Skip to main content
Security Posture Management
Continuous Monitoring
Vendor Risk Management
Trust Management Hub
Cyber Insurance
National Cybersecurity

Mobile Software Risk Vector: Understanding Findings and Remediation Tips

Ingrid

When evaluating the Mobile Software risk vector, Bitsight grades both a mobile device’s operating system (OS) and web browser independently based on their support status. The final finding grade is calculated by combining these two individual grades.

Understanding how these combinations work and how much time you have to fix them is key to maintaining a strong rating.

Risks of not remediating Mobile Software findings

Upgrading to newer operating systems and web browsers is critical for addressing security vulnerabilities, bugs, and stability issues. Malicious actors often target known weaknesses in outdated software to compromise data or deploy malware. Using unsupported software versions increases the risk of malware infections and potential security breaches.

  • If there are unsupported mobile devices in an organization's network, there is a greater risk of:
    • System failure (vendor devices are not being maintained).
    • Disruption of business continuity.
    • Attackers may be able to use unpatched vulnerabilities to gain system access.
  • Connecting a personal device to a corporate network infrastructure adds a potential surface of attack for a threat actor to gain access to company data and sensitive information.

Proactive Best Practices for Remediating Mobile Software Findings

  • Implement Mobile Device Management (MDM)
  • Enable automatic update methods for all critical mobile software.
  • Identify and update unsupported software.

The 28-Day Grace Period

We understand that updating systems takes time. There is a 28-day grace period to allow for validating and updating software packages.

  • During this 28-day window, findings are issued a FAIR grade and do not negatively impact your rating.
  • If the software remains unpatched after the grace period ends, but it is still less than 365 days after the software's end-of-support date, the finding will drop to a WARN grade.
  • Older unsupported software eventually drops to a BAD grade.

Common Findings & How to Remediate Them

Support Status Indicators Key:

  • ❗Undetermined: Either there’s no version available, the finding cannot be identified, or both the OS and browser are unknown. The finding is evaluated as NEUTRAL.
  • ❓Unknown: When either the OS or browser has been evaluated and the other is unknown. The finding is graded as the available grade.

Depending on the combination of your OS and browser, you will see different finding messages. Here is how to resolve the most common scenarios:

1.Supported Operating Systems

  • Supported OS + Supported Browser: Both the mobile OS and the browser are fully supported.
    • Grade: GOOD
    • Remediation: No action required.
  • Supported OS + Unknown Browser (❓): OS is supported, but the browser version was not recognized.
    • Grade: NEUTRAL
    • Remediation: Ensure users are utilizing approved mobile applications to allow for proper security analysis.
  • Supported OS + Unsupported Browser: The OS is healthy, but the browser version is out of date.
    • Grade: FAIR, WARN, or BAD (determined by the browser's age).
    • Remediation: Update the browser to the latest version available for that operating system.

2. Unsupported Operating Systems

  • Unsupported OS + Supported Browser: The OS is unsupported, even if the browser is the most recent version available for that specific OS.
    • Grade: FAIR, WARN, or BAD (determined by the OS age).
    • Remediation: Upgrade the mobile device's operating system to a supported version.
  • Unsupported OS + Unknown Browser (❓): The OS is unsupported and browser data is missing.
    • Grade: FAIR, WARN, or BAD (determined by the OS status).
    • Remediation: Update the mobile operating system to a supported version.
  • Unsupported OS + Unsupported Browser: Both the OS and browser are out of support.
    • Grade: FAIR, WARN, or BAD (based on the lowest grade of either component).
    • Remediation: Upgrade the operating system immediately, then install a supported browser.

3. Unknown or Undetermined Systems

  • Unknown OS + Supported Browser: The browser is supported, and the OS version is unknown.
    • Grade: GOOD
    • Remediation: Ensure an organizational strategy is in place for mobile OS updates.
  • Unknown OS + Unknown Browser: Neither the OS nor the browser could be recognized.
    • Grade: NEUTRAL
    • Remediation: Verify that mobile devices are reporting version data correctly for analysis.
  • Undetermined OS + Undetermined Browser (❗): No version data available for either component.
    • Grade: NEUTRAL
    • Remediation: If obfuscation is intentional, ensure an alternate update strategy is managed internally.
  • October 11, 2023: FAIR finding behavior allows 28 days for validating and updating software.
  • September 12, 2023: Separated Desktop Software to its own page.
  • July 18, 2023: Published.
Was this article helpful?
0 out of 0 found this helpful
Return to top

Related articles

Feedback

0 comments

Please sign in to leave a comment.