Ryan Naraine
Device
Network
David Gewirtz
Best Argument: Device
Audience Favored: Network (55%)
The moderator has delivered his final verdict.
Opening Statements
There's no other choice
Listen, I'm not going to sit here and argue that network security isn't crucial to a robust mobile risk management strategy. It is. But if you ignore security at the device layer, you're in for a rude awakening.
In this BYOD world, corporate data is flying through open WiFi networks in coffee shops and sitting in the back of taxi cabs when smartphones and tablets get lost. If you can't protect the device, you are ignoring significant entry points for attackers.
The best defense is multi-layered, but unless you have strict plans and policies around device security, identity management, provisioning, log-in credentials, you are ignoring significant risks. When mobile devices leave the traditional "perimeter," you really need to address that risk at the endpoint level. There's no other choice.
To keep everyone safe
Mobile devices, far more than desktop computers, are extensions of the personalities of the individuals using them. Here's the fundamental problem. If we rely on the device as the sole means of mobile security, we're relying on people.
Mobile device users range in knowledge from very technically skilled to barely able to answer a call. They also vary in willingness to take the time and extra effort to secure their devices. Some users will purposely violate device security, either by jailbreaking or downloading apps from questionable sources.
The simple fact is that the vast majority of mobile users just don't understand security, don't care, and aren't willing to take the time to learn. Since the device itself is under their direct control, we just can't rely on it alone.
Any good security strategy relies on tiers (or layers) of security. Certainly, having some security on the device is a start. But that's far from enough. The network is the common means by which all these devices communicate, and so it's up to the network to keep everyone safe.
Sometimes, that means relying on the internal corporate network or VPNs. Other times, that means relying on carriers, who also don't want malicious traffic on their network. But whether it's IT or the carriers, both have a far more vested interest and dedication to security than the device users themselves.
Talkback
Wiggle Your Finger Cyber Identification
Since MovementMetric Identification™ can, with 100% accuracy, identify any person, then cyber security problems should soon become a concept from the past.
MovementMetric Identification™ utilizes changes that occur with the movement of any part of your body.
One example of use would be to observe the wrinkles at any one of the knuckles of any of your fingers, the patterns that occur in these wrinkles during the movement of your finger can never be replicated for use by any other person or any device.
So... in the near future, we will simply wiggle our finger in front of a camera if we wish to be accurately identified. No tokens, no passwords, and no other tricks will be needed to keep others out of our cyber stuff, the wrinkles in just one knuckle will soon be the only key we will ever need.
Information about the use of MovementMetric Identification™ to improve upon our current computing resources and computing environments can be found at PlanetEarth-Online.com
Welcome to the Future!
Half baked trademarked security technologies
There's more to security than just the password level
Both/and
If you become too lax on either end, it spells trouble.
But should be an interesting debate nonetheless.
It needs to be a mix
I would expect the network to provide a minimal effective amount allowing me to enhance or add to it as needed / wanted.
Ryan has this technological haughtiness I don't really like . . .
"The perimeter has been dead for a while."
I have to disagree. Ignore the perimeter, and hackers will go back to attacking the perimeter. Hackers know full well that if modern technological snobbery makes people ignore protection against "old" style attacks, that means that the "old" style attacks are effective again.
Why do you think social engineering is so popular? It's not particularly new, and has been done by scam artists even in ancient history. It's not new or novel - but it's still effective. And yeah, hackers know that.
Ignore older risks at your own peril.
Because of this, I'm siding with David. Protection has to be at all levels, and you can't ignore old, classic attacks just because of some sort of technological snobbery against old stuff. You're putting yourself at risk if hackers discover you've been slacking in older areas of security.
First step is at Device level
So it's possible to design something very safe, even though there is nothing like 100% foolproof.
There may be things that could be done at network level, but I am going for device.
The best security is user education
the most vulnerable attack vector is the user and the one that needs the most improvement.
this is a useless debate, it's like arguing whether air or fuel is more important to make a fire.
Users are a problem, But.... (This is far from a useless debate!)
As an aside, the number of websites that limit passwords to only 8 characters max and/or do not allow extended characters is truly shocking! (I avoid them on principle). Personally, I have unique 20 character minimum complex passwords for every site I use on the web & need an encrypted USB device to generate, store & apply them that cost over £100. Are we to expect the average user to follow a similar approach? True security (if it exists) costs and the only way we will ever see it reasonably applied is in device development with one or a combination of new & existing technologies, such as retina, fingerprint amongst many others in development.
the best password
security awareness is more than just passwords.
Users are part of the problem but that can be overcome with rigid IT rules