Devin Partida, Author at eSecurity Planet
https://www.esecurityplanet.com/author/dpartida/

How Machine Identities Can Imperil Enterprise Security
https://www.esecurityplanet.com/cloud/machine-identity-security/
Mon, 18 Oct 2021 19:38:35 +0000

Managing machine identities has never been more critical to an enterprise’s cybersecurity.

Machine identities now outnumber humans in enterprises, according to Nathanael Coffing, co-founder and CSO of Cloudentity. Without thorough visibility and proper management of machine-to-machine communications, all those machines can become a huge security issue.

Gartner’s list of the top security risks and trends for 2021 included machine identity management for the first time. This should come as no surprise. Coffing notes that the recently discovered ThroughTek Kalay vulnerability compromised 83 million IoT devices, which better machine identity management could have prevented.

“This security flaw would have been identified earlier if the organization had full visibility and control over every machine identity connected to their SDK,” Coffing said.

In a conversation with eSecurity Planet, Coffing explained why this area is such a concern and what enterprises can do in response.

Poor Machine Identity Management Introduces Risks

If the past few years of cybercrime trends indicate anything, it’s that companies have a shocking number of vulnerabilities – and cybercriminals are getting better at exploiting them. Machine identities are one of the most prominent risks.

The rise of automation and the IoT have resulted in enterprises unintentionally expanding their attack surface. “While machines provide numerous benefits to organizations, such as the distributed ability to share and collect data, they also introduce new points of attack and added security challenges,” said Coffing.

As the ThroughTek Kalay incident demonstrates, businesses lack visibility over their vast fleet of devices. Without complete visibility, it’s not always easy to determine what data is going to which device. That uncertainty lets software vulnerabilities and the cybercriminals that exploit them go undetected as they compromise organizations’ information.


Machine Identity Risks Go Overlooked

Another factor that makes machine identities so concerning is that businesses often overlook them. As Coffing points out, the ThroughTek Kalay breach would not have been as severe had the company had a system to manage its machine identities. Unfortunately, many organizations keep expanding their IoT environments without considering their vulnerabilities.

Even in terms of IoT security, identity management is not always a part of enterprises’ strategies. Regulations like California’s SB-327 strengthen connected device security standards but don’t require identity management schemes. As a result, businesses may feel protected because of their other security steps despite these vulnerabilities remaining.

Organizations may establish an identity and access management (IAM) system that applies only to user identities. With more devices than there are users, though, that strategy stops short of what’s needed. Identity management must also include machines.

How Enterprise Security Can Adapt to Machine Identity Risks

While these risks remain prevalent, enterprise security strategies to cope with them are changing. High-profile cyber attacks have brought more attention to the issue, driving organizations to consider their machine identity management.

For now, only businesses with leading cybersecurity strategies feature thorough, companywide machine identity management. Most still lack sufficient tools in this area, even if they are increasingly aware of the risks. According to one study, 42% of organizations have a limited strategy that applies only to some applications, while 18% have none at all.

Coffing outlined several considerations for enterprises looking to adapt their security strategies for machine identity risks. Here’s how businesses can protect themselves against these emerging threats.

Digital Secrets

“With the increase in machine identities, security leaders must implement a machine IAM strategy that includes digital secrets,” says Coffing. These secrets typically take the form of a username and password, but security teams must take a different approach to credentials with machine identities. Coffing recommends cryptography and private keys.

Cryptography ensures that sensitive data traveling between devices is unreadable to machines and users that shouldn’t have access to it. Machines must have cryptographic certificates to verify their identity, and only then can they decrypt this data. This key system ensures that only authenticated, authorized devices can access any given data packet.

Coffing also suggests that as part of this strategy, companies use private keys based on open standards. Public key infrastructure (PKI) and Secure Production Identity Framework for Everyone (SPIFFE) provide a roadmap for securing cryptographic communications.

