5 ways cyber threats can hack your company — and how to stop them

5 real mobile security threats and how they impact your business

CR-1990-EN-US v2


Cyber threats have quickly advanced beyond clunky, misspelled, and poorly executed email hacks, and many are now sophisticated enough to dupe even the most savvy enterprise users. If one of these threat vectors can breach a single endpoint in your organization, it can quickly execute a series of undetected exploits that allow hackers to progressively gain more access — and cause damage to your organization, your reputation, and your stock price.

Companies everywhere are at greater risk of a major data breach than ever, and most are aware of the growing threat. A 2018 report found that 93% of respondents said mobile devices present a serious and growing threat that should be taken more seriously.1 Preventing these types of breaches in the era of perimeter-less enterprise computing requires a clear understanding of how these threats operate today. More importantly, it requires a zero-trust security architecture that provides end-to-end security across endpoints, apps, networks, and cloud services.

This eBook is designed to help you understand how mobile threats can easily exploit user behavior and ultimately gain a frightening level of control over your entire company. Most importantly, it explains how MobileIron Threat Defense (MTD) supports a zero-trust architecture with built-in protection that blocks threats and protects your company from its most vulnerable access point — your users.

1 http://www.verizonenterprise.com/resources/mobile_security_index_2018_en_xg.pdf

Threat types:

• Phishing

• Network attack

• App threat

• Malicious Configuration Profiles

• Device advanced compromise


What is it?

Phishing is a type of social engineering attack often used to steal user data, such as login credentials and credit card numbers, or trick users into performing an action that compromises information security. A phishing attack masquerades as a trusted source and dupes a victim into clicking on an ad or opening a message that links to a malicious site. These types of attacks are often very sophisticated and may appear to be coming from a known user, such as a co-worker or business partner. Attackers are also very adept at cloning websites that trick users into entering their credentials and personally identifiable information (PII).

Use case

A user reading the news on Yahoo from an iPhone is interrupted by an ad that takes over the browsing experience, also known as a forced ad redirect. In this case it masquerades as a security alert from Apple that tells the user there is a virus on the iPhone and instructs the user to install a VPN to protect the data. As soon as the user clicks “Install,” a malicious iOS profile is downloaded to the device. Malicious profiles allow an attacker to change the configuration and behavior of the device in a way that allows them to intercept and decrypt network traffic, which is often a precursor to executing a man-in-the-middle (MITM) attack.

Threat type: Phishing

Spear phishing is the #1 attack vector for 2019. This type of attack targets an organization, business or individuals for their role in the organization (also known as “whale phishing” when C-level executives are hacked). Phishing attacks are designed to harvest employee credentials and gain access to corporate intelligence, investor information, and other data that can be sold or used to harm the company.


Business impact

According to a 2018 report by FireEye, mobile users are at the greatest risk for phishing emails because mobile email clients typically only display the sender’s name, which is often a trusted contact.2 As a result, mobile users are more likely to open the message and click on a malicious URL. A URL phishing attack can lead to stolen login and password credentials as well as a suspicious profile being installed on the device, which will give a hacker access to all of the user’s corporate and personal apps and data on the device. This means enterprise IT should immediately consider solutions for protecting users from these types of attacks, which are often the gateway into the enterprise.

2 https://www.csoonline.com/article/3241727/mobile-security/6-mobile-security-threats-you-should-take-seriously-in-2019.html

MobileIron protection

MTD protects against email, text, or instant messaging phishing attacks by preventing users from accessing these malicious sites. Whenever a user clicks on a link, MobileIron can instantly detect if the URL is malicious. If so, the user will receive a message on their mobile device explaining that the page is potentially malicious and therefore blocked.

[Figure: Threat vectors and hacking techniques. Trojanized Software Updates 6%, Web Server Exploits 3%, Spear-Phishing Emails 71%, Watering Hole Websites 24%. Source: Symantec 2018 Security Threat Report]


What is it?

A network attack can come from internal or external sources, such as a highly organized malicious organization, foreign entity, or a professional “lone wolf.” These attackers are highly knowledgeable about network design and have the skills needed to develop new network attack techniques and modify existing tools for their exploits. For instance, an unauthorized rogue access point can be installed on an enterprise network to launch an MITM attack, which intercepts communications between a client and a server.

Use case

In this example, a hacker sets up rogue access points to attack a financial service firm. This attack works by exploiting the behavior of mobile phones, which are designed to continuously scan their “neighborhood” and connect to networks they remember, including free Wi-Fi in high-traffic public spaces such as airports, coffee shops, and hotels. These rogue access points may ask a user to create a username and password in order to access them. Employee devices instantly connect to the rogue access points thinking they are trusted by the company network.

[Figure: Rogue AP attack against a financial firm (man-in-the-middle attack)]

• Hacker sets up rogue access points

• Phones connected thinking they were the financial service firm's network

• MTD detected and disconnected

• Man-in-the-middle not able to scan and weaponize devices

(The diagram marks the point where MobileIron Threat Defense detects and blocks the attack.)

Threat type: Network attack


Business impact

Mobile threats can target endpoints through a pineapple (a device that can be used to collect information from unsuspecting users on public Wi-Fi networks) or a spoofed captive portal that collects usernames, passwords, and other sensitive data from users. These types of attacks can also launch an exploit such as an MITM attack that can remain persistent on the device. This allows the hacker to return to the device at a later time to take advantage of it or spread the malware to other systems and users in the network.

MobileIron protection

MTD is able to detect rogue access points and disconnect them from the network. As a result, MITM attacks can’t scan and use endpoints to harvest valuable data such as usernames and passwords, or collect potentially confidential data such as account information. See a network attack in action and learn how MTD detects and remediates the attack on the device here.

View demo video

According to McAfee, network spoofing has increased dramatically, but fewer than 50 percent of people secure their connection when using public networks.

CSO, “6 mobile security threats you should take seriously in 2019,” Nov. 20, 2018


What is it?

A malicious app is harmful software that appears to be normal, such as a gaming app, and therefore hard for users to identify. It can attach itself to legitimate code and silently propagate an exploit within an organization or across the Internet. In 2017, there were almost one million fake apps in the Google Play Store, including fake versions of 77% of the top 50 free apps.3

Use case

An employee at a global bank is traveling on business and uses an outdated Android device to access company files. Although the organization has Android for Work installed on the device to protect bank data and access, the user had unknowingly downloaded a malicious app that rooted, or compromised, the entire device. The app was also able to harvest the user’s personal data, payment information, and other sensitive information.

3 BT, “Malicious apps: What they are and how to protect your phone and tablet,” June 27, 2018.

[Figure: Malicious app at a global bank (Elevation of Privileges (EOP) via malicious app)]

• Employee was on assignment in Africa, on an outdated Android device

• Bank was using Android for Work to protect bank data and access

• User installed malicious app on the personal side which rooted the whole device

• MTD detected the EOP and decommissioned the device

• Prevented all data on the device (or from any source user/device had access to) from being stolen

(The diagram marks the point where MobileIron Threat Defense detects and blocks the attack.)

Threat type: App threat


Business impact

An untrusted app can be installed on Android or iOS devices in a way that bypasses legitimate app stores. Once installed, it can create a threat vector entry that can escape the OS sandbox and create a VPN connection to a server on the dark web. Once this connection is established, often without the device user knowing, the attacker can exfiltrate sensitive personal or corporate data from the device, decrypt and redirect traffic from the device to their site, and carry out more damaging exploits in the future. This has the potential to mine corporate data and send it to a third party, such as a competitor, and expose sensitive product or business information to untrusted sources. According to the Verizon Mobile Security Index study, only 59% of surveyed companies restrict which apps employees download from the Internet to their mobile devices. This can leave a dangerous security gap that exposes corporate apps and data to a variety of app threats.

MobileIron protection

MTD can block app threats by quarantining the device when an anomaly is detected. This prevents the app exploit from accessing any data on the device or from any source the user or device could access. View an app attack in action and learn how MTD detects and remediates the malicious app on the mobile endpoint.

View demo video

Only 59% of organizations restrict which apps employees download from the Internet to their mobile devices.

Verizon Mobile Security Index 2018

In 2017, there were almost one million fake apps in the Google Play Store, including fake versions of 77% of the top 50 free apps.

BT, “Malicious apps: What they are and how to protect your phone and tablet,” June 2018

4 Verizon Mobile Security Index 2018


What is it?

Configuration profiles are designed to help vendors manage devices through MDM. However, cyber attackers have been able to exploit them to take over and infiltrate the device. Sandboxed apps can’t interact with other apps on the device, but MDM profiles can get around the sandbox to trick users into allowing elevated privileges. Think of how often an app requests access to the user’s location, photos, contacts, and more. In response, the user often says yes just to get the app on the device or to clear the request from the screen.

Once downloaded, a malicious profile can install root certificates on an iOS endpoint by bypassing security settings. This allows the malicious profile to configure system-level settings, such as Wi-Fi, VPN, email, and more. A malicious profile can execute an EOP attack to monitor and manipulate user activity and hijack user sessions. An EOP attack allows the malicious profile to access photos, files, email, text messages, and other apps that are not normally permitted.
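As an added illustration (not part of the original eBook and not MobileIron code), the sketch below audits an iOS configuration profile (.mobileconfig) for the payloads described above: root certificates and Wi-Fi, VPN and email settings. The sample profile and the risk notes are constructed for this example, and the check goes slightly beyond the text by also flagging global HTTP proxy payloads.

```python
import plistlib

# Apple PayloadType values that change device trust, routing or accounts.
# The risk notes are this example's wording, not text from the eBook.
RISKY_PAYLOADS = {
    "com.apple.security.root": "installs a root CA (enables TLS interception)",
    "com.apple.security.pkcs1": "installs a certificate",
    "com.apple.vpn.managed": "configures a VPN (can reroute all traffic)",
    "com.apple.proxy.http.global": "sets a global HTTP proxy",
    "com.apple.wifi.managed": "adds a Wi-Fi network the device may join",
    "com.apple.mail.managed": "configures an email account",
}

def load_profile(raw: bytes) -> dict:
    """Parse a profile; a signed one wraps the XML plist in a CMS envelope,
    so cut out the XML first (heuristic, the signature is not verified)."""
    start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
    if start != -1 and end > start:
        raw = raw[start:end + len(b"</plist>")]
    return plistlib.loads(raw)  # also accepts binary plists unchanged

def audit_profile(raw: bytes) -> list[str]:
    """Return one finding per payload that alters trust, routing or accounts."""
    profile = load_profile(raw)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in RISKY_PAYLOADS:
            name = payload.get("PayloadDisplayName", "<unnamed>")
            findings.append(f"{ptype} ({name}): {RISKY_PAYLOADS[ptype]}")
    return findings

def constructed_sample() -> bytes:
    """Constructed profile resembling a 'guest Wi-Fi' lure; all values made up."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadDisplayName": "Guest Wi-Fi Access",
        "PayloadIdentifier": "example.invalid.guestwifi",
        "PayloadContent": [
            {"PayloadType": "com.apple.wifi.managed",
             "PayloadDisplayName": "Wi-Fi", "SSID_STR": "ExampleGuest"},
            {"PayloadType": "com.apple.security.root",
             "PayloadDisplayName": "Network CA",
             "PayloadContent": b"constructed-not-a-real-certificate"},
            {"PayloadType": "com.apple.vpn.managed",
             "PayloadDisplayName": "Secure Tunnel"},
            {"PayloadType": "com.apple.webClip.managed",
             "PayloadDisplayName": "Help page"},
        ],
    })

if __name__ == "__main__":
    for finding in audit_profile(constructed_sample()):
        print(finding)
```

A profile offered as a Wi-Fi convenience that also carries a root certificate or VPN payload is the combination worth escalating before it is installed.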

Threat type: Malicious Configuration Profiles

[Figure: attack flow]

• Traveling employee wants to connect to a hotel Wi-Fi or neighborhood hotspot like Xfinity Wi-Fi.

• Employee tries connecting to Wi-Fi and is prompted for username and password. He opts to install a configuration profile.

• A bad actor performs a MITM attack, harvesting credentials and stealing data.

• The bad actor sells the data on the dark web to the highest bidder.

Use case

An employee is traveling on business and wants to connect to a hotel Wi-Fi or a neighborhood hotspot like Xfinity Wi-Fi. He is prompted to enter his username and password and opts to install a configuration profile for unsecured Xfinity Wi-Fi so he is not constantly prompted to re-enter his credentials. The hotel Wi-Fi and Xfinity Wi-Fi are shared wireless networks to which all hotel guests can connect. The next time the employee connects to Xfinity, it’s compromised by the bad actor who performs an MITM exploit. The user has unknowingly installed a malicious profile that allows an exploit kit to route all of the victim’s traffic through the attacker’s server to steal data.


Business impact

By installing root certificates on victims’ devices, a malicious profile can seamlessly intercept and decrypt SSL/TLS secure connections that most applications use to transfer sensitive data. As a result, a malicious profile could take over a user’s corporate email account and apps such as Slack, Zoom, and LinkedIn to send messages, change settings, steal information assets, and worse.

MobileIron protection

MTD alerts the user about unsecured Wi-Fi connections and can also detect if a suspicious profile has been downloaded on the device. Once detected, the admin can mark the profile as untrusted and quarantine the device. This allows any managed apps to be removed from iOS or hidden on an Android device. Any settings provisioned by MobileIron, such as corporate Wi-Fi, can also be removed or hidden when a suspicious profile is detected as a threat. However, MobileIron only allows corporate apps and data to be removed; all of the user’s personal data remains intact.


What is it?

A device advanced compromise can take root control of the device, which allows an attacker to remotely command and control key functions on the device. Some examples include EOP, OS exploit, and system tampering.

[Figure: iOS system tampering at consulting firm (System Tampering)]

• Consultant in Costa Rica downloaded iOS gaming app from a 3rd party store, TutuApp

• TutuApp prompted him to download a configuration profile “for the game”

• Houdini app mounted the file system as read/write

• MobileIron detected and notified the admin, who decommissioned the device and reset to factory settings

• User could have lost all data (including client data) on the device, and enabled a full compromise via an exploit

(The diagram marks the point where MobileIron Threat Defense detects and blocks the attack.)

Threat type: Device advanced compromise

Use case

An employee at a global consulting firm downloads a gaming app from a third-party app store, TutuApp. This app store prompts him to download a configuration profile to install the very large app. The installer app, Houdini, also enables device-wide management capabilities and mounts a file system as read/write — without the user knowing.


Business impact

This type of advanced compromise can enable the attacker to control key device functions, such as turning on the microphone or camera, without the user’s knowledge or consent. The attacker could also steal the user’s corporate credentials, which would allow the attacker to impersonate the user and send messages to anyone, including the CEO and entire company, clients, partners, and personal contacts. The user may not even know the device has been taken over with bad things done on his behalf.

MobileIron protection

MTD can prevent this type of attack by detecting the system tampering threat on the mobile device. The system administrator sees this on the management console and is then instantly notified so he can decommission the device and reset it to factory settings. Access to corporate email and apps can also be removed to prevent the hacker from infiltrating other devices and potentially sending messages with a malicious link on the user’s behalf. See how this type of attack works and learn how to prevent it here.

View demo video


Ensure trusted endpoint security in a zero-trust world

Without visibility across all of your mobile devices as part of your endpoint security posture, you’re missing about one-third of all your company’s endpoints. With MobileIron, you can ensure complete, built-in threat detection and remediation across the devices, apps, and networks in your perimeter-less work environment, without even needing Internet connectivity. MTD ensures security in a zero-trust environment with the ability to:

• Protect your company data (and your customers’ data) by enabling 100% user adoption of mobile threat protection.

• Gain visibility into threats on your managed and unmanaged mobile devices with the MTD dashboard and forensics data.

• Manage mobile threat data with your existing cybersecurity practice by aggregating it via SIEM and correlating it together to deliver insight across the entire security posture.

With MobileIron Threat Defense, you don’t have to leave company security in the hands of your users. For more information, please go to www.mobileiron.com/threatdefense.