In this RSA Conference 2011 preview video, SearchSecurity.com News Director, Robert Westervelt, moderates a discussion on the growing threat posed by mobile devices and the state of the network perimeter. Speakers include SearchSecurity.com's Senior Site Editor, Eric Parizo, and Research Director, Josh Corman of The 451 Group.
Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact firstname.lastname@example.org.
RSA Conference 2011 preview: Mobile security
Robert Westervelt: Hi, I'm Rob Westervelt, the News Director of SearchSecurity.com.
Thanks for watching this video as part of our 2011 RSA Conference Coverage.
Joining me today is Joshua Corman. Josh is Research Director for Enterprise
Security at the 451 Group. Thanks for coming, Josh.
Joshua Corman: Thank you.
Robert Westervelt: And Eric Parizo. Eric is Senior Site Editor of SearchSecurity.com.
Eric Parizo: Thanks, Rob
Robert Westervelt: Of course the iPad was introduced in 2010. And it's really picked up,
generated a lot of attention around mobile, and the whole mobile space
around securing mobile devices. We're hearing a lot from vendors on that
issue. Is that bound to be a major theme this year?
Joshua Corman: The iPad or mobility in general?
Robert Westervelt: Protecting tablet devices, smartphones, coming on the enterprise
Joshua Corman: So, every year is the year that mobile malware is going to be big,
right? Every year is going to be and none of them have been, but that's
actually just the echo chamber again. The truth is there have been some. I
think what's keeping the systems up at night is the complements of three
things. They tend to get lumped together but one of them is the
consumerization of IT in general. So whether that's their employee owned iPad in
the workplace or an employee owned laptop or even a company giving a budget
for you to go buy your own equipment. The consumerization or employee owned
has interesting legal wrinkles, sphere and span control issues for IT
management. And it's going to make it much, much harder to enforce your
security policy on those devices, which tend to be putting your enterprise
and your secrets at risk. So, consumerization is one.
Number two is the devices themselves. We're going from pretty much a
homogenous Windows X86 wintel world to a lot more Mac, a lot more Linux, a
lot more netbooks, PC on a stick, iPads, tablets, smartphones. So the
definition of the end point is expanding even if were in our control. Then
you compound that with the first issue of who owns the device and who owns
the governance of that. And the last one is the social networking/social
media kind of phenomena because the first two exacerbate that kind of
exposure and risk, so even if you have a traditional desktop tower, the
ability for you to stop these port agnostic social media things that could
be used for Skype, for file transfer, for Facebook, for leaking
accidentally or deliberately state secrets or internal IP. Those three
things in combinations have really just shattered any sort of notion that
there's control over your IT environment or that you have a perimeter. So
it's very interesting to watch, you have initially people trying
desperately to gain back control to people throwing their hands up in the
Robert Westervelt: I wonder if we're going to here, or I wonder if more enterprises are
going to be looking at digital rights management, then or those kind of
technologies to kind of protect intellectual property.
Eric Parizo: Well, I don't know if I would be that specific but to me it certainly
highlights the need to shift from a network or perimeter centric model to a
data centric model. As well as simply making sure companies practice good
defense in-depth practice, you know. To succeed you're going to need to
have multiple layers of security and to defend just about everything.
Joshua Corman: Yeah, I mean, several years ago one of my seven dirty secrets of
the infoset community was that if you still believe in a perimeter you
might as well believe in Santa Claus. And I had a bunch of reasons listed
and they were very valid at the time, and they're still valid. But the
people who told me I was wrong three years ago are saying, yeah, yeah,
we've lost the perimeter. But it's not about do we or don't we have one. I
think what I'm hoping happens this year is instead of people lamenting the
control they've lost, they focus on the control they have. So if you can't
control the perimeter or the device, can you better classify the data? Can
you better restrict who has it? I've actually seen some pretty intelligent
uses of these tablet, so instead of giving someone a laptop where they're going
to have storage and access of sensitive data leaving the physical
perimeter, going overseas. They're using that pane of glass as a remote
presentation view. So they're not giving you the data, they're giving you
visibility of the data. So think like a Citrix type terminal. So there can
be intelligent ways to embrace new work enablement technologies, allow your
workforce to use the technology they want, and reorient that if you can't
control those things, don't lament what you've lost, focus on what you've
kept and to a certain extent, it makes for some positive agitation in
recalibration on what our span and sphere of control is.
