Welcome to our “Understanding Cybersecurity” series of blogs! This series is focused on providing explanations of cybersecurity terms and concepts in layman’s terms. We want to demystify the world of cybersecurity, one topic at a time. Our team believes that a unified cybersecurity community is the best way to defeat cybercrime. One of the main issues we run into when speaking with organizations is the lack of a common vocabulary when it comes to cybersecurity. This series should help act as a reference point for both technical and non-technical readers.
Cell phones have come a long way in the past two decades. From the first PDA to flip-phones, technological progress seemed to be slow and steady until the market was disrupted in 2007. Once smart phones were on the scene, everything about mobile devices rapidly changed. Nowadays, mobile devices are at an all-time high for popularity and functionality. Unfortunately, this meteoric rise in capabilities and access has led to a corresponding increase in cybersecurity risks and threats. With a tool as broadly used as cell phones, almost the entire population is at risk.
Cybercriminals have been targeting mobile devices at an unprecedented rate. Threat actors have exploited the fact that the extensive capabilities associated with mobile devices equate to personal computers. Threats that were once relegated to enterprise workstations now plague the mobile ecosystem, causing great financial loss each year. With cybersecurity, knowledge is power. We hope that this blog can expose readers to the threats and preventative measures in mobile device usage.
In order to better understand ways to protect oneself from these risks, we need to take a look at some of the threats that face the everyday mobile device user.
Malware for Mobile Devices
Most mobile devices contain application stores with a “closed ecosystem.” This method of obtaining new software allows certification teams to verify the integrity of applications before allowing users to download. In theory, this process would prevent all but the most subtle malware from infecting non-jailbroken devices. The reality is that this process is overwhelmed by the sheer quantity of applications, updates, and re-releases on the respective application stores. This ecosystem is closed only in the sense that profits must be shared with the providing host. Malware can and will make its way onto application stores.
Unsecured Wi-Fi and Mobile Access
Wi-Fi is rarely as safe as most people believe, especially in regard to mobile devices. By constantly being “on the move”, mobile devices are faced with a unique challenge of interacting with a huge array of mobile hotspots and wireless access points. Disregarding the more advanced risks associated with poorly configured wireless access, a major threat to all mobile users is the risk of a “Man in the Middle Attack.” This attack is essentially somebody spoofing the access point that you intended to connect to and reading (and potentially editing) all unencrypted traffic that is being sent or received on your device.
Phishing attacks have reached a critical mass for severity. At a certain point, an attack method becomes so successful and easy to execute that other, more advanced attacks begin to fall out of favor. Phishing is extra relevant to mobile devices due to the “on the go” nature of mobile device usage.
Our assumption is that the average person is less careful when clicking links on mobile since they believe that their phones are immune to viruses. While a large portion of malware in phishing emails might not affect the mobile devices, there are still countless other risks associated with phishing that apply to mobile devices.
Spyware and Mobile Botnets
Spyware is a form of malware that monitors activity on a device and reports back to a centralized location. Spyware is extremely common on less-than-reputable mobile applications due to the fact that it can go unnoticed while delivering constant data to cybercriminals. This data can then be used to do things such as form malicious advertisement campaigns, take over accounts, or perform corporate espionage. This similar type of attack can actually infect your device with software that allows attackers to perform their attacks using your mobile device resources, generally called a mobile botnet.
The most obvious “attack” of all - simply stealing a mobile device - presents a massive cybersecurity threat. Many users find PINs and Passwords inconvenient and cumbersome, allowing attackers to gain easy access to a device that they have stolen. All sorts of data and nefarious actions can be taken with stolen mobile devices.
Now that we have looked at some of the most common attacks, what can we do to protect against these threats?
Watch What You Download
When downloading applications from sanctioned sources, be sure to check reviews and version update notes. Excessive permissions are also a cause for concern – if your timer application requires access to core system files, there may be a problem. Try to download apps that are “popular,” with a high number of downloads and positive reviews. This will not help against all spyware and malware, but it should reduce the risk. Never use jailbroken devices or unofficial application sources unless you are extremely familiar with the risks and willing to do extra research and invest into security software. Mobile Anti-Virus is gaining popularity – these tools can help provide an additional layer of defense but should never be a replacement for common sense.
Use Familiar Networks
Traveling with a mobile device is a given. Be sure to triple-check all connections that you are trusting with your device – wireless access point spoofing attacks often impersonate popular connection locations such as airports or hotels. If you notice something strange about the signal quality, naming convention, or even number of available networks then it is best to ask a staff member what the proper network is for connectivity. When utilizing public Wi-Fi, never type any credentials into websites or applications that are not encrypted.
Use Passwords, PINS, and Multi-Factor Authentication
We understand the fact that passwords, PINs, and MFA can be a nuisance. But the amount of time spent recovering from a successful attack or stolen device can greatly outweigh the entire sum of extra time spent entering a PIN on your device. Keeping devices locked can greatly reduce the risks associated with a stolen device. Equally important is keeping your accounts secured with Multi-Factor Authentication. Your phone will generally be your “second factor,” so keep it safe.
Keep Your Phone Up to Date
Patches, patches, patches. Keeping a device patch can generally feel like an endless battle with slow downloads and inconvenient restarts. However, the reason patches are deployed is generally to fix bugs that can lead to massive security risks. Keeping a device updated reduces the chances of falling victim to an attack by a staggering amount. Check your app stores and system settings for updates on a regular basis to stay ahead of the attackers.
Learn How to Detect Phishing
Awareness is the best prevention. Phishing will likely be the most drastic threat faced by most mobile device users. When a company or personal email receives a phishing attack, there are a few signs that you can look for in order to reduce your chances of falling victim. Check that you are familiar with the contact and sender – if the address doesn’t look right, it probably isn’t right. Look for typos or grammar mistakes within the emails as these are very common in phishing. Most importantly – never click a link or reply to an email without taking the time to verify the details surrounding the email. Security awareness training is available through a huge variety of sources – look into phishing awareness to help prevent yourself from falling victim to this extremely common attack.
Mobile devices are powerful tools that have enabled drastically improved productivity within organizations. With proper usage and dedicated cybersecurity awareness, these devices can be a safe and efficient tool. Practice proper cybersecurity hygiene and avoid taking shortcuts when utilizing your phone.