
The Portable Puzzle

Solutions for managing security of mobile systems and portable storage devices still elude many enterprises

When it comes to developing solutions for managing the security of mobile and portable storage devices, IT executives' attitudes can be summed up in one word: frustrated.

That's the word that best describes the responses we've received to Dark Reading's portable and mobile security survey over the past month. Security professionals say they are frustrated by their inability to enforce policies for securing mobile devices, and by their inability to find adequate technology solutions among a plethora of rapidly developing products.

As we saw in Part 1 of our survey analysis last week (See No Wires & No Policies.), corporations and large organizations are having trouble developing enforceable policies for securing portable devices. While 42 percent of respondents said their organizations maintain an "unplugged" philosophy for most users, approximately 61 percent said they either haven't got a policy for removable storage devices, or their organizations were vulnerable because their policy was unenforceable. About 28 percent of respondents said their policies for mobile device management were either nonexistent or unenforceable.

A major reason for these policy shortcomings is the dearth of viable technology for managing the security of devices that travel outside company walls, security professionals say. In our survey, 47 percent of respondents said current products for managing removable storage were inadequate or nonexistent; about 46 percent said the same is true of products for securing mobile and wireless devices.

A shortage of adequate encryption technology is one problem, IT executives say. "The most frustrating aspect of securing mobile devices and storage media is trying to find a way to implement encryption that works for all our users around the globe," says Greg Lyons, security research analyst at a major consumer-packaged foods company. "Different countries today have widely varying laws on decryption, and regional solutions are no help, because our users often travel between jurisdictions."

Other respondents are exasperated by the myriad of portable technology available on the consumer market, much of which ends up in their users' pockets. "New devices from Best Buy should be left home or at the door," says David Kubista, president of Helimeds, a Tucson, Ariz.-based manufacturer of air ambulances. "The company should provide the tools or access required."

Some security pros say there may be adequate solutions on the market, but they are so overwhelmed with new product information that they can't make heads or tails of it. "Nobody can keep up with all of the new technology," says Phil Long, field support engineer at Goss International Americas Inc., an Illinois-based manufacturer of printing equipment.

And others say the price tag for current solutions is simply too high. "It's not so much that the products are inadequate, it's that they are unrealistically expensive for the small- to mid-sized company, or a not-for-profit like us," says Daniel Cotelo, an MIS technician for Central Coast Community Health Care in Monterey, Calif.

Vendors, not surprisingly, disagreed with the survey respondents' assessment. Officials at companies such as SecureWave and Reflex Magnetics, both of which offer tools for managing and securing removable storage media, say their challenge is simply getting the word out to IT staffers who don't know there are viable products on the market to solve the remote device security problem.

By a wide margin, security professionals' greatest concern about mobile and portable devices is simple loss or theft. Some 62 percent of respondents ranked laptop theft as one of their top two concerns, and 37 percent ranked loss or theft of removable storage media in the top two. Introduction of malware via portable storage devices was cited by 29 percent of respondents; 22 percent were concerned about penetration of Wi-Fi or other wireless data network connections. Only 16 percent expressed high anxiety about the loss or theft of PDAs or other mobile devices; just four percent were worried about eavesdropping on cellular calls.

Interestingly, however, only one percent of respondents have actually experienced a security violation through mobile or portable storage media, and only 26 percent of respondents cited the threat of attack as the primary driver behind their mobile and portable security initiatives. The most frequently cited driver for mobile security efforts was a general push for better security across the enterprise (30 percent), followed by compliance with Sarbanes-Oxley or other regulatory standards (25 percent).

No matter what their motivation, though, survey respondents wish they could find products and vendors that fit better with their existing environments. "Every [vendor] has a better way of doing things and has included special features in their applications," Kubista observed. "But it's all useless if it takes forever to map that application to a business process."

— Tim Wilson, Site Editor, Dark Reading

  • Reflex Magnetics Ltd.
  • SecureWave S.A.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
