New Year resolutions for mobile security.

A Personal Perspective on Security Resolutions for 2018

It was our original intent to put together a brief recap of the year in cyberattacks, breaches and exploits. But “brief” hardly seemed possible when we started digging in. Mexican journalist attacks, BlueBorn, KRACK, Broadcom WiFi chip bugs, WannaCry, Loapi, the Equifax hack and all the other DDoS, MITM, malware, ransomware, spearphishing and spoofing attacks made the list, but these are just starters.

Hundreds of compromises made headlines in 2017, all contributing to a busy, and often stressful year for security professionals working in enterprise, government and many other sectors. Strip off just the mobile exploits and the list remains long. So, rather than focus any more time on what kept us up nights in 2017, we decided to look forward to what we can do in 2018 to improve our security posture – in particular in the mobile space. Five things we know for sure:

1. Smartphones will continue to grow as an attack vector of choice for actors of all sorts. Patrick Hevesi, a Gartner analyst, was quoted in a recent DarkReading article: “There are billions of mobile devices for attackers to try and gain access and some form of monetary gain. I feel as more and more people continue to make phones and tablets their primary device, the attacks will continue to grow.”
2. Smartphones are inherently vulnerable to attack.
   • Smartphones have become ubiquitous and attackers take advantage of the mobile lifestyle.
   • Smartphones contain a number of highly acute sensors, allowing hackers to see the world around a device live, hear the conversations that are happening near the phone and the ability to locate and track the phone (and its user).
   • Smartphones consist of a complex, multi-layered, hardware and software ecosystem that includes chips, firmware, operating system and apps. Globally, thousands of players take part in the production of smartphones; designing, engineering, and installing the numerous layers of components required. Each of these parties has associated security risks and when combined the attack surface is notable.
3. People remain the most vulnerable entry point to mobile compromise. Sophisticated social engineering schemes across email, SaaS, social media and mobile apps lure and trick people into giving over their credentials, installing malware, disclosing sensitive information, even sharing financial information. The Proofpoint report – “The Human Factor” – does an outstanding job outlining the risks associated with human error.
4. Setting security protocols and procedures and implementing formalized training programs for security staff and device users is the best defense against motivated and well-incentivized actors of all sorts. Harvard Business Review takes this advice a step further in a recent report: “CFOs Don’t Worry Enough About Cyber Risk”.
5. Software as a solution to software breaches is not a long-term answer – a sophisticated combination of software and endpoint hardware will be required to stop advanced threats.

With these in mind, here are some of my resolutions for 2018. Some are spot-on security, but all encompass mobile life. For a more comprehensive list, we’ve published 11 best practices for mobile device security that is always available on our site.

Without further ado, my resolutions for 2018:

1. No open/public WiFi. Ever. This includes airline WiFi. Committing to turn off my mobile WiFi when away from a trusted network has been one of the hardest things to turn into a routine action. I am, admittedly a creature of convenience. But 2018 – no public WiFi.
2. Using ethical apps – i.e. Lyft not Uber. To this end, I said I would only use Facebook through my mobile browser and not through the app in 2017, but that resolution fell away early in the year. So, 2018, for those apps that track and listen, I am committing to using the browser experience on my phone so I don’t have to worry what the app is doing when I’m not using it.
3. Monthly app audit. I’m sure you all recognize this, but I have to remind myself: free apps are not “free apps”. In most cases, the organization presenting that app is making money somehow. This isn’t true for all apps – think your bank app or Signal and the like – but others are gathering information from your actions and then either selling the data outright or using it to sell advertising. Either way, they are capturing your actions. Getting rid of apps that I’m not using just helps reduce my digital footprint, and every step is a step in the right direction.
4. Check privacy settings regularly. This I’m going to have to put on my calendar and take care of over a Saturday morning coffee. If you’re an iPhone user and you haven’t looked at your “location services” (under Privacy in Settings), you might be surprised what apps are following you, even when they are not in use – we generally give permission for this action when we hit “accept terms” the first time we use an app. Don’t forget to scroll to the bottom of “Location Services” and breeze through “System Services”, again, you might be surprised what you find. And while you’re in there, if you use iCloud, check the settings for the things you back up to iCloud. You may be backing up things that don’t need backing up (and doubling your data exposure).
5. Finally – and admittedly, this won’t bolster my security posture – I’m setting aside time to go digital free. The constant contact with my phone is both irritating to my loved ones and means I’m creating data bread crumbs nearly every waking moment of my day.

If you’re thirsting for a little more practical advice, “The Wired Guide to Digital Security” offers up a clever, entertaining and comprehensive look at security through the eyes of three different audiences.