December 23, 2024

Most Mobile Breaches Will be Tied to App Misconfiguration by 2017: Gartner

Posted on May 30, 2014 in Security

Analyst firm Gartner is predicting that by 2017, the focus of endpoint security breaches will shift to mobile devices such as tablets and smartphones.

With nearly 2.2 billion smartphones and tablets expected to be sold in 2014, Gartner believes attackers will continue to pay more attention to mobile devices. By 2017, 75 percent of mobile security breaches will be the result of mobile application misconfigurations, analysts said.

“Mobile security breaches are — and will continue to be — the result of misconfiguration and misuse on an app level, rather than the outcome of deeply technical attacks on mobile devices,” said Dionisio Zumerle, principal research analyst at Gartner, in a statement. “A classic example of misconfiguration is the misuse of personal cloud services through apps residing on smartphones and tablets. When used to convey enterprise data, these apps lead to data leaks that the organization remains unaware of for the majority of devices.”

Doing significant damage in the world of mobile devices requires that malware be launched on devices that have been altered at the administrative level, Zumerle argued. While jailbreaking or rooting a phone gives users access to device resources that are not normally accessible, it also puts data in danger because it removes app-specific protections as well as the safe ‘sandbox’ provided by the operating system, he said, adding that it can also allow malware to be downloaded to the device and enable malicious actions.

“The most obvious platform compromises of this nature are ‘jailbreaking’ on iOS or ‘rooting’ on Android devices. They escalate the user’s privileges on the device, effectively turning a user into an administrator,” he said.

Gartner recommends organizations protect mobile devices using a mobile device management policy as well as app shielding and containers that protect important data. In addition, passcodes should be used alongside timeout standards and a limited number of retries. Jailbreaking or rooting devices should not be allowed.

“We also recommend that they favor mobile app reputation services and establish external malware control on content before it is delivered to the mobile device,” Zumerle said.

 

Brian Prince is a Contributing Writer for SecurityWeek.


Trustwave Hit With Lawsuit Tied to Target Breach

Posted on March 26, 2014 in Security

The fallout from the Target data breach has put security firm Trustwave in the middle of a class action lawsuit.

The complaint, which was filed March 24 in U.S. District Court in Illinois, names both Target and Trustwave and accuses the security company of failing to protect Target’s systems.

Contacted by SecurityWeek, a Trustwave spokesperson said the company does not comment on pending litigation or confirm the identities of customers.

The complaint was filed on behalf of Trustmark National Bank and Green Bank, N.A., and “all other similarly situated financial institutions.”

In the complaint, the banks state Trustwave was hired by Target to protect and monitor the retailer’s systems, and that the security vendor scanned Target’s systems on Sept. 20, 2013, and found no vulnerabilities were present. Because of vulnerabilities in Target’s network, however, millions of payment card records were stolen, the complaint states.

“Additionally…Trustwave also provided round-the-clock monitoring services to Target, which monitoring was intended to detect intrusions into Target’s systems and compromises of PII [personally-identifiable information] or other sensitive data,” the complaint reads. “In fact, however, the Data Breach continued for nearly three weeks on Trustwave’s watch.”

“Trustwave failed to live up to its promises, or to meet industry standards,” the complaint continues. “Trustwave’s failings, in turn, allowed hackers to cause the Data Breach and to steal Target customers’ PII and sensitive payment card information. In addition, Trustwave failed to timely discover and report the Data Breach to Target or the public.”

The investigation into the breach revealed that Target’s systems were compromised from Nov. 27 to Dec. 15. The data breach, which also included the theft of information such as email and mailing addresses for millions of Target customers, was one of the biggest such incidents in recent history. In February, the Consumer Bankers Association (CBA) and the Credit Union National Association (CUNA) reported that costs associated with the breach exceed $200 million. Much of that figure – $172 million – comes from the cost of replacing cards for CBA members, while CUNA reported that the cost to credit unions had reached $30.6 million.

“A recent analysis by global investment banking firm Jefferies suggests that payment card issuers could sustain upwards of $1 billion of damages as a result of the Target Data Breach based on an estimated 4.8 million to 7.2 million stolen and compromised Payment Cards being used to make fraudulent purchases and unauthorized cash withdrawals,” according to the complaint. “These costs fall on Trustmark and the other Class members, even though they had nothing to do with causing the Data Breach and could not have avoided it.”

The suit asks for unspecified damages. 

Just last week, Trustwave announced that it had acquired Cenzic, Inc., a maker of application security testing solutions, for an undisclosed sum.

Brian Prince is a Contributing Writer for SecurityWeek.
