The mobile device revolution is quite possibly the most significant change in computing since we shifted away from the mainframe more than twenty years ago. These handheld devices feature ubiquitous connectivity, constant access to the biggest repository of mankind's knowledge, and more computing power than the NASA control room had for the first moon landing.
But what's coming next, and what are the security implications?
Your mobile knows where you are, where you are supposed to be and who you should be talking to. We can now instantly connect our real lives to digital information: purchasing tickets, sharing business data or connecting with friends who happen to be nearby. Mobile devices, and their rapid innovation and development, are already enabling busy professionals and home users to conduct business and manage their lives on the move. Furthermore, they are enabling a whole host of new business models and services. As such, they are set to be the linchpin of future economic growth. Hats off to the mobile hardware and software developers; modern technology is amazing. But what are the key technologies driving the evolution of the mobile, what happens next, and what are the security implications?
While many of us naturally worry about traditional attacks like malware and phishing on these new devices (and without doubt these issues do exist), new functionality breeds fresh opportunities for the bad guys. New features like augmented reality, facial recognition and integrated social media could leave users open to new kinds of abuse. Augmented reality, for example, connects location information with a user's social media friends, enabling them to identify digital contacts nearby. I don't know about you, but I am far more scrupulous about my real friends than I am with my digital connections. This in turn opens up new prospects for social engineering, such as figuring out when you are away from your home for criminal purposes (sites like PleaseRobMe.com do just this). In the same vein, facial recognition technology and the tagging of users in photos on social media sites blur the work-home boundary even further. For example, police officers have already come under attack after their identities were exposed through social media and facial recognition technology.
NFC (Near Field Communication) technology is another interesting example of innovative technology that aims to deliver convenience for consumers. However, it will introduce a new dimension of challenges for security professionals: once the device can pay, it becomes a much more interesting target for stealing money. There is a push to build NFC technology into mobile devices, enabling users to make payments or pass on personal information with a simple tap of a mobile device against a reader. This will further transform the mobile into the single device from which most aspects of your life are driven, making it even more attractive to cyber criminals.
The more data we make available on our mobiles, the more tools we provide the bad guys to weave creative attacks designed to compromise our personal lives, businesses and finances. Equally, the more applications and new capabilities we use, the more we increase the attack surface for the bad guys. Security is not the only victim; privacy will be challenged too. As we adopt more of these technologies for convenience, we can expect our lives to come under greater surveillance, with the mobile becoming a combination of passport, personal record store and social life.
A change of attitude
Alongside these radical technology changes, business expectations have also changed. Only a few years ago enterprises wanted to block social media sites and non-standard, unmanaged devices. Now we are all consciously trying to embrace these technologies; look at the number of organizations with teams of people entirely focused on using social media as a channel to market, a stark contrast to years previous. These changes in technology and business expectations mean a new attitude toward information security is needed. Embrace or die. This change of attitude also shapes the future of mobile security and applications: the default answer to new technology is becoming yes rather than no.
Mobile devices are also starting to define their architectures around modern working practices. BlackBerry, for example, has introduced a feature which provides two isolated working environments on the same device, allowing you to separate work and play data. This offers the benefits of a trustworthy and secure business environment alongside the flexibility to play games and the like. These features are not yet widespread and the robustness of the isolation is unproven, but they show a positive direction which could much better secure the modern remote worker. Combined with security vendors' offerings, these features could make for very usable, more generally secure devices.
All that said, whilst applications and services on the device are updated, often automatically, OS updates for the device sometimes require painful cable connections or user interaction. This is a significant risk, as missing these updates leaves devices running with known, unpatched vulnerabilities. Jailbreaking iPhones is an excellent example of user-desired exploitation of exactly such holes: jailbreaking allows users to customize their device more than Apple allows and to run pirated applications, and it is a fairly widespread practice. The same holes could be used for user-undesired malware too. The infrastructure for updating and patching security vulnerabilities in mobiles has many lessons to learn from the traditional computer industry; perhaps the vendors should take a look at the lessons Microsoft has had to learn here over the years.
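The practical counterpart to the patching problem above (and to the advice later in this paper to authorize only OS versions that include the minimum required security capabilities) is a compliance check over your device inventory. The following is an added example written for this page, not Sophos code or any product's API. The platform names, version floors, the `jailbroken` field name and the inventory records are all constructed for illustration; a real deployment would take these from the management agent and an agreed policy.

```python
"""Added example: a minimum-OS-version / jailbreak compliance check for a
mobile device inventory. Not Sophos code; the platform names, version
floors and inventory records below are constructed for illustration."""
import re

# Hypothetical policy: lowest OS release a device may run, per platform.
# Illustrative values only, not a recommendation for any real estate.
MINIMUM_OS = {
    "ios": "4.3.3",
    "android": "2.3.4",
    "blackberry": "6.0.0",
}


def parse_version(text):
    """'4.3.3' -> (4, 3, 3). Leading numeric components are kept; the first
    non-numeric piece ('2.3.4-update1' -> (2, 3, 4)) ends the parse."""
    parts = []
    for piece in re.split(r"[.\-_]", text.strip()):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    if not parts:
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(parts)


def version_at_least(actual, minimum):
    """Numeric, zero-padded comparison: '4.3' == '4.3.0', and '4.10'
    correctly beats '4.9' (a plain string comparison gets that wrong)."""
    a, b = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def evaluate_device(device):
    """Return a sorted list of policy findings for one inventory record;
    an empty list means the device is compliant. Unknown platforms are
    denied by default rather than silently passed."""
    platform = device["platform"].strip().lower()
    findings = []
    minimum = MINIMUM_OS.get(platform)
    if minimum is None:
        findings.append("unknown_platform")
    elif not version_at_least(device["os_version"], minimum):
        findings.append("os_below_minimum")
    # Jailbreak/root status is assumed to be reported by the management
    # agent; the field name is hypothetical.
    if device.get("jailbroken", False):
        findings.append("jailbroken")
    return sorted(findings)


def check_inventory(inventory):
    """Map device id -> findings for every non-compliant device."""
    report = {}
    for device in inventory:
        findings = evaluate_device(device)
        if findings:
            report[device["id"]] = findings
    return report


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    {"id": "dev-001", "platform": "iOS", "os_version": "4.3.3", "jailbroken": False},
    {"id": "dev-002", "platform": "iOS", "os_version": "4.2.1", "jailbroken": True},
    {"id": "dev-003", "platform": "Android", "os_version": "2.3.4", "jailbroken": False},
    {"id": "dev-004", "platform": "Android", "os_version": "2.2", "jailbroken": False},
    {"id": "dev-005", "platform": "Symbian", "os_version": "9.4", "jailbroken": False},
]

if __name__ == "__main__":
    for device_id, findings in check_inventory(SAMPLE_INVENTORY).items():
        print(device_id, ", ".join(findings))
```

Two design points worth noting: the comparison is done on integer tuples rather than strings, because a string compare puts "4.10" below "4.9", and a platform that is not on the list is reported rather than waved through, which matches the "authorized list of devices" approach rather than a blocklist.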
Features such as Mobile IPv6 are designed to make it easier for mobile devices to switch between different networks (Wi-Fi and 3G, for example) while keeping a consistent home address. This delivers consistent connectivity and coverage, and enables efficient routing of traffic for the truly mobile road warrior. There are numerous security enhancements too. It is worth noting that IPsec, the industry standard for secure VPN connections, was developed alongside IPv6 and back-ported to IPv4; in IPv6 its implementation is native, and support for it was a mandatory part of the node requirements (the requirement was later relaxed from "must" to "should" in RFC 6434). Mobile devices could be a driving force of change in networking, but with these changes will also come security challenges and new skills for security professionals to master. Many mobile devices and tablets now talk IPv6 by default on your network, typically via link-local addressing and stateless autoconfiguration, so an IPv4-only monitoring and filtering setup may never see that traffic; if not addressed, this potentially leaves them open to attack.
We are now moving to a new vendor ecosystem, including Google and Apple (to name a few). It is critical that this new ecosystem applies the lessons learned from our experience with desktops, rather than throwing these devices back to the 1990s. Mobile security has in many cases been held back by the absence of security APIs and by security not being a core requirement for these new providers. We all need to make sure we apply appropriate pressure to get smart, secure defaults from this new vendor ecosystem and reinforce that good security capabilities are part of the minimum requirements for a device.
Overall, the mobile security market today is relatively immature and there is a lot of work to do to develop the right security controls on mobile devices. It may be tempting to start with the concept of a comprehensive security offering with parity to the desktop, including AV, DLP, HIPS, encryption, application control and so on for the mobile, but in reality these capabilities are not yet broadly available or, in many cases, possible to deliver. Priority one is to get the basics under control: despite all the hype, most data breaches occur because of basic configuration failures such as poor passwords, lack of encryption, poor patching or social engineering. You can find more details on how to protect yourself on sophos.com. Over time mobile threats and the available security controls will evolve, and Sophos will be providing customers with relevant and updated capabilities as required.
Here are some pointers on how to approach your longer-term mobile security strategy:
1. Perhaps the most critical aspect of your long-term strategy is how you approach updating and revising it. Mobile devices and technology are going to evolve at an incredible rate, and the evolution of this breadth of technologies is too unpredictable for a conventional 3-5 year IT strategy to be wise. Project teams adopting mobile devices should define a 6-month strategy using an agile methodology, then constantly re-evaluate how the devices are changing and what new risks are being introduced.
2. Plan for mobile devices to be more explicitly included in your compliance and regulatory requirements.
3. Ensure that any technology solutions you adopt (such as device management) abstract as much as possible from device type and OS. Popular devices will change quickly and you need to future-proof your security controls as much as possible. There is a risk that as you adopt five times the number of device types you increase the cost and complexity of managing them by the same factor; challenge vendors to solve this issue for you with broad platform support.
4. Carefully look at the combination of work and personal data on mobile devices. These devices are often the extreme scenario, blending your contacts, email and data into one UI with little differentiation for the end user. Consider your strategy for this on an ongoing basis, as it is a trend that is likely to continue. Deploy processes, policies and practices to help users avoid making silly mistakes which lead to compromising themselves and your business.
5. Invest in building mindshare with your users on mobile security. They need to understand the value of the information (both personal and business) they are placing on their device and that these mobiles are not inherently secure. This will stand you in good stead as attack vectors evolve.
6. Go broad. Don't be overly clinical with your definition of mobile devices; different form factors are evolving every day and your strategy needs to encompass tablets, smartphones and potentially other popular embedded devices. That said, it would be wise to specifically authorize a list of devices; many enterprises, for example, allow only specific versions of an OS that include the minimum required security capabilities. As the devices mature, your list will grow longer.
7. Embrace or die. Entirely resisting these new devices and technologies is not a tenable position for most organizations; most are in the position of having to adopt them. Enabling certain devices like the iPad at an appropriate level of security in your organization will earn you the credibility to steer users away from riskier technologies.
8. Watch this space. Sophos will be releasing new mobile security controls as the platforms and problems evolve. Customers running our mobile security capabilities are joining a journey as the issues evolve rather than buying a final mobile security capability.

James Lyne, Director of Technology Strategy, Sophos @jameslyne
Boston, USA | Oxford, UK Copyright 2011. Sophos Ltd. All rights reserved. All trademarks are the property of their respective owners.