We speak to Lookout's Chief Security Officer about the mobile security threats keeping CISOs up at night.
After two decades in high-end security research, Mike Murray knows a thing or two about cyber security defences and those who try to breach them.
These days, he specialises in the securing of mobile devices, a relatively new arena driven by the rapid rise of the smartphone. But this space is already under assault by a new breed of sophisticated cyber attackers.
At a recent partner catch up, we spoke to Mike about how he’s seen the mobile security market evolve, and how CISOs should approach mobile device security.
Mathew Richards: Hi Mike, thanks for taking the time to talk to us today. Can you tell us a little bit about your role at Lookout and what elements of the role do you enjoy most?
Mike Murray: What I enjoy most, that’s a tough one… Well, I’m the Chief Security Officer here at Lookout and I’m responsible for security and what we call ‘Customer Zero’. That means I’m the first customer to review and test all that we do!
At the same time, I also run our intelligence function, including all the people who teach our product how to detect cyber threats, vulnerabilities and developing trends.
So, it’s both an engineering role and a protection and education role.
MR: We speak to several CISOs, and a lot of them identify enabling cloud and secure mobile working as the most important concern for organisations today. What do you feel are the major security concerns and challenges keeping CISOs up at night?
MM: I think it’s a few things. The first one, is the rate at which the regulatory environment has changed over the past few years. We’ve evolved regulations such as the PCI DSS and HIPAA. We’ve seen even tougher new regulations such as GDPR come into play – and as that evolution has happened, the importance of protecting our organisation’s and customer’s data has become paramount.
To give you an example, I was sitting with the CISO from a major financial institution yesterday and he said there is now no level of acceptable risk when it comes to data breach.
“Traditionally security has been seen as “the department that says no”, but there is a flip side to that story.”
That’s a big shift from the past, where companies were prepared to tolerate a certain level of risk – like the well-known example of a car company weighing the risk from a car recall versus the cost of a lawsuit. In the current environment that is not an acceptable approach when it comes to losing people’s personal data.
Traditionally security has been seen as “the department that says no,” but there is a flip side to that story. Despite this intense pressure to protect customer data, most CISOs are also dealing with pressure from business leaders to keep the wheels turning.
You can no longer survive as a modern CISO without figuring out that you’re actually there to help the business transact. Your job is not to stop transactions – it is to help the business understand the risk posture and realise what they’re doing.
It’s become a real balancing act for most CISOs, and I think that’s what’s keeping them up at night.
MR: So, in line with the regulatory evolution, and subsequent affects we’ve seen on the CISO role, can you share insights on how you’ve seen the mobile security market evolve?
MM: Well, firstly, there wasn’t a mobile security market 5-10 years ago! There is increasing awareness of the issues now, but it’s still a huge challenge for many organisations.
The biggest evolution (and there’s still a long way to go) is people’s understanding, awareness and even ‘acceptance’ of the risks posed from a lack of mobile security. People have been slow to get their head around the fact that our phones are not what they used to be.
We are not talking about a Nokia 3210 ‘brick phone’ here, or the old Motorola flip phone – these modern smartphones are essentially supercomputers in your pocket, with more power than any computer 35-plus year olds had when they were growing up.
But we don’t call it “the computer in our pocket” – if we did, all these people who are walking around with no security software on their phones would change their minds real fast. None of us would buy a laptop for £700 – £1000 and not put anti-virus on it – but all of us do it with our phones.
That understanding is changing now, as we’ve seen more threats against devices with Pegasus and nation state attacks getting reported in the news. It’s become something that the industry understands more, but there is still a long way to go.
Download 'The six biggest cyber security threats to your organisation' to gain:
MR: What other barriers are slowing development and investment in mobile security?
MM: I think a big problem is the fact that most people don’t understand that the mobile security environment is almost entirely different than the security environment for PCs. You can’t look at or treat the two the same way!
To understand that, you need to look at the history and evolution of cyber-attacks and the effect that has had on today’s CISOs and senior security managers.
If you think about the threat evolution over the last 25 years for PCs, you can probably split it into three main stages. We saw the first attacks against the PC from roughly 1995 – 2003, with a bunch of really noisy, unsophisticated attacks such as SQL Slammer, Code Red and the ‘I love you’ virus.
