Every organization is concerned about malware - how it evolves, slips past multilayered defenses and infects networks to cause both immediate and long-term damage. John Nielsen, Product Manager for IBM Mobile Security, discusses the latest malware trends and steps organizations may take to fight back against this seeming hydra of threats.
Nielsen cites IBM research that shows the number of smartphone users worldwide will rise to over 2 billion people. By 2017, the number of downloaded mobile apps will top 268 billion, offering threat actors the perfect target through which to infect networks.
Data shows the diversity of today's malware, which includes everything from adware that can lead to redirects to phishing and other malicious websites to root-level malware that gains access to the mobile device itself.
"There have been reports from security vendors who are saying...more than six new threats [are] discovered every second," Nielsen says. "We know the need is growing from an application management and a mobility management perspective, and we're hearing that from our customers...in the field also."
A recent IBM survey shows that 52 percent of respondents agree that safeguarding applications and data on mobile devices, regardless of whether they're BYOD or corporate-owned, is their greatest concern. At the same time, however, the survey reveals that less than half are taking the needed steps to alleviate that concern.
"The first step to fight this trend is to...deploy a solution to manage this diverse set of mobile devices," Nielsen says. "Once that protection is done, then more sophisticated malware and threat detection can be enabled on these devices."
Visibility also is critical in the fight against malware attacks. "A platform, such as MaaS360, [lets organizations] not only see all of their mobile devices in their environment, but they also have an overall view of the security posture of each one of those devices," including how many devices are jailbroken, using an older, potentially compromised operating system and the overall risk and reputation of the applications on these devices, Nielsen says.
In this interview about malware trends and ways organizations can counteract these threats, Nielsen also discusses:
- How organizations can balance visibility and remediation of mobile devices on networks without compromising user privacy;
- Why robust automation and oversight capabilities are essential components of effective mobile device management;
- How IBM's MaaS360 MDM solution works to help its customers battle today's malware threats.
Nielsen serves as Product Manager for IBM Mobile Security. Nielsen has 20 years of experience in endpoint enablement and security from laptops to smartphones, tablets and wearables. John is currently leading strategy and go-to market endeavors for cross-platform Mobile Device Management (MDM), Mobile App Management (MAM), admin portal UI/UX and technical integration with third-party technology partners.
Malware Trends for 2016
FIELD: Well, John, we've entered 2016. In terms of malware trends and security, what are some of the things that you believe we should be most concerned about in this new year?
NIELSEN: Yeah, great question, and I'll probably start by throwing some numbers out there. Through research of ours, IBM's and some other analysts, we see in 2016 the number of smartphone users worldwide will actually surpass two billion. By 2017 the number of mobile apps downloaded on those smartphones will increase to about 268 billion, which will generate more than $77 million of revenue for those third-party app companies. With that being said, mobile devices and mobile apps, are the perfect targets for hackers moving forward.
And as mobile grows, so will the complexity of all of the security threats that are introduced onto these devices and within these applications. There have been some reports from some security vendors in the space saying that as of right now, there are more than six new threats discovered every second from a malware perspective. And with the reported number of about 95 percent of the top apps on Android and about 85 percent of the top apps on iOS being hacked, this is obviously a trend. We know the need is growing from an application management and from a mobility management perspective, and we're hearing that from our customers and enterprises in the field. Based on a recent survey IBM conducted, about 52 percent of organizations have said that safeguarding their applications and data on these mobile devices, whether they're corporate-owned assets or BYOD assets is their largest concern. But less than half of that 52 percent have actually taken steps to respond to this problem. The first step in fighting this trend is to protect the devices by deploying a solution to manage this diverse set of mobile devices regardless of ownership. Once that protection is secured, then more sophisticated malware and threat detection can be enabled on these devices.
So from a trend perspective, we see malware really falling into numerous different categories. As of November 2015, we've been seeing increases in the use of certain types of malware. The top one is adware. It's typically something that is seen as more of a nuisance for users, but it's also been known to redirect user browsing behavior to malicious websites or known phishing websites.
Backdoor malware, which gives hackers the ability to gain access to devices to install more malware, is No. 2. Maybe that malware can be used to spy on the user through a connection with the device's microphone, the camera, or even GPS.
Third on the list is something we call banker malware. Banker malware is used to intercept authentication requests between the user's device and their bank. Not only is it used to intercept those authentication requests, whether it's username and password or a PIN and token being sent via a text message, but sometimes this type of malware actually tries to replace the user's banking app with a fraudulent one. You can understand why that would be a problem. In addition, some other types of malware are gaining in popularity. Data stealers can steal personal items, like your contact list, images and emails, much like traditional spyware. We're also seeing more advanced exploits that gain root-level access to mobile devices.
Finding Compromised Devices the MaaS360 Way
FIELD: Given all of the threats that you've mentioned to this point, how would MaaS360 let you know if a device has been compromised?
NIELSEN: We talked about the need to protect mobile devices, and one way to protect them is by implementing an enterprise mobility management (EMM) solution like MaaS360. MaaS360 can retrieve hundreds of data points from a mobile device to see if it has in fact been compromised. From a device and OS perspective, MaaS360 can discover whether a device has been jail-broken or rooted. Also from a device and OS perspective, MaaS360 can let the administrator know whether a device is encrypted or protected with a passcode, the OS version a device is running and whether that OS is up to date. It also lets IT know about any known vulnerabilities for that version of the OS vulnerabilities and whether or not they've been patched. In 2013, there was a large vulnerability on Android known as the Master Key vulnerability, and MaaS360 can report vulnerabilities like Master Key to the IT team and whether the vulnerability has been patched on a certain device, which is very important. MaaS360 can also alert IT whether users are connecting their mobile devices to insecure Wi-Fi networks.
