Mobile Devices and The Security Risk to Business

By: Ronald Wilson
Date: December 13, 2020



Mobile devices are to communication as breath is to life. In today's business world, mobile devices have become the norm for conducting business. Whether employees are using their own personal laptops at home or business tablets in the office, mobile devices are constantly being used for daily business tasks, such as sales personnel traveling to remote locations to meet with clients, or a senior executive replying to emails on a mobile phone before a conference meeting. More businesses are requiring access to employees beyond the office environment.

As business demands grow, availability and communication leave businesses in a vulnerable state. How these vulnerabilities are exploited depends on which threats your business is susceptible to. Financial institutions are prone to having private and account information compromised, whereas educational institutions are prone to having research and personal information compromised.

Today over 7.92 billion mobile connections exist within networks worldwide. (Kemp, Kepios, "Digital Around the World") Devices powered by satellite radios, high powered frequencies and distributed mesh networks result in numerous avenues of communication. As data travels across various mediums of communication, inquisitive minds create unique pathways to intercept it. Data tracked by the Verizon Mobile Security Index 2020 Report identifies methods attackers use to compromise mobile devices, such as applications, USB connections or phishing emails. These methods are then used to pivot through business networks and gain even more information. Information is the primary target of most attackers. Its relevance applies not only to the business attacked, but also to other organizations' systems, login credentials, accounts, or monetary gain. Attackers use information to compromise other systems, or sell it to others for an unlawful profit.

How

The first question to ponder is how information becomes compromised by unauthorized individuals. Intercepting data is not a tangible action that is easily accomplished. It involves discreet, psychological, insightful and detailed planning. Attackers carefully write code to perform specific tasks and extract the details needed to bypass security and penetrate a device. Gathering information about the mobile device and its environment is the key element of an attack. Information is not limited to private or financial data. It includes login credentials, software version and type, and the applications in use, all of which reveal details about the targeted device.

Credentials are a key source of information used to gain unapproved authentication. From a security perspective credentials suffice for authentication, but when used alone as a security control they are susceptible to theft or misuse. All mobile devices with installed applications are capable of requiring credentials to operate and access information. With over 520 billion users utilizing mobile devices, at least one application is installed on each device. Applications add to a mobile device's vulnerabilities. Therefore, credentials become a popular avenue for attackers who want to compromise devices. With the power of modern-day computers and special arithmetic software, credentials can be manipulated in many ways to permit access to an application that communicates directly with the mobile device.

Approach

Once a device is compromised, the attacker is able to maneuver in several different ways within the network it is connected to. Businesses continue to experience damage to operations such as downtime, loss of data, damage to reputation, regulatory penalties, or loss of business. The types of attack used are not new to security analysts. However, the approach and the psychological manner in which threats are presented to the end user create complexity in controlling the outcome.

The methods and anatomy used to gain access to an application allow an intruder freedom within the network, causing damage not only to the single compromised mobile device, but also to other devices and information present on the same network at the same time. Each connected device becomes exposed to outside attacks. As attackers piggyback their way into a business network, they pivot to other devices holding more sensitive information.

A genuine concern for businesses around the globe is becoming a victim of compromised data. Reports from Verizon identified successful mobile attacks in four categories which caused interruption in business continuity. Over 46% of businesses have experienced an attacker pivoting their way to other devices inside the company. ("Mobile Security Index", 2020 Report)



As mobile devices and remote operators become today's norm, the larger mass of users poses a greater weakness to businesses. For example, travelers with mobile devices are constantly targeted as vulnerable avenues for several reasons. The most important reason is their dependency on Wi-Fi for the mobile device to operate. Most travelers expect Wi-Fi to be available not only at their destination, but also in transit. Therefore, various connections are made to networks along the way. Once an attacker has connected to the mobile device, each connection is an opportunity to intercept data and gather information. Once a connection to the business network is established, further damage such as pivoting to other devices is feasible.

