Zimperium Blog

Cutting Through the Weekly Mobile Security Noise: We are all in this together

This week in cyber security we have seen that, in the face of attacks from seemingly every angle, the best way to fight back and move forward may be as a united front. While the concept might not seem far-fetched considering that it only takes one weak link (perhaps a smart device or a risky mobile app) to compromise an entire organization, the truth is that security is often very siloed. Here’s a look at the stories that caught our eye this week, from crowdsourcing cyber-security to Operation Pawn Storm:

Crowdsourcing—Potential Jackpot for Cyber-Security?

Dominic Baulto took an interesting look at what might seem to some as the most far-out approach to security, crowdsourcing. President Obama, in his State of the Union speech, alluded to this, highlighting the importance of integrating intelligence in order to combat cyber threats. As a result, the next big innovation in the world of cybersecurity may not be a new piece of code or a new software tool to detect a threat, but rather, a fundamentally new approach in how we think about leveraging partnerships between the private and public sector to protect our nation’s cyber networks.

Heavy Lifting—IoT’s Impact on Enterprise Security

Conner Forrest explores how the connected universe brings with it some heavy baggage to enterprises. There are a multitude of security and privacy challenges to address when considering a foray into IoT, but a good place to start is in defining what your company means by Internet of Things. Despite all the talk about IoT, there is still quite a bit of confusion around what, exactly, constitutes the Internet of Things. “The first big problem that many enterprises face is having their own definition of what they mean by the Internet of Things,” said Gartner analyst Earl Perkins. “So that they can then actually define how they want to approach it from a cyber-security perspective.”

Risky Business—BYOD pitfalls

With 50 percent of firms demanding that employees make use of BYOD by 2017, there is no denying there are pitfalls that both employers and employees need to bear in mind when embarking down this avenue. One such issue is that companies adopting BYOD will demand that devices are set up so they can be remotely wiped in the event that they are lost or stolen. But what happens if an employee’s child has one too many tries at guessing the passcode on their iPad in order to play Angry Birds, which sets off alarm bells in the IT department, and the endpoint software — or an individual — mistakenly interprets this as an intrusion attempt, and then goes on to remotely nuke the device? The bottom line is that BYOD can and does work, but it is, at best, a pre-prepared compromise struck between employer and employee, with the employer holding the upper hand in most cases. A clearly defined BYOD policy helps everyone know what’s going on, and is a vital tool in smoothing relations between both sides.

Operation Pawn Storm

Last week we saw reports of a new type of spyware in the wild targeting iOS devices. The spyware is part of a malware campaign that the security industry is calling “Operation Pawn Storm.” The spyware is actually an app — the security firm Trend Micro has dubbed it XAgent — that attempts to install and run on iOS devices. Once installed, the malicious application can collect text messages, contact lists, pictures, geolocation data, and information from installed apps on an iOS device, and it reports the data back to a control server. It can also collect the user’s Wi-Fi status. Fortunately, on iOS 8 devices it looks like there are multiple notifications that the phone is trying to install an app, which gives the user a chance to refuse.

Cool in a crisis—Breach Response

Data on 70 million customers stolen, 76 million accounts affected, 44 lawsuits filed, 1.1 million customers exposed, 7 million business accounts compromised. That’s just some of the alarming damage done by data breaches at Target, Home Depot, Neiman Marcus and JPMorgan Chase in 2014. And the fallout didn’t stop at those numbers. The year that can be viewed as the one where IT security finally got taken much more seriously by upper management was also characterized by C-suite shake-ups, security department reorganizations, lawsuits, high-level pink slips, disappointing financials and plummeting customer confidence. In other words, data breaches caught the attention of, well, the world – as did the way they were (and were not) handled. But it was the revelation before Thanksgiving that Sony Pictures had been crippled by a breach, one that derailed the company’s operations for a full week, that eclipsed the other major hacks. It served as a lesson to Corporate America on how not to handle crisis communications: bungling relations with key stakeholders (e.g., employees, former employees, creative talent, theater owners) and damaging reputation nearly every step of the way.