Study finds mobile devices can threaten corporate networks
Local security experts stress the importance of policies and updated hardware.
Local businesses might want to step up their security for mobile devices using corporate networks.
Duo Security, an Ann Arbor-based cloud-access security provider, recently released the findings of a research study that focused on the security of corporate networks. The study found un-patched and end-of-life devices that haven’t been upgraded present a big risk to network security.
The research was based on data taken from more than 150 countries.
“Most companies today would never allow un-patched personal computers on their networks. Yet there is a double standard when it comes to mobile devices," said Dug Song, CEO and co-founder of Duo Security.
“Personal mobile devices are now de facto corporate devices. So companies need to review their policies on software patching and updates to reflect this new world of ‘bring your own device to work.’
“Companies can secure their networks with two-factor authentication and a wide variety of other security solutions, but un-patched devices still create significant risk for enterprise IT departments and network security,” he said.
Here are the key findings of the survey:
- About half of Apple iPhone users are currently running outdated software (version iOS 8.3, released in April 2015, or earlier), leaving them exposed to several hundred documented vulnerabilities, including the Ins0mnia vulnerability that attackers can use to surreptitiously steal data from phones using hidden applications.
- Five days after the release of iOS 8.4.1, which addressed more than 70 documented critical vulnerabilities (including Quicksand and Ins0mnia), only 9 percent of the phones had been updated to the latest release of iOS software.
- 31 percent of iPhones are still using iOS 8.2 (released in March 2015) or an even older version of iOS, meaning they lack updates that address more than 160 known critical vulnerabilities, including a Masque Attack, where a malicious app can masquerade as a legitimate app.
- Of the 700 million-plus iPhones Apple has shipped since 2008, Duo Labs research suggests at as many as 20 million of these end-of-life iPhones may still be in service but cannot be updated to current versions of iOS. This leaves organizations exposed to literally thousands of vulnerabilities — many of the highest severity.
- On the Android platform, there are still significant security risks from the recently reported Stagefright vulnerability. It is estimated about 10 percent of Android devices remain exposed to this vulnerability because they are on older versions that are no longer being updated.
Local tech experts said they agreed with the findings.
Scott Montgomery, security practice manager at Grand Rapids-based Open Systems Technologies, said the concerns are real, although he would be interested in seeing how each of the 150 countries rated individually.
As far as local businesses are concerned, he advised businesses to never provide an unsolicited Wi-Fi network for employees’ personal use and to ask employees to keep phones and personal devices up to date.
“My initial thoughts deal with the fact that most corporations we deal with — roughly 100 per year — don’t allow personal cell phones on corporate production networks. They might provide a guest wireless network for employee phones, but they wouldn’t allow them on their production networks,” he said.
“Those phones are vulnerable; they (might not) expose corporate data, but they would hurt those individuals. … The article doesn’t say anything about whether a breached cell phone would allow access to corporate data. My argument is, that would be a risk to the employee, not the organization, unless it was providing a Wi-Fi network, but usually those networks are isolated.”
Any organization that is providing a non-isolated Wi-Fi network to be used by its employees would be at risk, he said. Companies under the constant scrutiny of audit pressure — such as banks, credit unions and hospitals — would be at less risk given the higher levels of security they need to have, but smaller businesses might not have that requirement.
“I see potential corporate data could be lost, but most people are not using those phones to access corporate data; they’re using it for personal use. I don’t see it causing major security issues. It could happen, but it’s not the major issue,” he said.
“Real estate companies have many personal laptops and computers. … Organizations like that have to really have more robust management processes to make sure devices are up to date.”
Ryan Leestma, owner of Grand Rapids-based ISI, said the biggest security issue isn’t just hackers — it’s a con man.
“The easiest way to break into a company’s network or to steal their data is not by hacking their network. The easiest way is social engineering,” he said.
“If I put on a blue uniform that has the badge from an elevator company or a maintenance worker, you would be shocked at where you can gain access.”
It might be tedious for a business to spend 80 to 160 hours writing up a policy about digital security, but it needs to happen, Leestma said.
The problem with security breaches is that no one knows what’s happened until it’s too late. “Like we’re not putting locks on our front and back doors, and we don’t even know someone stole the food out of our fridge,” said Leestma.
Any company with intellectual property related to trade secrets is a target, he said.
“The number one thing you have to do first is come up with a policy. There are policies available off the shelf, and you can even find them on the Internet. The Department of Defense has a number of books that have essentially created a standard for (it),” he said.
“The second step is play to the policy. Come up with a plan to implement it, and part of that plan is going to include educating your people … and setting a standard for what types of devices can be used, what type of encryptions are in place, what type of recovery methods are available and what tools you put on your network. And I recommend that anything technical, you have a technical expert be employed.”
The issues aren’t confined to Apple products, Montgomery said.
“Under most circumstances, an iPhone is going to be more secure than an Android. The issue comes from the fact that in the Android model, anyone can publish an application to be downloaded … and there’s’ been a lot of articles written about flashlight applications,” Montgomery said.
“Because an Android doesn’t have to go through as high a level of scrutiny through Google … it’s downloading at your own risk. Apple has to approve every application that goes to its store.”