Guest Column | October 25, 2021

What MSSPs Need To Know About The Impact Of Spyware On Corporate Security

By Trevor Collins, WatchGuard Technologies


It’s getting harder and harder for MSPs to determine the boundaries of their customers’ corporate networks. Employees increasingly use smartphones and other mobile devices for things like multi-factor authentication and catching up on work email when they’re at home or on the go, blurring the boundary between internal and external networks.

There are a variety of security policies for dealing with users’ devices, ranging from strict – no smartphone devices permitted – to a more lenient approach allowing employees to use their personal phones to access the corporate internal network. We propose meeting in the middle.

Pegasus spyware has been in the news recently. At a high level, the NSO Group’s Pegasus spyware exploits vulnerabilities in iOS to access data on a potential victim’s device. NSO sells this software – often for a steep price – to governments, under the guise of tracking cybercriminals, when in fact it’s regularly used by restrictive regimes to spy on activists, opponents, and political figures. We first learned of Pegasus in 2016 when it exploited three flaws in iOS. Pegasus targets Android devices as well, but these targets are few and far between. The number of Pegasus spyware victims increases every year, but this time the attack was big enough to gain attention from not only security blogs but the mainstream media as well.

Pegasus infections used to work by sending a link to the victim’s device; when clicked, the link takes advantage of a vulnerability that grants root access to the smartphone. More recent versions of Pegasus can infect devices without the user doing anything, a so-called “zero-click” exploit. Once the spyware gains root access, it reads messages in applications such as Gmail, iMessage, Telegram, and WhatsApp. Pegasus then reports back to its operator over a sophisticated command-and-control network, which also lets the operator take control of the device.

While an extreme example, Pegasus is a leading indicator of the precarious position we find ourselves in: mobile devices have eroded any clear, defined borders between external and internal networks, even as threat actors actively seek to exploit smartphones with increasingly insidious attacks. Additionally, even a small underground operation can trick users into unintentionally installing spyware by getting them to download malicious apps. Even the most sophisticated system can’t block all exploits and malicious links, but we can implement strategies to mitigate risks to more manageable levels. As an MSSP, your customers look to you for guidance – they need to know what steps to take to prevent the smartphones their employees use every day from being turned into weapons against the corporate network. Here are a few approaches to suggest to your customers:

  • Enact a policy where sensitive data like passwords, private certificates, and other access tokens may not be sent via email, text, or other phone messaging services. Alternatives – such as password managers – can secure this information separately. Make these guidelines easy for employees to adhere to with policy templates that can administer configurations to multiple devices.
  • All users – whether using a corporate computer or their mobile device – can employ a few basic security methods to shrink the network's attack surface. First, use multi-factor authentication to defend against phishing attacks and stolen passwords. Second, create a zero-trust network that allows users access to only the servers needed to do their jobs and blocks access to the rest of the corporate network. Doing so ensures a jeopardized account won’t be able to access other departments’ information. Make sure to stress the importance of applying risk-based authentication when using zero-trust to protect internal networks, as well; it gives clients more control in mitigating risk and doubles down on their zero-trust architecture.
  • Teach employees how to protect their phones from threat actors – this will be the best bang for your customers’ buck. If users know what to be on the lookout for, they will recognize any malicious behavior and protect themselves as well as the corporate network. Furthermore, if they know that spyware can come from downloaded apps from the Apple App Store or Google Play Store, they can keep an eye out for spyware before downloading. Cybersecurity training doesn’t have to be expensive, just ensure your employees stay up to date on attack methods that may open their phones up to vulnerability. Urge users to read up on Pegasus spyware and keep up to date on the latest spyware.
  • Suggest your clients consider a cloud management platform, highlighting the benefits of transitioning to a cloud-based platform such as increased compliance and efficiency to make carrying out tasks easier and faster, streamlining software upgrades, and offering offline configurations to plan for upcoming deployments. Cloud management doesn’t mean all servers have to be migrated to the cloud, however; it is just one piece in protecting against looming spyware threats.
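The first suggestion above, that passwords, private certificates and access tokens must never leave a device by email, text or chat, is easiest to enforce when something checks outgoing message bodies before they are sent. The following Python script is an added example, not code from the author or from WatchGuard: it screens a constructed sample outbox against a few secret-format patterns, blocks any message that matches, and produces a redacted preview that is safe to write to a log. The patterns, hostnames and message contents are illustrative assumptions, and the pattern list is deliberately not a complete catalogue of secret formats.

```python
import re

# Secret categories the policy forbids in email, SMS or chat bodies.
# These patterns are illustrative assumptions for this example, not a
# complete catalogue of secret formats.
SECRET_PATTERNS = {
    "private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"
        r"(?:[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----)?"
    ),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(
        r"\bBearer\s+[A-Za-z0-9\-._~+/]{20,}=*", re.IGNORECASE
    ),
    "password_assignment": re.compile(
        r"\b(?:password|passwd|pwd)\s*[:=]\s*\S+", re.IGNORECASE
    ),
}

# Constructed sample outbox: one clean message and three that each carry a
# secret. Addresses and contents are made up for this example.
SAMPLE_OUTBOX = [
    {"to": "ops@example.com",
     "body": "Reminder: the VPN cutover is Friday at 6pm."},
    {"to": "+1-555-0100",
     "body": "wifi password: Summer2021! for the lobby AP"},
    {"to": "dev@example.com",
     "body": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA\n"
             "-----END RSA PRIVATE KEY-----"},
    {"to": "partner@example.org",
     "body": "Use header Authorization: Bearer "
             "eyJhbGciOiJIUzI1NiJ9.abcdefghijklmnop"},
]


def find_secrets(body):
    """Return the names of every secret category that matches the message body."""
    return [name for name, pattern in SECRET_PATTERNS.items()
            if pattern.search(body)]


def redact(body):
    """Replace each matched secret with a marker so findings can be logged safely."""
    for name, pattern in SECRET_PATTERNS.items():
        body = pattern.sub("[REDACTED %s]" % name, body)
    return body


def screen_outbox(messages):
    """Decide, per message, whether it may leave the device and what was found."""
    report = []
    for msg in messages:
        findings = find_secrets(msg["body"])
        report.append({
            "to": msg["to"],
            "findings": findings,
            "action": "block" if findings else "allow",
            "preview": redact(msg["body"])[:60],  # never logs the raw secret
        })
    return report


if __name__ == "__main__":
    for entry in screen_outbox(SAMPLE_OUTBOX):
        print(entry["action"].upper(), entry["to"], entry["findings"],
              repr(entry["preview"]))
```

The check is intentionally a blocklist of known secret shapes rather than a full data-loss-prevention engine; in practice it would sit in the mail or messaging gateway the MSSP already manages, and the redacted preview is what gets forwarded to the analyst rather than the original message.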

Some people endorse granting only non-jailbroken or non-rooted phones access to the corporate network. A rooted device doesn’t check the integrity of its OS, which can make it easier for attackers to hide malware in the OS. This doesn’t help in most cases of spyware infecting a phone, however, and could lead some to mistakenly believe their devices will protect them against attacks. Users can still sideload apps onto their Android devices, and where there’s a sideloaded app there’s a possibility of spyware. And since the user owns the phone, barring them from making changes to it may push them away from communicating in that way at all. Each of your clients’ companies has different needs, so suggest they consider whether they need this kind of policy or not.
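The zero-trust bullet above (users reach only the servers their job needs, with MFA and risk-based authentication layered on top) and this paragraph on rooted devices describe one access decision from two angles. The Python below is an added example, not the author’s or WatchGuard’s code, that puts both into a single policy function: a per-role server allowlist enforces segmentation, MFA is mandatory, and device posture signals (rooted, sideloaded apps, unpatched OS, new location) are weighed together, so a rooted phone on its own triggers re-authentication rather than an outright refusal, matching the text’s point that root status alone is not a verdict. Role names, hostnames, weights and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Which internal servers each role legitimately needs (least privilege).
# Role names and hostnames are constructed for this example.
ROLE_ALLOWLIST = {
    "finance": {"erp.internal", "mail.internal"},
    "engineering": {"git.internal", "ci.internal", "mail.internal"},
    "sales": {"crm.internal", "mail.internal"},
}

# Risk weights and thresholds are assumptions chosen for illustration.
# Rooted status is one signal among several, not a deny by itself.
RISK_WEIGHTS = {
    "device_rooted": 2,
    "sideloaded_apps": 2,
    "os_unpatched": 2,
    "new_location": 1,
}
DENY_AT = 4      # combined risk that refuses access outright
STEP_UP_AT = 1   # combined risk that forces a fresh authentication


@dataclass
class AccessRequest:
    user: str
    role: str
    target: str
    mfa_passed: bool
    device_rooted: bool = False
    sideloaded_apps: bool = False
    os_unpatched: bool = False
    new_location: bool = False


def risk_score(req):
    """Sum the weights of every risk signal present on the request."""
    return sum(weight for signal, weight in RISK_WEIGHTS.items()
               if getattr(req, signal))


def decide(req):
    """Return 'allow', 'step_up:<what>' or 'deny:<reason>' for one request."""
    # 1. Segmentation: a role only reaches the servers on its allowlist,
    #    so a compromised sales account cannot browse engineering systems.
    if req.target not in ROLE_ALLOWLIST.get(req.role, set()):
        return "deny:not_in_role_allowlist"
    # 2. MFA is mandatory for every request, whatever the device.
    if not req.mfa_passed:
        return "deny:mfa_required"
    # 3. Risk-based step: combine posture signals before deciding.
    score = risk_score(req)
    if score >= DENY_AT:
        return "deny:high_risk_device"
    if score >= STEP_UP_AT:
        return "step_up:reverify"
    return "allow"


if __name__ == "__main__":
    # Constructed requests showing each branch of the policy.
    samples = [
        AccessRequest("ann", "finance", "git.internal", True),
        AccessRequest("bob", "engineering", "git.internal", False),
        AccessRequest("bob", "engineering", "git.internal", True),
        AccessRequest("bob", "engineering", "git.internal", True,
                      device_rooted=True),
        AccessRequest("bob", "engineering", "git.internal", True,
                      device_rooted=True, sideloaded_apps=True),
    ]
    for req in samples:
        print(req.user, req.role, "->", req.target, ":", decide(req))
```

Because the decision is a pure function of the request, the same code can be replayed over an access log to find where a policy change would have stepped up or refused a real session before it is rolled out to customers.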

Whether your customer is the target of Pegasus spyware or their employees are unintentionally downloading a malicious app, suggest they learn to pinpoint their mistakes and alert the experts and parties involved. Keep in mind that not all of your customers will have the security knowledge to recognize spyware on a mobile device. We recommend implementing policies that echo this to set users at ease when bringing up concerns. Using these strategies will help fill any security gaps and create clear, defined boundaries between the corporate network and the rest of the world.

About The Author

Trevor Collins is a Network Security Analyst for WatchGuard Technologies.