Today we are featuring a special guest blogger, Tom Kellermann, Commissioner on The Commission on Cyber Security for the 44th Presidency of the United States of America.
With just a few key questions, we were able to gather a wealth of information. If you have naysayers who do not yet see the need for a new security paradigm, today is a good day to read this blog and add value to your business case on mobile devices and their impact on cybersecurity.
[Sowmya Murthy] Tom, what are some key trends in Mobile Hacking that should be on the radar of any large enterprise CIO/CTO?
[Tom Kellermann] According to the 2011 McAfee study, 85 percent of your assets are intangible and, thus, economic espionage is reaching a global crescendo. In addition, 65 percent of the 1000 executives surveyed were worried about wireless and mobile device security. “Worried” seems like a euphemism in today’s hostile cyber landscape.
The most recent United States Secret Service Data Breach Report noted that remote access compromise was the primary attack vector employed last year. The modus operandi of targeting remote user devices to bypass the network security controls has become commonplace. These cyber infiltrators applaud our widespread adoption of mobile devices as they fully recognize that your latest Android, iPhone or tablet has greater attack surfaces and minimal security controls beyond encryption.
Today’s mobile device is a computer. With more memory and computer power than that of our desktops, mobile devices live in a power struggle between two networks: one we lease (the carrier network) and one we own (our corporate network). These powerful computers lack security controls because the carriers and device manufacturers of these mobile devices obfuscate the operating system’s BIOS and low-level device control from the user. These devices also have a multitude of attack surfaces which create an oasis for hackers.
[Sowmya Murthy] What are the critical gaps you believe need to be addressed in the short term?
[Tom Kellermann] There are 6 fundamental security gaps in mobile device security.
[Sowmya Murthy] There is a lot of talk about a new security paradigm, is one really necessary at this point? Why?
[Tom Kellermann] We are now carrying computers in our pockets – it is time we start treating them as such. You would not let anyone bring a home computer to work and plug into your network without applying the appropriate controls, would you?
Then, why would you let anyone with a smartphone connect and do the same? 2011 has ushered in the year of wireless attacks. Managing these attacks can be achieved through greater situational awareness via continuous monitoring of the wireless spectrum. Mobile intelligence can only be achieved via a combination of wireless intrusion detection and dynamic location-based policy management. A new security paradigm is necessitated – convergence of physical and cyber security must occur. The way to address these is to apply intelligent mobility by providing contextual awareness in real time.
Building castles in the sky requires a healthy respect for the adversary’s capabilities. The art of managing mobile risk resides in limiting the capacity of a hacker to exfiltrate data in real time.
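The answer above argues for combining wireless intrusion detection with dynamic location-based policy so that what a device may do depends on where it physically is. The following is an added example, not code from the original post or from AirPatrol, showing the shape of such a policy engine: every device identifier, zone, SSID and observation below is constructed, the enrollment registry and zone policies are hypothetical, and the RSSI threshold is an assumed tuning value.

```python
"""Location-aware wireless policy engine (added example, not from the original post).

Two signals the interview names are combined here:
  * wireless intrusion detection: unknown radios advertising a network are flagged
  * dynamic location-based policy: each physical zone lists the roles permitted to carry
    an active radio there, so the same device is allowed in one zone and denied in another
All identifiers, zones and observations are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Hypothetical enrollment registry: device identifier -> role of its owner.
# Anything not listed is treated as an unmanaged guest device.
ENROLLED: Dict[str, str] = {
    "aa:bb:cc:00:00:01": "employee",
    "aa:bb:cc:00:00:02": "contractor",
}

# Hypothetical zone policy: roles permitted to operate a radio in each physical zone.
ZONE_POLICY: Dict[str, Set[str]] = {
    "lobby": {"employee", "contractor", "guest"},
    "office": {"employee", "contractor"},
    "data_center": {"employee"},
    "board_room": set(),  # no radios at all while the room is in session
}

# Hypothetical list of access points the organisation operates itself.
KNOWN_SSIDS: Set[str] = {"corp-wifi"}

# Assumed tuning value: signals weaker than this are treated as bleed-through
# from outside the building rather than a device physically in the zone.
MIN_RSSI = -80  # dBm


@dataclass
class Observation:
    """One sighting from a wireless sensor: who, where, how strong, and what it advertises."""
    device: str
    zone: str
    rssi: int
    ssid: Optional[str] = None  # set when the radio is advertising a network


@dataclass
class Verdict:
    device: str
    zone: str
    role: str
    action: str  # "allow", "deny" or "ignore"
    alerts: List[str] = field(default_factory=list)


def evaluate(obs: Observation) -> Verdict:
    """Apply intrusion detection and the zone policy to a single observation."""
    role = ENROLLED.get(obs.device, "guest")
    verdict = Verdict(obs.device, obs.zone, role, "allow")

    # Weak signals are ignored so a neighbour's phone does not raise alarms.
    if obs.rssi < MIN_RSSI:
        verdict.action = "ignore"
        return verdict

    # Intrusion detection: a radio advertising a network we do not operate.
    if obs.ssid is not None and obs.ssid not in KNOWN_SSIDS:
        verdict.alerts.append(f"rogue_ap:{obs.ssid}")
        verdict.action = "deny"

    # Location-based policy: is this role allowed a radio in this zone?
    permitted = ZONE_POLICY.get(obs.zone)
    if permitted is None:
        verdict.alerts.append(f"unmapped_zone:{obs.zone}")
        verdict.action = "deny"
    elif role not in permitted:
        verdict.alerts.append(f"role_{role}_in_{obs.zone}")
        verdict.action = "deny"
    return verdict


def run(observations: List[Observation]) -> List[Verdict]:
    """Evaluate a batch of sensor observations in order."""
    return [evaluate(o) for o in observations]


# Constructed sample feed: the same employee device is allowed in the lobby
# and denied in the board room, a contractor strays into the data center,
# an unknown device advertises an open network, and one weak signal is ignored.
SAMPLE: List[Observation] = [
    Observation("aa:bb:cc:00:00:01", "lobby", -55),
    Observation("aa:bb:cc:00:00:02", "data_center", -60),
    Observation("de:ad:be:ef:00:01", "office", -50, ssid="Free_WiFi"),
    Observation("de:ad:be:ef:00:02", "lobby", -92),
    Observation("aa:bb:cc:00:00:01", "board_room", -48),
]

if __name__ == "__main__":
    for v in run(SAMPLE):
        print(f"{v.device} in {v.zone} ({v.role}): {v.action} {v.alerts}")
```

The point of the example is that the policy decision is made per observation, so it changes as a device moves: the same enrolled phone is allowed in the lobby and denied in the board room. A real deployment would feed this from sensor data rather than a static list and would tie the deny action to the network access layer, but the decision logic stays the same.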
Tom Kellermann is a Commissioner on The Commission on Cyber Security for the 44th Presidency, CTO of AirPatrol, and serves on the board of the International Cyber Security Protection Alliance. In addition, Tom is a member of the National Board of Information Security Examiners Panel for Penetration Testing, the Information Technology Sector Coordinating Council, and the ITISAC subcommittee on International Cybersecurity policy. Tom is a Professor at American University’s School of International Service and is a Certified Information Security Manager (CISM). Finally, Tom sits on the steering Committee of the Financial Coalition Against Child Pornography.
Tom Kellermann formerly held the position of Vice President of Security Strategy for Core Security. Prior to his five years with Core Security, Tom was the Senior Data Risk Management Specialist for the World Bank Treasury Security Team, where he was responsible for cyber-intelligence and policy management within the World Bank Treasury. In this role, Tom regularly advised central banks around the world about their cyber-risk posture and layered security architectures. Along with Thomas Glaessner and Valerie McNevin, he co-authored the book “E-safety and Soundness: Securing Finance in a New Age.”