These attacks had no real motive behind them, they were just there. The security industry’s response to that was anti-virus tools with Norton and McAfee, the first checkpoint firewalls and the first intrusion detection systems (IDS).
From 2003 – 2010, you started to see cyber-crime get a little more advanced with the first data breaches – and the industry responded with web app firewalls, data leak prevention and a few other tools.
Then, from around 2010 to present day, we’ve seen the development of what we call advanced persistent threats (APT) or ‘the nation state’ actor. Attacks like GhostNet, Stuxnet Worm and Deep Panda – really advanced stuff.
“If you can hack the mobile device, you can get access to the microphone, camera, location, app usage, messages, you name it. A hacked phone can give the attacker access to many areas of a person’s life.”
It’s taken cyber criminals and the security industry 20 years to work up to that – from really loud, obnoxious attacks, to slightly less loud, obnoxious cyber criminals, to the modern-day highly skilled, and highly resourced (sometimes government backed) attacker.
When you talk with CISOs and most C-Suite enterprise executives about mobile threats, they say: “Well, I don’t see any cyber-crime activity on my company mobile devices at a low-level so I’m not going to look further.”
That’s a huge mistake – but it’s understandable given people’s experiences over the last 20-25 years. They aren’t looking at the problem the right way – they’re looking for the pattern we had with PCs; the loud, obnoxious sequel slammer type, rather than looking for APT first.
The problem with mobile threats is that your adversary is really good at this – so unless you’ve invested in the proper tools, you’re not going to find the breaches.
MR: So, what is it about mobile devices that makes them a priority target?
MM: Advanced hackers go for mobile first because a hacked mobile device is so much more valuable than a hacked laptop or desktop device.
We use PCs to store files, yes, but the mobile phone has become our primary access device and it’s ALWAYS with us, to the extent that it’s now our primary method for 2-factor security authentication.
Think of your typical business meeting, you’ll turn your laptop off or leave it on your desk, but you’ll have your phone with you on the table.
If you can hack the mobile device, you can get access to the microphone, camera, location, app usage, messages…you name it. A hacked phone can give the attacker access to many areas of a person’s life.
This risk is also then accentuated by the fact that people view mobile devices as almost disposable nowadays, since all their important information is not stored on there – it’s in the Cloud. They know that if they lose their device, they can be up and running with a new phone from a back-up with minimal hassle.
If people think their phone is disposable, then they’re not thinking about the need to secure or protect it. If people realised the extent to which hackers can access personal data, they would see the phone as more valuable – and secure it properly.
“When you talk with CISOs and most C-Suite enterprise executives about mobile threats, they say: ‘Well, I don’t see any cyber-crime activity on my company mobile devices at a low-level so I’m not going to look further.’
That’s a huge mistake.”
MR: We know that phishing (and spear phishing) is the number one attack vector for cyber-attacks. Can you tell us why mobile phones are particularly vulnerable to this form of attack?
MM: The biggest vulnerability organisations and users have to phishing attack on mobile is the fact that attackers can easily bypass all the years of hard work companies like Google and Microsoft have put into anti-phishing protection!
When you look at a mobile device, the best way to ‘fish’ someone is not through email – it’s through a text message or through Facebook Messenger or WhatsApp.
What can your enterprise do to stop a WhatsApp phishing message? Absolutely nothing – no protection. And in 99% of those hacks, if you’re talking about a more sophisticated adversary, what that link will do is pop open a browser and run a zero-day exploit against the browser. The browser will then crash, and they will install all the spyware directly to the operating system. So, there’s nothing a user can ever do to uninstall as they have no access to the OS to fix it.
MR: Are the users themselves more susceptible to phishing attacks on mobile versus on laptop? Does this accentuate the problem?
MM: Yes, they are – and yes it does. I think the industry has done a really good job of training users not to fall for phishing over the years, teaching people to make sure that the site looks right, to check the certificate bar, to hover over a link to check it before you click etc…
All of these techniques work on a laptop, but NONE of them work on a phone. You can’t hover over a link and lots of websites look completely different on mobile because you’re working with smaller screens and sites are built with responsive designs.
