As the sophistication and volume of mobile security threats increase, mobile device users and mobile application developers need to be vigilant and stay on top of emerging mobile security threats in order to protect their sensitive data and reputation. This blog delves into some common mobile security threats and what actions may be taken to mitigate the risk of being a cybercrime victim.
What are Mobile Device Security Threats?
Mobile device security threats, also known as mobile device attacks, refer to the security risks associated with mobile devices. These include security threats relating to the loss, corruption, or theft of sensitive data on or through the mobile device or the loss or theft of the mobile device itself. A System and Organization Controls (SOC) 2 examination highlights activities that are expected to be in place to mitigate many of these threats. A combination of controls helps to mitigate the risk of mobile security events.
What are Common Mobile Device Risks?
Mobile device security threats are rising as individuals continue to work remotely and the boundaries between work and home life become blurred. For this reason, cybercriminals target mobile devices, such as personal computers (PCs) and smartphones, to extract sensitive information primarily for financial gain.
Unsecured Wi-Fi – Free public Wi-Fi is nice and convenient, but may come at an unexpected cost if someone is spying on your activity. Additionally, a nefarious individual may create a phony Wi-Fi hotspot to trick users into connecting to it in order to steal sensitive data.
SOC 2 guidance addresses the expectation that information is protected during transmission.
- The best defense is to only connect to Wi-Fi access points that you trust and/or use a virtual private network (VPN) that encrypts your connection.
- Never access sensitive information like banking, credit card, health information, or your Company’s sensitive data over public unsecured Wi-Fi.
Data Loss – Mobile applications are often the source of data leaks. When installing mobile applications, users may grant more permissions than the application needs to function, which gives it access to their data, or they may inadvertently install malicious applications that deliver malware or spyware.
SOC 2 guidance includes expectations that the entity restricts transmission, movement, and removal of information to only authorized internal and external users.
- Before downloading mobile applications, research the mobile application reviews to reduce the threat of downloading a malicious application.
- Protect your data by limiting the permissions granted to mobile applications to only those required and by strengthening security controls on your mobile device to limit data that may be collected.
- If the mobile application was free, consider if you, the user, may be the product.
- Only download mobile applications from official stores like Google Play and the Apple App Store rather than third-party app stores. Applications in official stores are more likely to have been vetted, which reduces the risk of downloading a malicious application.
Social Engineering / Phishing – Being tricked into clicking a suspicious link or opening an attachment because it looks authentic remains one of the most successful methods cybercriminals use to compromise your credentials, personal information, or Company’s sensitive data. Malware may be released that compromises your entire device and/or network. Various phishing attacks fool their victims through email, text messages, or voicemail. Scammers target the victim’s sensitive data because it can be used for financial gain.
SOC 2 provides the expectation that the entity internally communicates information necessary to support the functioning of internal control and implements controls to prevent or detect malicious software.
- Before responding to an unusual request by clicking or opening an attachment, verify the sender is legitimate or known to you and/or that it was something you were expecting. If in doubt, it’s best to not respond and to delete it instead.
- Be sure to install an antivirus tool, keep it running in real-time, and maintain up-to-date virus definitions.
- Security awareness training helps to keep personnel abreast of new tactics employed by cybercriminals and other security threats.
Operating Systems Not Updated – Operating systems that aren’t kept up to date with patches expose the device to known vulnerabilities, which cybercriminals may exploit to gain unauthorized access to systems and sensitive data.
SOC 2 addresses the expectation that the entity implements controls to prevent or detect unauthorized or malicious software.
- Patches are made available periodically as vulnerabilities become known and are fixed. However, these operating system patches need to be installed to be effective.
- Companies may utilize a mobile device management (MDM) tool to push these operating system updates automatically to the managed device.
Weak Passwords – Hackers are hoping you practice poor password hygiene, making it easy for them to guess or brute force your password in order to gain unauthorized access to systems and sensitive data.
SOC 2 addresses the expectation that the entity implements logical access architectures over information assets to protect them from unauthorized access.
- Using strong passwords, with appropriate character length and complexity, is one of your first lines of defense for both your personal device and your work account.
- Companies may also implement multi-factor authentication, a password manager tool, and/or an identity and access management tool to help mitigate unauthorized access risk.
Theft of Mobile Device – A stolen or lost mobile device is a significant issue. In the wrong hands, the device may be compromised and sensitive personal and/or Company data may be at risk.
SOC 2 addresses the expectation that the entity restricts physical access to protected information assets.
- Encryption should be enabled on mobile devices to protect data in the event the device is lost or stolen.
- Session lockout should be enabled after a modest period of inactivity and require login to get back in.
- Additionally, enabling the ability to remotely wipe data will allow data on the device to be promptly deleted.
Are There Any Possible Threats of Using Mobile Apps?
Using mobile applications may pose threats if an application is not properly vetted: it may appear legitimate but actually be spoofed, that is, an imitation of the authentic application. Once downloaded, such applications may skim sensitive Company data from the mobile device and unleash spyware or malware that disrupts system operations. Additionally, if vulnerabilities within credible mobile applications are exploited, they could be used to corrupt or steal sensitive data and wreak havoc on system operations, which can significantly harm a Company’s reputation and do untold damage.
What Are Some Common Security Threats for Mobile Applications?
To prevent data breaches, mobile application security is paramount. Writing secure code as enhancements and bug fixes are developed needs to be prioritized. Cybercriminals use fake or spoofed mobile applications to attack unsuspecting victims in an attempt to steal sensitive data for profit. Banking institutions and health service providers are common targets for cybercriminals who create fake mobile applications that appear to be authentic.
Unsecured Data in Transit – When data is transmitted, cybercriminals may intercept the data by exploiting mobile security vulnerabilities such as an insecure connection.
SOC 2 guidance addresses the expectation that the entity protects information during transmission, movement, or removal.
- Establishing a secure data transmission connection utilizing strong industry-standard encryption ciphers will defend against malicious interception of data in transit.
Unsecured Data at Rest – Data breaches are costly events and may cause significant reputational damage. If a cybercriminal obtains access to the database, data may be extracted, or it may be blocked unless a ransom is paid, tying up the Company’s ability to maintain operations.
SOC 2 addresses the expectation that the entity implements logical access architectures over information assets to protect them from security events.
- To protect your data, encrypt your data at rest and manage the encryption keys securely.
- Only those individuals with a required business need should have access to the data. By limiting access to the data, the risk that a granted permission is abused is greatly reduced.
Weak Firewall Rules – Firewall rules that are overly permissive may expose systems to nefarious attacks.
SOC 2 provides the expectation that the entity implements logical access security measures to protect against threats from sources outside its system boundaries.
- Protect your systems by cleaning up old, outdated rules.
- Configure your firewall to deny all network access not specifically allowed by firewall rules to best protect your systems from nefarious attacks.
Poor Code & Configuration Quality – Lack of code and configuration quality may result in injection issues, lax data storage, weak encryption protocols, memory leaks, and other security issues.
SOC 2 addresses the expectation that the entity authorizes, develops, tests, and approves changes to configurations, software, data, and infrastructure.
- Putting in place system development lifecycle policies and procedures may help to steer better practices for code quality within an organization.
- Instituting peer reviews, automated testing, and static code analysis can help to identify issues before changes are released.
- Hardening servers and monitoring systems for configuration changes help to block or quickly identify unauthorized system activity.
- Implementing periodic vulnerability assessments and penetration tests helps to identify security risks to systems so that they may be remediated before they are exploited.
Weak Authentication Methodology – Brute force attacks take advantage of weak authentication methodologies and compromise system security, potentially resulting in data loss or corruption.
SOC 2 addresses the expectation that logical access architectures over information assets are implemented to protect from security events.
- The use of multi-factor authentication (one-time passcodes, security questions, security tokens, etc.) better validates users’ identities and restricts unauthorized access to the systems environment.
- Additionally, user accounts should be locked after a specified number of failed login attempts to thwart brute force password guessing attacks.
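The failed-attempt lockout described above, as an added example that is not part of the original post: a small in-memory login guard that counts failed attempts per account, locks the account for a fixed period once the threshold is reached, and rejects attempts (even correct ones) while locked. The threshold, lockout duration and the injected clock are assumed values chosen for the demonstration.

```python
"""Account lockout after repeated failed logins (added example, not the blog's own code).

The store is a constructed in-memory dict and the clock is passed in explicitly so
the behaviour can be demonstrated without a database or real time passing.
"""
from dataclasses import dataclass, field


@dataclass
class LoginGuard:
    max_failures: int = 5           # failed attempts allowed before lockout (assumed)
    lockout_seconds: int = 900      # how long the account stays locked (assumed)
    _failures: dict = field(default_factory=dict)      # user -> consecutive failures
    _locked_until: dict = field(default_factory=dict)  # user -> unlock timestamp

    def is_locked(self, user: str, now: float) -> bool:
        """True while a lockout is in force; an expired lockout is cleared here."""
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[user]   # lockout expired: start counting afresh
            self._failures[user] = 0
            return False
        return True

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Process one login attempt; returns 'ok', 'denied' or 'locked'."""
        if self.is_locked(user, now):
            return "locked"                # refuse without evaluating the password
        if password_ok:
            self._failures[user] = 0       # a successful login resets the counter
            return "ok"
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            return "locked"
        return "denied"


def simulate_guessing(guard: LoginGuard, user: str, guesses: int) -> list:
    """Constructed brute-force run: `guesses` wrong passwords one second apart."""
    return [guard.attempt(user, False, float(t)) for t in range(guesses)]
```

Because a lockout can also be used to lock a legitimate user out of their own account, it is best paired with the multi-factor authentication the post recommends rather than relied on alone.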
How Can We Prevent Mobile Security Threats?
Mobile security threats may be prevented largely by implementing the following:
- Keep your operating system up to date.
- Enable an antivirus tool.
- Enable full-disk encryption.
- Enable session lockout after a modest period of inactivity.
- Use strong passwords.
- Use a VPN.
See our article related to mobile device management for remote workforce security for more information.
Mobile security threats aren’t going away. They will continue to be adapted and become more sophisticated over time by cybercriminals seeking new opportunities for financial gain as known vulnerabilities become mitigated. Therefore, setting up a defense-in-depth security approach is your best response to mitigate a variety of mobile security threats. System and Organization Controls (SOC) examinations provide an independent assessment of service organizations in their management of many of these mobile security threats.
For more information on SOC reporting requirements, contact us at Linford & Company. Our team of experienced professionals focuses on SOC 1 and SOC 2 assessments with service organizations located around the world.
Becky McCarty (CPA, CISA, CRISC, CIA, CFE) specializes in SOC 1 and SOC 2 examinations for Linford & Co., LLP. She completed her Master’s degree in Information Systems in 1996, started working with KPMG in 1999, and joined Linford & Co., LLP in 2018. She works closely with clients so that the examinations are performed efficiently and with minimal disruption while ensuring performance in accordance with professional guidance. She enjoys helping clients successfully achieve the requirements for their SOC audit reports based on their applicable trust services criteria.