Prognosticators have led the industry to believe that mobile threats are “overblown” and don’t require our focus for another year or two. While it’s true, as Verizon states in their widely-referenced DBIR, that “the overall number of exploited security vulnerabilities across all mobile platforms is negligible”, that observation misses the point: leaked mobile data can provide all the data needed for a successful spear phishing or watering hole attack.
Let’s ask ourselves: Why is it that phishing attacks have increased by 38 percent overall in Q2 2015? That’s a 38% increase in one quarter. What data are attackers using to enable them to craft increasingly sophisticated spoofed emails in ever-larger numbers? Could it be that the “digital exhaust” of mobile usage creates a treasure trove of information—calendars, contacts, call logs, location info, and data stored in clouds—from which an attacker can write “more highly targeted and powerful threats” at scale?
According to FBI Director James Comey, “There are two kinds of big companies in the United States. There are those who’ve been hacked…and those who don’t know they’ve been hacked.” There’s no reason to believe that the ad networks, marketing frameworks and other companies that gather mobile data would be exempt from this dictum. It’s only prudent to assume that mobile data is “in the wild”, and available to miscreants who would attack our corporate infrastructures.
Here is security’s dirty little secret: Leaked mobile data represents an exponential increase in the enterprise attack surface. While it’s true that we’ve seen no headlines reporting a direct attack on corporate servers from an iPhone or Android device, it hardly follows that there’s no threat from mobile.