Mobile Security in the Face of BYOW (yes, "W") Cross-Device Attacks & More

Four fundamental assertions to start the mobile security conversation

Jens Hinrichsen, NuData Security

Mobile devices are increasingly targeted by attackers who are becoming ever more surgical in how they compromise the employees and customers of specific organizations.

For starters, it is no stretch to say that mobile security now has about as many facets as the derivatives market has grown over the past decade. And now that wearable technology has reached even wigs, courtesy of our style-first friends at Sony, we not only need to collectively plan for, execute, manage, and optimize BYOD (Bring Your Own Device) security; "BYOW(ig)" may well squeeze itself into the lexicon in the not-too-distant future.

Now, whether you are a well-informed CISO, security architect, CIO, head of an operating unit, or the like, let's begin by laying out a few fundamental assertions on which the subsequent considerations build:

  • Assertion #1: All devices are, or can become, compromised. iOS may be more locked down than Android, but attackers always find a way. That way is not necessarily purely technological; it often relies on some blend of deception and social engineering.
  • Assertion #2: Focusing primarily on locking down, and then trying to clean, infected devices is a Sisyphean pursuit. What sets an organization up for success is what it does once it acknowledges that customers and employees can be compromised, and what it does once it detects an infected user.
  • Assertion #3: As long as particular user functionality is desired, curbing access to it is not a viable tack. For example, employees will keep using Dropbox to share sensitive information because of its convenience, unless they are offered an alternative that is just as convenient and, more importantly, more secure. The same applies to mobile devices: it is preferable to provide a secure and monitored way of enabling additional functionality rather than simply forbidding it and driving it "underground".
  • Assertion #4: Protecting the critical data itself across its lifecycle, coupled with deep behavioral analytics that discern genuine from malicious user activity, is the endgame, at least for the rest of this decade. These are the only approaches employed thus far that are particularly effective at enabling the functionality users demand while maintaining the necessary level of control and security.

So then what? Let's wrap up with a few directional paths on which we can, and should, embark over the coming weeks and months.

  • Whether you are protecting internal stakeholders or external users, build systems that profile normative behavior, research malevolent behavioral patterns, and enable real-time intervention against malicious activity.
  • Assess your best options for protecting the critical data itself. MIM (Mobile Information Management, as opposed to device or application management) is a growing area, and a few particular firms are doing great work on protecting all data in motion, including how and where that data is allowed to move.
  • If you have controls in place that protect critical data across its lifecycle while concurrently discerning malicious from legitimate behavior, you will be able to give users the functionality they want, with better risk management than simply locking down the device.
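As an illustration of the first path (profile normative behavior, then intervene in real time), here is a small behavioral baseline in Python. It is an added example written for this page, not code from the article or from NuData Security, and the user names, device identifiers, thresholds and sample events are all constructed for the demonstration. It builds a per-user profile from historical events, scores a new event by how surprising each of its attributes is given that history (Laplace-smoothed negative log-probability), and maps the score to a graduated intervention rather than an all-or-nothing device lockdown. Users without enough history get step-up verification by default, since there is no baseline to compare against.

```python
"""Per-user behavioral baseline with graduated real-time intervention.

Added example for this page; the data, names and thresholds are constructed.
"""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass, field

MIN_HISTORY = 10          # events needed before a baseline is trusted
ALLOW_BELOW = 2.0         # total surprise below this: allow silently
BLOCK_AT = 6.0            # total surprise at or above this: block and alert


@dataclass
class Event:
    user: str
    device: str       # stable device identifier (hypothetical)
    country: str      # geolocation of the request
    hour: int         # local hour of day, 0-23
    action: str       # e.g. "login", "view", "transfer"


@dataclass
class Profile:
    devices: Counter = field(default_factory=Counter)
    countries: Counter = field(default_factory=Counter)
    hours: Counter = field(default_factory=Counter)    # 4-hour buckets
    actions: Counter = field(default_factory=Counter)
    n: int = 0


def build_profiles(history):
    """Aggregate historical events into one Profile per user."""
    profiles = defaultdict(Profile)
    for e in history:
        p = profiles[e.user]
        p.devices[e.device] += 1
        p.countries[e.country] += 1
        p.hours[e.hour // 4] += 1
        p.actions[e.action] += 1
        p.n += 1
    return dict(profiles)


def surprise(counter, key, n):
    """-log P(key | history), Laplace-smoothed so unseen values are finite.

    The smoothing reserves one pseudo-count for "a value not seen before",
    which is exactly the case a new device or country falls into.
    """
    k = len(counter) + 1
    return -math.log((counter[key] + 1) / (n + k))


def assess(profiles, e):
    """Return (score, decision) for a new event.

    decision is one of "allow", "step_up", "block". Users with too little
    history get (None, "step_up"): no baseline, so verify rather than guess.
    """
    p = profiles.get(e.user)
    if p is None or p.n < MIN_HISTORY:
        return None, "step_up"
    total = (
        surprise(p.devices, e.device, p.n)
        + surprise(p.countries, e.country, p.n)
        + surprise(p.hours, e.hour // 4, p.n)
        + surprise(p.actions, e.action, p.n)
    )
    if total < ALLOW_BELOW:
        return total, "allow"
    if total < BLOCK_AT:
        return total, "step_up"
    return total, "block"


# Constructed history: alice mostly uses one phone from the US in the morning,
# occasionally a laptop in the evening, and never initiates transfers.
HISTORY = (
    [Event("alice", "phone-a1", "US", 9, "login")] * 5
    + [Event("alice", "phone-a1", "US", 10, "view")] * 12
    + [Event("alice", "laptop-a2", "US", 20, "view")] * 3
)

if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    for ev in (
        Event("alice", "phone-a1", "US", 10, "view"),        # routine
        Event("alice", "laptop-a2", "US", 21, "login"),      # plausible
        Event("alice", "unknown-x9", "RO", 3, "transfer"),   # everything new
        Event("bob", "phone-b1", "US", 10, "view"),          # no baseline
    ):
        score, decision = assess(profiles, ev)
        print(f"{ev.user:6} {ev.device:11} {ev.country} {ev.hour:2}h "
              f"{ev.action:9} -> {decision} ({score})")
```

The point of the three-way decision is the one the article makes: a surprising event from a known user gets a step-up challenge (out-of-band confirmation, re-authentication), and only an event that is anomalous on nearly every axis is blocked outright, so the user keeps the functionality while the transaction, not the device, is what gets controlled. A production version would add session-level features (navigation sequence, timing between requests) and weight sensitive actions such as transfers more heavily, but the scoring structure is the same.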

Jens Hinrichsen is Vice President of Business Development for NuData Security, having most recently served as VP of Marketing & Business Development for Versafe (acquired by F5 Networks). His background in the online threats and fraud space includes heading up global marketing for the FraudAction (Cyota) suite of services at RSA, the Security Division of EMC, during which time its Anti-Trojan and Intelligence services were brought to market. He is a frequent speaker on malware, social engineering, and proactive security approaches across the web and mobile channels.

Comments
IvySchmerken, User Rank: Author
12/17/2013 | 3:28:08 AM
re: Mobile Security in the Face of BYOW (yes, "W") Cross-Device Attacks & More
I agree that forbidding users from using services like Dropbox is not the best approach since employees will gravitate toward a convenient technology for sharing data. A better way is for firms to offer an alternative that is as user friendly or to come up with ways for monitoring the service. Profiling "normative" behavior with stakeholders and external customers is important as a benchmark for being able to detect intruders. As you say, firms must also prepare for real-time intervention if security violations occur.
Becca L, User Rank: Author
12/16/2013 | 9:57:58 PM
re: Mobile Security in the Face of BYOW (yes, "W") Cross-Device Attacks & More
Assertions #3 and #4 are really interesting, and applicable well beyond the scope of mobile.

#3 is the first misstep a lot of firms are making, shooting themselves in the foot. I'm sure we can all think of several day-to-day things we do that are against the rules of the road or convention, not out of rebellious spirit, but because we're stressed for time and we've discovered the better cheats. For the sake of compliance, FS firms must make sure their tools are also the best and most convenient; that is the only way to keep people from using alternatives.

#4, deep behavioral analytics, is a growing market, especially with mobile. And it's super cool. I think this extends to voice capture that can be put into predictive analytic models. We'll be seeing some exciting findings in this space.