Recent cyber guidance from HHS ignores the mobile threat
Many phishing attacks now are facilitated by the widespread use of mobile devices, Bob Stevens says.
Voluntary cybersecurity guidelines that the Department of Health and Human Services recently issued are a good start, but they neglect a major cybersecurity risk—the pervasive use of mobile devices.
That’s a big worry to Bob Stevens, vice president of federal systems at Lookout, a mobile security research and advisory firm that has analyzed more than 70 million apps.
The HHS guidance focused on desktop and laptop devices, Stevens notes. “In fairness to HHS, they see mobile devices as an endpoint, but the agency needs to not restrict the guidance to desktops and laptops, but to make sure guidance is extended to all mobile devices.”
Stevens also worries that HHS is not giving guidance to protect against phishing attacks, when many of those attacks now are being targeted against mobile devices, particularly smartphones. “There are multiple ways to phish on mobile devices,” he explains.
A hacker can phish a mobile device just as easily as any other device. The hacker can send a text to someone who has a family member in the hospital, and 99 percent of people will click on that text; when that happens, malware is placed on the mobile device, which is now under the control of an attacker without the device user knowing it.
“Mobile is different from desktops; a hacker can steal a mobile user’s two-factor authentication and log-in credentials, and medical records, turn speakers and cameras on and off, or listen to a conversation,” Stevens says.
Many stakeholders, including HHS, don’t view mobile as needing the protection given to an endpoint, which is anything that touches any type of infrastructure in any way, and education is needed to ensure mobile users understand their phones are just as vulnerable to attack as any other device, according to Stevens.
For example, a “man-in-the-middle” attack makes a mobile user think they are on WiFi, but data is being taken from the phone. Instead of focusing on desktops, “HHS needs to ensure all devices are protected or a huge hole in the infrastructure can be exploited,” he cautions.