Mobile malware has been limited, says security luminary Winn Schwartau, but security researchers and cybercriminals are set to bring to the table advances in both offensive and defensive technologies.
“For us to believe for a moment that the bad guys are not targeting an incredible sweet spot of hundreds of millions of users would be insane on our part,” Schwartau said.
In the second part of this interview, Schwartau explains why enterprises should bolster mobile security, despite limited attacks and a fragmented mobile market. While thousands of different devices are available, Schwartau said Google and Apple devices pose the greatest risk. Application interoperability on Google Android devices and the availability of cross-compiling application development toolkits make it easier for attackers to build malware for targeted attacks, he said.
To reduce data loss risks, Schwartau advocates a complete device lockdown and an always-on VPN so all data traveling on the device is encrypted. In addition, organizations need the capability to define smartphone security policies based on the location of the device. Schwartau, who is on the board of directors of Mobile Active Defense, was interviewed on mobile security issues at RSA Conference 2011.
Read the full transcript from this video below:
Fight mobile attacks, data loss risks by locking down devices
Rob Westervelt: Hi, I'm Rob Westervelt, the news director of SearchSecurity.com.
Thanks very much for watching this video. In this edition we're going to be
talking about mobile security, the introduction of mobile devices and
tablet computers into the enterprise, and joining me is Winn Schwartau.
Winn is chairman of the board of directors at Mobile Active Defense. Winn,
thanks very much for joining us.
Winn Schwartau: I appreciate it, thanks Rob.
Rob Westervelt: Winn, it seem like experts have been predicting the mobile malware
apocalypse for some time now but we really haven't seen that many
mobile attacks have we?
Winn Schwartau: We're seeing mobile malware. We're seeing it right now, but malware
does not necessarily mean that it is going to do something
hostile to the device. There's an entire spectrum of
capabilities based on the designing of the bad guys. Right now,
we are in the development/learning stages, both from the
offensive standpoint and the defensive standpoint, and the same
thing that we've seen in desktops and all the history of
security for the last 25 years, it's evolutionary.
Unless you get some sort of fundamental basis of protection
using best practices that we already know what those are and
apply them to the mobile scheme, we're going to be in trouble.
Now whether that's going to be in three months, six months, 12 months,
we know the stuff is coming. Right now, we see the hostile ware.
We see the capabilities. We see the proof-of-concept work that's
coming out of the good guys' laboratories, and for us to believe
that for a moment that the bad guys are not targeting an
incredibly sweet spot of hundreds of millions of users would be
insane on our part. Just because we don't see it today doesn't
mean we shouldn't be prepared for when it's coming tomorrow,
next week, or next year.
Rob Westervelt: But aren't there really some specific differences between the
evolution of the desktop environment and mobile platforms, and
if that's the case, right now there are so many different mobile
platforms out there, doesn't it make it less lucrative for
attackers to choose to attack these different mobile platforms
and make money?
Winn Schwartau: There are cross compiling application development toolkits that
already exist so you can develop for one and have it migrate to
the other. When you look at the proliferation of the I-devices,
those are all common operating systems. They have the very
locked down type of environment. In the Android world, you've
got fundamentally the Google model and then some dribs and drabs
kind of stuff on the edges which tends to be a little bit more
hardware differentiation versus operational differentiation
because you have to the application interoperability.
If I have application interoperability, I'm going to have
malware interoperability because malware is effectively an app.
Now when you look at Symbian, that's going to be a dead OS in
the not too distant future, and then you look at WP 7 going into
bed with Nokia, WP 7 is not an enterprise play. It's a pure
consumer device. There is no way to integrate properly into an
enterprise right now. So I think it's a two-horse race for right
now, and the bad guys, I think, are going to be going after
that. For WP 7, if that becomes popular and starts getting
adapted with some level of market share, we might see something
in that area, but it's not as target rich as the other two.
Rob Westervelt: I really don't want to turn this into an advertisement for Mobile
Active Defense, but I think you guys are doing some interesting
things around deploying VPNs around the world. Can you go into a
little bit of what your technology does to address mobile
Winn Schwartau: It's a viewpoint. It's a philosophy that the mobile devices should be
secured and made compliant with the same degree of diligence
that people have already invested billions of dollars in their
fixed enterprise. Why treat them with any less degree of
security, because as the OS's improve, as the capabilities
improve, we're going to be doing more and more and more. So
let's get ready for it.
In order to make this work, the approach that we've taken is,
No. 1, complete device lockdown. Certificate of authority
first establishes identity. Then we do some of our magic and we
enforce a VPN, an always-on VPN, so that every single bit of data
traffic going in and out of the device is completely encrypted,
which is the basis of an awful lot of the compliance standards
that are required. It solves a huge number of security problems
because people are not using their personal VPNs on devices and
they are wide open. So that solves a great deal.
Now after that part, what do you do? Well, we believe that
defense in depth is something that is already best in practice,
so you've got to have complete firewall controls over each and
every device. You've got to have the same type of role based
administration capabilities. You need to have content filtering.
But more importantly, our belief also is that these devices are
truly mobile and you cannot treat them with one set of policies.
So in the health care industry, for example, one set of rules
may apply at the hospital, the doctors there. Now if the doctor
is no longer there, he’s going to go off and he was going to be a
family man, so a different set of rules are going to apply.
Perhaps a corporation has a number of offices around the world.
Do they want the same access rights when there in France or
Russia or China? Perhaps, perhaps not, but they need to have the
capability to define what the policies are based upon the
location of these devices. That is more of philosophical
approach, and we're looking at it from that view point to give
the maximum amount of toolsets to mitigate risk and let the
administrators choose how they're going implement policy.
Rob Westervelt: Well, Winn Schwartau of Mobile Active Defense, thanks very much for
Winn Schwartau: Well, thank you. Appreciate it.
Rob Westervelt: And thank you for watching this video. For more information on mobile
security and other security issues, you can check out our
website at SearchSecurity.com. Thanks for joining us.