It’s Time to Recognize (and Secure) Mobile Endpoints

By Bob Stevens May 16, 2017

Bob Stevens is vice president of Lookout.

The National Institute of Standards and Technology is holding a workshop May 16 to discuss changes to its Cybersecurity Framework, which has proven to be an excellent tool to manage cyber risk. While the conversation surrounding the framework focuses on securing endpoints, the importance of securing mobile endpoints is often overlooked.

The NIST framework is a voluntary document that we see both public and private sectors use to strengthen their defenses and protect themselves from attack. Thus, I believe expanding on what is defined as an endpoint could help push organizations and agencies in the right direction when it comes to addressing mobile security.

Mobile is quickly becoming a part of the government’s critical infrastructure. Mobile devices are in the hands of almost every U.S. government employee today. While employees are using them to access emails, collaborate with colleagues on the go, and remotely participate in meetings, they are also using them to authenticate.

Two-Factor Authentication and the Mobile Device

At the heart of a government’s cybersecurity is its ability to confirm the identity of the person accessing information. In addition to common access cards and other physical forms of authentication, mobile devices—through their deep integrations with two-factor authentication—are becoming the ways through which we confirm identities.

Mobile device two-factor is good. It’s a convenient “thing your employee has” as opposed to a “thing your employee knows,” such as a password, in a multifactor authentication setup. People generally have their phone on them and IT doesn’t have to worry about a separate token to distribute. It also, however, makes the mobile device a central target.

Attacking the Mobile Device to Gain Greater Access

Threats like Pegasus show us why mobile devices need immediate protection. Pegasus is a highly sophisticated and targeted espionage tool that allows adversaries to steal emails, texts, messaging app communications, photos, locations, audio, and much more. In the process of compromising a target’s device, it silently jailbreaks it, altering the operating system’s functions at its core.

Pegasus is one of many families of mobile threats, including Droidjack, that jailbreak or root a device in order to gain full control over it—a tactic we will likely see mature threat actors use to infiltrate critical systems. Other malware threats, like MilkyDoor, use a combination of application repackaging and proxying to establish a botnet of infected devices for defrauding advertising networks, a variation on DressCode and NotCompatible seen in 2016 and 2012, respectively.

However, the challenge of securing the mobile environment is not limited to these threats aimed at mobile technology. The apps and devices themselves include vulnerabilities that can significantly increase the likelihood of a security incident.


A recent report from the Presidential Commission on Enhancing National Cybersecurity noted, “Mobile technologies are heavily used by almost every organization’s employees, yet security for mobile devices is often not considered as high a priority as security for other computing platforms.”

If every government employee is walking around with access not only to personal conversations but also to government data and sensitive systems protected by multi-factor authentication, then it’s more imperative than ever that government agencies begin protecting mobile against app-, network- and device-based threats while providing visibility and control over data leakage.

The mobile device is an endpoint just like any other. To the benefit of Cyber Framework readers, we believe NIST should clarify its definition of endpoints to include mobile devices. Failing to address it leaves us in a worse position, not a better one.