Eric Parizo: Specific to mobile devices though, I think I will say, despite every
year being the year for mobile device threats for several years now, my
personal belief is I think we're going to see more news around mobile
threats than we have in the past. For a few different reasons, but some key
ones to me are, the emergence of these malware development tools,
Metasploit type tools that automate the development of malware or exploits
across multiple platforms. So we're talking IOS, which would be iPhone, the
iPad as well as Android and other platforms as well and that's been a
major issue up to this point. Attackers don't want to put the time and
effort into one platform, when their attack surface is going to be limited.
So I think that problem is going to be quickly going away and we're going
to see that this year, as well as a few other interesting problems. Like
you said, organizations are trying to put more controls in place. But if
let's say they want to add that multifactor authentication and that second
factor is a PIN that gets sent to a mobile device, suddenly that mobile
device becomes a greater target than before. So I think we're going to see
more issues like that. Maybe not all exploding onto the scene this year.
but this, I think, is the first year we're going to see more significant
reason to be concerned about mobile security.
Joshua Corman: There's certainly going to be a migration of the attacker towards
prevalently adopted devices. We've written about some of these cross over
threats but also the good news is these technology platforms themselves
are more defensible, than a general purpose X86 work station. So in the
case of the phones, for example, you have the stores, the app communities.
In IOS, for example, it's a, you have to have it be signed. So unless
someone is jailbreaking your phone, which never happens as we know. There's
a logical choke point, and currently it's are you signed or not. I
personally like to see some analysis of the application, to see is there
any malfeasance in the tool? Is it vulnerable to any exploitation?
Eric Parizo: Right. So I would argue it's pretty easy to get signed.
Joshua Corman: It's very easy to get signed which is why we need to have the
rigor but unlike a Windows workstation, we have the chance that every app
has to go through this choke point. The choke point is currently being used
just to make sure it's signed. But imagine if there was some sort of
assessment that this is very well coded, it's very rugged software
development and it's going to hold up against remote exploitation. There's
already one in the Android universe, there's a vendor I believe, Lookout,
that's assessing what's the capabilities of these apps such that you can
say, "yeah, I don't like all those remote access points, or I don't like
that it has geo location in it." so some sort of description through these
filters, these choke points, for a very limited number of platforms, gives
us at least a fighting chance if we chose to take advantage of it.
Eric Parizo: I would disagree with that simply because I feel like that's kind of
a limited way to look at it. To me I feel like there are many, many more
ways to get malware onto the device. You know, email is still an issue.
Bluetooth, believe it or not, is still an issue even though it's not 2007.
Joshua Corman: Oh, I didn't say the users good. We have a few opportunities that
are present in their counterpoints.
Eric Parizo: Right. And the reality is if you get through one of those many
different methods onto the device what happens then? It's not like there's
an anti-malware system in place like you have on a traditional PCM.
Joshua Corman: I think it would be a shame if we took the entire bloated stack of
agents that we currently need on traditional systems, and replicate them
down to endpoints. I'd like us to take a look at a more strategic approach.
Reducing the total attack surface, creating those choke points for
evaluation, maybe using sandboxing virtualization. And a lot of these
platforms and even hardware vendors on the mobile endpoint are talking
about these. We've written a little bit about it. At the end of last year,
we're going to do a lot more this year. But, if we simply replicate the
very inefficient methods we use for traditional endpoints on these mobile
devices that would be a shame.
Eric Parizo: Our colleague, Brian Madden, from BrianMadden.com, recently talked
about one of the interesting opportunities that he felt went awry in 2010.
Which was as organizations started to deploy Windows 7, there was an
opportunity to deploy desktop virtualization along with it, as a security
mechanism. Because of the virtualization capabilities built into the OS.
Most organizations have not taken advantage of that. Hopefully, to your
point, more organizations will take a look at some of these emerging
methods that can be applied to mobile devices and like you say, avoid some
of the mistakes that have been made in the past.
Joshua Corman: Hopefully we won't make the same mistakes, probably make some new
ones. But that's why the space never gets dull.
Eric Parizo: Mm-hmm.
Robert Westervelt: Well gentlemen, thanks very much. And thank you for joining us. For
more information about the RSA Security Conference you can go to
SearchSecurity.com/RSA2011. Thank you.