Like many organizations, the city of Seattle is devising a strategy for mobile devices. City officials are figuring out which mobile operating systems they’ll support, whether to allow employees to use their own phones and they’re testing mobile device management technology.
Ultimately, managing an influx of mobile devices requires a much different security strategy than the traditional desktop model of antivirus and other endpoint controls, says Mike Hamilton, Seattle’s CISO. “Computing is becoming extremely ubiquitous. As a result, there is no perimeter anymore,” he says. “So 20th century controls aren’t going to work in this environment.”
The deluge of iPhones, iPads and Android devices into the enterprise has put mobile device security risks at the top of the agenda for many organizations. According to Information Security and SearchSecurity.com’s 2012 Priorities survey, 72 percent of 900 respondents cite mobile device protection as a priority this year. Nearly 35 percent view mobile device security as a major challenge with encryption topping the list of mobile security spending priorities.
“The inevitable loss of the device and, more costly, the loss of the data on the device is what’s driving mobile security priorities,” said Christopher Paidhrin, IT security compliance officer at PeaceHealth Southwest Medical Center in Vancouver, Wash.
At the same time, enterprise security managers are focused on the ever-present threat of viruses and worms, keeping systems patched and getting visibility into their network environment, according to this year’s Priorities survey. They’re also making application security a priority by spending more on pen testing.
Altogether, it looks like 2012 is shaping up to be the year of mobile security and a continued battle against threats on multiple fronts.
Mobile device protection priorities
The consumerization of IT trend gained steam last year, with increasing numbers of employees bringing all types of smartphones and tablet to work. The trend is forcing companies to figure out ways to gain some control over these easily lost or stolen devices and the enterprise data they contain.
“There’s the recognition of reality that people are bringing their mobile devices and they expect connectivity with business assets, so companies are trying to figure out what line to walk,” says Scott Crawford, managing research director of security and risk at Enterprise Management Associates, an IT industry analyst firm based in Boulder, Colo. “Some take a hard line, saying, ‘We’ll only work with BlackBerry because of the level of control we’re used to getting with them’ but people are bringing in more consumer-oriented devices and they’re trying to understand how they can best deal with that.”
According to the Priorities survey, device loss is the top mobile security concern for information security pros, with over half of respondents citing it as an issue. Thirty-seven percent say device theft is a major concern, while 26 percent are worried about malware attacks against devices.
Mobile encryption is a top mobile security priority with 77 percent of readers citing it as an important initiative for 2012 and 39 percent planning to spend more on it this year.
“Encryption is the gold standard,” Paidhrin says. “In my domain of health care security, loss of a device that has encrypted data is not an event that must be reported.”
Seattle’s Hamilton says encryption is critical if a company allows employees to conduct sensitive corporate business on a mobile phone. However, also important is a strategy that allows for control of organizational data but is hands off when it comes to an individual’s personal information. “We’re going to need to respect that this is their phone,” he says. “If this thing is lost, we wipe our side and they get their address book back.”
The mobile device management (MDM) software from Good Technology he’s testing partitions organizational data and would allow the city to wipe only that part out in the event the device is lost.
Twenty-three percent of survey participants plan to spend more on MDM technology this year and 71 percent say MDM is a major initiative. “The options from platform vendors – Apple and Google – have been limited for enterprise use,” says Andrew Braunberg, research director of enterprise networks and security at Sterling, Va.-based Current Analysis. “Third-party MDM vendors try to bridge multiple OSes and provide basic functionality.”
The need now is for rich functionality that ties application management and control into the mix, he says. “Application management and application security are huge issues going forward.”
Applications are the biggest threat vector for mobile security, Hamilton says. Right now, there’s no standard way to test whether a mobile application is safe to deploy in the enterprise, or to certify that mobile applications – for example, ones the city might develop for residents – are secure. “There’s no solution for testing the applications,” he said. “It’s cowboy country out there.”
Another area where information security pros are focusing their mobile security efforts is authentication. According to the survey, 78 percent are making it a priority and 22 percent plan to spend more on mobile authentication this year.
