Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.
Michael A. Davis
November 1, 2013
4 Min Read
InformationWeek Green - November 4, 2013
Download the entire November 4, 2013, issue of InformationWeek, distributed in an all-digital format (registration required).
Not a day goes by that some headline isn't screaming about the existential threat posed by mobile computing. Attacks are up some astronomical percentage! Gen Y employees won't follow the rules! App stores are breeding grounds for malware! We even have breakout conferences within conferences to hash out mobile security. The number of respondents to InformationWeek's 2013 Mobile Security Survey jumped about 32% over 2012. The device type and platform diversity in bring-your-own-device programs is apparently causing so many problems that IT teams just want to pack up their servers, send everything to the cloud and go home.
Hold on a minute. Mobile security isn't something you can buy, so put down the checkbook, back away from the MDM system and realize that what we have here is a process and a trust problem.
I don't blame CIOs for feeling like a deer in the headlights. But I do blame many of them for thinking that mobility is different from any other IT security challenge. Heck, the risks aren't even new. The big increase in concern simply highlights the bad process, communications and technology decisions that most infosec teams have made over the past 10 years.
Take a look below at the "Top Five" checklist from a major mobility and IT security provider (which shall remain nameless):
1. Label all mobile devices with user and company information.
2. Require a user to authenticate to the device using a security password.
3. Define authentication features, such as password expiry, attempt limits, length and strength.
4. Ensure that all devices have timeout mechanisms that automatically prompt the user for a password after a period of inactivity.
Report CoverOur report on the state of mobile security is free with registration. This report includes 52 pages of action-oriented analysis, packed with 45 charts.
What you'll find:
What enterprises should look for in mobile security
Advances in mobile device management
5. Prevent mobile devices from downloading untrusted third-party applications over the wireless network.
Now remove the word "mobile." Yeah, 1995 called -- it wants its security boilerplate back. This advice applies to every network-connected IT asset you own, including laptops, desktops and servers, so why are we all so panicked?
Because sometimes, panic serves a strategic purpose.
The fact that the mobile malware risk is vastly overstated can be good for IT. It's difficult to get users to pay attention to, or executives to spend time and money on, something they don't perceive to be a problem. A first step is often to sow some fear. For example, a few years ago my consulting company was hired to perform a physical security assessment for a financial firm that had a problem with tailgating -- employees regularly propping open doors to secure areas. Management resisted change, saying the culture of the company emphasized openness and customer service, and therefore didn't want to force people to wait for admittance ... even after the CISO pointed out that an attacker could waltz into the network. So the CISO did something a bit risky: He asked us to send a stranger into the building to steal a purse. We did so easily. Remember, that CISO had spent two years trying to get basic physical security processes in place, to no avail. When the "victim" couldn't find her purse, and thus her car keys, chaos ensued. News of the incident spread. Of course, we gave the purse back about 15 minutes later, but the issue of open doors and the associated risk immediately took on a very different light.
About the Author(s)
CTO of CounterTack
Michael A. Davis has been privileged to help shape and educate the globalcommunity on the evolution of IT security. His portfolio of clients includes international corporations such as AT&T, Sears, and Exelon as well as the U.S. Department of Defense. Davis's early embrace of entrepreneurship earned him a spot on BusinessWeek's "Top 25 Under 25"
list, recognizing his launch of IT security consulting firm Savid Technologies, one of the fastest-growing companies of its decade. He has a passion for educating others and, as a contributing author for the *Hacking Exposed* books, has become a keynote speaker at dozens of conferences and symposiums worldwide.
Davis serves as CTO of CounterTack, provider of an endpoint security platform delivering real-time cyberthreat detection and forensics. He joined the company because he recognized that the battle is moving to the endpoint and that conventional IT security technologies can't protect enterprises. Rather, he saw a need to deliver to the community continuous attack monitoring backed by automated threat analysis.
Davis brings a solid background in IT threat assessment and protection to his latest posting, having been Senior Manager Global Threats for McAfee prior to launching Savid, which was acquired by External IT. Aside from his work advancing cybersecurity, Davis writes for industry publications including InformationWeek and Dark Reading. Additionally, he has been a partner in a number of diverse entrepreneurial startups; held a leadership position at 3Com; managed two Internet service providers; and recently served as President/CEO of the InClaro Group, a firm providing information security advisory and consulting services based on a unique risk assessment methodology.
You May Also Like
Data Center Firewall Toolkit
10 Considerations to Building Hybrid Mesh Firewall
How a trading floor continues its operations during COVID-19 lockdown
A revolution in healthcare IT service management: How automation is driving improvements in a complex environment
IT Service Management Vendor Rankings & Quadrant