Avoiding Evil: Securing Mobile Devices
Risk Mitigation Steps Organizations Should Follow
Cloud and mobility continue to change the landscape for security professionals concerned with data loss and the growing number of endpoints holding sensitive information, says Dan Hubbard of the Cloud Security Alliance.
"A lot of security tenets today are built off the fact that you have this visible and single point in your network," Hubbard says in an interview with Information Security Media Group's Eric Chabrow [transcript below]. "The cloud and mobility in the consumerization of IT are changing all of that. ... This kind of single traffic, lane or freeway doesn't exist anymore."
With cloud and mobility comes the threat of data loss from misplaced, stolen or decommissioned devices, the number-one threat according to the "Evil 8 Top Threats to Mobile," a new survey conducted by the Cloud Security Alliance.
The Evil 8 includes:
- Data loss from lost, stolen or decommissioned devices.
- Information-stealing mobile malware.
- Data loss and data leakage through poorly written third-party applications.
- Vulnerabilities within devices, operating system, design and third-party applications.
- Unsecured WiFi, network access and rogue access points.
- Unsecured or rogue marketplaces.
- Insufficient management tools, capabilities and access to application programming interfaces.
- Near-field communications and proximity-based hacking.
"It's definitely top of mind for corporate professionals," Hubbard says of the Evil 8. "Because of the small footprint of the devices and the use, it's likely that the devices clearly can be lost or potentially stolen or picked up from somebody else and that information at that point becomes at risk."
To mitigate the risk of data loss, organizations at a minimum need to have passwords set on their devices above the four-character passwords, Hubbard explains. "Encryption is also very important, so if somebody does get the device, it's just another hurdle that they have to get across," he says.
Remote wipe also offers another layer of defense for organizations in the event a device is misplaced or stolen.
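The three mitigations above (a passcode longer than four characters, storage encryption, and remote wipe) are easy to state and easy to lose track of across a fleet. The following is an added example, not code from the article or from the Cloud Security Alliance: a small baseline check that reads a device inventory and flags every device that cannot be shown to meet all three, plus any decommissioned device without a confirmed wipe. The CSV layout and column names are a constructed assumption in the shape of an MDM export, not any vendor's real schema; a blank or unknown value is treated as non-compliant, because an inventory that cannot prove a control is in place should not get credit for it.

```python
"""Minimum-baseline check for a mobile device inventory (added example).

Evaluates each device against the mitigations listed in the article:
a passcode longer than four characters, storage encryption enabled,
remote wipe available, and a confirmed wipe for decommissioned devices.
The input is a constructed CSV; the column names are assumptions and
do not correspond to a real MDM export format.
"""
import csv
import io
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample export (hypothetical columns, not a real MDM schema).
SAMPLE_EXPORT = """\
device_id,owner,passcode_set,passcode_min_length,encrypted,remote_wipe_enrolled,status,wipe_confirmed
d-001,cfo,yes,6,yes,yes,active,
d-002,sales-12,yes,4,yes,no,active,
d-003,contractor-3,no,,no,no,active,
d-004,eng-7,yes,8,,yes,active,
d-005,former-staff,yes,6,yes,yes,decommissioned,
"""

MIN_PASSCODE_LENGTH = 5  # "above the four-character passwords"


@dataclass
class Finding:
    device_id: str
    owner: str
    issues: List[str] = field(default_factory=list)


def _truthy(value: Optional[str]) -> Optional[bool]:
    """Map yes/no/true/false to a bool; blank or unrecognised -> None."""
    v = (value or "").strip().lower()
    if v in {"yes", "true", "1"}:
        return True
    if v in {"no", "false", "0"}:
        return False
    return None


def evaluate_device(row: dict) -> Finding:
    """Return a Finding for one inventory row; issues is empty if compliant."""
    f = Finding(row["device_id"], row["owner"])

    if _truthy(row.get("passcode_set")) is not True:
        f.issues.append("no passcode")
    else:
        try:
            length = int(row.get("passcode_min_length") or 0)
        except ValueError:
            length = 0
        if length < MIN_PASSCODE_LENGTH:
            f.issues.append(f"passcode length {length} < {MIN_PASSCODE_LENGTH}")

    # Unknown encryption state counts as not encrypted: the inventory
    # cannot prove the control is in place, so the device is flagged.
    if _truthy(row.get("encrypted")) is not True:
        f.issues.append("storage encryption not confirmed")

    if _truthy(row.get("remote_wipe_enrolled")) is not True:
        f.issues.append("remote wipe not available")

    # A decommissioned device still holding data is the article's top threat.
    if (row.get("status") or "").strip().lower() == "decommissioned":
        if _truthy(row.get("wipe_confirmed")) is not True:
            f.issues.append("decommissioned without confirmed wipe")

    return f


def evaluate_inventory(csv_text: str) -> List[Finding]:
    """Return one Finding per non-compliant device, most issues first."""
    reader = csv.DictReader(io.StringIO(csv_text))
    findings = [evaluate_device(row) for row in reader]
    findings = [f for f in findings if f.issues]
    findings.sort(key=lambda f: (-len(f.issues), f.device_id))
    return findings


if __name__ == "__main__":
    for f in evaluate_inventory(SAMPLE_EXPORT):
        print(f"{f.device_id} ({f.owner}): " + "; ".join(f.issues))
```

On the constructed sample, the fully compliant device (d-001) produces no finding, the device with no passcode and no encryption ranks first, and the decommissioned device is flagged even though its other controls are in place. To use this against a real export, map the vendor's column names onto the ones assumed here.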
In the interview, Hubbard also explains the:
- Synergy between mobile and cloud computing;
- Top threats to mobile;
- Growing malware concerns.
Hubbard's day job is chief technology officer for Internet security provider OpenDNS. He previously held the same post at Websense, the data and e-mail content security provider, where he founded the Websense Security Labs.
Mobile & Cloud Computing
ERIC CHABROW: First off, this survey of mobile computing was conducted by the Cloud Security Alliance. Take a few moments to explain the synergy between mobile and cloud computing?
DAN HUBBARD: I chaired a couple of years ago the top threats to the cloud and it was time for us to do a refresh of that. When we started doing a refresh, mobile kept coming up over and over again and we thought that mobility and the way things are moving at such a rapid pace in mobility, it's very aligned to the cloud. However, we thought that it actually deserved its own kind of framework, survey data and report that outside of the top threats to the cloud, mobility is really 100 percent driven from the cloud and to the cloud and kind of without the cloud it's very difficult for mobility to work.
CHABROW: I guess it goes away from the traditional way of IT where you had servers and computers within the enterprise itself. Now the cloud is off from the enterprise as well as mobile devices?
HUBBARD: Absolutely. A lot of security tenets today are built off the fact that you have this visible and single point in your network where you can look at all of the traffic and make deterministic decisions and potentially log and have visibility to the traffic. The cloud and mobility in the consumerization of IT are changing all of that, so this kind of single traffic, lane or freeway doesn't exist anymore. It's now actually going out to other places that you may not necessarily have access to.
CHABROW: We'll go into specific points of the survey in just a moment, but generally what's your takeaway from the entire survey?
HUBBARD: One was that we had results come in really quickly and we had a really diverse group of people, more than 200 people in more than 26 different countries, so there's clearly a lot of global interest here. Some of the things that made the list were a surprise to me, some of it from a ranking perspective, and then some of what people thought were the future threats were also quite of interest to me.
Top Threats to Mobile
CHABROW: We'll get to some of that in a moment. The survey identified what it calls the "Evil 8 Top Threats to Mobile." Let's address a few. Number one on the list was data loss from lost, stolen or decommissioned devices. How much of a challenge does such loss present to end-user organizations and are you surprised that was number one?
HUBBARD: No, I'm definitely not surprised that was number one. It's definitely top of mind for corporate professionals where, especially at the senior level, the officers frequently have these pockets of sensitive information quite frequently on their devices. Because of the small footprint of the devices and the use, it's likely that the devices clearly can be lost or potentially stolen or picked up from somebody else and that information at that point becomes at risk. Data loss from the devices being misplaced, stolen or not decommissioned properly has probably been top of mind for quite some time.
CHABROW: What can the organization do about that?
HUBBARD: There are a variety of things. One is to make sure that the devices have at minimum passwords set on them, above and beyond the four-character passwords. Encryption is also very important, so if somebody does get the device, it's just another hurdle that they have to get across, some of the encryption, and some companies are offering that and a lot of the devices have the ability to wipe the device remotely if you have lost it and are not comfortable with the data that's on it.
CHABROW: Number two on the Evil 8 list was information-stealing mobile malware. Is this a problem vendors create by not manufacturing more secure devices? What should end-user companies do about this problem?
HUBBARD: Most of the attacks, although the numbers are pretty small, are going up pretty rapidly and they're in large part focused really around Android devices. The kind of device diversity that Android brings, there are so many different variants of it that are out there and so many different ways that the platform can be delivered. There are also a number of different stores and there's not the lock-down that the Apple product has to legitimately download apps directly from Apple, so they have a little bit more of a central place where they can do the security versus Android which is quite a bit more distributed and the user has the option to turn that off and download apps from wherever they want. With that, most of the malware we've seen has been around Android devices. It's pretty simple economics from the attacker's standpoint. They're just going to go where information and the users are, and this is just another piece of technology that has expanded the kind of surface of things that they can attack.
CHABROW: Are there more secure marketplace stores than others?
HUBBARD: Yes. The main companies being predominately Apple, Google with the Play store and Amazon are significantly more secure than the third party, unknown locations. A lot of these are very popular in the Asia Pacific area, China and Southeast Asia where stores quite often have broken some type of digital rights management for free access to things that are otherwise available in the other stores, but also there has been a number of stores that have been compromised and have malicious apps built in along with those cracked free apps.
CHABROW: Threats three and four have something in common, third-party applications. Number three is data loss and data leakage through poorly written third-party apps, and number four is vulnerabilities within devices, operating systems design and third-party applications. What can be done to assure that either third-party apps are written more securely or vetted before being downloaded on mobile devices?
HUBBARD: You usually are downloading apps from a central location. Unlike on Windows in the past where you can get apps anywhere and install them from anywhere at any given time, there's quite a bit more control around how apps get published and downloaded. With that, there are a lot of security checks that the provider of the app stores can do, and some have talked about that, whether it's Google with some of the tools that they've announced and Apple with some of the things that they do in the publishing process.
Unfortunately, it's a very large numbers game, so there are a lot of apps that they're going through at any given time. Manually looking at every single app is particularly challenging to scale. Really, a lot of it is around the publishers creating the right process in looking at some of the apps in an automated, funneled approach where automated things will solve 95 percent of the problem and then at the end of the day maybe a researcher has to look at the app and decide whether or not it's something that can go into the store or not.
Near Field Communication
CHABROW: At the beginning of this conversation, you mentioned there were some surprises you found in the survey. What were those surprises?
HUBBARD: The first one really was around WiFi and the access of WiFi. We've talked about ubiquitous Internet for quite some time, but depending on where you are, it never ceases to amaze me where Internet access is available. It's in any retail store front, coffee shop, restaurant, hotel, planes, trains, automobiles. You name it and there's some type of connectivity. Whether this kind of ubiquitous connectivity is going out, more and more people are connecting because of the performance gains and potentially the cost savings of not having to use 3G or 4G. I was actually pretty surprised that more than 80 percent of all the respondents believed there were attacks that were happening over these unsecure WiFi access points. The second one was that almost two-thirds of all the respondents believed that next year, moving into 2013, there would be near-field communications and proximity-based attacks that will be happening.
CHABROW: That's the new feature where you can tap someone else's device and you can share content, correct?
HUBBARD: Yes, and near-field is unlike standard wifi where you have a larger area where you can provide access and communicate. Near-field is a very small area, sometimes within centimeters, where you can either connect the phones or bump the phones where the device is able to share information. It's also becoming a very popular way for payment, though you can do payment through some of the devices today just from connecting your phone to another device or to some type of point-of-sale terminal, and maybe that's why people believe that's going to be a place the attackers are going to look at.
CHABROW: Anything else you would like to add?
HUBBARD: I think this will be a space to really watch and it will be interesting to see how these threats are perceived and real threats change moving forward. We plan on releasing this every six months so we will definitely keep an eye on it.