When you look at stuff like the [SANS Institute’s] CIS Top 20 Critical Security Controls, one of the things they expect you to be able to do is know the location of your assets. That’s a discipline that I think should transfer very naturally from kind of the laptop management to the mobile device — although, we have to acknowledge that mobile devices are more portable. And we did see instances where about 26% of our customers had users who were removing the MDM profile [from their devices].
Now, I want to emphasize that that was the percentage of customers, not the percentage of devices. When you look at the number of devices, it’s less than a tenth of a percent of the overall devices that were affected. But that’s one of those things where you actually have employees overtly bypassing the security measures. And there are actually a number of other reasons why that might have occurred, like lifecycle management stuff where an employee says, ‘I got a new phone, so I took [MDM] off my old device and put it on my new one.’
I think that’s a scenario that organizations have to maybe revisit; maybe they were thinking about BYOD purely from a cost perspective. But if it’s BYOD, I always have the ability to opt-out of the controls my employer might put on my device. Whereas, if an organization goes for more of a corporate-owned, personally enabled device scenario, then there are steps you can take to make sure that the device is always under management and get extra measures of control as well.
So, the total number of devices that were being affected by somebody bypassing the MDM was low, but it was a problem that was affecting a lot of organizations?
Plouffe: Right. And I think what caught our attention about that was that it was a big spike from the last time we ran this report. When we did this report in [the fourth quarter] of 2015, it was only about 5% of organizations that were affected then. So, we had this kind of weird hockey-stick chart, where it was a much larger percentage of organizations, and it was a pretty steep jump from the last time we looked at it. Again, there are a lot of factors that may contribute to that number, but it definitely got our attention.
What’s the message then to enterprises when you see this type of data and you see these trends? How do you get them to take these things more seriously and to get their heads out of the sand?
Plouffe: That’s been the difficult part. I think folks sort of wrongly point back at things like the Verizon Data Breach Investigations Report that says, ‘Hey, there haven’t been any big breaches attributed to mobile [devices].’ And so they sort of think it’s not really a problem.
I think the point is we haven’t had one of those events, so people don’t necessarily freak out, but they’re forgetting that you don’t really want to have that event. You don’t want to see that headline, and you certainly don’t want to be that headline. And so, I think that’s always been the perennial struggle with any kind of security stuff — that we’re better at reacting to it than we are at being proactive. And that’s a bit of a liability.
There are definitely folks out there that are taking it seriously. But the thing I always tell folks when I’m at different conferences and other places is this: Mobile is going to happen with you or to you, and so you have to figure out how you want to handle that.
The reality is that if you don’t want these devices in your environment, then there are some things that you have to do; you have to play pretty aggressive defense against them because they are easy to sneak in. If I’m only protecting my [corporate] Wi-Fi with usernames and passwords, well … I know what my username and password are, so I can bring my device in and hop on a network very easily.
And I’ve seen that happen to folks that were doing assessments where we’re working with our NAC [network access control] partners; we had scenarios where the endpoint count on the network is 40% higher than what the network admins thought it was when you start doing the device profiling. And the overwhelming majority is smart devices. And people say, ‘Well, we didn’t expect that.’ And we say, ‘Well, what were you doing to keep them out?’
So, you either have to play aggressive defense if you don’t want this stuff in, or if you are willing to embrace it, you really need to sit down and think through all these locations. Because there are a lot of things — again, fairly basic and readily available mature technologies — that can help you embrace mobile safely, but you have to be prepared to do that. And it is a little bit [of a] different animal than traditional endpoint management, but that doesn’t mean that you can’t do it right.
Stay tuned for part two of the interview with MobileIron’s James Plouffe, which will discuss the evolution of mobile device management, silver linings for mobile security and Plouffe’s role as a technical consultant on the hit television show Mr. Robot.