Top 10 security trends for 2011 countdown:
- #10: Convergence of Data Security and Privacy Regulation Worldwide
- #9: Hackers Feeling the Heat
- #8: Security Becomes a Business Process
- #7: Data Security Goes to the Cloud
- #6: Mobile Devices Compromise Data Security
The proliferation of sophisticated mobile devices (SmartPhones, Tablets, etc.) is going to have a substantial effect on application and data security in the coming years. In particular, we are going to see organizations struggle to accommodate the increase in number and variety of these devices, while maintaining traditional data and application security practices.
The past couple of years have witnessed a dramatic surge in the number of sophisticated mobile devices being used as access points to online services and enterprise networks. At the same time, these devices acquired more capabilities, in terms of storage size and web technology adoption. Apple’s iPhone comes with up to 32GB of internal storage, while its bigger sibling iPad can accommodate up to 64GB of memory. (For context, one million records holding names, addresses, and social security numbers will occupy approximately 0.5GB.) Mobile devices are no longer mere address books or mail readers.
Add to the mix a growing variety of applications that act as a gateway to enterprise systems, including CRM, ERP, and document management. While we are used to concerning ourselves with lost or stolen laptops, it turns out that missing mobile devices may be just as big a pain point.
However, the storage of sensitive information is not the only new concern with mobile devices. As mobile devices become mainstream, online service providers must adapt their offerings to these platforms, creating a special version of each application to match each device’s capabilities. In this process, it is not uncommon to see older vulnerabilities surface once again. We have witnessed the mobile versions of otherwise well-protected online applications display common vulnerabilities: the Citigroup incident in 2009, a more recent Citigroup issue, and AT&T’s well-publicized mishap with respect to iPad owners. In particular, many mistakes are made around identification and authentication, where application programmers mistakenly trust attributes of the data stream that an attacker can forge without possessing the particular mobile device. Thus, the applications themselves become more vulnerable.
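The identification mistake described above, as an added example that is not code from the original post: a request handler that derives the caller's identity from a client-supplied device identifier (which is just bytes in the data stream and can be presented by anyone), beside a hardened handler that only trusts a session token the server itself issued after a credential check. The header names, account store, credential store and requests are all constructed for illustration.

```python
"""Added example, not code from the original post: a request handler that
identifies the caller from a client-supplied device identifier (forgeable),
beside a hardened handler that only trusts server-issued session state.
The account store, credential store, header names and requests below are
all constructed for illustration."""
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed mapping used by the weak handler: device identifier -> account.
ACCOUNTS_BY_DEVICE = {"device-1234": "alice"}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed credential store: user -> (salt, PBKDF2 hash of the password).
_ALICE_SALT = os.urandom(16)
CREDENTIALS = {"alice": (_ALICE_SALT, _hash_password("correct horse", _ALICE_SALT))}

# Server-side session store: opaque token -> user, filled only by login().
SESSIONS = {}


def weak_identify(request: dict) -> Optional[str]:
    """Trusts the X-Device-Id header as proof of who is calling.

    The header is just bytes in the data stream chosen by the client, so any
    client that presents the right value is treated as the device's owner,
    whether or not it actually possesses the device."""
    device_id = request.get("headers", {}).get("X-Device-Id")
    return ACCOUNTS_BY_DEVICE.get(device_id)


def verify_password(user: str, password: str) -> bool:
    entry = CREDENTIALS.get(user)
    if entry is None:
        return False
    salt, expected = entry
    return hmac.compare_digest(expected, _hash_password(password, salt))


def login(user: str, password: str) -> Optional[str]:
    """Issues an unguessable session token only after a credential check."""
    if not verify_password(user, password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token


def hardened_identify(request: dict) -> Optional[str]:
    """Identifies the caller solely from a server-issued session token.

    Client-supplied attributes such as X-Device-Id may still be logged as
    hints, but they never decide identity."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    for token, user in SESSIONS.items():
        # Constant-time comparison so the lookup does not leak token prefixes.
        if hmac.compare_digest(token, presented):
            return user
    return None


if __name__ == "__main__":
    claim = {"headers": {"X-Device-Id": "device-1234"}}
    print("weak handler accepts a bare claim:", weak_identify(claim))
    print("hardened handler rejects it:", hardened_identify(claim))
    token = login("alice", "correct horse")
    print("after login:", hardened_identify({"headers": {"Authorization": "Bearer " + token}}))
```

The point of the contrast is where identity comes from: in the weak handler it is whatever the client writes into the request, while in the hardened handler it is state the server created itself and only after the user proved something (here a password; a second factor would plug into `login` the same way). A device identifier can still be recorded alongside the session for fraud analytics, but it is a hint, not a credential.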
Not only that, but some assumptions regarding “strong” multifactor authentication schemes are becoming obsolete. Take, for example, applications that use a one-time password (OTP) to validate sensitive transactions, where the OTP is delivered via SMS to a phone number provided by the user. If the user is employing a smart mobile device to access the application, and that device is infected by a Trojan, then that Trojan is able to read the OTP delivered through SMS: the second factor arrives on the same compromised device that performs the transaction. If you are surprised by the mention of Trojans in the context of your mobile phone, don’t be. Mobile devices rely on sophisticated operating systems running complex applications. Malicious code is available for these platforms (e.g. Zitmo), and the complex applications (not to mention the usual human flaws) make it as easy, if not easier, to infect a mobile device with malware as any standard desktop platform.
We expect exponential growth in the number of incidents related to mobile devices in the next few years, ranging from theft or compromise of information stored on these devices, through massive infection campaigns, to frequent exploitation of the vulnerabilities introduced on the server side.
Organizations need to start planning to secure the devices and their interaction with enterprise networks. Tools and procedures need to be put into place, such as anti-malware, encryption, and authentication. Special monitoring requirements should be set for access by these devices to enterprise resources (databases, files, intranets). On the other hand, application providers need to get their act together with respect to serving these devices, including vulnerability mitigation, reevaluation of trust, and incorporation of new authentication/authorization channels.
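One concrete starting point for the monitoring recommended above, as an added example that is not code from the original post: a detection rule run over web access logs that flags successful requests from mobile devices to resources the organization restricts to managed workstations. The log format, the sample log lines, the user-agent markers and the restricted path prefixes are all constructed for this example.

```python
"""Added example, not code from the original post: a detection rule over
web access logs that flags successful access from a mobile device to
resources the organization restricts to managed workstations. The log
format, log lines, user-agent markers and restricted paths are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed format: ip user [timestamp] "METHOD path PROTO" status "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Substrings that identify common mobile platforms in a User-Agent string.
MOBILE_UA_MARKERS = ("iPhone", "iPad", "Android", "BlackBerry", "Windows Phone")

# Constructed policy: path prefixes that only managed, non-mobile devices may reach.
RESTRICTED_PREFIXES = ("/intranet/hr/", "/dbadmin/", "/files/finance/")

# Constructed sample log: one policy violation (alice from an iPhone), one
# desktop access to the same file (bob), one blocked mobile attempt (carol, 403),
# and one malformed line.
SAMPLE_LOG = [
    '10.0.0.5 alice [10/Nov/2010:09:12:01 +0000] "GET /webmail/inbox HTTP/1.1" 200 '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 4_1 like Mac OS X)"',
    '10.0.0.5 alice [10/Nov/2010:09:13:44 +0000] "GET /intranet/hr/salaries.xlsx HTTP/1.1" 200 '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 4_1 like Mac OS X)"',
    '10.0.0.9 bob [10/Nov/2010:09:15:02 +0000] "GET /intranet/hr/salaries.xlsx HTTP/1.1" 200 '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64)"',
    '10.0.0.7 carol [10/Nov/2010:09:16:30 +0000] "POST /dbadmin/query HTTP/1.1" 403 '
    '"Mozilla/5.0 (Linux; U; Android 2.2)"',
    "garbage line",
]


@dataclass
class Alert:
    user: str
    ip: str
    path: str
    ua: str


def is_mobile(ua: str) -> bool:
    return any(marker in ua for marker in MOBILE_UA_MARKERS)


def is_restricted(path: str) -> bool:
    return path.startswith(RESTRICTED_PREFIXES)


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines) -> List[Alert]:
    """Returns one Alert per successful (2xx/3xx) mobile request to a restricted path."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real pipeline would count these separately
        if not rec["status"].startswith(("2", "3")):
            continue  # denied requests are left to the existing auth-failure rules
        if is_mobile(rec["ua"]) and is_restricted(rec["path"]):
            alerts.append(Alert(rec["user"], rec["ip"], rec["path"], rec["ua"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"ALERT: {alert.user} from {alert.ip} reached {alert.path} via mobile UA {alert.ua!r}")
```

Run on the constructed log, the rule raises exactly one alert (alice reaching the HR spreadsheet from an iPhone); bob's desktop access and carol's denied request are left to other rules. Note that the User-Agent is itself a client-chosen attribute of the data stream, the same kind of attribute the post warns against trusting for authentication, so this rule is a monitoring signal for spotting unmanaged-device access, not an access control; enforcing the policy belongs to the authentication and device-management layer.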