Bob Stevens is vice president of Lookout.
The National Institute of Standards and Technology is holding a workshop May 16 to discuss changes to its Cybersecurity Framework, which has proven to be an excellent tool to manage cyber risk. While the conversation surrounding the framework focuses on securing endpoints, the importance of securing mobile endpoints is often overlooked.
The NIST framework is a voluntary document that we see both public and private sectors use to strengthen their defenses and protect themselves from attack. Thus, I believe expanding on what is defined as an endpoint could help push organizations and agencies in the right direction when it comes to addressing mobile security.
Mobile is quickly becoming a part of the government’s critical infrastructure. Mobile devices are in the hands of almost every U.S. government employee today. While employees are using them to access emails, collaborate with colleagues on the go, and remotely participate in meetings, they are also using them to authenticate.
Two-Factor Authentication and the Mobile Device
At the heart of a government’s cybersecurity is its ability to confirm the identity of the person accessing information. In addition to common access cards and other physical forms of authentication, mobile devices—through their deep integrations with two-factor authentication—are becoming the ways through which we confirm identities.
Mobile device two-factor is good. It’s a convenient “thing your employee has” as opposed to a “thing your employee knows,” such as a password, in a multifactor authentication setup. People generally have their phone on them and IT doesn’t have to worry about a separate token to distribute. It also, however, makes the mobile device a central target.
Attacking the Mobile Device to Gain Greater Access
Threats like Pegasus show us why mobile devices need immediate protection. Pegasus is a highly sophisticated and targeted espionage tool that allows adversaries to steal emails, texts, messaging app communications, photos, locations, audio, and much more. In the process of compromising a target’s device, it silently jailbreaks it, altering the operating system’s functions at its core.
Pegasus is one of many families of mobile threats, including Droidjack, that jailbreak or root a device in order to gain full control over it—a tactic we will likely see mature threat actors use to infiltrate critical systems. Other malware threats, like MilkyDoor, use a combination of application repackaging and proxying to establish a botnet of infected devices for defrauding advertising networks, a variation on DressCode and NotCompatible seen in 2016 and 2012, respectively.
However, the challenge of securing the mobile environment is not limited to these threats aimed at mobile technology. The apps and devices themselves include vulnerabilities that can significantly increase the likelihood of a security incident.
A recent report from the Presidential Commission on Enhancing National Cybersecurity noted, “Mobile technologies are heavily used by almost every organization’s employees, yet security for mobile devices is often not considered as high a priority as security for other computing platforms.”
If every government employee is walking around with access not only to personal conversations but also to government data and sensitive systems protected by multi-factor authentication, then it’s more imperative than ever that government agencies begin protecting mobile against app-, network- and device-based threats while providing visibility and control over data leakage.
The mobile device is an endpoint just like any other. To the benefit of Cyber Framework readers, we believe NIST should clarify its definition of endpoints to include mobile devices. Failing to address it leaves us in a worse position, not a better one.