The RAS team recently came up with the idea to go over some general cybersecurity topics at the ten-thousand-foot level as part of our “Back to the Basics” series. Something that impacts 99.99% of our readers is mobile device security, so we wanted to take a moment to talk about why we need good mobile device security practices and provide some ideas for putting them in place.

This week, I was reading yet another article on a cybersecurity attack campaign called “Dark Caracal,” directed, for the most part, against Android mobile devices. Those of you who watch PBS’s Wild Kratts will know that’s an odd homage to a wild cat native to Africa and central Asia, but you will all find yourselves in good company if you’re left scratching your head about the name. A report on the campaign was released by EFF and Lookout last week that described the attack process and what devices were found to be targets of the attack. The researchers found that the attack involved a social engineering component to entice targets to download malicious apps designed to look like the real thing, with malware attached. Once targets downloaded the apps, the group behind the attack was able to gather personal information about them, “listen in” on messages, and steal password information.


There are all sorts of attacks just like the one I mentioned above, but they tend to be on a smaller scale and get less attention. However, with the exponential increase in our use of mobile devices to conduct personal and business affairs, small-scale attacks can be just as devastating to individuals and organizations. With that in mind, I wanted to suggest some ways to practice good mobile device security:

  • Protect your phone with a passcode or biometrics. This one is really easy to do and doesn’t require much know-how. Just remember to change your passcode periodically; much like passwords, passcodes don’t have an indefinite shelf-life.
  • Enable encryption on your device if it doesn’t already come enabled. Most iPhones and Androids come encrypted now, and you only need to add a passcode, but older phones will need to be manually encrypted in the phone settings.
  • Update your device as soon as updates become available. Device manufacturers are usually aware of issues and vulnerabilities in their devices before the general public, and they address those through the periodic updates they release. So next time you see a notification pop up that an update is available, connect your device to a power source and accept the update. A lot of devices have an option to accept the update when it pops up but to delay the install until later, so you can accept the update, plug the device in before you go to bed, and let it do its thing.
  • Turn services off that you aren’t actively using. Bluetooth, location services, and personal hotspots can be great, but turn them off when you aren’t using them so they don’t end up exposing you unnecessarily.
  • Use public Wi-Fi with caution. I wrote about the recent “Krack Attack” in my last article, and this harkens back to that. Even public Wi-Fi that’s password-protected could still be risky, even more so because an attacker could get close enough to a public Wi-Fi router to successfully deploy a “Krack Attack” on it. If you need to use a public Wi-Fi for some reason, download a trustworthy VPN tool to provide some protection for your network activities.
  • Download apps only from trusted sources. This is less of a concern for iPhone users, since Apple keeps a pretty tight rein on where iPhone users can purchase apps, and Android device users have a comparable source (Google Play) for downloading apps. If you choose to download apps from other sources, you should thoroughly research those sources to determine how risky those downloads might be.
  • Install anti-malware on your phone. When we think of anti-virus/anti-malware tools, we tend to think of them only in connection with our larger computing devices, but there are a number of tools out there that can be downloaded to phones.
  • Use a customizable Mobile Device Management (MDM) tool. This really applies to organizations that allow their employees to access their e-mail from their own, or organization-owned, devices. Once you’ve installed an MDM tool, make sure you have it configured based on industry best practices (requires passcode, wipes after a certain number of failed logins, forces phone encryption if the phone isn’t already encrypted, etc.).

Based on what we’ve been seeing in the news and in the industry in general, attacks targeted specifically at mobile devices are on the rise and are only going to grow more sophisticated. Taking steps to protect your mobile devices now makes it less likely you’ll be dealing with a data breach from this threat vector later.


About the Author

Laura is a Manager with YHB and serves on the Risk Advisory Services Team. Laura focuses on assisting organizations in a variety of industries with IT-related audit and consulting services.
