Malware Trends for 2016
FIELD: Well, John, we've entered 2016. In terms of malware trends and security, what are some of the things that you believe we should be most concerned about in this new year?
NIELSEN: Yeah, great question, and I'll probably start by throwing some numbers out there. Through research of ours, IBM's and some other analysts, we see in 2016 the number of smartphone users worldwide will actually surpass two billion. By 2017 the number of mobile apps downloaded on those smartphones will increase to about 268 billion, which will generate more than $77 million of revenue for those third-party app companies. With that being said, mobile devices and mobile apps are the perfect targets for hackers moving forward.
And as mobile grows, so will the complexity of all of the security threats that are introduced onto these devices and within these applications. There have been some reports from some security vendors in the space saying that as of right now, there are more than six new threats discovered every second from a malware perspective. And with the reported number of about 95 percent of the top apps on Android and about 85 percent of the top apps on iOS being hacked, this is obviously a trend. We know the need is growing from an application management and from a mobility management perspective, and we're hearing that from our customers and enterprises in the field. Based on a recent survey IBM conducted, about 52 percent of organizations have said that safeguarding their applications and data on these mobile devices, whether they're corporate-owned assets or BYOD assets, is their largest concern. But less than half of that 52 percent have actually taken steps to respond to this problem. The first step in fighting this trend is to protect the devices by deploying a solution to manage this diverse set of mobile devices regardless of ownership. Once that protection is secured, then more sophisticated malware and threat detection can be enabled on these devices.
So from a trend perspective, we see malware really falling into numerous different categories. As of November 2015, we've been seeing increases in the use of certain types of malware. The top one is adware. It's typically something that is seen as more of a nuisance for users, but it's also been known to redirect user browsing behavior to malicious websites or known phishing websites.
Backdoor malware, which gives hackers the ability to gain access to devices to install more malware, is No. 2. Maybe that malware can be used to spy on the user through a connection with the device's microphone, the camera, or even GPS.
Third on the list is something we call banker malware. Banker malware is used to intercept authentication requests between the user's device and their bank. Not only is it used to intercept those authentication requests, whether it's username and password or a PIN and token being sent via a text message, but sometimes this type of malware actually tries to replace the user's banking app with a fraudulent one. You can understand why that would be a problem.
In addition, some other types of malware are gaining in popularity. Data stealers can steal personal items, like your contact list, images and emails, much like traditional spyware. We're also seeing more advanced exploits that gain root-level access to mobile devices.
Finding Compromised Devices the MaaS360 Way
FIELD: Given all of the threats that you've mentioned to this point, how would MaaS360 let you know if a device has been compromised?
NIELSEN: We talked about the need to protect mobile devices, and one way to protect them is by implementing an enterprise mobility management (EMM) solution like MaaS360. MaaS360 can retrieve hundreds of data points from a mobile device to see if it has in fact been compromised. From a device and OS perspective, MaaS360 can discover whether a device has been jail-broken or rooted. Also from a device and OS perspective, MaaS360 can let the administrator know whether a device is encrypted or protected with a passcode, the OS version a device is running and whether that OS is up to date. It also lets IT know about any known vulnerabilities for that version of the OS and whether or not they've been patched. In 2013, there was a large vulnerability on Android known as the Master Key vulnerability, and MaaS360 can report vulnerabilities like Master Key to the IT team and whether the vulnerability has been patched on a certain device, which is very important. MaaS360 can also alert IT whether users are connecting their mobile devices to insecure Wi-Fi networks.
Things get a little more complex at an application level. However, MaaS360 can query applications installed on a given device and determine if those applications have known malware installed - and that's across all of those different categories we talked about earlier - and provide you with discovery reports should malware be found.
Another option from an application perspective is our app list and reputation score. MaaS360 has the ability to examine every application installed on a user's device and apply a rating to those applications from one, a safe application, to 10, a malicious application. The rating is based on several security details, including:
- Whether the app can read a user's call log history;
- Whether the app can access other sensitive information, such as contact lists, on the device;
- What OS permissions the app has;
- Whether the app can send text messages or download content without notifying the user.
MaaS360's app list will alert you to known malware, but it will also tell you what your seemingly safe app is doing that may be problematic from a risk perspective. Perhaps it can do things that you don't want happening within your enterprise. You can define rules within MaaS360 that automatically take action on any device found in a noncompliant state. Those actions can range from notifying an IT admin that a device is in a compromised state to limiting access to corporate resources, such as email or file share, to uninstalling the compromised app. These rules can be automated, provide different notification options and are in general very tailorable.
