Mobile security: What's the best defense?

Moderated by Jason Hiner | February 25, 2013 -- 07:00 GMT (23:00 PST)

Summary: Is it the device or the network? Ryan Naraine and David Gewirtz weigh the options for protecting your organization's precious data.

Ryan Naraine: Device

or

David Gewirtz: Network

Best Argument: Device

Device: 45%
Network: 55%

Audience Favored: Network (55%)

Closing Statements

Emphasize the endpoint

Ryan Naraine

David scored major points in this debate by reinforcing the point that we can't let users run the asylum. It's true that we can't rely on the users to make proper security decisions, whether on mobile platforms or traditional computing systems.

I spent a few hours on a panel discussion here at Mobile World Congress talking about the challenges of securing data in motion and heard first-hand the nightmares faced by IT security departments with an active mobile workforce. Users will always opt for convenience over safety, regardless of the consequences. Corporate security policies are circumvented in the name of getting work done, and smartphones are 'jailbroken' to make life easier with no regard for the security posture of the device. These are truths that aren't going away.

We all agree that this exciting mobile world introduces gaping holes for attackers to penetrate the network. Then why is mobile device security such an afterthought? Network security and device security must co-exist but, with users as the weakest link, we need to place the emphasis on the endpoint.

Secure your network

David Gewirtz

Ryan and I essentially agree on most of this debate. Neither of us would recommend you entrust your organization's protection solely to devices in unpredictable users' hands. And neither of us would tell you to avoid any good security facilities available at the handset level.

Interestingly, device manufacturers are finally beginning to recognize the need for better security. BlackBerry now offers the Balance system and Samsung announced Knox at MWC this week. But both security kernels are optional purchases, so most device users won't have them.

What's particularly relevant for my side of the argument is that even the very existence of these device-level security features showcases the expectation of a network defense. After all, if a company mandates that only devices with Balance or Knox features are allowed on the network, then -- almost by definition -- there is central management of security and an organization-level set of policies.

Ultimately, that's what network security is. It's using the full resources of the organization (as well as the physical set of networks) and providing security services at a professional level.

The bottom line is really simple. The best-best-best defense is a mix of device and network security. But you must never rely solely upon your devices to provide security. Employees, customers, consumers, and partners can't, universally and without any deviation, be counted on to follow all your security recommendations.

After all, a discount, malware-infested copy of Angry Birds Star Wars is going to be far too appealing to at least one user on your network. All it takes is one user. Unless, of course, you secure your network. But that would make the network the best defense, wouldn't it?

Heck, you know I'm right.

Ryan's case for device holds up better

Jason Hiner

The reality is that mobile security needs both the network and the device layers as well as the middle ground between them. Both Ryan and David made good cases. Overall, Ryan's case that you still need the device held up better. The network can't do it all. I'll give the nod to Ryan by a slight margin.

Talkback

24 comments
  • Wiggle Your Finger Cyber Identification

    Hi Guys, I believe you will find that a new version of biometric identification called MovementMetric Identification will replace all current measures that are used to grant and deny cyber access.

    Since MovementMetric Identification™ can, with 100% accuracy, identify any person, then cyber security problems should soon become a concept from the past.

    MovementMetric Identification™ utilizes changes that occur with the movement of any part of your body.

    One example of use would be to observe the wrinkles at any one of the knuckles of any of your fingers, the patterns that occur in these wrinkles during the movement of your finger can never be replicated for use by any other person or any device.

    So... in the near future, we will simply wiggle our finger in front of a camera if we wish to be accurately identified. No tokens, no passwords, and no other tricks will be needed to keep others out of our cyber stuff, the wrinkles in just one knuckle will soon be the only key we will ever need.

    Information about the use of MovementMetric Identification™ to improve upon our current computing resources and computing environments can be found at PlanetEarth-Online.com

    Welcome to the Future!
    Jeff@...
    Reply Vote I'm Undecided
    • Half baked trademarked security technologies

      Movement metric is hardly reliable and easily fooled.
      There's more to security than just the password level.
      warboat
      Reply 1 Vote I'm Undecided
  • Both/and

    It's not really either/or - it's both/and . . .

    If you become too lax on either end, it spells trouble.

    But should be an interesting debate nonetheless.
    CobraA1
    Reply 6 Votes I'm Undecided
    • It needs to be a mix

      Personally I'm for network first, device next.
      I would expect the network to provide a minimal effective amount allowing me to enhance or add to it as needed / wanted.
      rhonin
      Reply 1 Vote I'm Undecided
    • Ryan has this technological haughtiness I don't really like . . .

      Ryan has this technological haughtiness I don't really like:

      "The perimeter has been dead for a while. "

      I have to disagree. Ignore the perimeter, and hackers will go back to attacking the perimeter. Hackers know full well that if modern technological snobbery makes people ignore protection against "old" style attacks, that means that the "old" style attacks are effective again.

      Why do you think social engineering is so popular? It's not particularly new, and has been done by scam artists even in ancient history. It's not new or novel - but it's still effective. And yeah, hackers know that.

      Ignore older risks at your own peril.

      Because of this, I'm siding with David. Protection has to be at all levels, and you can't ignore old, classic attacks just because of some sort of technological snobbery against old stuff. You're putting yourself at risk if hackers discover you've been slacking in older areas of security.
      CobraA1
      Reply Vote I'm Undecided
  • First step is at Device level

    Let's look at Android, more malware than apps, and for Windows Phone there is zero malware.
    So it's possible to design something very safe, even though there is nothing like 100% foolproof.

    There may be things that could be done at network level, but I am going for device.
    Owlll1net
    Reply 3 Votes I'm for Device
  • The best security is user education

    Security needs to be handled at different levels.
    The most vulnerable attack vector is the user and the one that needs the most improvement.
    This is a useless debate, it's like arguing whether air or fuel is more important to make a fire.
    warboat
    Reply Vote I'm Undecided
    • Users are a problem, But.... (This is far from a useless debate!)

      @Warboat - True, the typical net user has NEVER learned the importance of proper passwords, despite repeated warnings and advice (I can name and shame at least 20 people amongst my social circle & I am on about it all the time!). However, users are not an excuse for poor system design. In the real world, asking the average user to remember even a tiered password system with just three base passwords and variants is virtually impossible. However, all the good password/PC management means nothing if the device is flawed. SECURITY HAS TO START AT DESIGN LEVEL.

      As an aside, the number of websites that limit passwords to only 8 characters max and/or do not allow extended characters is truly shocking! (I avoid them on principle). Personally, I have unique 20 character minimum complex passwords for every site I use on the web & need an encrypted USB device to generate, store & apply them that cost over £100. Are we to expect the average user to follow a similar approach? True security (if it exists) costs and the only way we will ever see it reasonably applied is in device development with one or a combination of new & existing technologies, such as retina, fingerprint amongst many others in development.
      Rauvin
      Reply Vote I'm Undecided
      • the best password

        is useless if the user gets phished.
        security awareness is more than just passwords.
        warboat
        Reply Vote I'm Undecided
  • Users are part of the problem but that can be overcome with rigid IT rules

    I make an attempt, I have a 36 number & letter password and MAC address system to access my network. My browsers clear their history as soon as I close them (it's a pain but I'd rather look for content again than be hacked). I have Spybot S&D and antimalware running; because of my browser control I have to re-initiate the rules for most pages. As long as network security is tightly governed including monitoring such as USB sticks & mobiles and user rules everything "should" be fine. IT do have a lot of responsibility and ours do a good job for little thanks tbh.
    Kevin Morley
    Reply Vote I'm for Network