Enterprise Attacks by Mobile Devices Not Fully Realized

While mobile devices aren’t yet direct targets for enterprise attacks, they are at least conduits, able to siphon vast amounts of data nonetheless, according to the 2011 Verizon Data Breach Investigation Report. Mobile devices used to commit data breaches increased significantly in cases closed in 2010. Leading the way were compromised POS terminals, pay-at-the-pump terminals, and ATMs.

“Historically, servers and applications, especially databases, have represented as much as 92 percent of all 900 million records stolen,” said Bryan Sartin, Director of the Investigative Response at Verizon Business, referencing data breach information collected by Verizon and the United States Secret Service between 2004 and 2010. “Yet suddenly [this year] we are almost at parity in damages, in actual records stolen, between servers and mobile devices.” He said the increased use in devices is changing not only the face of his investigation but the security counter measures and best practices put in place.

The devices cited in this year’s report are very specialized. For example, skimmers, tiny credit card readers that are placed (often in plain sight) over the existing card reader at an ATM. Along with a mini camera to record the PIN, the entire transaction can be broadcast using a small GSM radio to a remote location, perhaps half way around the world. Pay at the pump gas pumps are also vulnerable. Last year, for example, tiny devices compromised 180 gas stations from Salt Lake City to Provo, Utah.

But Sartin says traditional attitudes around locking down data on servers may not be enough to combat the increasing use of personal mobile devices in the workplace. He cited a scenario where an enterprise prohibits use of the USB port at the workstation and restricts access to sensitive files on the network. This does not, however, prohibit an employee from pulling out a mobile device and simply photographing data on the screen. In other words, unless there is a corporate policy prohibiting personal phones on campus, sensitive data may still find its way out.

Enterprises are also being targeted through spear-phishing attacks on employees often using compromised Adobe PDF or Flash content embedded within common Microsoft Office files. The security vendor RSA, for example, reported that Flash content embedded in an Excel spreadsheet lead to a March data breach of their SecureID service.

Sartin said while cases investigated by his team don’t show the mobile device as an initial point of entry in a data breach, he admitted that with increased spear-phishing attacks, that’s likely to change. “I’m surprised criminals haven’t wised up and realized this,” he said, noting the iPhone parses e-mail messages in a way that opens the door for more PDF-based spear-phishing attacks than conventional mail clients.

So what’s an enterprise to do? Verizon Business concludes that it is generally easier to control data at the source than it is to block a virtually limitless array of potential destinations. In my book, When Gadgets Betray Us, I cite Douglas Merrill, former VP at Google, who said the search company had moved away from an enforceable perimeter of layered firewalls. Today Google concentrates on protecting the data itself—no matter what device wanted access to it.

This shift in priorities not only allowed Google employees the freedom they need to experiment with new technology, but it also liberates the IT staff from endless compatibility issues when securing every new form factor that comes along. It also reflects the future: enterprises need to make similar adjustments in policy, and they will need to do so very soon. Sartin predicted that use of a mobile device for data breaches will skyrocket within the next two years and “electronic crimes will be light years beyond where we know it today.”