Security
Commentary
Jens Hinrichsen
12:30 PM
Mobile Security: Pinches Speak Louder Than Passwords

Risk and security professionals hold the analgesic for the pains the C-Suite is feeling when it comes to mobile security.

Being willfully locked away for a week on Amelia Island, Fla., with hundreds of members of the long-standing and influential Financial Services – Information Sharing & Analysis Center (FS-ISAC), gave me a good opportunity to gather, probe, reassess, and reconstitute a variety of assumptions, perspectives, and philosophies surrounding mobile security.

Largely consistent with the many discussions I’ve been fortunate to have with CISOs, CSAs, risk and fraud leaders, and the like, what follows is a not-so-prioritized run-down of how the industry can better unleash the business potential of mobile, while concurrently best assessing risk and ensuring the integrity of the online relationship in this evermore-jumbled mobile-Internet world.

1. Leverage C-Suite’s baptism by breach-fire: As every board and C-suite executive can attest, they have spent more time on security -- of any kind -- these past few months than they likely have in the past few years (or more) combined. Greater chief executive involvement in (mobile) risk and security investment will doubtless support better, leaning-forward, growth-enabling decisions. Too often, leaders in the risk and security profession have effectively assumed the role of naysayer and growth-slayer. Now, in particular, is a time during which we are logically and necessarily able to take on a more proactive role in helping drive the business forward. Clear articulation as to the mobile security investments that need to be made and why -- beyond simply the basics that were likely in the ’13 budget -- will certainly resonate more resoundingly at this point in time. Senior management has been pinched, quite painfully, by all the recent breaches and compromises. We hold the analgesic. So boldly prescribe away.

2. Build in mobile security and risk mitigation: Easier said than done, yes, but this is another mandate for those of us on the Street. On the coattails of Point 1, security can and must now become much more naturally embedded throughout the software commercialization and development lifecycle. If we can collectively shift the natural tide of “just toss our next native mobile app version over for security testing a couple weeks before release,” we’ll not only be able to make the best risk-informed business decisions on what capabilities and services are enabled, but we’ll also make great strides toward improving the overall user experience in the process. Kind of a nice proposition, eh?

3. Take advantage of mobile device risk/fraud signals: While many malicious actors and fraudsters emulate genuine users operating on mobile devices -- in order to face fewer security controls than their desktop/PC kin -- there is no reason that mobile security can’t be better. Using the über-valuable mobile device accelerometer, biometric features, machine learning-based assessment of pinch-and-zoom and swipe behavior, and much more, we as an industry can do far better in protecting our mobile users, applications, transactions, and businesses.

4. Application layer key to mobile security: We all know username/password credentials are worthless. So what’s the mobile answer? Wrappers? Containers? Endpoint software? Whether it’s B2C or B2E(nterprise), the reality is that we must go a whole layer deeper -- to the application layer. Beyond protecting apps from being manipulated or modified amid the broader, rapidly rising landscape of mobile malware, what about classic human attacks using stolen credentials? Data wrappers or containers aren’t the answer. As with best detecting and protecting against malicious and fraudulent activity, web applications need to monitor and act upon user behavior in real-time. This should be applied at each key user action within a session, across sessions, and even extended to behavior correlated across other channels. Pinches (and zooms), swipes, typing speed and cadence, and accelerometer-informed “mobi-rhythms” in fact speak louder, and more accurately, than passwords, wrappers, and additional authentication measures. By assessing all available user- and device-based behavioral signals, we are then in the power position of being able to best identify and mitigate account takeover, transaction/trade/transfer fraud, and much, much more.
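The per-action, in-session behavioral assessment described in this point, as an added illustrative example (not the author's or NuData's code): it builds a per-user baseline from constructed prior-session measurements of the signals named above, scores each key action as it arrives, and escalates to step-up verification when one signal deviates sharply or the running session score drifts. The signal names, thresholds and sample values are assumptions.

```python
from statistics import mean, pstdev

# Constructed baseline: measurements from this user's prior sessions, per signal.
# Signal names and values are assumptions for illustration.
BASELINE = {
    "key_cadence_ms": [118, 125, 121, 130, 115, 122, 127, 119],  # ms between keystrokes
    "swipe_ms": [240, 255, 230, 262, 248, 251, 238, 245],        # swipe duration
    "pinch_scale": [1.8, 2.1, 1.9, 2.0, 1.7, 2.2, 1.9, 2.0],     # zoom factor per pinch
    "tilt_deg": [28, 31, 27, 33, 30, 29, 32, 30],                # accelerometer hold angle
}


def build_profile(samples):
    """Per-signal (mean, std dev); a constant signal gets sd=1.0 to avoid division by zero."""
    return {name: (mean(vals), pstdev(vals) or 1.0) for name, vals in samples.items()}


def signal_deviation(profile, signal, value):
    """How many baseline standard deviations an observed value sits from the user's mean."""
    mu, sd = profile[signal]
    return abs(value - mu) / sd


def score_action(profile, observed, step_threshold=3.0):
    """Score one key user action. Returns (mean deviation, signals past the threshold)."""
    devs = {s: signal_deviation(profile, s, v) for s, v in observed.items() if s in profile}
    flagged = sorted(s for s, d in devs.items() if d > step_threshold)
    return sum(devs.values()) / max(len(devs), 1), flagged


def assess_session(profile, actions, step_threshold=3.0, session_threshold=2.0):
    """Score actions as they arrive; step up when one signal is far off, or when the
    running session mean drifts above session_threshold without any single spike."""
    scores, decisions = [], []
    for action, observed in actions:
        score, flagged = score_action(profile, observed, step_threshold)
        scores.append(score)
        session_score = sum(scores) / len(scores)
        decision = "step_up" if flagged or session_score > session_threshold else "allow"
        decisions.append((action, round(score, 2), decision))
    return decisions


if __name__ == "__main__":
    profile = build_profile(BASELINE)
    genuine = {"key_cadence_ms": 124, "swipe_ms": 250, "pinch_scale": 2.0, "tilt_deg": 30}
    scripted = {"key_cadence_ms": 40, "swipe_ms": 90, "pinch_scale": 2.0, "tilt_deg": 30}
    session = [("login", genuine), ("view_balance", genuine), ("wire_transfer", scripted)]
    for row in assess_session(profile, session):
        print(row)
```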

5. Business partnerships: After we’ve accomplished all of the above, risk leaders should aggressively partner with the business to offer more and more services and "high-risk" capabilities. Grow via “smart and secure risk” and rigorously informed, fact-based investment decisions. That’s what we know. That’s how we roll. Just like an accelerometer.

How does the old saying go? A pinch in time saves nine? Scratch that, it’s a stitch, not a pinch. Regardless, let’s all make aggressive strides toward “saving nine” of whatever makes the board and CEO happy through better security.

Jens Hinrichsen is Senior Vice President of Business Development for NuData Security, having most recently served as VP of Marketing & Business Development for Versafe (acquired by F5 Networks). His background in the online threats and fraud space includes having headed ...

Comments
KBurger, User Rank: Author
6/12/2014 | 2:21:14 PM
Be Careful What You Wish For
Interesting overview and I think this observation from #1 is key: "Greater chief executive involvement in (mobile) risk and security investment will doubtless support better, leaning-forward, growth-enabling decisions." This is what CISOs, CIOs, CTOs and other tech execs say they want. Now that it actually seems to be happening, seize the moment. I suspect in some organizations, though, it becomes a be-careful-what-you-wish-for moment, because greater CEO and board understanding and involvement means more scrutiny, more transparency, more deliverables, more metrics, more accountability. That's as it should be, but it might not be what some security and IT organizations expect.
Becca L, User Rank: Author
6/30/2014 | 1:30:47 AM
Re: Be Careful What You Wish For
Ha, great point, Kathy. Board involvement can be a nightmare, but in this case it may help them explain why they need more resources/room in the budget to reach new goals. No firm wants to be the next Target, and the C-suite is looking to make sure all these vulnerabilities are attended to; their support is paramount to any successful security endeavour.
KBurger, User Rank: Author
6/30/2014 | 9:38:05 AM
Re: Be Careful What You Wish For
Interesting that you reference the Target debacle, Becca. It certainly has been a wake-up call to many organizations. That said -- I read an interesting article in the WSJ last week that suggested there were problems with the CEO (bad match with the culture, hostility with other senior executives, etc.) and that the card breach actually was the straw that broke the camel's back leading to his departure. Again, that tells me that culture, communications, collaboration, etc. -- not just technology and systems -- play a key role in security.
Jonathan_Camhi, User Rank: Author
6/30/2014 | 12:06:07 PM
Re: Be Careful What You Wish For
I wonder how that lack of collaboration and culture affected their reporting of the breach in the first place. It took them four days to announce publicly what had happened after they initially found out about it.
Kelly22, User Rank: Author
6/30/2014 | 1:09:12 PM
Re: Be Careful What You Wish For
That's an interesting point, Kathy. I can see how issues with culture and communication could have a negative effect on security, which is a company-wide responsibility. If there's tension between the CEO and other execs, it would likely impede the collaboration needed throughout the organization to defend against cyberattacks.
KBurger, User Rank: Author
6/30/2014 | 1:28:20 PM
Re: Be Careful What You Wish For
I'm not saying the culture/management issues caused the breach -- let's not forget there are criminals out there who are well organized and global in scope who are very determined to commit theft and other crimes. These threats are increasingly sophisticated and present ongoing challenges to even the "most secure" organizations. However, just as we're seeing with the VA, a dysfunctional culture tends to discourage communications, trust, and proactive behavior. That kind of environment is a disaster waiting to happen.
Becca L, User Rank: Author
6/30/2014 | 1:37:48 AM
These futuristic capabilities are available today, right now.
Jens, thank you! Great article, and I loved the emphasis on point #2 and #3 "there is no reason that mobile security can't be better." The ability to capture the smallest details of a mobile user's experience, from cadence of keystrokes to the tilt of the hold, means a whole world of security opportunity. It's incredibly cool, too. Perhaps many firms are stuck in the old way of security protection (Un/PW, containers, etc.) or scared of the new unstructured data streams that will come with the capture of pinches and swipes. Maybe it all just sounds too futuristic. But I imagine FS will seize these tools over the next few years.
Jonathan_Camhi, User Rank: Author
6/30/2014 | 12:02:01 PM
Re: These futuristic capabilities are available today, right now.
The security ecosystem still needs to be worked out around mobile before some of these security capabilities can be taken advantage of. Who is going to own the data around a mobile user's behaviors with the mobile device will have to be worked out. I'd imagine that eventually the telcos (who will naturally have access to that data) will be able to build a very accurate behavioral profile around each mobile user. How they share that profile and data with others will be interesting to see.
Becca L, User Rank: Author
6/30/2014 | 12:39:31 PM
Re: These futuristic capabilities are available today, right now.
Fair point, Jonathan. I also wonder to what degree a user is obligated to give this information to the telecom. Can users choose to opt out of the capture of these soft biometrics?