A few weeks ago, news broke that spyware named "Pegasus" had been targeting iOS devices and exploiting them using three zero-day vulnerabilities dubbed "Trident" by leading iOS security company Lookout. The firm deemed it the most sophisticated and persistent form of malware to target iOS and advised users to immediately update to the latest version of the OS to secure their devices against the vulnerabilities.
Now, in a new blog post, Microsoft's corporate vice president for enterprise and client mobility, Brad Anderson, has expressed his thoughts about how the Pegasus/Trident vulnerabilities prove that iOS is just as vulnerable as Android, and what companies can learn from the attack.
Anderson emphasized that the recent attack proves that we are constantly under attack regardless of the platform or the apps that we use. He went on to say that:
Over the last two years, I’ve had senior executives tell me countless times that they have unwavering implicit trust in the iOS platform. In these discussions it’s been pretty common to hear a comment like, “I don’t trust Android because it is like the wild, wild west – but I have tremendous trust in iOS because it is a controlled and procured ecosystem.” I’m not attempting to throw stones at Android or iOS – but there is a dilemma with this perspective. To be perfectly clear, the dilemma is this: I know for a fact that all the providers of mobile operating systems go to superhuman lengths to harden their platforms and do everything they can [to] deliver the most secure operating system possible – but this fact also exists in our modern era of digital threats that produce consistent successful attacks despite the incredible efforts of the organizations building these platforms.
He argued that mobile devices have now become a "juicy" target similar to PCs, because many officials in organizations own multiple handsets, and access to them equals illegal admission to every minute of the person's daily life. He claimed that in the digital era, there are only two types of organizations: those who have been hacked and those who do not know it yet.
The executive stated that in order to protect an organization against cyber-attacks, companies should always assume that they have been breached, build an in-depth defense, stay current and updated with vendors and security providers, and approach security holistically, acquiring solutions that have been engineered to deliver an integrated defense.
Anderson ended his piece by saying that, as with any defense system, it is unwise to put all the eggs in one basket, and by claiming that Microsoft makes "the most compelling case for providing the single best foundation for your organization".