The future always holds promise and peril, as new technologies surpass and replace old technologies, and new risks become apparent. Mobile device security is an essential component of many organizations. Mobile devices have proliferated widely across organizations of every size, for very good reason. Mobile devices can drive productivity, improve efficiency, and equip personnel with the tools they need to accomplish their business remotely. At the same time, mobile devices pose a significant threat to an organization’s network, cyber assets, and data.
Mobile devices are themselves constantly changing, presenting challenges for organizations that are looking to mitigate their level of risk. Mobile devices also require unique security considerations. Organizations must craft mobile security policies that incorporate industry-recognized best practices along with the right tools to test mobile devices for vulnerabilities, then decide how to build an effective vulnerability management program to incorporate alongside the policies.
At the same time, security policies intended to identify and minimize the risk associated with mobile devices must be grounded in an understanding that while the threats of today are important to guard against, so too are the threats of tomorrow.
In the spirit of treating mobile device security as an ongoing effort, we’ll share some mobile security trends that should prove influential for 2019. Projecting the future is always tricky, particularly when discussing security threats and their possible solutions. Rather than attempt to do this, we’ll identify some broad trends in mobile that are sure to shape how mobile security is approached in 2019.
These trends include an evolving and ever-widening attack surface that must be accounted for, as well as an increased use within the industry of threat modeling to detect emergent threats to mobile device systems.
Securing the supply chain will also take on increasing importance moving forward as the risk of bad actors in the supply chain continue to grow. As always, the trend of persistent vulnerabilities in the proliferation of different mobile applications will continue to be a driving force in mobile security, as these apps pose a great risk to organization’s data and networks. Countering this will require an “always-on” approach to cybersecurity by organizations, alongside the use of mobile threat monitoring and mobile penetration testing to ensure that vulnerabilities are identified early and addressed before they can be exploited by bad actors.
One of the challenges that organizations have faced when it comes to mobile security is the rapid expansion of the attack surface. Mobile device security is a very different beast than securing networked assets such as desktop computers, routers, or servers. It requires a fundamentally different approach. Security teams must develop strong access controls for mobile devices and ensure that when data is transmitted to and from a mobile device the transmission is secured. On top of that, mobile device security requires organizations to deploy real-time detection and mobile security software that can quickly identify unauthorized access when and where it occurs. Alongside a pre-developed response plan and ongoing efforts such as mobile penetration testing, these facets of a comprehensive mobile device security architecture implementation are essential.
The security efforts we’ve described represent mobile device security best practices, but many security professionals are wondering if those will be enough in the coming years. One challenge that cybersecurity teams will face in 2019 and beyond is an increasing proliferation of mobile devices in enterprise organizations. While this has already been occurring, many organizations have approached mobile device integration with some trepidation. As adoption of mobile devices in enterprise environments continues to grow in the coming year, organizations will have to develop new security efforts to ensure they maintain an appropriate level of risk.
The adoption of a 5G network protocol is expected to begin in 2019. One impact of this, beyond simply introducing new devices into an enterprise environment, is an expansion of the attack surface. To be sure, 5G enabled phones and mobile devices, while beginning to appear in 2019, will only slowly be incorporated into enterprise environments over coming years. Early adopters may also serve as test subjects for security threats, but organizations should begin preparing for the integration of 5G enabled devices into their networks over subsequent years. A key consideration of 5G is that with the higher bandwidth and lower latency that it provides, bad actors will be able to leverage this network power to stage new types of attacks.
While 5G holds promise for increased productivity and enhanced communication, it also holds peril for organizations that don’t adequately anticipate threats and proactively address them. The same can be said for the use of Artificial Intelligence (AI). Machine learning is all the rage right now, and the promise of AI is slowly being realized in some industries. Yet, AI poses substantial risks for enterprise organizations. These risks aren’t only relevant for mobile device security, but they are perhaps more acute. As more business is being done on mobile devices, more sensitive data is stored on, or transmitted through, mobile devices and the networks they utilize. Securing these devices has already presented significant challenges. These challenges will grow exponentially should the power of AI begin to be utilized by bad actors to stage attacks.
Although it sounds far-fetched, the use of machine learning to identify vulnerabilities and exploit them is right around the corner. In many ways, AI systems have already demonstrated that this is possible given their use tackling complex systems, such as the use of AI in autonomous vehicles. How much of a stretch is it to think of machine learning being turned towards the problem of penetrating an enterprise security system? The answer is, it’s not much of one. It should be noted that, while there is apprehension about the perils that AI poses within the cybersecurity realm, there is also promise in that machine learning is already being integrated into cybersecurity threat identification and deterrence. The idea that attacking and defending AI systems may be a dominant force in enterprise cybersecurity in the coming year or years seems implausible to some, but you can expect to see AI playing an increasingly important role in security, whether helping organizations defend against security threats, or helping bad actors stage attacks, within the coming years. One challenge for security professionals will be turning machine learning towards mobile device security, while also securing mobile devices against attacks powered by deep machine learning. This last challenge may prove to be substantial, given the difficulty that already exists in securing mobile devices.
