This morning, Symantec released a new paper written by Carey Nachenberg addressing Mobile Device Security [link]. Last week, John Harrison from Symantec offered me a preview and a briefing to discuss the findings as they relate to my passion and focus on the human side of security.
Below, I break down my notes in terms of security awareness, security leadership, effectively communicating the value of security and a few thoughts on how a paper like this advances a security career.
The basic concern is clear: smart phones are gaining market share, and increased reliance means they are loaded with personal and corporate information. Considering the continued growth of mobile computing, attackers are going to "follow the money" by turning their attention to mobile malware in search of easier, more profitable targets.
The challenge is determining where mobile device security fits into an already crowded and ever-expanding threat landscape.
How big is the risk; how fast do we need to move?
To put it into context, consider the magnitude of the risk: according to the Symantec Internet Security Threat Report, there were 163 documented vulnerabilities in mobile device operating systems in 2010, compared to 115 in 2009. The growth demonstrates the rising attention of attackers.
Overall, however, Symantec documented 6,253 software vulnerabilities in 2010, so mobile operating systems still account for a small fraction of the total (additional context can be found in the most recent ISTR starting on page 15).
The impact of mobile malware on the enterprise is rising; while immediate action may not be warranted, there are some actions to take today to prepare for the future with less friction.
At this point in the year, the security awareness programming plan should already be in operation, and no immediate changes are required. The topic does, however, present itself as a good secondary or opportunistic topic, especially if people are starting to ask about it.
To get started, redefine the concept of mobile telephones: they do more than dial numbers these days. Ask questions about the type of information people store. A simple question gets this dialogue started: "What's on your device?" Follow up with, "What happens if your phone is lost or stolen?"
Asking, "What happens if a rogue application gets installed on your device?" prompts a more advanced discussion. The challenge at this level of security awareness discussion is preparing to talk about how this happens without accusing the individual or audience of being stupid.
Start the dialogue this year, if it makes sense, as an opportunity to learn the challenges people are facing and the language they use. This becomes valuable input for next year's programming plan (where it still might not be a prime topic).
Security leadership considerations
Like it or not, mobile devices are connected to the enterprise. The growth of mobile computing coupled with the growth of "the cloud" means personal and corporate information is necessarily stored on smart phones, approved or not.
Reconsider how devices are treated and then review current security policies, standards and procedures to understand how information is protected. Ask questions and consider how the policies address lost or stolen phones and mobile devices. The user experience matters.
Aside: I've tested "remote wipe" with clients before. Despite their assurances it would work perfectly, in each case I was able to turn off the radio transmitter before the wipe and enjoy full access to the information stored conveniently on the memory card inside the phone. Lesson learned: check the policy, and then test to see if it matches reality.
Making the time now, before this becomes a hurried rush that never leads to good decisions, means the opportunity to consider changing functional and technical requirements.
Given the current average time to change policies and procure new technology solutions, this little bit of a "head start" might make the difference between future success and continued struggle.
In short: do the work now, reap the benefit later.
Effectively communicating the value of mobile device security
As security leadership reviews and makes decisions, consider how to effectively communicate and incorporate the changes to the various audiences in the best possible way (hint: email may not work for everyone).
The key to an effective user experience is striking the blend between connecting people to the consequences of their actions (restoring their ability to take responsibility) and providing a technical and procedural backstop that makes it easier for people to do their jobs.
How this helps advance a security career
We're in a profession where we need to know something about everything (aside: I believe the path to success, however, requires finding a niche and getting good at it, in addition to knowing a bit about everything).
Mobile device security and cloud computing are both on the rise. Investing time now to amass and understand facts, figures and the ability to explain the importance of these details to different audiences is important.
Breaking down the salient concepts of mobile device security to be able to teach these basic concepts to others in meaningful and appropriate ways is a way to advance a security career.
What do you think? How are you handling the rise of mobile malware, and the continued integration between mobile and cloud computing?
Share your challenges, and whether my perspectives on this paper benefit your efforts (or what you'd like to have seen more of).