Mobile device security: serious concerns or vendors jumping on the bandwagon?
To answer my own question in the title: both. Our mobile devices are generally not adequately protected; and yes, vendors are leaping on the bandwagon because that’s what they do – it’s called business.
Either way, there has been a positive flurry of security warnings and concerns about the increasing business reliance on mobile devices: smartphones, netbooks, tablets and so on. Earlier today I reported on a McAfee survey showing Mobile device security a growing concern. Yesterday I discussed a Credant Technologies survey that found that 58% of mobile users are worried about the security of the data that they carry around with them, while “66% of laptops will be unencrypted and 51% left totally insecure without even a password for protection”.
Today there are two more concerned companies. Firstly, Fortify Software has picked up on the DefCon hack of cellular networks, which showed that cellular transmissions from mobile phones can be subverted and users’ mobiles fooled into logging into a rogue GSM station, thereby allowing calls to be eavesdropped on and falsified. Fortify’s concern is that the designers of the GSM standard never envisaged the current and growing need for ultra-high levels of security on mobile calls.
When the GSM standard was formulated more than 20 years ago, the developers were required to design a digital successor to the analogue cellular standards of the day. As a result, security was only added after the basic standard was developed. Security was not built into the standard from day one, but essentially added as an afterthought. And that is why we have today’s crackers able to subvert the technology using an ‘evil twin’ methodology that is widely used when hacking WiFi networks.
The really bad news about this hack is that it exploits a structural flaw in the GSM standard that is difficult to fix retrospectively, as there are hundreds of millions of existing standard phones in regular usage.
Barmak Meftah, Fortify Software’s chief products officer
Fortify, of course, is all about developing secure code; and the implication is that if you don’t want to risk similar problems in the future, get your developing code checked with Fortify’s products today.
And now ISACA has released a new whitepaper detailing how the increasing popularity of mobile devices poses a significant threat of leaking confidential enterprise information and intellectual property: Securing Mobile Devices.
Ironically, many of the risks associated with mobile devices exist because of their biggest benefit: portability. To help their company meet its goals of protecting intellectual property and sustaining competitive advantage, information security managers need to create an easily understood and executable policy that protects against risks related to leaking confidential data and malware.
Mark Lobel, CISA, CISM, CISSP, and principal, PricewaterhouseCoopers
ISACA believes that a governance framework such as COBIT or Risk IT will help businesses ensure that process and policy changes are implemented and understood, and that appropriate levels of security are applied to prevent data loss. It goes on to advocate that the following issues be considered when designing a mobile device strategy:
- Define allowable device types (enterprise-issued only vs. personal devices).
- Define the nature of services accessible through the devices.
- Identify the way employees use the devices, taking into account the organization’s corporate culture, as well as human factors. (For example, one in 10 Americans who use a mobile work device plan to use it for holiday shopping.*)
- Integrate all enterprise-issued devices into an asset management program.
- Describe the type of authentication and encryption that must be present on devices.
- Clarify how data should be securely stored and transmitted.
The moral of all this? Don’t be Cnut trying to stop this wave of mobile computing, but bring it on in a controlled fashion.