Mitigating mobile supply chain threats in a post-perimeter world
- By Bob Stevens, Kiersten Todt
- Oct 11, 2019
Government agencies are creating formal mobility programs to address employees' increased reliance on mobile devices. With more government business being conducted on endpoint devices, such as smartphones and tablets, telecom supply chains have become of particular interest to malicious actors looking to infiltrate the sensitive data that agency employees access on a daily basis.
In recent years, the federal government has directed significant attention toward protecting the supply chain through policies focused on hardware, banning manufacturers from using certain third-party technology vendors. However, software vulnerabilities throughout critical IT infrastructure can also pose unacceptable risks to agencies’ mobile supply chains.
In order to fully grasp and mitigate global supply chain threats, we must understand how the technology landscape has evolved. According to a 2018 Pew Research survey, 95% of Americans now own a mobile device. The same report details that nearly three-quarters of U.S. adults own desktop or laptop computers, and almost half own tablets -- devices loaded with hundreds of applications for convenience, productivity and entertainment.
Thanks in part to the growing demand for new technology worldwide, we are seeing an increase in the use of open-source code and third-party suppliers in the mobile software development process. Wherever developers see market opportunities, attackers do as well.
Organizations developing applications often do not prioritize security research on every third-party vendor or every piece of open-source software that goes into an application. This lack of focus creates a significant risk of leaving unaddressed vulnerabilities in the final application and a long-term security threat for anyone who installs the application on a mobile device.
For example, an agency employee using a weather app created with vulnerable code from an open-source library or one that shares usage data with adversaries unknown to the user can expose the entire agency to a threat.
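One concrete way to keep unreviewed or altered third-party code out of a build is to pin every component to the hash of the version a reviewer actually examined and fail the build when what was fetched does not match. The following is an added example, not code from the article or from Lookout; the component names, the "lockfile" manifest and all byte strings are constructed placeholders, and the manifest format is an assumption rather than any particular build tool's.

```python
import hashlib
import hmac
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample: the third-party components as they were when a reviewer
# examined them. In a real pipeline these are the reviewed release artifacts.
REVIEWED_COMPONENTS: Dict[str, bytes] = {
    "weather-sdk-2.3.1.aar": b"constructed bytes standing in for the reviewed weather SDK",
    "json-parser-1.0.4.jar": b"constructed bytes standing in for the reviewed JSON parser",
}

# The pinned manifest ("lockfile") committed with the app: component -> approved SHA-256.
LOCKFILE: Dict[str, str] = {name: sha256_hex(data) for name, data in REVIEWED_COMPONENTS.items()}


def verify_build_inputs(lockfile: Dict[str, str], fetched: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare what the build actually pulled in against the pinned manifest.

    ok        - pinned and byte-for-byte identical to what was reviewed
    tampered  - pinned, but the fetched bytes differ (changed upstream or in transit)
    unpinned  - present in the build but never reviewed or pinned (e.g. a transitive dependency)
    missing   - pinned but not fetched (a silently dropped component also changes behaviour)
    """
    report: Dict[str, List[str]] = {"ok": [], "tampered": [], "unpinned": [], "missing": []}
    for name, data in fetched.items():
        expected = lockfile.get(name)
        if expected is None:
            report["unpinned"].append(name)
        elif hmac.compare_digest(expected, sha256_hex(data)):
            report["ok"].append(name)
        else:
            report["tampered"].append(name)
    report["missing"] = [name for name in lockfile if name not in fetched]
    return report


def build_allowed(report: Dict[str, List[str]]) -> bool:
    """Fail closed: any unreviewed, altered or missing component blocks the build."""
    return not (report["tampered"] or report["unpinned"] or report["missing"])


# Constructed sample: what the build machine fetched today. One component was
# modified since review and one was pulled in without ever being pinned.
FETCHED_AT_BUILD: Dict[str, bytes] = {
    "weather-sdk-2.3.1.aar": REVIEWED_COMPONENTS["weather-sdk-2.3.1.aar"],
    "json-parser-1.0.4.jar": REVIEWED_COMPONENTS["json-parser-1.0.4.jar"] + b"+extra code",
    "analytics-0.9.0.jar": b"constructed bytes for a dependency nobody reviewed",
}

if __name__ == "__main__":
    report = verify_build_inputs(LOCKFILE, FETCHED_AT_BUILD)
    for status, names in report.items():
        print(f"{status:9} {', '.join(names) or '-'}")
    print("build allowed:", build_allowed(report))
```

The point of the four-way classification is that "unpinned" is treated as seriously as "tampered": a component that nobody reviewed is exactly the weather-app case above, and a manifest that only checks the components it knows about would let it through.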
Threats can also surface in approved apps that are available in today’s app stores. For example, researchers at Lookout recently uncovered a piece of adware called BeiTaAd within a number of popular applications. The plug-in can forcibly display ads on a user’s lock screen and trigger advertisements when the phone is locked.
In addition, software supply chain risks have been exacerbated by the prevalence of cloud services. Gartner predicts the public cloud service market will reach $331.2 billion by 2022. However, the recent breach of Capital One, which affected more than 100 million individuals in the U.S. and Canada, raises significant concerns about the security of storing sensitive information in the cloud.
Agencies must conduct continuous risk assessments of endpoints outside the reach of traditional perimeter-based security tools to gain visibility into the health of every device connecting to sensitive government data and reduce the risk of operating in the cloud.
While enabling mobility and improving access to data is imperative in the modern era, the ever-expanding mobile threat landscape makes it much harder to determine which products across the supply chain are safe.
Mitigating supply chain risks requires visibility and policy beyond the perimeter
Agencies need visibility into the complete software supply chain to understand what an app is doing behind the scenes -- automatic updates, the addition of new code, etc. Otherwise, the network is left vulnerable to hidden threats.
In addition to obtaining complete visibility, security teams that rely on traditional perimeter defenses such as firewalls and secure web gateways must move key security functions to the endpoint. Enterprises across the public and private sectors must turn to a post-perimeter security solution to ensure that networks are protected at every endpoint.
Mobile supply chain management risk can no longer be branded as a policy and hardware issue; software must become a priority, and the tools that eliminate this issue already exist. Security teams must obtain visibility into every app and establish a zero-trust access model for each endpoint in a way that doesn’t compromise user privacy. This approach is the only way to effectively mitigate software-based supply chain risks as we continue to move beyond the traditional perimeter, where malware can reach any device through countless channels.
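The continuous endpoint assessment and per-device zero-trust access model described in this section come down to a policy decision made from the device's current posture rather than from the network it connects from. The following is an added example, not code from the article or from Lookout or the Cyber Readiness Institute: the posture fields, the policy thresholds (90-day patch age, 15-minute report freshness), the package names and the sample devices are all constructed assumptions. To keep the privacy point from the text, the posture record carries only package identifiers and versions, never user content.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set


@dataclass
class DevicePosture:
    """What the endpoint agent reports. Only package ids and versions are
    collected, no user content, so the assessment does not profile the user."""
    device_id: str
    rooted_or_jailbroken: bool
    patch_level: datetime            # date of the last OS security patch applied
    installed_apps: Dict[str, str]   # package id -> installed version
    assessed_at: datetime            # when this posture report was produced


@dataclass
class AccessPolicy:
    approved_apps: Dict[str, Set[str]]   # package id -> versions that passed review
    blocked_apps: Set[str]               # packages known to be harmful
    max_patch_age: timedelta = timedelta(days=90)      # assumed threshold
    max_report_age: timedelta = timedelta(minutes=15)  # assumed threshold


@dataclass
class Decision:
    verdict: str          # "allow", "restrict" (limited data only) or "deny"
    reasons: List[str]


def assess_device(posture: DevicePosture, policy: AccessPolicy, now: datetime) -> Decision:
    """Decide access from the device's posture at this moment, not from its location."""
    deny, restrict, reasons = False, False, []

    # A stale report means the device's state is unknown; unknown is not "healthy".
    if now - posture.assessed_at > policy.max_report_age:
        deny = True
        reasons.append("posture report is stale; re-assessment required")

    if posture.rooted_or_jailbroken:
        deny = True
        reasons.append("device is rooted or jailbroken")

    if now - posture.patch_level > policy.max_patch_age:
        restrict = True
        reasons.append("OS security patch level is older than policy allows")

    # Every installed app is checked: blocked ones deny, unreviewed ones restrict.
    for pkg, version in sorted(posture.installed_apps.items()):
        if pkg in policy.blocked_apps:
            deny = True
            reasons.append(f"blocked app present: {pkg}")
        elif pkg not in policy.approved_apps:
            restrict = True
            reasons.append(f"unreviewed app present: {pkg}")
        elif version not in policy.approved_apps[pkg]:
            restrict = True
            reasons.append(f"{pkg} is at unapproved version {version}")

    verdict = "deny" if deny else ("restrict" if restrict else "allow")
    return Decision(verdict, reasons)


def evaluate_fleet(devices: List[DevicePosture], policy: AccessPolicy, now: datetime) -> Dict[str, Decision]:
    """Run the assessment across all reporting devices; meant to be re-run continuously."""
    return {d.device_id: assess_device(d, policy, now) for d in devices}


# Constructed sample policy and fleet.
NOW = datetime(2019, 10, 11, 9, 0, tzinfo=timezone.utc)
POLICY = AccessPolicy(
    approved_apps={"gov.example.mail": {"4.2", "4.3"}, "com.example.weather": {"7.1"}},
    blocked_apps={"com.example.adplugin"},
)
RECENT, FRESH = NOW - timedelta(days=20), NOW - timedelta(minutes=5)
SAMPLE_DEVICES = [
    DevicePosture("phone-01", False, RECENT, {"gov.example.mail": "4.2", "com.example.weather": "7.1"}, FRESH),
    DevicePosture("phone-02", False, RECENT, {"gov.example.mail": "4.2", "com.example.flashlight": "1.0"}, FRESH),
    DevicePosture("tablet-03", True, RECENT, {"gov.example.mail": "4.2"}, FRESH),
    DevicePosture("phone-04", False, RECENT, {"gov.example.mail": "4.2"}, NOW - timedelta(hours=3)),
    DevicePosture("phone-05", False, NOW - timedelta(days=200), {"gov.example.mail": "4.1"}, NOW - timedelta(minutes=1)),
]

if __name__ == "__main__":
    for device_id, decision in evaluate_fleet(SAMPLE_DEVICES, POLICY, NOW).items():
        print(f"{device_id:10} {decision.verdict:9} {'; '.join(decision.reasons) or '-'}")
```

Two design choices carry the post-perimeter argument: a device that has not reported recently is denied rather than assumed healthy, because a perimeter-era tool would never have seen it go quiet; and an app the agency has not reviewed only restricts rather than denies, so visibility into new software is gained without locking users out for every update.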
Bob Stevens is vice president of the Americas at Lookout.
Kiersten Todt is managing director at the Cyber Readiness Institute.