Increased Use of Threat Modeling
While the purpose of this article isn’t to share mobile device security tips but rather to identify mobile security trends for the near future, one tip that many organizations should take to heart is the importance of using threat modeling. Threat modeling will play an increasingly dominant role in helping organizations secure mobile devices in the coming years. Let’s dive into what makes threat modeling different than how many organizations currently approach cybersecurity, and how those differences translate to securing mobile devices.
The current approach to cybersecurity that many organizations take is to create a series of security best practices or to adopt a cybersecurity framework, implement that framework, and then assume that their data and systems are protected. This is an oversimplification obviously, given that most cybersecurity frameworks include provisions to continually assess and reassess the levels of risk that organizations are facing. However, what is important is that a characteristic of what we have described is that it is viewed as a static endeavor. This is in contrast to the reality that cybersecurity is far from static, and is defined by the fact that it is constantly changing. This is not to say that implementing cybersecurity best practices isn’t an essential component of an adequate cybersecurity strategy in today’s world. Rather, this must be augmented in recognition of the fact that cyber threats, and defenses, are constantly in flux.
One thing that we project will increase in coming years is the use of threat modeling to allow enterprise systems to identify risks and minimize them before they become breaches. Threat modeling is a type of risk assessment that models what attackers and defenders may do to gain or prevent access to specific data or applications. There are many different types of threat modeling, so we won’t break this down comprehensively. However, threat modeling is essential for securing mobile systems. The sheer proliferation of applications on mobile devices, each with their own security vulnerabilities, represents an enormous attack surface that can be difficult for security professionals to minimize to an acceptable degree. Threat modeling allows organizations to continually assess and adapt their cybersecurity efforts based on the identification of the highest risk attack vectors against mobile systems. Given the pace of change that is present in mobile systems, this continual assessment and reassessment is an essential component of a comprehensive cybersecurity strategy. Increasingly, threat modeling will be used to identify key vulnerabilities in mobile devices as more and more mobile devices are incorporated into business operations.
Securing the Supply Chain
The specter of bad actors finding their way into the supply chain has always given security professionals chills, but these fears hadn’t been realized. Although efforts have been made in recent years to enhance security in the supply chain, these efforts have been on an ad-hoc basis. A fairly recent story about the possibility of an unauthorized chip being integrated into Supermicro motherboards, which are used in servers around the world by a variety of companies in different industries, sent shockwaves through the security community. The ramifications of a hardware vulnerability that had yet to be detected but was potentially proliferated through any number of industries sent companies scrambling to identify if their servers, and by extension, their data, may be affected. Shortly after the story broke, Supermicro released the results of an audit finding that no such chip was found in their supply chain. Yet, despite this good news, many organizations began looking towards their supply chains with a renewed level of scrutiny.
For mobile device security, securing the supply chain will become a predominant focus in the years to come. There are two broad systems of mobile devices; Apple and Android. Apple operates within a vertically integrated supply chain, so the chances of a hardware vulnerability making it through the production process are limited when compared to Android devices, which are manufactured using tens of thousands of different manufacturers. This presents significant challenges for organizations that rely on Android mobile devices for employees operating remotely.
What will this mean for organizations moving forward? At a basic level, it means that many organizations will incorporate cybersecurity and IT teams into the vendor selection process. Organizations should take a hard look at the vetting process that vendors undergo. This includes how supply chain vendors themselves vet personnel, and how they select service providers for their own operations. An outsourced supply chain is a regular component of business-as-usual for most of today’s organizations and is an essential aspect of how organizations remain profitable and competitive. At the same time, outsourcing your supply chain introduces an enormous amount of cybersecurity risk that, unfortunately, many organizations fail to adequately account for.
Our mobile security trends for 2019 may paint a dire picture of mobile securing in the coming year for some organizations. However, mobile security threats we have discussed and the reaction to those threats across the industry have been developing for some time. The promise and peril of new technologies will always be a thing so long as innovation continues. The challenge will be for organizations to continue to identify key areas of risk and minimize those risks to an acceptable level. Securing mobile devices in today’s world is an increasingly challenging endeavor and one that requires a high degree of expertise to accomplish. Not only must organizations implement cybersecurity best practices, but they must also introduce efforts to constantly monitor mobile devices and aggressively test mobile networks and applications for vulnerabilities. This highlights the importance of working with a managed security service provider that has experience securing mobile devices. If you are interested in learning more about mobile device security and cybersecurity solutions, please contact RSI Security today.
- Millman, Rene. “Get a Handle on Mobile Security.” Computer Weekly, March 13, 2018, 26.