Illustration by Security Technology

Assessing the Need for Heightened Mobile Device Security Awareness

Prioritizing the safety and security of mobile devices must be top of mind for organizations of all sizes and sectors. More than half (55 percent) of employees polled in a recent ThreatX survey admitted to solely using their personal mobile devices for working from vacation destinations during the summer months.

In addition, 25 percent said that they were not concerned about ensuring network connections were secure when accessing company data; only 12 percent of surveyed employees said they used a VPN when traveling and working remotely. This alone puts both their personal and corporate data at significant risk. 

The findings of that survey are a microcosm of a larger issue at hand. The proliferation of mobile devices has amplified cyber risk to new heights, where most people today are walking around with a high-impact vulnerability in their pocket and don’t even realize it. Whether you were at work, a coffee shop, the gym, or out to dinner with friends, if your cell phone was on and searching for wireless networks, all it would take is a series of clicks through a WiFi repository database to retrace your exact steps. Compounded at scale, this gives threat actors the ability to connect the dots about someone’s daily routine and uncover personally identifiable information that could place them in harm’s way.

It Can Happen to Anyone

It makes sense why mobile device security may not be much of a concern to everyday citizens living ordinary lives. “I’m not important enough to be targeted, right?” OK, maybe—until a hacker steals your credit card information by exfiltrating data from a public WiFi network. Or that stalker you blocked on Instagram a few weeks ago figures out your favorite running trail. In reality, no one should assume they are safe. Because they aren’t.

And for those working for government agencies or high-profile private sector organizations, vulnerable mobile devices can insert employees directly into the crosshairs of nation-state actors seeking new victims for ransomware, insider threat, and sabotage campaigns. As a former federal agent with the U.S. Department of Homeland Security for more than 20 years, I witnessed these scenarios play out time and time again. If I had a dollar for every mission where we leveraged poor mobile security hygiene to continuously track an adversary, I’d be a rich man today.

We should all embrace the role mobile devices and wireless networks play in our digitalized lives. It will only grow in the years to come as digital transformation continues to accelerate. This heightens the importance for organizations to educate employees on the need for effective mobile security.

Best practices like using two-factor authentication, strong passwords, encryption, and antivirus software are all important tools in the toolbox. However, it must always start with awareness. Employees who receive continuous awareness training are five times more likely to notice and avoid malicious links. If you make a concerted effort to train them on the risks associated with mobile devices, they’ll be much more inclined to take the right steps to protect your organization.

Effective awareness training on mobile device security first requires personalization. One-size-fits-all frameworks that are static and dull will never foster the collective buy-in organizations need today. For training to drive results, especially with employees who have grown up in a social-mediatized society, it needs to be easily digestible and tailored to their personal interests. Forcing employees with non-cyber backgrounds to undergo highly technical training courses only further exacerbates the complexity of the cyber threat landscape.

Consider producing short, comedic video segments mimicking characters from popular TV shows like Succession or The Office. Or create a sports-related social engineering quiz comparing NFL teams to various threat actor tactics, techniques, and procedures. Regardless, tapping into the passions of your people is the best way to deliver meaningful messages that resonate.  

The (WiFi) Name of the Game

Exploitable WiFi network names are another vulnerability adversaries target to identify and monitor potential victims. Most people (and organizations) have a habit of naming their WiFi network something funny or unique. But you don’t want it to be unique—you want it to blend in.

Government agencies, for example, should never label WiFi service set identifiers (SSIDs), the sequence of characters that name a WiFi network, in correspondence with the specialty units using them. This gives adversaries a direct location of where that unit is hosting operations or holding sensitive data files.

On a more humanized level, let’s say Jim, a hypothetical 54-year-old CEO of a global medical device manufacturer, just so happens to be a huge fan of the New York Yankees. Jim’s biography on the company’s website concludes with “In his personal time, Jim is a loving father of three and avid New York Yankees supporter” to help humanize the face of a billion-dollar company. On his public Facebook account, he’s wearing his favorite Derek Jeter jersey at a Sunday afternoon ballgame. Everyone familiar with the organization knows Jim bleeds blue and white—including the ransomware gang targeting it.

A threat actor employed by that gang subsequently picks up on Jim’s diehard Yankees fandom from afar. Then, when scanning sensitive files stolen from the organization during a data breach, one WiFi network name in particular stands out above the rest: GoYankees1969. The threat actor knows Jim, at age 54, was born in 1969, and also knows he’s a diehard Yankees fan. By connecting the dots, the actor has now uncovered Jim’s home address, family information, credit history, location data and more—all of which can be exploited for sophisticated sabotage and monetary gain.

These situations play out every day, heightening the criticality of ensuring that WiFi SSIDs, whether for a home network or a mobile hotspot, aren’t linked to anything in your personal life.

For instance, the U.S. Drug Enforcement Agency (DEA) once asked me to go to one of their facilities and host a professional development class on digital forensics and the Dark Web. An hour into the presentation, I paused the class for a 15-minute break. A friend of mine attending the class came up to me during the break and said, “Hey, you were in Seattle last month, right? Staying at that Marriott right by the courthouse?”

I had been using a Verizon mobile hotspot at the time, and because he knew the hotspot’s VPN name, my friend was able to trace my location history data through a WiFi repository. Had it not been a friend and instead someone with malicious intent, the ability to determine an individual’s “pattern of life” can pose a threat to their physical safety.
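One way to check network names against the advice in this section, as an added example that is not part of the original article: the script flags SSIDs that contain a term tied to a person or unit, or a four-digit year. The term list and sample SSIDs are constructed, apart from GoYankees1969, which comes from the scenario above; the function names are hypothetical.

```python
import re

# Undo common character substitutions (Y4nk33s -> yankees) before matching.
LEET = str.maketrans("013457@$", "oieastas")
# A four-digit year standing alone, e.g. a birth or anniversary year.
YEAR = re.compile(r"(?<!\d)(19[3-9]\d|20[0-2]\d)(?!\d)")

# Constructed inputs: terms an organization would not want in a network name
# (names, interests from public bios, unit names) and SSIDs to review.
SAMPLE_TERMS = ["New York Yankees", "Jeter", "Forensics", "Acme Medical"]
SAMPLE_SSIDS = ["GoYankees1969", "Y4nk33s-Fan", "ACME-Forensics-Lab", "net-5G-7f3a"]

def normalize(text):
    """Lowercase, undo simple substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))

def build_tokens(terms):
    """Split each term into words; ignore words under 4 letters as too noisy."""
    words = (normalize(w) for term in terms for w in re.split(r"\W+", term))
    return {w for w in words if len(w) >= 4}

def audit_ssid(ssid, tokens):
    """Return the reasons this SSID could be tied back to a person or unit."""
    findings = []
    flat = normalize(ssid)
    for tok in sorted(tokens):
        if tok in flat:
            findings.append(f"identifying term '{tok}'")
    year = YEAR.search(ssid)
    if year:
        findings.append(f"possible personal year {year.group()}")
    return findings

def audit(ssids, terms):
    """Map every SSID to its findings; an empty list means nothing was flagged."""
    tokens = build_tokens(terms)
    return {ssid: audit_ssid(ssid, tokens) for ssid in ssids}

if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE_SSIDS, SAMPLE_TERMS).items():
        print(f"{ssid:20} {'; '.join(findings) or 'no findings'}")
```

An empty result only means the name matched none of the supplied terms, so the term list should include anything published in staff bios or on public social media profiles.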

In conclusion, promoting best practices for effective mobile device security should be at the top of every organization’s awareness training playbook. By implementing the right processes and protocols to help safeguard mobile technology, security leaders can position themselves to proactively prevent adversaries from capitalizing on the increased risk of a mobile digitalized world.

Matt Edmonson is an open source intelligence (OSINT) principal instructor with the SANS Institute. Edmonson has been doing OSINT professionally for the past decade. He stood up two OSINT units that are both still going strong and have led or assisted in hundreds of investigations. He has also developed an OSINT course which he’s taught to law enforcement and government personnel across the world. Additionally, he’s consulted with and assisted numerous private sector companies, including several in the Fortune 100.

© 2023 Matthew Edmonson, SANS Institute