Things get a little more complex at an application level. However, MaaS360 can query applications installed on a given device and determine if those applications have known malware installed - and that's across all of those different categories we talked about earlier - and provide you with discovery reports should malware be found.
Another option from an application perspective is our app list and reputation score. MaaS360 has the ability to examine every application installed on a user's device and apply a rating to those applications from one, a safe application, to 10, a malicious application. The rating is based on several security details, including:
- Whether the app can read a user's call log history;
- Whether the app can access other sensitive information, such as contact lists, on the device;
- What OS permissions the app has;
- Whether the app can send text messages or download content without notifying the user.
MaaS360's app list will alert you to known malware, but it will also tell you what your seemingly safe app is doing that may be problematic from a risk perspective. Perhaps it can do things that you don't want happening within your enterprise. You can define rules within MaaS360 that automatically take action on any device found in a noncompliant state. Those actions can range from notifying an IT admin that a device is in a compromised state to limiting access to corporate resources, such as email or file share, to uninstalling the compromised app. These rules can be automated, provide different notification options and in general very tailorable.
How MaaS360 Guarantees User Privacy
FIELD: The features you've described sound very useful on an administrative level. But let's talk about privacy. Would it be problematic on a privacy level to use this ability to remove apps remotely or even to wipe a mobile device?
NIELSEN: We get that question a lot, both from large enterprises and some of our smaller customers. Most companies, when deploying an EMM platform, have a policy that their users must accept before gaining access to corporate resources via their mobile devices. Now, this policy typically gives the employer the right to take action on a device if that device is deemed out of compliance for any reason. Now, with that being said, many employees' first thoughts are: "Hey, this is Big Brother. What they can see on my device from a privacy perspective, and what can they do to my device from an action perspective?"
Now, with that being said, there are privacy controls within the MaaS360 platform that admins can put in place to give their users peace of mind. For example, MaaS360 does not capture data such as your phone call history and SMS message history. Nobody has access to that information besides the user. MaaS360 also provides administrative control to determine what other type of personal data can be captured from the device and disable access to that information. You can disable administrative access to such information as an employee's personal app inventory, their location and other PII indicators like phone number and Wi-Fi connection. This information is not collected from the user's device and will give them that peace of mind of: "Hey, my device is under corporate management, which is a requirement for me to get my job done; but my employer doesn't have access to to my sensitive content, my pictures, my phone calls or any of my personal content on the device."
Limiting Access to Malicious Websites
FIELD: And MaaS360 does have the capability to prevent users from accessing malicious websites, even with the privacy controls, correct?
NIELSEN: Yes. MaaS360 offers a number of different options, based on policy that the admin team can define to limit the chance that users can access those sorts of sites. And that's accomplished through the MaaS360 Secure Browser. Secure Browser lets admins block things like file downloads and more importantly, set up category-based URL filters that would prevent users from accessing compromised websites, known malware, phishing and fraud sites and other websites that are known to install unwanted software on their devices without user consent.
You're probably thinking: "That's great, but there are billions of websites out there; how do you keep up with that information to ensure that my users can't access those?"
Well, the MaaS360 platform processes over 12 billion Internet transactions per day to maintain that database of about 140 million of the most relevant URLs that your users would want to access. Based on that database of categories, sites and whatever else is happening on the Internet, we're able to provide a very accurate URL protection platform to really limit the likelihood that users will access those malicious websites.
Oversight? Set It and Forget It!
FIELD: John, most enterprises that I speak with have to manage hundreds if not thousands of mobile devices. When you get to that scale, to what degree is oversight an issue?
NIELSEN: From an oversight perspective, not much is really needed after the initial setup because MaaS360 provides a "set-it-and-forget-it" policy engine. We have customers that have rolled out and enabled management on thousands of devices a day within their enterprise, and once that deployment takes place, automated alerting rules and scheduling can be defined so IT admins can keep up-to-date with the security posture of their environment without accessing the admin portal. As a result, security folks know what's happening in real time based on the security posture.
In addition to some of the tools within the platform, MaaS360 also integrates with other security information and event management systems (SIEM), such as IBM's QRadar platform, to provide even more automation and real-time notification from a security event perspective. Essentially once the platform is up and running, very little oversight of daily operational usage of the platform is needed to ensure that you're protected.
Visibility Is the First Step
FIELD: John, one final question for you: Once your customers have had a chance to deploy MaaS360, what do you find to be their experience? Can you describe a general use case?
NIELSEN: First of all, they tell us they can sleep better at night. They feel protected, and a lot of that stress is alleviated.
Outside of that, the first thing we really hear about is visibility into their environment, and it's really an "Aha" moment for a lot of our customers. Once they roll out MaaS360, not only can they see all of their mobile devices in their environment, but they also have an overall view of the security posture of each one of those devices. For example, they learn how many devices are running an older, maybe compromised, operating system; how many devices have been jailbroken or rooted' and even the overall risk and reputation of the applications in the environment.
Typically, a company starts slow. Visibility is the first step - understanding what the mobile environment looks like and what potential risks are out there. Once that is known, a policy and action framework can be built to limit the corporate security risk without compromising usability of employee devices so they can really get their job done. The MaaS360 platform contains a number of best practice security policies that can be implemented based on the IT admins working with our team, their vertical, industry size and the types of regulations in their industry, whether it's healthcare and HIPAA or financial regulations, school districts and things like that. So it's really getting that peace of mind from an IT perspective that, their devices are being managed and, more importantly, the security posture of those devices. Whether it's a vulnerability perspective or a malware perspective, they now know what's out there.