Authorization Governance Automation

One challenge enterprises face in machine IAM is growing workforce and resource shortages. The U.S. cybersecurity market currently needs 350,000 additional workers to meet demand, and many companies also lack sufficient IT budgets. Coffing suggests that cybersecurity teams embrace automation to cover these gaps.

“Without the proper automated software solutions, such as authorization governance, IT teams won’t be able to manage the massive influx of machine identities on their network,” Coffing said.

Authorization governance automation creates risk profiles for each machine identity based on real-time context. That way, businesses can account for the fact that a device can be trustworthy in one situation but not another.

Automation can handle these identity risk evaluations far faster than human workers. It also gives security teams more time to focus on other tasks, accomplishing more without additional staff.

Zero Trust Architecture

Coffing also says zero-trust security is a must for machine identity management. Just as enterprises adopt these policies for their user IAM strategies, they should expand these actions to machine identities. Systems must restrict data access and verify machine identities before authorizing them, regardless of whether or not they appear trustworthy initially.

Businesses must apply these policies to everything, not just behind-the-scenes organizational work. As Coffing said, “zero trust is enforced at every transactional decision point when users sign and request access to apps or devices, or when machines exchange data with partners and customers.”

Any data exchange with customers, partners or other third parties must rely on zero trust architecture. Just as businesses should never assume any user is safe, they shouldn’t trust any device until it has been verified, and even then they should give it only as little information as necessary. These steps will hinder unauthorized network access and reduce data leakage.

Cybersecurity Strategies Must Include Machine Identities

Much cybersecurity literature today focuses on human threats, and indeed, users are still a prominent security concern. However, enterprises must not overlook the importance of machine identity management in their cybersecurity strategies.

By following these steps, companies can account for machine identity risks in their broader security infrastructure. They can then expand their device fleets with greater safety.


Mobile Malware: Threats and Solutions
https://www.esecurityplanet.com/mobile/mobile-malware-threats-and-solutions/
Wed, 11 Aug 2021 19:10:20 +0000

As users have increasingly moved from desktop operating systems to mobile devices as their primary form of computing, cyber attackers have taken notice and malware has followed. While the total volume of mobile malware is a fraction of that created for desktops, it is nonetheless a growing security concern, as more and more high-value and sensitive tasks are performed on mobile devices.

Mobile malware statistics

McAfee recently published a report stating that mobile malware infections in the fourth quarter of 2020 surpassed 40 million after steadily climbing earlier in the year. More than 3 million of those attacks represented new types of malware.

Check Point published mobile security research showing that 46% of respondents experienced employees downloading at least one malicious app during 2020. Another finding was that 97% of organizations dealt with mobile threats that used various attack vectors.

Types of mobile malware

There are several different forms of mobile malware, including some that specifically target handheld gadgets.

  • Adware: Though not all security professionals consider adware malicious, this threat category presents users with unwanted advertisements and may track their activities without consent. Security researchers at Kaspersky determined that it accounted for 61.43% of mobile malware detected in Q1 2021.
  • Trojans: As is the case on desktop, trojans provide a backdoor, enabling an attacker to execute code or control a device remotely. One such Android malware type identified in early 2021 can gather and exfiltrate data ranging from phone contacts to text messages and browser data while remaining hidden from users.
  • Keyloggers: Keyloggers, which also sometimes include screenscrapers, sit on a user’s device, logging all keystrokes in an attempt to find valuable information.
  • Bank trojans: This type of malware is particularly attractive to mobile attackers, as it combines a trojan with a keylogger. In March 2021, security researchers detected a new bank trojan they named Vultur. The team confirmed it has keylogging and screen-recording capabilities.
  • Ransomware: Though not nearly as common as it is on the desktop, ransomware is a type of malware that will encrypt a user’s data and hold it for “ransom” until the attacker is paid.

How mobile malware infects users

There are a variety of mechanisms by which different forms of mobile malware infect and exploit mobile devices.

