Posts from the ‘Verizon Mobile Security Index 2018 Report ’ Category

May 13

How To Secure Mobile Devices In A Zero Trust World

86% of enterprises are seeing mobile threats growing the fastest this year, outpacing other threat types.
48% say they’ve sacrificed security to “get the job done” up from 32% last year.
41% of those affected say the compromise is having major with lasting repercussions and 43% said that their efforts to remediate the attacks were “difficult and expensive.”

Bottom Line: The majority of enterprises, 67%, are the least confident in the security of their mobile assets than any other device or platform today according to Verizon’s Mobile Security Index 2019.

Why Mobile Devices Are the Fastest Growing Threat Surface Today

Verizon found that 86% of enterprises see an upswing in the number, scale, and scope of mobile breach attempts in 2019. When broken out by industry, Financial Services, Professional Services, and Education are the most commonly targeted industries as the graphic below shows:

The threat surfaces every organization needs to protect is exponentially increasing today based on the combination of employee- and company-owned mobile devices. 41% of enterprises rate mobile devices as their most vulnerable threat surface this year:

Passwords and Mobile Devices Have Become A Hacker’s Paradise

“The only people who love usernames and passwords are hackers,” said Alex Simons, corporate vice president at Microsoft’s identity division in a recent Wall Street Journal article, Username and Password Hell: Why the Internet Can’t Keep You Logged In. Verizon found that mobile devices are the most vulnerable, fastest-growing threat surface there is, making it a favorite with state-sponsored and organized crime syndicates. How rapidly mobile devices are proliferating in enterprises today frequently outpace their ability to secure them, falling back on legacy Privileged Access Management (PAM) approaches that hacking syndicates know how to get around easily using compromised passwords and privileged access credentials. Here’s proof of how much of a lucrative paradise it is for hackers to target passwords and mobile devices first:

With just a single set of legitimate Office 365 access credentials, hackers can initiate spear phishing attacks from within the organization, stealing valuable customer data and initiating illegal wire transfers. Microsoft is the most phished brands in the world, due to the global popularity of Office 365. Just a single set of access credentials obtained can lead to hackers extracting a financial payback via wire transfers, gift cards, ransoms, and more.
42% of financial services companies suffered a compromise that involved a mobile device this year, with 87% classifying the event as “major.” Verizon found financial services companies are the most likely to be hacked on mobile devices, with 58% of the breach attempts being major with lasting repercussions:

Hacker’s favorite way to gain access to any business is by using privileged access credentials, which are increasingly being harvested from cellphones using malware. Hacking organizations would rather walk in the front door of any organizations’ systems rather than expend the time and effort to hack in. It’s by far the most popular approach with hackers, with 74% of IT decision makers whose organizations have been breached in the past say it involved privileged access credential abuse according to a recent Centrify survey, Privileged Access Management in the Modern Threatscape. Only 48% of the organizations have a password vault, and just 21% have multi-factor authentication (MFA) implemented for privileged administrative access. The Verizon study found that malware is the most common strategy hackers use to gain access to corporate networks. MobileIron’s Global Threat Report, mid-year 2018 found that 3.5% of Android devices are harboring known malware. Of these malicious apps, over 80% had access to internal networks and were scanning nearby ports. This suggests that the malware was part of a larger attack.

Securing Mobile Devices In A Zero Trust World Needs To Happen Now

Mobile devices are an integral part of everyone’s identity today. They are also the fastest growing threat surface for every business – making identities the new security perimeter. Passwords are proving to be problematic in scaling fast enough to protect these threat surfaces, as credential abuse is skyrocketing today. They’re perennial best-sellers on the Dark Web, where buyers and sellers negotiate in bitcoin for companies’ logins and passwords – often with specific financial firms, called out by name in “credentials wanted” ads. Organizations are waking up to the value of taking a Zero Trust approach to securing their businesses, which is a great start. Passwords are still the most widely relied-on security mechanism – and continue to be the weakest link in today’s enterprise security. That needs to change. According to the Wall Street Journal, the World Wide Web Consortium has recently ratified a standard called WebAuthN, which allows websites to authenticate users with biometric information, or physical objects like security keys, and skip passwords altogether.

MobileIron is also taking a unique approach to this challenge by introducing zero sign-on (ZSO), built on the company’s unified endpoint management (UEM) platform and powered by the MobileIron Access solution. “By making mobile devices your identity, we create a world free from the constant pains of password recovery and the threat of data breaches due to easily compromised credentials,” wrote Simon Biddiscombe, MobileIron’s President and Chief Executive Officer in his recent blog post, Single sign-on is still one sign-on too many. Simon’s latest post MobileIron: We’re making history by making passwords history, provides the company’s vision going forward with ZSO. Zero sign-on eliminates passwords as the primary method for user authentication, unlike single sign-on, which still requires at least one username and password. MobileIron paved the way for a zero sign-on enterprise with its Access product in 2017, which enabled zero sign-on to cloud services on managed devices.