Randall Gamby, information security officer for the Medicaid Information Service Center of New York (MISCNY), says organizations are looking to enforce strong password policies on mobile devices. “A lot of people don’t by default turn on password protection or they go with default numeric protections,” he says. The issue, though, is the capability to enforce password policies isn’t consistent across the various mobile platforms.”
Security pros are sharpening their focus on mobile security this year, but they’re also doubling their efforts against malware and other threats to the network. Thirty-four percent of survey participants rate preventing worms and viruses as a top challenge. To that end, they’re making threat management a priority, including antivirus (73 percent) and antispyware (69 percent).
“I recommend two layers of antivirus and antispyware, if your budget can handle it,” says Paidhrin. “In addition to antimalware on the endpoint device, another layer should be at or near the gateway.”
Organizations should also deploy intrusion prevention to detect non-signature based, zero-day threats, he adds. “The threat environment is rapidly expanding. Better and more sophisticated security controls are necessary to meet these challenges,” he says.
However, Paidhrin and other security pros warn that technology only goes so far. User education is critical, they say.
“The worms and viruses came in programs and now they’re coming in phishing attacks through emails to individuals, so one of the big challenges is ensuring your personnel are well trained to recognize what’s a true email,” Gamby says.
Tony Meholic, CISO at Philadelphia-based Republic Bank, says today’s highly sophisticated phishing schemes that come with a malicious payload can easily thwart traditional, signature-based antivirus. A better approach is technology that can perform content inspection, he says.
“The other piece is user awareness,” he adds. Republic Bank educates its employees on identifying phishing attacks in mandatory security training.
For many organizations, fighting targeted threats means making better use of the information they already have, says Scott Crawford, managing research director of security and risk at IT analyst firm Enterprise Management Associates.
They’re looking for ways to convert all the security data they collect into actionable intelligence, such as taking threat data and turning it, for example, into Snort rules, he says. What he refers to as “data-driven security” will become a significant trend, Crawford predicts.
“You have to build your strategy on a foundation of greater awareness of threats inside and outside the organization – how you recognize and respond to those more effectively and contain compromises all depends on intelligence,” he says, adding that this intelligence isn’t just about technology, but also requires human expertise.
Crawford expects to see increasing maturity in technology that can automate data collection, correlation and analysis. Some organizations are investigating tools such as Hadoop for data security warehousing, he says.
The increasingly sophisticated nature of phishing attacks and malware plays a heavy role in targeted attacks, which gained prominence in 2011 with the attacks on RSA Security and other companies. Almost 18 percent of survey respondents view targeted, persistent attacks as a major security problem.
EMA’s Crawford says he’s not surprised at the level of concern about persistent threats. Organizations with high-value assets should be concerned about what he refers to as the “adaptive persistent adversary” that has the resources to invest in intelligence and attack sophistication while using a high degree of stealth, he says.
At the other end of the spectrum, tools have made it easy for less sophisticated intruders to attack companies, he says. This sort of industrialized cyberattack often targets the most vulnerable organizations – small and midsize businesses with fewer security resources.
The onslaught of threats has organizations stepping up their vulnerability management efforts and looking for ways to get better visibility into their environment, according to the Priorities survey. Forty-five percent of participants plan to spend more on network vulnerability scanners and 71 percent are making the technology a priority in 2012. Twenty-eight percent plan to spend more on application-aware firewalls and 65 percent are placing a priority on such systems.
Paidhrin says his organization uses multiple technologies, including a security information management (SIM) system to gain visibility. “You need tools that help you learn what’s going on in your network,” he says.
Getting network visibility is critical, but organizations need people who can understand data produced by monitoring tools, says Meholic. “The issue is getting the right people to do the review,” he says. “You need to have the skillsets and staffing that can take advantage of that visibility.”
On the vulnerability management front, organizations also are focused on making sure their systems are updated and patched: Seventy-three percent of those surveyed are making patch management a priority this year.
“If your systems are properly patched, you’re adding an extra hurdle for attackers to get through,” Meholic says. “You’re not going to have to worry about a three-year-old vulnerability.”
Gamby says patch management is fundamental, but many organizations don’t have a strong process for emergency patches. “You need a formal process to determine priorities. You don’t want to disrupt operations [with a patch] but you also want a timely and consistent manner to make sure you patch properly,” he says.