“What can your enterprise do to stop a WhatsApp phishing message? Absolutely nothing – No protection.”
So, you can’t just tell people to ignore an email nowadays just because the site looks different on mobile to what you’re used to – it’s going to cause problems for legitimate business. The old rules are blurred now, and users are getting caught out more often until the industry can complete a re-education process to counter the mobile phishing threat.
MR: We speak to clients who tell us, “I’ve got an MDM solution; I’ve got Apple iOS,” or that the operating system on the phone is security enough. What do you say to that?
MM: I hear this a lot, and it’s a huge generalisation and a dangerous one. You often see people assuming that just because something is protected with encryption, that it means all of the security is taken care of.
Or, in the MDM (mobile device management) case, they will have a couple of features that do some security things and the assumption is, well, they do some security stuff, so they do everything. But you wouldn’t assume that if you went McDonald’s because they serve food, that they also make Michelin starred meals, right?
It essentially stems back to what I was saying earlier about the lack of value people and the industry attribute to the mobile phone as a supercomputer in your pocket. If you don’t believe that this is a device you need to protect – because you’re used to it being a phone – then base protection seems good enough.
Don’t forget that the attackers hacking into mobiles are the best of the best. It’s going to take the same amount of investment and technology to keep these guys at bay as you’re used to spending on endpoint security. It’s just that the awareness isn’t there yet.
“Teaching people to make sure that the site looks right, to check the certificate bar, to hover over a link to check it before you click etc…
All of these techniques work on a laptop but NONE of them work on a phone.”
MR: What can you tell us about the Lookout Security Cloud and how this puts you in a unique position to identify threats?
MM: With the Lookout Security Cloud, we have built up a vast amount of data on valid phone configurations, iOS configurations and applications. We have a database of 70 million apps (up from approx. 65 million apps the year before) and telemetry on 170 million devices.
This enables us to provide a data-driven approach to our clients, looking at complex patterns that indicate known and novel threats, software vulnerabilities, risky mobile behaviours and configurations and track them in real-time across our global sensor network.
It really does enable us to see those evolving threat actors first.
MR: Lookout are partnered with Microsoft. Can you describe the relationship and integration between Microsoft’s MDM technologies and the Lookout solutions?
MM: Our partnership is incredibly strong – they are actually an investor in Lookout technology. We were the first to be integrated with Intune and we maintain a very close integration with Windows Defender ATP. We really think that Microsoft’s a leader in the MDM security space.
We see about a hundred customers and partners a year in the UK and what they are all saying is that Intune is leading the way in the access of non-managed devices.
The more customers we speak to, the more that we hear that they don’t want to have devices under management (as it’s a personal data protection headache). They want to protect their apps without enrolling the phone to MDM, they want the user to prove their own phone security credentials to access enterprise systems in a BYOS (bring your own security) set-up.
Banks and insurance companies are already making big advances down this road with their own staff. This is something that Microsoft has been an early adopter of and we’re working closely with them – and we’ll be the first vendors to deliver security that works that way.
That’s where the industry is going – especially as we get more privacy conscious; the idea that an organisation’s going to manage a device that has all of your personal information is a non-starter for a lot of organisations, and with Lookout and Microsoft being the first ones down that road, I think it’s going to be really exciting.
Next, download our free e-Guide to discover the six biggest cyber threats in 2019 or find out how to safeguard your data and applications with conditional access and MFA.
Simply request a free Vision Call. We can help you with solution ideas, technology education, best practice advice and more.Request Vision Call
Eight-time winner of the Microsoft Partner of the Year Award for Identity Management, Enterprise Mobility, and Security and Compliance.
You are seeing this because you are using a browser that is not supported. The ThirdSpace website is built using modern technology and standards. We recommend upgrading your browser with one of the following to properly view our website:Windows
Please note that this is not an exhaustive list of browsers. We also do not intend to recommend a particular manufacturer's browser over another's; only to suggest upgrading to a browser version that is compliant with current standards to give you the best and most secure browsing experience.