Building Castles in the Sky: Mobile Hacking and Its Impact on CyberSecurity

Security | 5 minutes read | Sep 22nd, 2011

Today we are featuring a special guest blogger, Tom Kellermann, Commissioner on The Commission on Cyber Security for the 44th Presidency of the United States of America.

With just a few key questions, we were able to get a wealth of information. If you have naysayers who do not yet see the need for a new security paradigm, today is a good day to read this blog and add value to your business case on mobile devices and their impact on cybersecurity.

[Sowmya Murthy] Tom, what are some key trends in Mobile Hacking that should be on the radar of any large enterprise CIO/CTO?

[Tom Kellermann] According to the 2011 McAfee study, 85 percent of your assets are intangible and, thus, economic espionage is reaching a global crescendo. In addition, 65 percent of the 1000 executives surveyed were worried about wireless and mobile device security. “Worried” seems like a euphemism in today’s hostile cyber landscape.

The most recent United States Secret Service Data Breach Report noted that remote access compromise was the primary attack vector employed last year. The modus operandi of targeting remote user devices to bypass the network security controls has become commonplace. These cyber infiltrators applaud our widespread adoption of mobile devices as they fully recognize that your latest Android, iPhone or tablet have greater attack surfaces and minimal security controls beyond encryption.

Today’s mobile device is a computer. With more memory and computer power than that of our desktops, mobile devices live in a power struggle between two networks: one we lease (the carrier network) and one we own (our corporate network). These powerful computers lack security controls because the carriers and device manufacturers of these mobile devices obfuscate the operating systems BIOS and low-level device control from the user. These devices also have a multitude of attack surfaces which create an oasis for hackers.

[Sowmya Murthy] What are the critical gaps you believe need to be addressed in the short term?

[Tom Kellermann] There are 6 fundamental security gaps in mobile device security.

  1. Authentication: Access control is the foundation of computer security. As we follow the lead of the financial sector’s mobile banking models for risk management, we must be aware that one-time-use passwords via SMS are being defeated by Zeus Trojans and DroidDream as they compromise these devices. Voice authentication and other biometrics will be critical.
  2. Virus scanning and removal: Given the hundreds of mobile malware which are flourishing in the wild, it is important to note that the current mobile antivirus solutions do not actually clean the devices. If these technologies actually do identify a threat, you must get the phone reimaged. Obviously, this is not very easy to do when you are traveling or meeting deadlines.
  3. Data Leakage: Encryption is foundational. However, if the user, wireless cyber environment or device is compromised, then the keys will also be compromised.
  4. Web filtering/Browser security: Trends of attacks have focused on this weak side door. The browsers on most smartphones are injectable and thus become gateways for hackers.
  5. Application Security: We have all heard of malicious apps, but many trusted apps, like their website cousins, are being polluted as we speak. The future of systemic widespread infestations is coming when hackers begin to infiltrate the servers of “Android Market” and the “App Store.”
  6. Mobile Intelligence: Mitigating the environmental risks to your users and their devices is paramount. Your users’ mobile devices are capable and intelligent machines. Wireless situational awareness and continuous monitoring sustains your remote user population.

[Sowmya Murthy] There is a lot of talk about a new security paradigm, is one really necessary at this point? Why?

[Tom Kellermann] We are now carrying computers in our pockets – it is time we start treating them as such. You would not let anyone bring a home computer to work and plug into your network without applying the appropriate controls, would you?

Then, why would you let anyone with a smartphone connect and do the same? 2011 has ushered in the year of wireless attacks. Managing these attacks can be achieved through greater situational awareness via continuous monitoring of the wireless spectrum. Mobile intelligence can only be achieved via a combination of wireless intrusion detection and dynamic location-based policy management. A new security paradigm is necessitated – Convergence of physical and cyber security must occur. The way to address these is to apply intelligent mobility by providing contextual awareness in real time.

Building castles in the sky requires a healthy respect for the adversary’s capabilities. The art of managing mobile risk resides in limiting the capacity of a hacker to exfiltrate data in real time.

Tom Kellermann is a Commissioner on The Commission on Cyber Security for the 44th Presidency, CTO of AirPatrol, and serves on the board of the International Cyber Security Protection Alliance. In addition, Tom is a member of the National Board of Information Security Examiners Panel for Penetration Testing, the Information Technology Sector Coordinating Council, and the ITISAC subcommittee on International Cybersecurity policy. Tom is a Professor at American University’s School of International Service and is a Certified Information Security Manager (CISM). Finally, Tom sits on the Steering Committee of the Financial Coalition Against Child Pornography.

Tom Kellermann formerly held the position of Vice President of Security Strategy for Core Security. Prior to his five years with Core Security, Tom was the Senior Data Risk Management Specialist for the World Bank Treasury Security Team, where he was responsible for cyber-intelligence and policy management within the World Bank Treasury. In this role, Tom regularly advised central banks around the world about their cyber-risk posture and layered security architectures. Along with Thomas Glaessner and Valerie McNevin, he co-authored the book “E-safety and Soundness: Securing Finance in a New Age.”