PEN testing resurgence
The steady stream of attacks on Web applications has organizations focused on boosting application security. Fifty-three percent of survey participants cite threats to Web-based applications, including SQL injection, cross-site scripting and similar attacks as the primary driver for improving application security within their organization.
One area where organizations are particularly focused is penetration testing. According to the survey, 37 percent of respondents plan to spend more on penetration testing this year.
“The reality is that the number one access method for hackers still is SQL injection,” Gamby says. “It’s a well-known attack vector but it still occurs because we have applications with the vulnerability in it. The only way to ensure your application is secure is to run that pen test.”
In order to be effective, pen testing needs to have the latest signatures, he says. In addition, it helps to have a third-party conduct the pen test to avoid conflicts of interest within the organization. “It’s always better if you have a disinterested third party to do the work for you,” Gamby says.
Companies hiring outside pen testers need to make sure that person is qualified, Meholic advised.
“It takes a different set of skills and tools to do application-level pen testing as opposed to network and infrastructure [pen testing],” he says. “I know someone who’s a whiz at the network level but with a Web app, he’s totally lost. You have to make sure they’re doing it properly.”
Paul Rohmeyer, a faculty member in the graduate school at Stevens Institute of Technology and a risk management consultant, says compliance requirements for layered security and risk assessments – especially in the financial sector – may be helping to drive the increased interest in application pen testing.
“The regulatory environment has stressed the need for a layered approach, and this is a natural extension. Identifying your assets will point back to those enterprise applications,” he says. “This might be a hint that we’re reading our own risk assessments.”
Protecting the data
Information Security and SearchSecurity.com have polled readers on their priorities for several years now. Data protection frequently makes the list of top priorities and this year is no different. Survey participants plan to spend more on data protection, including disaster recovery and backup (36 percent), laptop encryption/desktop/drive encryption (32 percent), and data loss prevention for database applications (80 percent) and for email/Web (78 percent).
“A lot of attention has been focused on the infrastructure but the back end systems, the databases, are usually the root cause of data breaches,” Meholic says. “By focusing your DLP funds and efforts into that space, it can be cost effective. Infrastructure has gone through years of hardening, so it’s getting pretty good but focusing on where the data resides is definitely advantageous.”
Crawford says DLP is a great source of intelligence as well as a protection tool. “It gives you an idea of how your data is moving and tools for controlling how that data is handled,” he says. Encrypted communications can pose a problem for DLP, though, he adds.
Seattle’s Hamilton says the mobility trend will reinforce organizations’ focus on data protection.
“You have to focus on the data sets – personal health information, cardholder data, intellectual property,” he says. “You have to focus on securing the information rather than the endpoints or the perimeter.”
Cloud security concerns continue
Information security pros remain cautious about cloud computing, citing a number of security and compliance challenges, according to Information Security and SearchSecurity.com’s 2012 Priorities survey. Well over half of respondents say data privacy is a major cloud security concern at their organization while almost 52 percent say meeting industry specific standards and regulations is a top compliance/legal concern.
However, survey participants are inclined to use a variety of cloud-based security services. Almost half say they would use email security Software as a Service (SaaS), 33 percent are interested in using Web security SaaS and 31 percent are inclined towards cloud-based intrusion detection/prevention.
In fact, flat security budgets pose an opportunity for providers of cloud-based and hosted security, says Scott Crawford, managing research director of security and risk at IT analyst firm Enterprise Management Associates. According to the Priorities survey, almost 35 percent of participants expect no change in their security budgets from last year.
“Given all the challenges of security management in the enterprise, there are a lot of opportunities for providers of Security as a Service,” he says.
Providers of any type of cloud service must provide security in order to gain traction in the enterprise, and they have the resources to attract security talent and invest in security, Crawford says.
Seattle has developed a SaaS contract process that ensures the SaaS it buys is secure, says Mike Hamilton, the city’s CISO. The city requires that SaaS providers, before they can file an RFP, provide a third-party report showing their application is free of known security defects per OWASP guidelines. Providers can use the report as a competitive differentiator, Hamilton says.
“This turns security into a market force,” he says.
About the author:
Marcia Savage is editor of Information Security. Send comments on this article to firstname.lastname@example.org.