ESG's Dave Gruber discusses email and other security challenges for employees using their mobile devices. This is Part 1 of 2.
Watch part 2 of this series:
Dave: Hi. I'm Dave Gruber, ESG Senior Analyst. Today we're going to be talking about email security in our continuing series. A little bit different format today as we're recording from our homes during this rather interesting time. So we hope that the format works out okay. Today we're going to be talking about securing mobile devices.
And we're going to be learning about the mobile threat landscape together with why it's so important that organizations have a strategy to protect their data and their applications access through mobile devices. I'm joined today by Aaron Cockerill, Chief Strategy Officer for Lookout Security. Thanks so much for joining us today, Aaron.
Aaron: Thank you.
Dave: Let's start by helping our viewers better understand how mobile devices differ from typical endpoint devices and why mobile devices require specialized security strategies?
Aaron: Mobile devices are different from a security standpoint for a number of reasons. The first and the most obvious is that mobile devices typically connect directly to the Internet themselves. So like your cellular phone, it connects directly to your carriers' network. That means that the mobile device is outside of the typical perimeter protections that are resident in most companies such as a secured web gateway, firewall, secured email gateways and so on.
Mobile devices typically use apps rather than the browser to access typical productivity and other SaaS services. Lastly, the operating system gives me a different level of interoperability with things like messages and so on from a user interaction perspective. Let me give you an example.
If I receive an email message with a link in it, a shortened hyperlink, on a desktop device I can hover over that link to see where the URL actually goes. On a mobile device, there's no way to do that. So the user experience is restricted which makes it easier for bad actors to trick us into social engineering and phishing.
Dave: Yeah. Interesting. Wow. You don't think about that as you use the device but it's such an everyday part of what we do. We don't think really about the kinds of differences that we've just become accustomed to. Hey, so maybe you can talk more about the mobile threat landscape itself and how it differs from the traditional endpoint threat landscape. As you know I cover endpoint security and we talk a lot about the types of attacks and things that are going on in endpoint, but they can be different in the mobile world.
What are the top threats that come to mind?
Aaron: The attacks typically take a different form. And when you talk about let's say either an attack on an individual or a broader attack on an organization, they typically now multi-step. And it's typically the mobile device is the first device in that multi-step attack. And that will frequently take the form of social engineering.
For example, corporate email only represents about 15% to 20% of the phishing attacks that a typical user will see on a mobile device. And what we're talking about here are things like being sent a link that's malicious over SMS, being sent a link that's malicious over choose your favorite messaging platform.
So it typically takes the form of some form of social engineering that's sent through some typical messaging platform that's available on a mobile device only that asks you to do something. Now that will take the form of either asking you to re-authenticate to a service that you use and, in that case, the bad actor has captured your credentials, or it will ask you to install an application that actually turns out to be malware.
Dave: What you're telling me is that in the mobile world there's more things to consider than just email because these attacks are more complex. And it's not that endpoint attacks aren't complex as well but there's a lot of different ways for attackers to come at people that are using these devices and email is just one of the important factors that we're trying to secure along the way.
Aaron: The success of an attack is typically dependent on the ability for the bad actor to make the message seem credible. And unfortunately, now that we live in this age of social networking and so on our lives are on the Internet on display for both good and bad.
And so it's relatively simple to persuade users, unfortunately, especially on mobile messaging platforms that this is a credible source. And when you get that message, then you respond to it with a high level of trust. Even today especially with COVID-19 being a terrible pandemic worldwide bad actors are taking advantage of that type of scenario.
So that's a frequent attack. You can get an email in your personal email or in your corporate email or in your SMS or other messaging platform that say, "COVID-19 has been found in your community. Insert correct name of the community. Click on here for more details." And it's, unfortunately, a very common and very successful attack of late.
We've published a blog about it at Lookout.com if you're interested.