Mobile Security with Dave Merrill
Bryan Casey BFCASEY@US.IBM.COM | Tags: mobile ibm security
All: this blog is a re-post of something I wrote last week on the IBM Institute for Advanced Security website...
It’s not so crazy to think that the number of people accessing the internet from mobile devices will very soon outnumber those accessing it from traditional computers. That makes sense: mobile devices offer plenty of new opportunities, personal and enterprise alike, in efficiency and convenience. However, as these devices grow in popularity and are increasingly used to access sensitive information, we must also consider some of the emerging security questions. Is my mobile phone protected? Are my data and information safe?
While it’s true that vulnerabilities and attacks associated with mobile phones aren’t currently widespread, it’s worth noting that they do exist and that best practices for securing mobile computing devices are still immature. When we start thinking about how to establish those best practices, we need to focus on the ways we actually use these devices. Security for mobile phones should be approached strategically and pragmatically, with the understanding that people are likely to use the phone for both personal and business purposes. As such, success will mean striking a balance between ease of use and proper security controls.
Earlier this week I sat down with David Merrill, a mobile security expert within the CIO’s organization here at IBM, and had the opportunity to talk with him about some of the topics we’ll be covering in the upcoming IBM X-Force 2010 Trend and Risk Report. The following is the discussion I had with him.
Bryan: So, how real is the threat to everyday smartphone users? Should only high-value targets like C-Suite executives be concerned about mobile security attacks?
David: Well, we know that we see malware on some smartphones and we know that employees do lose their devices, so both of those risks exist and are present today. Certainly the current concern is primarily around data protection (rather than malware), but we certainly feel the risks here are very real based on the data points we have today. As it applies to Senior Executives – or any employee holding high-value data – we believe in intentionally taking a more conservative approach. This type of approach would include the selection of platforms that we’d advise them to use as well as the use of web browser-based mail and calendar versus approaches that allow the data to reside on the device itself. I think it would be naive to not acknowledge that Senior Executives could be targets of mobile attacks, so taking a more conservative approach to this community makes sense to us.
Bryan: What risks are involved in allowing enterprise employees to use their personal smartphones for personal use while at work? What controls should be put in place for personal smart phone use while at work?
David: At IBM, we believe that you should not lower or differentiate the security requirements based on device ownership. The same security requirements should apply to personally owned as well as company-owned computing devices. As such, all of this really points back to the need for well-documented and well-managed security requirements as they apply to mobile devices. Additionally, companies should be wary of even beginning pilots until the platform under consideration can be secured to the requirements in their standards. I think the broader primary question as it applies to the use of personally owned smartphones is the employee’s willingness to allow their company to manage their device. Companies should look to be very clear in the Terms and Conditions of their program. This way, employees immediately acknowledge that their company will enforce required security controls, including, but not limited to, the right to wipe all data.
Bryan: Building on that idea of foundational platform security, in the upcoming trend report you said that there will be years of vulnerability disclosures ahead of us because the platforms are untested. What are some ways that we can proactively address this issue and try to shorten this length of time?
David: I think much of what we can do proactively revolves around engineering of the mobile security ecosystem. Let me explain what I mean. Today there are some fundamental hurdles that need to be overcome, and I feel it starts with an ecosystem that allows security vendors to monetize their research in this area by way of products and services. While I absolutely acknowledge that a lot of great security research occurs in our universities and by independent researchers, the real heavy lifting, the bulk of a lot of research in the area, falls to the security vendors in the field – and not just in the discovery of new vulnerabilities, but also in the development of proper security models to address concerns. If these vendors don’t have a marketplace that allows them to monetize their work, I feel it will occur at a much slower pace, if at all. Of course, this circles back to their customers, the enterprises, and our understanding of our requirements in this area. Obviously, if we don’t understand the problems, it is unlikely we’ll be willing to spend the money – again, development of the ecosystem is very important in my opinion. I also think we all should have a secondary concern – and one that I’ve discussed with a number of the involved platform vendors and carriers in this space – that being our collective ability to close vulnerabilities through “patching” when they are discovered. While security vendors can certainly develop products that help protect us before we can patch, ultimately, these are computer operating systems, and the notion that a 1-2 time per year firmware upgrade will satisfy the closure of vulnerabilities as they’re discovered is ill-advised. I think this will challenge all of us because the current model is really not aligned to rapidly address vulnerabilities as they are discovered.
Bryan: In the report you mention that there haven’t been any significant attacks targeting mobile platforms specifically. Do you expect that to change in the next 2-5 years?
David: Significant is obviously a relative term, and perhaps a better term might be pervasive. While we’ve definitely seen small amounts of malware on smartphones as detected by our malware protection solution, it has been very small in comparison to what we see attacking Windows-based machines. Personally, I feel that the shift to seeing pervasive attacks on smartphones is probably related to a couple of factors: primarily the ramp toward End-of-Life for Windows XP machines and secondly, the market share battle between smartphone platforms. The reason behind the shift will largely be dictated by financial opportunities for the actors that typically exist as part of the underground economy. As their opportunity for Windows XP compromises starts to dry up, I think we should expect that at least a portion of that will be focused on smartphone attacks. Certainly things like the development of malware toolkits to support those mobile platforms as well as the discovery of smartphone vulnerabilities will directly influence their shift.
Bryan: Ok, last question. As smart phone security matures, and people more frequently use this platform to access sensitive information, doesn’t this make them a more attractive target for attackers? Essentially, does enhanced security make them a bigger security risk?
David: It is my belief that people will use these platforms to access sensitive information regardless of the level of protection we can provide. Most users of smartphones are not even aware of attack vectors, vulnerabilities and what could be done to improve security, so I think that they will use their devices regardless. In fact, I’d suggest as enterprises, we really have a very simple choice: we can spend our money in implementing the proper security measures for our employees, or we can spend that money developing ways to prevent them from circumventing controls to enable it themselves. While I think this could vary from corporate culture to corporate culture, I firmly believe folks will invent ways to circumvent controls that exist – and rather than end up in an arms race with our employees in preventing them from what they want to do, we’re all better served to properly educate as well as implement security programs that allow the proper use of this technology. That isn’t to say that we all have all the controls figured out as it pertains to best practices – I think this is a journey – but not unlike the previous generation of personal computers. Let’s face it, things like IPS and DLP were not part of best practices in 1982 either.
And there you have it folks, your first look into the new mobile security section of the upcoming 2010 IBM X-Force Trend and Risk Report. Keep your eyes peeled and your ears open because the full report could be coming any day now.