How MaaS360 Guarantees User Privacy
FIELD: The features you've described sound very useful on an administrative level. But let's talk about privacy. Would it be problematic on a privacy level to use this ability to remove apps remotely or even to wipe a mobile device?
NIELSEN: We get that question a lot, both from large enterprises and some of our smaller customers. Most companies, when deploying an EMM platform, have a policy that their users must accept before gaining access to corporate resources via their mobile devices. Now, this policy typically gives the employer the right to take action on a device if that device is deemed out of compliance for any reason. Now, with that being said, many employees' first thoughts are: "Hey, this is Big Brother. What can they see on my device from a privacy perspective, and what can they do to my device from an action perspective?"
Now, with that being said, there are privacy controls within the MaaS360 platform that admins can put in place to give their users peace of mind. For example, MaaS360 does not capture data such as your phone call history and SMS message history. Nobody has access to that information besides the user. MaaS360 also provides administrative control to determine what other type of personal data can be captured from the device and disable access to that information. You can disable administrative access to such information as an employee's personal app inventory, their location and other PII indicators like phone number and Wi-Fi connection. This information is not collected from the user's device and will give them that peace of mind of: "Hey, my device is under corporate management, which is a requirement for me to get my job done; but my employer doesn't have access to my sensitive content, my pictures, my phone calls or any of my personal content on the device."
Limiting Access to Malicious Websites
FIELD: And MaaS360 does have the capability to prevent users from accessing malicious websites, even with the privacy controls, correct?
NIELSEN: Yes. MaaS360 offers a number of different options, based on policy that the admin team can define to limit the chance that users can access those sorts of sites. And that's accomplished through the MaaS360 Secure Browser. Secure Browser lets admins block things like file downloads and more importantly, set up category-based URL filters that would prevent users from accessing compromised websites, known malware, phishing and fraud sites and other websites that are known to install unwanted software on their devices without user consent.
You're probably thinking: "That's great, but there are billions of websites out there; how do you keep up with that information to ensure that my users can't access those?"
Well, the MaaS360 platform processes over 12 billion Internet transactions per day to maintain that database of about 140 million of the most relevant URLs that your users would want to access. Based on that database of categories, sites and whatever else is happening on the Internet, we're able to provide a very accurate URL protection platform to really limit the likelihood that users will access those malicious websites.
Oversight? Set It and Forget It!
FIELD: John, most enterprises that I speak with have to manage hundreds if not thousands of mobile devices. When you get to that scale, to what degree is oversight an issue?
NIELSEN: From an oversight perspective, not much is really needed after the initial setup because MaaS360 provides a "set-it-and-forget-it" policy engine. We have customers that have rolled out and enabled management on thousands of devices a day within their enterprise, and once that deployment takes place, automated alerting rules and scheduling can be defined so IT admins can keep up-to-date with the security posture of their environment without accessing the admin portal. As a result, security folks know what's happening in real time based on the security posture.
In addition to some of the tools within the platform, MaaS360 also integrates with other security information and event management systems (SIEM), such as IBM's QRadar platform, to provide even more automation and real-time notification from a security event perspective. Essentially once the platform is up and running, very little oversight of daily operational usage of the platform is needed to ensure that you're protected.
Visibility Is the First Step
FIELD: John, one final question for you: Once your customers have had a chance to deploy MaaS360, what do you find to be their experience? Can you describe a general use case?
NIELSEN: First of all, they tell us they can sleep better at night. They feel protected, and a lot of that stress is alleviated.
Outside of that, the first thing we really hear about is visibility into their environment, and it's really an "Aha" moment for a lot of our customers. Once they roll out MaaS360, not only can they see all of their mobile devices in their environment, but they also have an overall view of the security posture of each one of those devices. For example, they learn how many devices are running an older, maybe compromised, operating system; how many devices have been jailbroken or rooted; and even the overall risk and reputation of the applications in the environment.
Typically, a company starts slow. Visibility is the first step - understanding what the mobile environment looks like and what potential risks are out there. Once that is known, a policy and action framework can be built to limit the corporate security risk without compromising usability of employee devices so they can really get their job done. The MaaS360 platform contains a number of best practice security policies that can be implemented based on the IT admins working with our team, their vertical, industry size and the types of regulations in their industry, whether it's healthcare and HIPAA or financial regulations, school districts and things like that. So it's really getting that peace of mind from an IT perspective that their devices are being managed and, more importantly, the security posture of those devices. Whether it's a vulnerability perspective or a malware perspective, they now know what's out there.