Wi-Fi dependency can lead to other vulnerabilities, which occur when your mobile device (particularly a phone or tablet) needs to be recharged. Trustjacking is a term for inflicting malware on a device connected to a public USB charging station. Once the user allows the device to sync with a public portal, the device becomes an exploitable object. (read more at https://wilcomputeittechnologies.com/Blogs/)

To remain available, devices must maintain an electric charge. Once a mobile device accesses a public charging station, Trustjacking becomes a threat due to the requirement of accepting a USB charge. Research from IBM in 2019 identified three ways business travelers were exposed to cyber-attacks that resulted in compromised data:

    Public Wi-Fi: 42%
    Charging Devices: 40%
    Auto Connect: 39%

    Source: IBM News Room, Cambridge, Mass., "IBM Security: Cybersecurity Threats Growing in Travel and Transportation Industries", May 21, 2019


As employers and employees strive to remain available, one of the three categories discussed above becomes the primary source providing an attacker access to mobile devices. An attacker anticipates the desire for mobile devices to remain available and uses it to access and compromise the devices' data or information.

The strategic process behind an attacker's method varies depending on their skills and experience. In most instances, users are never aware of these methods and become victims of compromised devices. With over 7.92 billion mobile connections throughout the world, an attacker's playing field is massive. The opportunities for a successful attack are multiplied by the many avenues through which an attacker can compromise a device.

Another avenue for compromising a device is exploiting vulnerable applications installed on it. Many applications require system or admin privileges, and once one is compromised the attacker is able to control the mobile device with the highest level of privileges granted. With administrative privileges, an attacker is able to move laterally to other devices and gain access privileges throughout the network, putting businesses in greater jeopardy. Organizations with large or small networks hold information valuable to the business, its partners, and associated clients. Unauthorized access to that information forfeits the security and accountability of the organization and creates great risk of direct and indirect costs to the organization.

Cost

Organizations are assuming more accountability for protecting the data and information of others. Personal information, consumer information, competitive data, etc. account for the majority of the information stored by businesses. The responsibility of the organization's system is to sustain the privacy and security of that information. This has resulted in more governmental regulation of organizations' systems. Several national and international regulations such as NIST, SOX, and GDPR provide guidelines, best practices, and penalties for businesses that store data electronically. Regulations may vary according to industry, country, or state. However, there are common practices which stand in a court of law, and if a business has not adopted these guidelines and is breached, the business is held liable for the information in its possession.

Allegations and lawsuits follow data breaches, leading to direct financial costs, loss of reputation, and other indirect costs to the business. The direct cost of compromised data is the economic loss to a business. One organization noted a 5% increase in mobile procurement and management due to breaches. (Constantin, March 2019 "One in Three Organizations Suffered Data Breaches Due to Mobile Devices")

In 2019 over 53.8 billion global files were analyzed from 785 organizations by Varonis Data Lab. Within the United States 1.15% of those files were analyzed (~618.7 million), averaging 156,023 exposed of sensitive data. If each exposed business deploys at least one mobile device, its chances of a data breach are increased by 1%.

Small to medium businesses make up a significant portion of the United States economic market. The cost of data breaches has immobilized and devastated businesses beyond repair. Reports from Ponemon 2019 indicate that the cost per record for organizations with 500 to 1,000 employees is estimated at approximately $3,533 vs. $204 per employee for large corporations with 25,000 or more employees. Therefore, the cost of a breach is significantly larger for smaller organizations due to their smaller capital income and budgets. The total cost of a data breach in the United States is approximately $8.19 M.

The top five most targeted industries throughout the globe analyzed by Ponemon include Health, Financial, Energy, Industrial, and Pharmaceuticals. Assuming each industry contains at least one employee with mobile access to a device, more risk liability is assumed by the business. Attackers strategically target these devices with one aim in mind: to exploit available weaknesses in numerous ways.

Depending on the type of mobile device platform and software, attackers exploit the associated weaknesses with one goal in mind: compromising important information. Protecting data is becoming a key purpose not only of large corporations, but of small and medium businesses as well. Each compromised data record is associated with an industry. Breached records bring not only costs and lawsuits, but also replacement of equipment, enhanced security, training, customer notification, man hours, loss of branding and loss of customers and clientele. As a result, a business incurs a long-term deficit over time.

With devices so small they can fit in the palm of your hand, society has adapted to a more convenient manner of communication. However, this makes them an attractive source for both "good" and "evil". The "good" includes access to an abundant number of resources, transferable information, sharing of business plans, academic research, and many other conveniences. The "evil" includes unapproved transfer of information, stolen credit and banking information, unexpected costs, an influx of lawsuits, loss of business and many other negative outcomes. The most effective way of overcoming evil is to provide the public with illuminating and knowledgeable information.