Risk
10/26/2012 02:28 AM
How Does Mobility Change IT Risk Management?

Understanding the mobile issues that will measurably affect risk posture

With recent surveys showing the majority of enterprises considering mobile device management (MDM) and other security-related solutions, but a minority having actually deployed them, it is clear that organizations are grappling with exactly how mobility plays into their risk postures.

Unfortunately, rather than trying to first measure how mobility and BYOD increase risk to the enterprise to drive best practices and technology, many enterprises are making harried and clouded purchase decisions. But simply throwing money at a newly introduced security program without taking the time to understand why the budgeted item is necessary is dangerous and costly, experts warn.

"Administrators don't typically have enough information to be able to tell their management, 'This is why you have to buy this or do that' because they aren't able to quantify their mobile risks," says Dan Ford, CSO of mobile risk management firm Fixmo, and a doctoral candidate who's wrapping up a thesis on evaluating the risk of iOS in the enterprise.

Recent statistics on MDM deployments tend to back Ford's beliefs. While Gartner analysts predicted that over the next five years more than two-thirds of enterprises will adopt an MDM solution for their corporate-liable users, many of today's enterprises are having a hard time deciding what kind of solution they need. A recent InformationWeek Reports analysis, "40 BYOD Vendors, One Confusing Market," showed that just more than one-quarter of enterprises have currently deployed MDM.

Ford believes that quantifying different mobile risks could help enterprises decide what kind of technology and practices they need to support policies that address the risks they rank as most important to the business. That means doing the hard work of putting numbers to risks rather than settling for basic qualitative assessments of high, medium, low or red, yellow, green. The problem with qualitative assessments is that when security reduces an already high risk by 10 percent -- a considerable amount -- but the risk still remains rated high, it becomes difficult to justify expenditures on specific changes. And specificity is important when looking at all of the moving parts around MRM, including, for example, something like password policies.

"How much risk is it then when I have a four-digit PIN, and what if I have a six-character password?" he says, explaining that these questions need to be asked and organizations should endeavor to attach metrics to the answers.
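One way to put numbers to the passcode question Ford raises, as an added example that is not part of the article: the scenario is a lost or stolen device whose passcode an adversary tries to guess before the wipe-after-N-failures budget is spent. Passcodes are assumed uniformly random (a floor, since user-chosen PINs are usually weaker), and the fleet loss rate, cost per breach, and high/medium/low thresholds are constructed inputs. The example also shows the effect the article describes: a policy change that removes exactly 10 percent of the risk while both before and after sit in the same "high" bucket.

```python
"""Putting numbers to one mobile risk: the on-device passcode policy.

Added example, not from the article. Scenario: a device is lost and an
adversary tries passcodes until the wipe-after-N-failures budget is spent.
Passcodes are assumed uniformly random. Fleet loss rate, cost per breach
and the rating thresholds are constructed inputs.
"""
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class PasscodePolicy:
    name: str
    alphabet_size: int  # distinct symbols per position (10 for digits, 36 for a-z0-9)
    length: int         # number of positions
    max_attempts: int   # failed unlocks allowed before the device wipes or locks

    @property
    def keyspace(self) -> int:
        return self.alphabet_size ** self.length

    def p_guess(self) -> Fraction:
        """Exact probability of guessing a uniformly random passcode
        before the attempt budget runs out."""
        return Fraction(min(self.max_attempts, self.keyspace), self.keyspace)


def annual_loss_expectancy(policy: PasscodePolicy,
                           lost_devices_per_year: int,
                           loss_per_breach: int) -> Fraction:
    """Expected yearly loss from lost-device-plus-guessed-passcode,
    kept as an exact fraction so small values are not rounded away."""
    return lost_devices_per_year * policy.p_guess() * loss_per_breach


def qualitative_rating(ale: Fraction, high: int = 1000, medium: int = 100) -> str:
    """The coarse bucket that hides a 10 percent improvement (thresholds constructed)."""
    if ale >= high:
        return "high"
    if ale >= medium:
        return "medium"
    return "low"


def risk_reduction(before: Fraction, after: Fraction) -> Fraction:
    """Share of risk removed by moving from one policy to another."""
    return 1 - after / before


def compare(policies, lost_devices_per_year: int, loss_per_breach: int) -> list:
    """One row per policy: keyspace, guess probability, ALE and its bucket."""
    rows = []
    for p in policies:
        ale = annual_loss_expectancy(p, lost_devices_per_year, loss_per_breach)
        rows.append({"policy": p.name, "keyspace": p.keyspace,
                     "p_guess": p.p_guess(), "ale": ale,
                     "rating": qualitative_rating(ale)})
    return rows


# Constructed policies: the article's 4-digit PIN vs 6-character password,
# plus the same PIN with one fewer attempt allowed before wipe.
POLICIES = (
    PasscodePolicy("4-digit PIN, wipe after 10", 10, 4, 10),
    PasscodePolicy("4-digit PIN, wipe after 9", 10, 4, 9),
    PasscodePolicy("6-char a-z0-9, wipe after 10", 36, 6, 10),
)
LOST_DEVICES_PER_YEAR = 100   # constructed: 5% of a 2,000-device fleet
LOSS_PER_BREACH = 50_000      # constructed: dollar cost of one compromised device


if __name__ == "__main__":
    rows = compare(POLICIES, LOST_DEVICES_PER_YEAR, LOSS_PER_BREACH)
    for row in rows:
        print(f"{row['policy']:<32} keyspace={row['keyspace']:>13,d} "
              f"p_guess={float(row['p_guess']):.3e} "
              f"ALE=${float(row['ale']):,.2f} ({row['rating']})")
    pin10, pin9, _ = rows
    print(f"tightening the wipe threshold from 10 to 9 removes "
          f"{float(risk_reduction(pin10['ale'], pin9['ale'])):.0%} of the risk, "
          f"yet both policies are rated {pin10['rating']}")
```

The ratio of attempt budget to keyspace is what drives the number, which is why the six-character alphanumeric policy lands five orders of magnitude below either PIN variant; the same model extends to any other policy knob by adjusting the inputs rather than the formula.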

Organizations that are serious about conducting risk assessments around mobile practices should be asking these questions around three major classes of risk, says Andrew Jaquith, chief technology officer at Perimeter E-Security.

"Mobile risk discussions should center around three areas of risk: technology, policy, and law," he says. "Companies have to address all three of them."

On the technology side, organizations should be thinking about how specific devices, settings, and network configurations affect the overall security posture of the IT infrastructure. In particular, organizations should be looking to measure and reduce risks around things like authentication, data access authorization, and encryption, Ford says.

"One of the important things in evaluating the risk is how is this application you're using in the mobile device and MDM storing credentials, which is the authentication piece of it," he says.


For example, organizations that depend on credential storage within the iOS keychain or Android Password feature could be opening themselves up to an elevated risk due to documentable weaknesses in these mechanisms, he warned. It's even an issue for those organizations that depend on MDM products, many of which depend on the keyring to enforce authentication policies, he says.

When it comes to assessing technology risks around mobility in general, Ford recommends organizations seek out NIST's "Guidelines for Managing and Securing Mobile Devices in the Enterprise," a document that's still in draft but nearly complete and can offer a good framework for deciding which risk factors to consider.

As for policy risks, enterprises need to think about how certain mobile policies will increase or decrease risk, be they policies around allowing employee-owned devices to access network resources, policies that restrict authorization of access based on the device it is coming from, or on-device policies that govern things such as screen lock and application use.

"Do you take your desktop security policy and just plop it right on to your mobile phone, using the same password policy and so forth?" Jaquith says. "Probably not. So there's a definite best practices side of the mobile risk story."

One potential best-practice angle that many enterprises may be forgetting is how their development practices introduce risks to the mobile application environment, be it through customer-facing or internal enterprise apps. If enterprises fail to measure the risk posed by insecure apps, they will have a hard time deciding how much to spend on secure development practices in the creation of these apps.

"One question to ask is what's the amount of risk management that's too much or not enough when you're building the apps," Jaquith says. "How much is too much in terms of effort and how much is inadequate?"

And, finally, risks around the law deal with issues not only around how mobile use affects compliance with regulatory mandates, but also privacy laws that could be tricky when trying to control BYOD.

"There's the legal risk to consider; what kind of legal environment are you in when you're entrusting company data on a personally owned device, and does that data become the employees' and expand their rights to it, for example?" he says, explaining that risk assessments need to consider how legal considerations may affect the kind of control the organization decides to assert over an employee-owned device.
