Mobile Security Threats: What You Need To Know For SOC 2

As the sophistication and volume of mobile security threats increase, mobile device users and mobile application developers need to be vigilant and stay on top of emerging mobile security threats in order to protect their sensitive data and reputation. This blog delves into some common mobile security threats and what actions may be taken to mitigate the risk of being a cybercrime victim.

What are Mobile Device Security Threats?

Mobile device security threats, also known as mobile device attacks, refer to the security risks associated with mobile devices. These include security threats relating to the loss, corruption, or theft of sensitive data on or through the mobile device or the loss or theft of the mobile device itself. A System and Organization Controls (SOC) 2 examination highlights activities that are expected to be in place to mitigate many of these threats. A combination of controls helps to mitigate the risk of mobile security events.

What are Common Mobile Device Threats?

Mobile device security threats are rising as individuals continue to work remotely and the boundaries between work and home life become blurred. For this reason, cybercriminals target mobile devices, such as personal computers (PCs), smartphones, and tablets, to extract sensitive information, primarily for financial gain.

Unsecured Wi-Fi

Free public Wi-Fi is nice and convenient but may come at an unexpected cost if someone is spying on your activity. Man-in-the-middle attacks may eavesdrop on your communications or modify the data being transmitted. Additionally, a nefarious individual may create a phony Wi-Fi hotspot to trick users into connecting to it in order to steal sensitive data.

SOC 2 guidance addresses the expectation that information is protected during transmission.

  • The best defense is to only connect to Wi-Fi access points that you trust and/or use a virtual private network (VPN) that encrypts your connection.
  • Never access sensitive information like banking, credit card, health information, or your Company’s sensitive data over public unsecured Wi-Fi.

Data Loss

Mobile applications are oftentimes the source of data leaks. When downloading mobile applications, users may grant more permissions than the application needs to function properly, which gives it access to their data, or they may inadvertently download malicious applications that install malware or spyware. Malware performs malicious activity on your device without your knowledge and may give an attacker control over your device. Spyware gathers sensitive information and monitors your activity on your device without your knowledge.

SOC 2 guidance includes expectations that the entity restricts transmission, movement, and removal of information to only authorized internal and external users.

  • Before downloading mobile applications, research the mobile application reviews to reduce the threat of downloading a malicious application.
  • Protect your data by limiting the permissions granted to mobile applications to only those required for it to function and by strengthening security controls on your mobile device to limit data that may be collected.
  • If the mobile application was free, consider if you, the user, may be the product.
  • Only download mobile applications from official stores like Google Play and the Apple App Store rather than third-party app stores. Applications in official stores are more likely to have been vetted, which reduces your risk of downloading a malicious mobile application.

Social Engineering / Phishing / Smishing

Getting suckered into clicking on a suspicious link or opening an attachment because it looks authentic remains one of the most successful tricks cybercriminals use to compromise your credentials, personal information, or Company’s sensitive data. Malware or spyware may be released that compromises your entire device and/or network. Various types of cyberattacks exist that fool their victims through email (phishing attacks), text messages (smishing attacks), social media, or voicemail. The victim’s sensitive information (e.g., passwords, account information, etc.) that can be used for financial gain is oftentimes what is targeted by the scammers.

SOC 2 provides the expectation that the entity internally communicates information necessary to support the functioning of internal control and implements controls to prevent or detect malicious software.

  • Before responding to an unusual request by clicking on a link or opening an attachment, verify the sender is legitimate or known to you and/or that it was something you were expecting. If in doubt, it’s best to not respond and to delete it instead.
  • Be sure to install a comprehensive antivirus and antimalware tool, keep it running in real-time, and maintain up-to-date definitions.
  • Security awareness training helps to keep personnel abreast of new tactics employed by cybercriminals and other security threats.

Operating Systems Not Updated

Operating systems that aren’t kept up to date on patching may expose the device to known vulnerabilities that can be exploited by cybercriminals. Cybercriminals may exploit these known weaknesses to gain unauthorized access to systems and sensitive data.

SOC 2 addresses the expectation that the entity implements controls to prevent or detect unauthorized or malicious software.

Weak Passwords

Hackers are hoping you employ poor password hygiene habits, making it easy for them to use password guessing or brute force to crack your password and gain unauthorized access to systems and sensitive data.

SOC 2 addresses the expectation that the entity implements logical access architectures over information assets to protect them from unauthorized access.

  • Utilizing strong passwords, with appropriate character length and complexity, is one of the first lines of defense for both your personal device and your work account.
  • Companies may also implement multi-factor authentication, a password manager tool, and/or an identity and access management (IAM) tool to help mitigate unauthorized access risk.
  • Implement unique passwords across your accounts so that if one password is compromised, other accounts won’t potentially be compromised as well.

Theft of Mobile Devices

A stolen or lost mobile device is a significant issue. In the wrong hands, the device may be compromised and sensitive personal and/or Company data may be at risk. Moreover, mobile device hardware is valuable and may be sold on the black market.

SOC 2 addresses the expectation that the entity restricts physical access to protected information assets.

  • Encryption should be enabled on mobile devices to protect data in the event the device is lost or stolen.
  • Session timeout should be enabled after a modest period of inactivity and require the user to provide their credentials to log back in.
  • Additionally, enabling the ability to remotely wipe data through the use of a mobile device management tool will allow data on the device to be promptly deleted should the need arise.

Are There Any Possible Threats of Using Mobile Apps?

Utilizing mobile applications may pose a threat if the mobile application is not properly vetted and appears legitimate but is actually spoofed – an imitation of the authentic application. Once downloaded, such applications may skim sensitive Company data from the mobile device and unleash malware or spyware that disrupts system operations. Additionally, if vulnerabilities within credible mobile applications are exploited, the vulnerability could be used to corrupt or steal sensitive data and wreak havoc on system operations, which can significantly harm a Company’s reputation and do untold damage.

What Are Some Common Security Threats for Mobile Applications?

To prevent data breaches, mobile application security is paramount. Writing secure code as enhancements and bug fixes are developed needs to be prioritized. Cybercriminals use fake or spoofed mobile applications to attack unsuspecting victims in an attempt to steal sensitive data for profit. Banking institutions and health service providers are frequent targets, with cybercriminals creating fake mobile applications that appear to be authentic.

Unsecured Data in Transit

When data is transmitted, cybercriminals may intercept the data by exploiting mobile security vulnerabilities such as an insecure connection.

SOC 2 guidance addresses the expectation that the entity protects information during transmission, movement, or removal.

  • Establishing a secure end-to-end encrypted data transmission connection utilizing strong industry-standard encryption algorithms will defend against malicious interception of data in transit.

Unsecured Data at Rest

Data breaches are costly events and may cause significant reputational damage. If a cybercriminal obtains access to the database, data may be extracted, or it may be blocked unless a ransom is paid, tying up the Company’s ability to maintain operations.

SOC 2 addresses the expectation that the entity implements logical access architectures over information assets to protect them from security events.

  • To protect your data, encrypt your data at rest and manage the encryption keys securely.
  • Only those individuals with a required business need should have access to the data. By limiting access to the data, the risk of a permission being abused is greatly reduced.
  • Remember to log out when finished using an application or moving away from a website.

Weak Firewall Rules

Firewall rules that are overly permissive may expose systems to nefarious attacks.

SOC 2 provides the expectation that the entity implements logical access security measures to protect against threats from sources outside its system boundaries.

  • Protect your systems by cleaning up old, outdated firewall rules.
  • Configure your firewall to deny all network access not specifically allowed by firewall rules to best protect your systems from nefarious attacks.

Poor Code & Configuration Quality

Lack of code and configuration quality may result in injection issues, lax data storage, weak encryption protocols, memory leaks, and other security issues.

SOC 2 addresses the expectation that the entity authorizes, develops, tests, and approves changes to configurations, software, data, and infrastructure.

  • Putting in place secure software development lifecycle policies and procedures may help to steer better practices for code quality within an organization.
  • Instituting peer reviews, automated testing, and static code analysis can help to identify issues before changes are released.
  • Hardening servers and monitoring systems for configuration changes help to block or quickly identify unauthorized system activity.
  • Implementing periodic vulnerability assessments and penetration tests helps to identify security risks to systems so that they may be remediated before they are exploited.

Weak Authentication Methodology

Brute force attacks take advantage of weak authentication methodologies that are in place and compromise system security potentially resulting in data loss or corruption.

SOC 2 addresses the expectation that logical access architectures over information assets are implemented to protect from security events.

  • The use of multi-factor authentication through one-time passcodes, security questions, or security tokens, etc. better enables the validation of users’ identity to restrict unauthorized access to the systems environment.
  • Additionally, user accounts should be locked after a specified number of failed login attempts to thwart brute force password guessing attacks.
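The lockout control described above, as an added example that is not part of the original post: a login gate that counts failed attempts per account within a sliding window and locks the account once the threshold is reached. The threshold, window, lockout duration, and the in-memory credential store are all constructed assumptions.

```python
"""Account lockout after repeated failed logins (added example, not the
original post's code). Assumes 5 failures within a 10-minute window trigger
a 15-minute lockout; the credential store is a constructed in-memory dict."""
import hashlib
import hmac
from collections import defaultdict

MAX_FAILURES = 5          # failed attempts allowed inside the window
WINDOW_SECONDS = 600      # sliding window in which failures are counted
LOCKOUT_SECONDS = 900     # how long the account stays locked

def _digest(password: str) -> bytes:
    # Constructed toy store; a real system uses a salted, slow KDF (e.g. scrypt).
    return hashlib.sha256(password.encode()).digest()

class LoginGate:
    def __init__(self, users: dict):
        self.users = users                  # account -> stored digest
        self.failures = defaultdict(list)   # account -> timestamps of failures
        self.locked_until = {}              # account -> time the lock expires

    def is_locked(self, account: str, now: float) -> bool:
        return self.locked_until.get(account, 0) > now

    def attempt(self, account: str, password: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked'. The lock is checked before the
        password so a locked account reveals nothing about the credential."""
        if self.is_locked(account, now):
            return "locked"
        stored = self.users.get(account)
        # Always run the comparison (against a dummy digest for unknown
        # accounts) so response timing does not reveal valid usernames.
        candidate = stored if stored is not None else _digest("")
        matched = hmac.compare_digest(candidate, _digest(password)) and stored is not None
        if matched:
            self.failures.pop(account, None)    # success resets the counter
            return "ok"
        # Record the failure and forget entries that fell outside the window.
        recent = [t for t in self.failures[account] if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures.pop(account, None)
            return "locked"
        return "denied"

def demo() -> list:
    # Constructed scenario: five wrong guesses, then the right password twice.
    gate = LoginGate({"alice": _digest("correct horse battery staple")})
    results = [gate.attempt("alice", f"guess{i}", now=1000 + i) for i in range(5)]
    results.append(gate.attempt("alice", "correct horse battery staple", now=1006))
    results.append(gate.attempt("alice", "correct horse battery staple", now=1006 + LOCKOUT_SECONDS))
    return results
```

Even the correct password is refused while the lock is active, which is the point: the guessing budget is exhausted before the secret can be found, and the lock expiry lets the legitimate user back in without administrator intervention.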

How Can We Prevent Mobile Security Threats?

Mobile security threats may be prevented largely by implementing the following:

  1. Keep your operating system up to date on patching.
  2. Install an antivirus and antimalware tool.
  3. Enable full-disk encryption.
  4. Enable session timeout after a modest period of inactivity.
  5. Use strong passwords.
  6. Use a VPN.

Summary

Mobile security threats aren’t going away. They will continue to be adapted and become more sophisticated over time by cybercriminals seeking new opportunities for financial gain as known vulnerabilities become mitigated. Therefore, setting up a defense-in-depth security approach is your best response to mitigate a variety of mobile security threats. System and Organization Controls (SOC) examinations provide an independent assessment of service organizations in their management of many of these mobile security threats.

For more information on SOC reporting requirements, contact us at Linford & Company. Our team of experienced professionals focuses on SOC 1 and SOC 2 assessments with service organizations located around the world.

This article was originally published on 8/24/2021 and was updated on 12/28/2022.