Conclusion

Mobile devices are the most quickly proliferating threat surface there are today and an integral part of everyone’s identities as well. Thwarting the many breach attempts attempted daily over mobile devices and across all threat surfaces needs to start with a solid Zero Trust framework. MobileIron’s introduction of zero sign-on (ZSO) eliminates passwords as the method for user authentication, replacing single sign-on, which still requires at least one username and password. ZSO is exactly what enterprises need to secure the proliferating number of mobile devices they rely on to operate and grow in a Zero Trust world.

Jul 1

Analytics Are Empowering Next-Gen Access And Zero Trust Security

Employee identities are the new security perimeter of any business.

80% of IT security breaches involve privileged credential access according to a Forrester study. According to the Verizon Mobile Security Index 2018 Report, 89% of organizations are relying on just a single security strategy to keep their mobile networks safe. And with Gartner predicting worldwide security spending reaching $96B this year, up 8% from 2017, it’s evident enterprises must adopt a more vigilant, focused strategy for protecting every threat surface and access point of their companies. IT security strategies based on trusted and untrusted domains are being rendered insufficient as hackers camouflage their attacks through compromised, privileged credentials. It’s happening so often that eight in ten breaches are now the result of compromised employee identities.

Thus, taking a Zero Trust Security (ZTS) approach to ensure every potential threat surface and endpoint, both within and outside a company, is protected, has become vital in today’s dynamic threat landscape. ZTS is an essential strategy for any digital business whose perimeters flex in response to customer demand, are using the Internet of Things (IoT) sensors to streamline supply chain and production logistics, and have suppliers, sales teams, support, and services all using mobile apps. ZTS begins with Next-Gen Access (NGA) by providing companies with the agility they need to secure applications, devices, endpoints, and infrastructure as quickly as needed to support company growth. Both NGA and ZTS are empowered by analytics to anticipate and thwart a wide variety of cyber threats, the most common of which is compromised credential access.

How NGA Leverages Analytics to Secure Every Endpoint

NGA validates every access attempt by capturing and quickly analyzing a wide breadth of data including user identity, device, device operating system, location, time, resource request, and several other factors. As NGA is designed to verify every user and access attempt, it’s foundational to attaining Zero Trust Security across an IT infrastructure. One of the fascinating areas of innovation in enterprise security today is the rapid adoption of analytics and machine learning for verifying users across diverse enterprise networks. NGA platforms calculate and assign a risk score to every access attempt, determining immediately if verified users will get immediate access to resources requested, or be asked to verify their identity further through Multi-Factor Authentication (MFA).

Machine learning-based NGA platforms including Centrify calculate a risk score that quantifies the relative level of trust based on every access attempt across an IT infrastructure. NGA platforms rely on machine learning algorithms to continuously learn and generate contextual intelligence that is used to streamline verified user’s access while thwarting many potential threats ― the most common of which is compromised credentials. IT security teams can combine the insights gained from machine learning, user profiles, and contextual intelligence to fine-tune the variables and attributes that calculate risk scores using cloud-enabled analytics services. An example of Centrify’s Analytics Services dashboard is shown below:

Visibility and Analytics are a Core Pillar of ZTS

Analytics, machine learning and their combined potential to produce contextual intelligence, real-time risk scores, and secure company perimeters to the individual access attempt level need a continual stream of data to increase their accuracy. Forrester’s Zero Trust Framework, shown below, illustrates how an enterprise-wide ZTS security strategy encompasses workloads, networks, devices, and people. NGA is the catalyst that makes ZTS scale into each of these areas. It’s evident from the diagram how essential visibility and analytics are to a successful ZTS strategy. NGA provides incident data including reports of anomalous or atypical login and attempted resource behavior. Visibility and analytics applications from IBM, Splunk, Sumologic, and others are relied on to aggregate the data, anticipating and predicting breaches and advanced attacks. The result is a ZTS security strategy that begins with NGA that flexes and scales to the individual perimeter level as a digital business grows.

Source: What ZTX Means For Vendors And Users, Forrester Research Blog, January 23, 2018., Chase Cunningham, Principal Analyst.

Conclusion

Every company, whether they realize it or not, is in a race against time to secure every threat surface that could be compromised and used to steal or destroy data and systems. Relying on yesterday’s security technologies to protect against tomorrow’s sophisticated, well-orchestrated threats isn’t scaling. Reading through the Verizon Mobile Security Index 2018 Report illustrates why Zero Trust Security is the future. Improving visibility throughout the network and reducing the time to breach detection, stopping malware propagation and reducing the scope and cost of internal and regulatory-mandated compliance requirements are just a few of the business benefits. Analytics and machine learning are the fuel enabling NGA to scale and support ZTS strategies’ success today.