  • Attacking known vulnerabilities: This is perhaps the most obvious form of attack, when attackers simply go after known issues. The challenge is that not all users can update their mobile operating systems as quickly as attackers put out mobile malware.
  • Permissions abuse: Different forms of malware (often adware) can get on mobile devices when applications are granted unnecessarily high permission levels. One recent investigation of the top 1,020 Google Play Store apps found that many asked for potentially dangerous permissions. For example, 77% wanted to read external storage.
  • Malware preinstalled on phones: Some mobile malware comes on phones out of the box. One report warned how this problem often affects developing nations and residents who use low-end devices. It also recently cropped up in the German market when new phones included mobile malware that could send malicious WhatsApp messages.
  • Distribution through app stores: The vast majority of malware and malware-integrated apps come from third-party app stores. A 2020 report found that the Xiaomi app store was the most likely place to come across dangerous mobile apps. More well-known sites — such as Apple’s App Store and the Google Play Store — have stringent quality controls, and are less frequently impacted.

Mobile attacks beyond malware

While malware can often be a payload in a mobile attack, non-malware-based attacks often hit mobile users.

  • Authentication attacks: Many different types of authentication attacks aim to steal user credentials or trick users into inputting their credentials into a fraudulent web page or app.
  • Man-in-the-middle (MiTM): In a MiTM attack, the data stream from the app to the back-end web service is not properly configured for encryption, enabling an attacker to potentially intercept mobile traffic. This type of attack can occur in a Wi-Fi hotspot, for example.

Creating a mobile device policy

There are several different ways to keep mobile devices and users safe from mobile malware. For organizations, the best approaches often involve implementing a formal Bring Your Own Device (BYOD) or Enterprise Mobility Management (EMM) system.

Learn more about BYOD and EMM in the eSecurityPlanet guide to EMM.

When employers review BYOD device policies with their workforces, the coverage should explain how these devices and their content could pose dangers to a workplace network. Employee awareness helps minimize possible malware infections, whether workers clock in from an employer’s office or at home.

Educating employees on mobile threats

There are a few key things employees need to understand when it comes to mobile malware. Following cybersecurity best practices is a business necessity since it reflects positively on companies and could lead to new customers.

Additionally, while it is possible to become infected with malware via the authorized, official Apple App Store or Google Play, it is significantly less likely. Users can also take precautionary measures to further reduce the risk. Most mobile malware typically reaches users through jailbroken or rooted phones and software obtained from unknown third-party sources.

It’s also useful to tell employees how certain industries may be more at risk for mobile malware than others. A 2020 report showed how three out of four phishing attempts targeting pharmaceutical employees also delivered malware to victims. Additionally, of those attacks, 35% tried to steal credentials.

Keeping your network safe from mobile malware

Mobile trojans can be used in some cases to create a zombie botnet that will attack a local network. Just like any other device connected to the network, mobile devices should always be monitored and logged for potentially malicious activities.

Beyond just monitoring, the implementation of a Network Access Control (NAC) solution that provides both pre-admission and post-admission monitoring of activity is recommended.

Mobile malware solutions

Unlike desktop software, which can come from any source, the default (and recommended) method to acquire mobile software is via an authorized app store. Both Apple and Google scan all applications in their respective app stores to detect any potentially malicious apps. Going a step further, Google Play Protect is a feature that periodically checks users’ phones for malware and alerts them.

Mobile malware solutions, much like their desktop counterparts, do anti-virus and anti-spyware/adware scanning. Some provide additional scanning to prevent or limit the risk of phishing, and some provide permissions warnings when an app is attempting to do something that requires more permissions than it should.

These are some of the vendors offering mobile security software and solutions:

  • AVG Antivirus
  • Kaspersky
  • Eset
  • Norton Security
  • McAfee Mobile Security
  • Bitdefender
  • Malwarebytes
  • Fortinet
  • Avast
  • Comodo Cybersecurity
  • BullGuard
  • IBM Security
  • Sophos
  • Lookout

Start fighting back against mobile malware

This overview emphasizes why mobile malware is a growing threat. Fortunately, IT professionals can successfully manage the risks by remaining aware of attack methods and taking proactive measures against them.
