Security Performance Management
Continuous Monitoring
Cyber Insurance
National Cybersecurity

Articles in this section

See more

Mobile Software Risk Vector

Avatar
Ingrid
Follow
  • November 27, 2023: Clarification on low or no findings.
  • November 10, 2023: Linked to finding messages.
  • August 16, 2023: New Grading & Finding Behavior sections.

⇤ Diligence Risk Category

The Mobile Software risk vector looks at a mobile device’s operating system (OS) and browsers and compares them with the latest and currently available OS and browsers to determine if they are supported or out-of-date.

Mobile devices are smartphones and tablets in a company's network that access the Internet. Outgoing communications from mobile devices include metadata about the device's operating system, device description, browser version, and description of applications (endpoint data).

See data collection methods.

Risks

Newer versions of operating systems and web browsers typically fix stability issues, bugs, and vulnerabilities that existed in older versions. Bad actors frequently exploit known bugs in older software versions to steal information or run malicious software. The use of unsupported operating systems and browsers is correlated with the presence of a high number of malware infections and an increased likelihood of breach.

  • If there are unsupported mobile devices in an organization's network, there is a greater risk of:
    • System failure (vendor devices are not being maintained).
    • Disruption of business continuity.
    • Attackers may be able to use unpatched vulnerabilities to gain system access.
  • Connecting a personal device to a corporate network infrastructure adds a potential surface of attack for a threat actor to gain access to company data and sensitive information.

Grading

See how the Mobile Software risk vector is graded in more detail.

Concept Behavior
Lifetime 65 Days
Number of Findings: Low or None

– “N/A” Letter Grade

Due to user usage patterns, this risk vector can have some volatility in the number of findings. To ensure fairness in grading, there is a 65-days buffer to limit changes to the risk vector due to this volatility.

Finding visibility is considered low if:

  • The number of estimated users is less than 5.
  • The estimated number of users is less than 100 and is less than Employee Count/1000.

This N/A grade has no negative impact on the rating.

  • If there’s a low number of findings or no findings for 65 consecutive days, the grade changes from between A and F to N/A.
  • If there are enough findings for 65 consecutive days, the grade changes from N/A to a letter grade (A to F).

Weight

(Out of 70.5% in Diligence)

 1%

Remediation

Resources

Recommendations

  • Search and identify unsupported mobile software and then update the software to the latest version.
  • Set up auto-update methods for critical mobile software.
  • Insufficient information prevents Bitsight from identifying unsupported software. The use of mobile device management (MDM) systems is recommended, along with integrating human processes that ensures systems in the organization are patched and the software is up-to-date.

Finding Behavior

Concept Behavior
Refresh

Automated: Not applicable.

User-Requested: User-requested refresh not available.
Remediated 28 Days

Related articles