iPhone, iPad become apple of cyber criminals' eye

The more Apple devices are used in enterprises, the more attractive they become to cyber criminals

Apple devices -- ever more popular in the workplace -- are about to become more popular with cyber criminals.

That is one of a number of findings in security vendor Zscaler's Q1 State of the Web Report that should be unsettling to enterprises that permit employees to "bring your own device," or BYOD.

The biggest mobile targets of malware so far have been devices powered by Android, since it is in the widest use and is an open platform.

But that may change soon. Zscaler's report said in a survey covering 200 billion transactions, Apple iOS web traffic jumped from 40% in the last quarter of 2011 to 48% in the first quarter of 2012, surpassing Android, which dropped to 37%.

More iOS traffic means more Apple devices in use at enterprises, which is likely to make them more attractive to cyber criminals.


And a significant majority of enterprises allow BYOD: A survey released in April by the SANS Institute found that 61% of more than 500 companies surveyed allowed BYOD. A press release announcing the survey included as part of its headline: "Lack of awareness, chaos pervades with BYOD."

The so-called "consumerization of IT" is an apparently unstoppable trend. And most businesses don't want to stop it, because of the advantages that collaboration and social networking with mobile devices can bring to the enterprise. Still, increasing security threats could undermine those advantages.

Blake Turrentine, CEO of HotWAN and trainer at Black Hat, has been a penetration tester for more than 12 years. His continuing mantra is, "most everything you do on a smartphone can and may be monitored," although he does qualify that by saying he believes Apple iOS devices that are kept up to date with the latest firmware are relatively secure.

Rachel Ratcliff Womack, a vice president with the digital security firm Stroz Friedberg, told The Bottom Line's Herb Weisbaum on MSNBC that most people carry both business and personal information on their mobile devices. "It brings those two worlds together in a very convenient package for criminals to target," she said.

And the damage malware can do is the same as on other devices: steal personal information, drain bank accounts and spy on users.

"[Yet] users may view these devices as eminently secure, when in reality they are just waiting to receive more attention from cyber criminals," James Lyne, director of technology strategies at the online security firm Sophos, told Weisbaum.

In the face of these impending threats, multiple security surveys find both employees and employers appear to be relatively blase about them. SANS reported that only 9% of companies participating in its survey said they were "fully aware" of all the devices accessing their networks. Another 50% were "vaguely or fairly" aware. Nearly a third of the companies said they had no management policy for employee mobile devices.

Some of this may be inevitable. Turrentine says he doubts that enterprises can control their employees' personal devices. "Users control their own phones," he says, acknowledging that this is "a big [security] hole." The proliferation of smartphones, along with their ever-expanding capabilities, means "the attack surface is expanded," he says, noting that Apple devices are prized because of their cutting-edge functionality.

And he agrees that security is not the priority it should be at all levels -- users, enterprise leaders and the manufacturers themselves. The pressure on the makers of devices is not for better security but more functionality. "They're racing so fast to come up with more capabilities, because the mobile market is changing so rapidly," he says.

Meanwhile, Mike Geide, senior researcher at Zscaler ThreatlabZ, tells Network World that employees regularly try to bypass their companies' security policies, even using anonymous proxy servers to get to unauthorized web sites.

Turrentine says even relatively savvy smartphone users seem blissfully unaware of the ways they are exposing their confidential information. He says he visited a Verizon kiosk in a shopping mall and talked to some of the workers there who were doing things like, "downloading questionable third-party apps and also doing online banking."

The good news, he and others say, is that a solution is not terribly complicated. The best thing users can do is to make sure they have the latest versions of apps and the operating system of their device. Turrentine says the latest iOS is fairly secure, noting that it took the jailbreak community 10 months to break the iPad 2.

Beyond that, Lyne tells The Bottom Line that users should have a robust password, use encryption, and be very careful about what apps they install.

"Think before you download," he says.
