Have we been mis-sold a mobile malware ‘epidemic’?

Just finished an interesting story from security firm Damballa on mobile malware.

Breaking ranks with most of the rest of the industry, the vendor suggests in its new report that the amount of mobile malware on US networks is actually pretty minimal, and that if most users stick to the official app stores they should steer pretty clear of danger.

Indeed, in its analysis of half of the mobile traffic in America, it found that only 0.0064% of devices – 9,688 out of 151 million – contacted a domain on the mobile blacklist.

That figure was even lower than the 0.015% that did so in 2012.

Now the caveat is that this is just in the US, and only focusing on malicious network traffic rather than installs, but it’s still a pretty interesting piece of research.

It tends to fly in the face of the picture painted by many anti-malware companies, some of which are perhaps talking slightly disingenuously about a malware epidemic on Android.

There undoubtedly is an awful lot of malware designed for Android. But how much of it actually makes its way onto users’ devices? Especially if those users stick to the first-party app stores.

I’ve a feeling that if you took China and Russia out of the equation, for example, the Android malware problem wouldn’t be even remotely as acute.

“I do not know when, if ever, mobile malware (as we see it on the PC) will become a problem on mobile devices. I really think the app stores can control distribution of ‘money-making’ malware,” Damballa CTO Brian Foster told me by email.

“The risks and threats around insecure cloud apps or insecure access to cloud apps are already here. The risk of losing your device and giving a 3rd party inappropriate access to your data is already here.”

It is those latter risks that IT managers would do well to get a handle on, says Foster.

Another part of the research worth mentioning is that only 1.3% of the hosts contacted by mobile devices were not also present in the set of hosts seen in historical non-cellular traffic.

This means that mobile apps are using the same hosting infrastructure as desktop applications and, as such, IT security teams can apply the same network-based controls to spot domains with bad reputation scores and similar indicators.

F-Secure security advisor, Sean Sullivan, agreed that most Western netizens would be safe sticking to the authorised channels.

He admitted to me too via email that the mobile malware epidemic had been “overstated by *some* in the AV industry”.

However, he felt justified in sharing threat intelligence on new mobile malware, given that F-Secure’s customer-base stretches far and wide globally.

“We don’t just sell mobile AV – we sell mobile security with multiple security features and sell/bundle it with our other services in our cross-platform ‘SAFE’ offering,” he explained. “When you buy our PC software, you also get Android software – it’s all part of the package.”

That’s completely understandable, and I think that even if Vendor A doesn’t sell into markets where mobile threats are higher risk (Asia, for example), it still has a responsibility to reveal major new discoveries.

Unfortunately, however, it doesn’t take much for responsible disclosure of threat intelligence to turn into FUD-y marketing hyperbole.


Firms Fail to Combat the Insider Security Threat

The threat of accidental or malicious employees compromising information security has been around ever since there were computer systems. But you would have thought by now that CISOs would have got a handle on it.

Not so, according to a new report from training and research firm the SANS Institute which I’ve just covered for Infosecurity Magazine.

It found that although three-quarters of IT security pros are concerned about the insider threat, a third have no means of defending against it and around a half either don’t know how much they’re spending on it or have no idea what the potential losses would be.

From JPMorgan to Chesapeake, the dangers of failing to properly mitigate internal risks are clear to see, but firms seem to be slow on the uptake.

According to Roy Duckles, EMEA Channel Director at Lieberman Software, it’s a lack of “visibility, accountability and auditability” which is to blame.

“There is an assumption that if a person or group have the ‘keys to the kingdom’ with full admin rights across an enterprise, that this is a viable and effective way to apply security policies,” he told me.

“Where most businesses fail is that this approach not only reduces security, but it makes it almost impossible to see who is changing what, on which systems, at what time, and the effect and risk that it has on a business.”

Firms therefore need to remove privileges where possible, introduce 2FA and prevent admins “knowing” which passwords get them into systems, he advised.

Sagie Dulce, security researcher at Imperva, told me by email that organisations lack “budget, training, technology and an incident response plan” for when a breach occurs.

He added:

“Obviously, the first thing organizations must do is put some resources into the insider threat. The second thing organizations must do is prioritise: ask themselves what are the most important things they are trying to protect?

Once they know what they are trying to protect they should consider:

  • Is it Personal Information, emails, code etc?
  • Is the data structured, unstructured?
  • Is it found on databases, file shares?
  • Who has access to this data and how (from special terminals, via VPN, 3rd party partners etc.)?”

Finally I asked David Chismon, security consultant at MWR InfoSecurity, who repeated the notion that employees should be given the minimum access necessary to do their jobs.

Investing in systems to spot insider abuse could also help protect organisations against targeted attacks which spearphish users and abuse their access, he argued.

“For example, organisations are able to detect when an employee’s account is used to try and access data it shouldn’t or if a large amount of data is being exfiltrated,” Chismon explained. “It doesn’t matter at that stage if it is the employee misusing their account or an external attacker who has compromised the network.”
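As an added illustration of the two signals Chismon describes (not code from the original post or from MWR), the script below runs both checks over a constructed access log: out-of-scope access attempts and an unusually large volume of data read by one account. The entitlement table, log format and the 500 MB threshold are all assumptions.

```python
"""Added example: minimal insider-abuse detection over constructed access records.
The entitlements, log lines and exfiltration threshold are assumptions, not real data."""
from collections import defaultdict

# Assumed entitlements: which datasets each account is allowed to read.
ENTITLEMENTS = {
    "alice": {"hr-db", "payroll-share"},
    "bob": {"source-repo"},
}

# Constructed access log: (timestamp, account, dataset, bytes_read, outcome).
ACCESS_LOG = [
    ("2014-01-14T09:01", "alice", "hr-db", 120_000, "allowed"),
    ("2014-01-14T09:05", "bob", "source-repo", 4_000_000, "allowed"),
    ("2014-01-14T09:07", "bob", "hr-db", 0, "denied"),
    ("2014-01-14T09:09", "bob", "payroll-share", 0, "denied"),
    ("2014-01-14T11:30", "alice", "payroll-share", 900_000_000, "allowed"),
]

EXFIL_BYTES = 500_000_000  # assumed per-account daily threshold


def unauthorised_access_attempts(log, entitlements):
    """Flag every attempt (allowed or denied) on a dataset the account is not entitled to."""
    return [(ts, acct, ds, outcome) for ts, acct, ds, _, outcome in log
            if ds not in entitlements.get(acct, set())]


def bulk_readers(log, threshold=EXFIL_BYTES):
    """Flag accounts whose total successfully read bytes exceed the threshold."""
    totals = defaultdict(int)
    for _, acct, _, nbytes, outcome in log:
        if outcome == "allowed":
            totals[acct] += nbytes
    return {acct: total for acct, total in totals.items() if total > threshold}


def insider_alerts(log, entitlements, threshold=EXFIL_BYTES):
    """Combine both signals; a misbehaving employee and an attacker using the account look alike here."""
    alerts = [f"{acct}: out-of-scope access to {ds} ({outcome}) at {ts}"
              for ts, acct, ds, outcome in unauthorised_access_attempts(log, entitlements)]
    alerts += [f"{acct}: {total} bytes read, above threshold {threshold}"
               for acct, total in bulk_readers(log, threshold).items()]
    return alerts


if __name__ == "__main__":
    for alert in insider_alerts(ACCESS_LOG, ENTITLEMENTS):
        print(alert)
```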