Scot Kight is a Mobility Expert with Check Point Software. With over 20 years of industry experience, Scot has extensive knowledge of the wireless and mobile ecosystems and lifecycles. A strategic thinker, Scot leads teams, solves complex challenges every day, and has been the recipient of numerous awards.

What are the biggest mobile security challenges today, and do they target specific industry sectors?

The largest industry challenges to mobile device security come down to the lack of focused strategies around the use of mobile devices for corporate data/systems access.  This leads to a dramatic misinterpretation of current security posture, allowing for low effort attacks such as phishing and social engineering to establish hooks into systems and to steal information with little to no tracking/response. We find similar experiences through all industry sectors.

For instance, we find this in many cases where MDMs are used as “security solutions”. While MDMs are extremely useful, they are designed to provide management of applications and policies and do not evaluate for proper on-device security. This leads to a belief that the devices and users are secured, when vast holes exist within the corporate infrastructure that should be filled with a true security solution that understands and supports the current BYOD/COPE standard in conjunction with underlying management engines.

C-levels often try to bypass mobile security due to concerns about privacy infringement, or usability. How can organizations balance mobile security, privacy, and ease-of-use?

This is an extremely important question. Critical evaluations of security policies are required to implement security correctly in corporate environments, even in cases where privacy becomes a driving force as we attempt to extend and improve ROI related to providing work capabilities to employees. 

As an example, many companies have provided dedicated corporate-owned devices, implemented devices with forced separations between work and private data, or used secured apps on devices to try to allow for some level of device data control while limiting privacy impacts. These basic policies are then considered complete, and further evaluation of security impacts is no longer undertaken.

Unfortunately, these policies have some specific drawbacks that still leave significant vectors of attack or allow for information loss.  Most of these methods are still open to attack at the user level, but we have seen concrete evidence of attacks at the device level to get around any data separation, in a way that would not be tracked by the system. They also can suffer from a potentially difficult (cost or effort) implementation that users will not participate in. 

It is imperative that we consider the true total impact of the data that can be exposed by user behavior, malicious practices, social engineering, or simple phishing on mobile devices.  Providing a solution, such as SandBlast Mobile, which can evaluate devices and device behavior in a safe/secure/private manner should be considered a minimum for allowing access to corporate data.  This can easily be tied to minimum compliance and provide large amounts of data to assist in the overall security posture of the company.

We all know that there is a tradeoff between security and privacy, but it does not have to be painful. SandBlast Mobile offers comprehensive and easy-to-deploy methods to make sure the security controls are applied while educating users about mobile threats.

What types of policies would you recommend that CISOs implement to protect enterprises from mobile attacks?

Check Point recommends providing device focused security solutions and establishing compliance minimums for all devices containing or able to access any internal/material corporate data. 

These systems should provide forensic information to assist in discovery of attack attempts and to protect the user/device from all attack vectors, yet be limited in terms of direct access to both user and corporate data.

For mobile devices we recommend SandBlast Mobile, integrated into existing corporate infrastructure like MDMs and SIEMs, as a minimum. It offers total protection against phishing, malware, network, botnet and other attack vectors, while only requiring access to device metadata. It can also be implemented easily, especially with the new Zero Touch features, to be able to access company information with a minimum amount of input required.

What types of endpoint issues have arisen in the wake of the pandemic?

Our customers have seen a dramatic transition in devices used for access to corporate data. In the past, mobile use was relegated to specific needs or convenience.  Users rarely used mobile devices while in the office, preferring corporate issued endpoints. Outside of the office mobile was considered the secondary method of operation, with the use of laptops or other company secured endpoints as primary.

Today, the use has changed to focus totally on accessing systems via external endpoints, with mobile making up an ever-increasing portion of those endpoints.

Cyber criminals have quickly adapted to these trends and mobile ecosystems are no longer mobile islands, like in the past. Cyber criminals are using every tactic to lure users to do what they want, like providing passwords, sharing corporate data, or even installing malicious applications.

What do you think of the security and privacy features in coronavirus contact tracing apps?

The coronavirus has changed the world and exposed many details underlying our mobile interconnectedness. When it comes to coronavirus tracing apps specifically, there are many misconceptions around how they work, what risks are associated with them, and the security risks they raise.

First and foremost, the basic operation of a contact tracing app needs to be detailed.

In a very high level overview, each device running the app will have a semi-random ID assigned to it. This ID will be used to create instances of a sharable token including location, time and other details, but not enough information for someone else to know any information about who provided said token.

Any time a device running a tracing app is within Bluetooth connection distance of another device with the same application, this token is shared to the other application and a copy of the other user’s token is downloaded to the device.

At no point does the device know exactly who it gave its token to, nor does it know who a token came from.

  1. The tokens above are then combined and used to create more tokens that can be shared to the next device discovered.
  2. Under certain circumstances, this information will be fed into a system which creates an anonymous trigger for one of the shared IDs. These triggers are checked by the application to see if a match is made. If so a map of contacts is created and shared with the service.
  3. Each step of this process is private, no user information is shared and all IDs are ephemeral and not directly tied to a user.

Check Point finds that, for apps that are written properly and utilized correctly, the data is private, useful, and is a benefit for all, as long as the device is properly secured and the application's sourcing is verified.

The above information could be abused by hackers or other bad actors by creating malicious versions of the software, hacking the network or systems running those systems or by just providing false/misleading info. 
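The token exchange and anonymous match described above, modelled as an added Python simulation (not code from any real tracing app or from Check Point): each device keeps a secret seed, broadcasts a per-time-slot token derived from it, stores the tokens it hears over Bluetooth, and later checks published seeds of diagnosed users against what it heard. The seed length, 10-minute slot, SHA-256 derivation and the three named devices are assumptions for the demo; location is omitted and only time is modelled.

```python
import hashlib
import os
from dataclasses import dataclass, field

SLOT_SECONDS = 600  # assumed rotation interval; real apps choose their own


def slot_of(ts: int) -> int:
    """Map a Unix timestamp to a coarse time slot."""
    return ts // SLOT_SECONDS


def token_for(seed: bytes, slot: int) -> bytes:
    """Ephemeral broadcast token: a hash of the secret seed and the slot.
    Seeing the token reveals neither the seed nor the owner's identity."""
    return hashlib.sha256(seed + slot.to_bytes(8, "big")).digest()[:16]


@dataclass
class Device:
    name: str  # demo label only; never transmitted or stored by peers
    seed: bytes = field(default_factory=lambda: os.urandom(16))
    seen: set = field(default_factory=set)  # (token, slot) pairs heard

    def broadcast(self, ts: int) -> bytes:
        return token_for(self.seed, slot_of(ts))

    def hear(self, token: bytes, ts: int) -> None:
        self.seen.add((token, slot_of(ts)))

    def exposed_to(self, published_seeds, first_ts: int, last_ts: int) -> bool:
        """Recompute tokens of diagnosed users over the window and match locally."""
        for seed in published_seeds:
            for slot in range(slot_of(first_ts), slot_of(last_ts) + 1):
                if (token_for(seed, slot), slot) in self.seen:
                    return True
        return False


def contact(a: Device, b: Device, ts: int) -> None:
    """Two devices within Bluetooth range swap their current tokens."""
    a.hear(b.broadcast(ts), ts)
    b.hear(a.broadcast(ts), ts)


def run_demo() -> dict:
    alice, bob, carol = Device("alice"), Device("bob"), Device("carol")
    contact(alice, bob, 1_000_000)  # alice meets bob (constructed timestamps)
    contact(bob, carol, 1_003_000)  # bob meets carol later
    published = [bob.seed]  # bob is diagnosed; his seed is the anonymous trigger
    window = (990_000, 1_010_000)
    return {d.name: d.exposed_to(published, *window) for d in (alice, bob, carol)}
```

Alice and Carol each learn only that one token they heard belongs to a diagnosed user, not which person that was, and nothing they stored can be linked to Bob without his published seed.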

What else should Cyber Talk’s audience know about current mobile threats that we haven’t asked about?

The mobile ecosystem (including applications, developers, devices, operating systems etc.) is constantly evolving and becoming more core to our everyday routines. Already, the devices and apps touch just about every single aspect of our personal and work lives, and we need to keep this fact in mind when making decisions about our security posture.

The security community is also constantly working on protections covering the impact and risks to our communal data assets. While there is no silver bullet to protect mobile devices, if we apply a decent set of minimum standards, combined with working to ensure users understand the risks and rewards of the tools and data we have provided to them, we can keep ourselves, our systems, and our companies safe in this new frontier.