Mobile security: What's the best defense?

Moderated by Jason Hiner | February 25, 2013 -- 07:00 GMT (23:00 PST)

Summary: Is it the device or the network? Ryan Naraine and David Gewirtz weigh the options for protecting your organization's precious data.

Ryan Naraine

Ryan Naraine

Device

or

Network

David Gewirtz

David Gewirtz

Best Argument: Device

45%
55%

Audience Favored: Network (55%)

The moderator has delivered a final verdict.

Opening Statements

There's no other choice

Listen, I'm not going to sit here and argue that network security isn't crucial to a robust mobile risk management strategy. It is. But if you ignore security at the device layer, you're in for a rude awakening.

In this BYOD world, corporate data is flying through open WiFi networks in coffee shops and sitting in the back of taxi cabs when smartphones and tablets get lost. If you can't protect the device, you are ignoring significant entry points for attackers.

The best defense is multi-layered, but unless you have strict plans and policies around device security, identity management, provisioning, log-in credentials, you are ignoring significant risks. When mobile devices leave the traditional "perimeter," you really need to address that risk at the endpoint level. There's no other choice.

 

To keep everyone safe

Mobile devices, far more than desktop computers, are extensions of the personalities of the individuals using them. Here's the fundamental problem. If we rely on the device as the sole means of mobile security, we're relying on people.

Mobile device users range in knowledge from very technically skilled to barely able to answer a call. They also vary in willingness to take the time and extra effort to secure their devices. Some users will purposely violate device security, either by jailbreaking or downloading apps from questionable sources.

The simple fact is that the vast majority of mobile users just don't understand security, don't care, and aren't willing to take the time to learn. Since the device itself is under their direct control, we just can't rely on it alone.

Any good security strategy relies on tiers (or layers) of security. Certainly, having some security on the device is a start. But that's far from enough. The network is the common means by which all these devices communicate, and so it's up to the network to keep everyone safe.

Sometimes, that means relying on the internal corporate network or VPNs. Other times, that means relying on carriers, who also don't want malicious traffic on their network. But whether it's IT or the carriers, both have a far more vested interest and dedication to security than the device users themselves.

Talkback

24 comments
Log in or register to join the discussion
  • Wiggle Your Finger Cyber Identification

    Hi Guys, I believe you will find that a new version of biometric identification called MovementMetric Identification will replace all current measures that are used to grant and deny cyber access.

    Since MovementMetric Identification™ can, with 100% accuracy, identify any person, then cyber security problems should soon become a concept from the past.

    MovementMetric Identification™utilizes changes that occur with the movement of any part of your body.

    One example of use would be to observe the wrinkles at any one of the knuckles of any of your fingers, the patterns that occur in these wrinkles during the movement of your finger can never be replicated for use by any other person or any device.

    So... in the near future, we will simply wiggle our finger in front of a camera if we wish to be accurately identified. No tokens, no passwords, and no other tricks will be needed to keep others out of our cyber stuff, the wrinkles in just one knuckle will soon be the only key we will ever need.

    Information about the use of MovementMetric Identification™ to improve upon our current computing resources and computing environments can be found at PlanetEarth-Online.com

    Welcome to the Future!
    Jeffaaaaaa6
    Reply Vote I'm Undecided
    • Half baked trademarked security technologies

      Movement metric is hardly reliable and easily fooled
      there more to security than just the password level
      warboat
      Reply 1 Vote I'm Undecided
  • Both/and

    It's not really either/or - it's both/and . . .

    If you become too lax on either end, it spells trouble.

    But should be an interesting debate nonetheless.
    CobraA1
    Reply 6 Votes I'm Undecided
    • It needs to be a mix

      Personally I'm for network first, device next.
      I would expect the network to provide a minimal effective amount allowing me to enhance or add to it as needed / wanted.
      rhonin
      Reply 1 Vote I'm Undecided
    • Ryan has this technological haughtiness I don't really like . . .

      Ryan has this technological haughtiness I don't really like:

      "The perimeter has been dead for a while. "

      I have to disagree. Ignore the perimeter, and hackers will go back to attacking the perimeter. Hackers know full well that if modern technological snobbery makes people ignore protection against "old" style attacks, that means that the "old" style attacks are effective again.

      Why do you think social engineering is so popular? It's not particularly new, and has been done by scam artists even in ancient history. It's not new or novel - but it's still effective. And yeah, hackers know that.

      Ignore older risks at your own peril.

      Because of this, I'm siding with David. Protection has to be at all levels, and you can't ignore old, classic attacks just because of some sort of technological snobbery against old stuff. You're putting yourself at risk if hackers discover you've been slacking in older areas of security.
      CobraA1
      Reply Vote I'm Undecided
  • First step is at Device level

    Lets looks at Andorid, more malware than apps, and for Windows Phone there are zero malware.
    So its possible to design something very safe, even though there is nothing like 100% fool proof.

    There may be things that could be done at network level, but I am going for device.
    Owlll1net
    Reply 3 Votes I'm for Device
  • The best security is user education

    Security needs to be handled at different levels.
    the most vunerable attack vector is the user and the one that needs the most improvement.
    this is a useless debate, it's like arguing whether air or fuel is more important to make a fire.
    warboat
    Reply Vote I'm Undecided
    • Users are a problem, But.... (This is far from a useless debate!)

      @Warboat - True, the typical net user has NEVER learned the importance of proper passwords, despite repeated warnings and advice (I can name and shame at least 20 people amongst my social circle & I am on about it all the time!). However, users are not an excuse for poor system design. In the real world, asking the average user to remember even a tiered password system with just three base passwords and variants is virtually impossible. However, all the good password/PC management means nothing if the device is flawed. SECURITY HAS TO START AT DESIGN LEVEL.

      As an aside, the number of websites that limit passwords to only 8 characters max and/or do not allow extended characters is truly shocking! (I avoid them on principal). Personally, I have unique 20 character minimum complex passwords for every site I use on the web & need an encrypted USB device to generate, store & apply them that cost over £100. Are we to expect the average user to follow a similar approach. True security (if it exists) costs and the only way we will ever see it reasonably applied is in device development with one or a combination of new & existing technologies, such as retina, fingerprint amongst many others in development.
      Rauvin
      Reply Vote I'm Undecided
      • the best password

        is useless if the user gets phished.
        security awareness is more than just passwords.
        warboat
        Reply Vote I'm Undecided
  • Users are part of the problem but that can be overcome with rigid IT rules

    I make an attempt, I have a 36 number & letter password and MAC address system to access my network. My browsers clear their history as soon as I close them (its a pain but I'd rather look for content again than be hacked) I have spybot S&D and antimalware running, because of my browser control I have to re initiate the rules for most pages. As long as network security is tightly governed including monitoring such as USB sticks & mobiles and user rules everything "should" be fine. IT do have a lot of responsibility and ours do a good job for little thanks tbh.
    Kevin Morley
    Reply Vote I'm for Network