Insight by Lookout

How to secure mobile devices in the age of mass teleworking

The year 2020 will be long-remembered for many reasons. Information telework – and the resulting explosion in use of mobile devices as network endpoints.

That means protection of mobile devices is more important than ever. More than securing devices and mobile workforce per se, it’s important to think of this effort as helping secure the agency enterprise itself.

As Bob Stevens, the vice president for the Americas as Lookout explained in a recent interview, agencies early in the pandemic response rushed to obtain mobile devices – smart phones and tablets, specifically – for those who suddenly needed them. Now, in a sort of second wave of activity, they are buttoning up this part of the enterprise. He said agencies are going to stick with teleworking on a large scale.

Key to understanding the best strategies for protecting mobile devices is to understand “they are outside the infrastructure. They’ve always been outside the infrastructure,” Stevens said. And yet, enterprise data comes into the devices for onboard processing and storage. Stevens said any strategy for securing mobile devices must prioritize the data.

He added, “Techniques to secure them is a defense in depth approach.” Elements of defense in depth include:

  • A virtual container on the device to isolate government applications and data from the user’s personal apps and data. “You’ll have your work inside that container where it’s protected and encrypted,” Stevens said.
  • VPN service for reaching back into the network that encrypts data in transit.
  • Anti-virus, anti-phishing and anti-man-in-the-middle attack software stack. In particular, Sevens, said, Lookout can detect when a session is being terminated by a seemingly benign WiFi connection that’s actually a man-in-the-middle attack collecting data – including credentials – coming from the device. These measures reinforce the container and add protection against unwanted root access (which can bypass the container) or jailbreaking.
  • Application monitor running on the device to ensure apps are free of malware.

“It’s really all of those things that are needed to protect the mobile devices,” Stevens said.

As for phishing, Stevens said this form of email remains the most common vector for sophisticated adversaries, such as nation-state actors, to get into a mobile device and the data it holds. Moreover, “what we know of phishing in the mobile world versus the desktop-laptop world is completely different,” he said.

“On a mobile device, phishing can happen many, many different ways,” Stevens said, including from text messages and in a myriad of apps like WhatsApp or mobile versions of social media. So a big part of minimizing the risk is training users to be alert for the mobile-specific phishing avenues.

Application monitoring, Stevens said, principally requires scanning them for viruses and other attacks, and checking to see if they are communicating only with authorized serves – and not servers in, say, China or Russia. Or whether it’s monitoring the user’s location.

Lookout’s technology, Stevens said, can scan at high speed applications users download. Applying artificial intelligence, “we can tell pretty quickly, whether it’s going to have either risky behavior or malicious behavior. And we’re going to notify both you and the organization to ensure that that no one actually uses that application.”

Also key to mobile device assurance is having visibility into all the devices being used on the network, if only to ensure that users have up-to-date operating systems that can accept the latest patches.

“It’s important to have the visibility into the operating systems you have deployed,” Stevens said, “because if you’ve got one that’s really old it could have a bunch of there’s no patch for because those companies stopped supporting those versions.”

Securing Mobile Devices in the Enterprise

The use of those devices has got to be a greater concern to all of the government agencies. And they've got to really pay attention and prioritize the securing of data. Telework happened in a big way a few months ago. Most agencies are going to stick with it for the foreseeable future, if not forever.

Phishing and the Analysis of Applications

Our back end infrastructure is set up so that when you download an app, we are analyzing that app. We can tell pretty quickly, whether it's going to have either risky behavior or malicious behavior. And we're going to notify both you and the organization to ensure that that no one actually uses that application.

Phishing Attacks, Cloud Applications and Supply Chain

We really need to start paying attention to fishing on mobile devices; it's becoming more and more prevalent today. So I think one of the things IT shops need to ensure is that they have some sort of fishing protection on their mobile devices. Because I can tell you that most of them today have nothing.

Listen to the full show: