Are some reading the Verizon breach report's mobile section all wrong?

"Mobile malware is not a problem." "Enterprises, ignore mobile threats; they're not there." "You're more likely to be struck by lightning than by mobile malware."

These are the headlines I've heard some very influential and very important industry leaders repeat as the result of Verizon's recent breach report. Frankly, I don't think that many in the industry are actually reading what this report says: mobile is an issue, we can't ignore it, and enterprises need visibility and control now.


The report clearly highlights that malware infections are low, but it also shows two issues with direct impact on consumers and enterprises alike: vulnerabilities and data leakage.


Mobile threats are more than just malware.

According to the Verizon report, "more than five billion downloaded Android apps are vulnerable to remote attacks. One significant vulnerability is known as JavaScript-Binding-Over-HTTP (JBOH), which enables an attacker to execute code remotely on Android devices that have affected apps."

The Verizon report also notes that 80 percent of EnPublic apps, or those distributed through enterprise provisioning profiles, "invoke risky private APIs that are also in violation of Apple's Developer guidelines. In the wrong hands, these APIs threaten user privacy and introduce many vulnerabilities."

Vulnerabilities are concerning no matter what platform they affect, but many times people make the mistake of brushing them off as unimportant if they're not actively being exploited. FireEye recently released research showing that "150 million downloads of Android apps contain OpenSSL libraries vulnerable to Heartbleed" as of April 2015, nearly a year after the vulnerability was announced.

Once you have vulnerabilities, it's just a matter of time before vulnerabilities like the ones mentioned above could be used as a launching point for network attacks.

Data leakage

The example Verizon uses to describe malware threats is "adnoyance" or adware. Adware, as Verizon directly states, "aggressively collects personal information from the mobile device it's installed on, including name, birth date, location, serial number, contacts, and browser bookmarks. Often, this data is collected without users' consent."

From a consumer perspective, adware takes information without their knowledge and could sell it, store it improperly, or otherwise mishandle their data.

By default, if you're an enterprise that supports BYOD, this kind of "annoying threat" should sound alarms. The fact that contacts and personally identifiable information are taken puts your employees and your proprietary secrets, your competitive edge, at risk.

Visibility and control

Verizon is right -- mobile malware is not an enterprise's top priority, but a mobile device is not a semi-secure piece of technology to be put in a drawer and worried about later. Verizon says it itself:

"We are not saying that we can ignore mobile devices; far from it. Mobile devices have clearly demonstrated their ability to be vulnerable. ... When it comes to mobile devices on your network, the best advice we have is to strive first for visibility and second for control. Visibility enables awareness, which will come in handy when the current landscape starts to shift. Control should put you into a position to react quickly."


Honestly, I think Verizon is spot-on. Have we not learned anything from the history of Internet security? We are ahead of the game with mobile and I don't think there's a person in security who would say it won't be an issue in the future.

Security is not an "if" game, it's a "when" game. An enterprise's visibility into its mobile stack will only strengthen its security suit of armor. Without insight into mobile there can be no effective action when the attack comes.

So, in saying "there's no mobile malware," or "mobile isn't a problem," many are missing the point. I encourage you to actually read the report for yourself.

Shumard is a principal at Shumard and Associates, LLC and a former Cigna CISO.


Stories by Craig Shumard
