The Unknown Threats Will Get You, Every Time

Craig Dunaway didn’t see it coming.

His company, restaurant chain Penn Station, had done everything possible to secure its sensitive data and that of its customers. Even still, Dunaway, the president of Penn Station, would learn in 2012 about an unusual security breach.

Malware secretly uploaded to Penn Station’s network had been stealing credit card information from point-of-sale (PoS) terminals at 80 of its 238 locations. Penn Station learned of the breach, which had been going on for weeks, only after a customer called to report a compromised credit card shortly after dining at a one of its restaurants.

“I wish I would have known how sophisticated and how ramped these attacks are,” Dunaway later said. “I think there is no substitution for putting your point-of-sale system on lockdown.

Webinar: How to Keep Mobile Threats at Bay

Enabling and Securing iOS and Android in the Enterprise

Securing today’s powerful mobile devices and the data on them is critical for the enterprise, but more than half of decision makers in a recent IDC survey had security and compliance issues during mobility rollouts. Join guest presenter Rob Westervelt, research manager for security products at IDC and Michael Shaulov, head of mobility at Check Point to learn why it’s more important than ever to have security for iOS and Android that provides continuous mobile protection for apps, networks, and operating systems.

> Register for Americas Session

> Register for Europe Session

Even though PoS systems handle millions of encrypted transactions per day, if there’s a will to steal data, there’s always a way. And the cost of a breach can be staggering. Target spent more than $252M on its massive PoS system breach in 2013, also caused by malware secretly uploaded to its network. Then in 2014, Home Depot became the next PoS malware victim which could eventually cost the retailer billions.

Without appropriate security measures designed to protect new technologies from unknown threats, breaches are pretty much inevitable. So if the tools exist to help protect sensitive information, and if recovery is far more costly than protection, why are smartphones and tablets in the workplace today, like PoS systems then, left under-protected or not protected at all?

In its 2016 Data Breach Investigations Report, Verizon claims there’s no “significant real-world data” about breaches to make mobile security a priority concern. Coming from Verizon, that perspective isn’t at all surprising. Last year a whopping 70% of Verizon’s $129B revenue came from its wireless business which grows steadily year over year as its wireline business withers.

Security vendors paint a scary picture of a mobile landscape wrought with malware and other cyber threats but, torches and pitchforks aside, there’s quite a bit of data that mobile attacks could bring us to our knees. If not this year, then soon.

Let’s take Verizon’s research from last 2015 that said a mere 0.03% of mobile devices on its network were victims of “truly malicious exploits.” (A number Verizon said is “negligible.) If we assume that rate is the same across all networks globally, and if there are about 7.8B mobile connections on the planet (more than the number of people, by the way), that’s 2.3M infections that we know about.

If the population of Houston, Texas had the flu, would you be concerned?

Never mind the unknown infections caused by users who have no clue about phishing scams, the dangers of rooting and jailbreaking, or the risk of getting apps from unofficial sources. It’s not inconceivable to think there are millions of people happily using their devices for work and play without a care in the world that the sensitive information on the device is exposed. Moreover, if there’s no regulatory requirement to disclose a breach publicly, why would any organization do so, and how would we ever know?

So 2.3M infected mobile devices may be a negligible concern for Verizon, which has a growing wireless business to protect, but for a security professional, that’s a lot of risk.

The breadth of infection is one concern, but what about the depth? Threats to the security of mobile devices haven’t just increased in number, they’ve matured in sophistication too. Cantankerous malware has given way to a new breed of malicious code on both iOS and Android that avoids detection and removal through adaptation.

Today’s mobile malware scoffs at simple mobile anti-virus and glides through solutions that determine whether an app is reputable or not. Making matters worse, the feverish pace of development pushes to market hundreds of new devices, apps, and variations of operating systems, all with varying degrees of unknown vulnerabilities just begging to be exposed by cyber criminals.

It’s true there hasn’t been a sensational mobile breach that’s put any organization under the security microscope – yet. At least not one that we know about. However, there also hadn’t been a breach of PoS network security before 2012, or of laptop and PC security long before that.

It’s cliché but true: It’s not a matter of if a major mobile breach is coming, it’s a matter of when. That’s why gaps in mobile security should strike chords of fear in the hearts of every security professional, and for C-suites everywhere that have to cover the costs and the public fallout of a breach. If you already know what’s coming tomorrow, so what might you do today to prepare yourself?

Just ask Craig Dunaway, I’m sure he’d know what to do.

Jeff Zacuto is a San Franciscan, gadget geek, and senior mobile security marketer at Check Point Software Technologies. His 15 years of experience with mobile technology, security and compliance gives him a unique perspective on the needs and expectations of IT and security professionals, end users and corporate executives.