Threats, Vulnerabilities Increasing in the Mobile Environment, Experts Say
The growing concern over mobile cybersecurity is warranted, security experts said Thursday at a Washington cybersecurity conference sponsored by CompTIA. “Right now mobile security is in a pretty dicey place,” said Andrew Hoog, viaForensics chief investigative officer. The threat model for mobile devices is significantly higher than for traditional computers and IT systems and the number of targeted attacks is on the rise, Hoog said.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
More distressing is the nations that discovered how “wildly successful” these attacks can be, said Hoog. “We are seeing a lot more attacks in the mobile sourcing arena,” agreed Brian Contos, McAfee director of global security and risk management. “And a lot of them are tied to nation states … North Korea in particular.”
Many of the vulnerabilities that allowed U.K. hackers to gain access to data on politicians’ cellphones exist here in the U.S., panelists at the event said. All it takes is one malicious insider at headquarters of the telecommunications provider to expose users to these vulnerabilities, said Contos. Hackers can find someone who needs money, has a drug addiction, can be blackmailed, or even someone who is sympathetic to a particular cause, he said. “Social engineering is always the easiest route,” Contos said. “It is a lot easier than trying to hack through.”
But the new threat vector is in mobile applications, said Contos. Though it is possible to develop secure mobile applications, security for most apps has been a secondary concern. “It’s hard to distinguish which apps are real and which apps are set up with malicious intent,” he said. Even the white-listed apps, the apps people trust, are collecting information in a way that isn’t transparent to the user, said Allan Friedman, a research director at the Brookings Institution. “The way to secure mobile is with native apps,” said Hoog. “Apps that rely on built-in Web browsers are experiencing significant amounts of data on the device that the developer cannot secure.”
Encryption does not equal security for mobile devices, said Hoog, who added that his firm, viaForensics, has cracked most mobile encryption technologies including Apple’s iOS encryption. “People need to understand if it is running on a mobile device then everything you need to decode the information sits on the device. Until you have complex authentication everything you need to access a device is on the device itself.”
"The best way to secure mobile devices is simply not to store the sensitive data on the device,” Hoog said. But that becomes more difficult if the goal is to try to secure it in a way that won’t affect usability. “It’s challenging because you want it to work and you want it to work smoothly,” Hoog said. “But occasionally you will be inconvenienced and frustrated.” But McAffee thinks better security comes when it’s implemented directly into the hardware, Contos said. “If you get to the hardware you can alleviate the issues,” he said. “That is the hope and that where we are trying to get to."
Cybersecurity experts said during a separate panel that different, yet equally pressing vulnerabilities exist on today’s cloud databases. McAfee published a report this week which it said outlined a broad effort by potentially state-sponsored entities to infiltrate international databases connected to the Web. “There was a government entity attacking deliberately,” said Scott Crenshaw, vice president of Redhat’s cloud business unit. “With an attack profile like that it doesn’t matter” if your information is on the cloud or not.
The U.S. electrical grid is already vulnerable to such an attack, said Crenshaw. “There have been assertions made that the codes to trigger that kind of attack have already been inserted into our systems,” he said.
"Large clouds are interesting targets for hackers around the world,” said Ron Culler, CTO of Secure Designs. “It is not a hypothetical concern,” he said. “The risks are bigger because there is more infrastructure to launch an attack at,” added Ellen Rubin, founder of CloudSwitch. She said the primary security issues that cloud users need to address are encryption, network isolation and keeping encryption keys out of the cloud provider’s hands.
Though cybersecurity rules are better understood in traditional IT architecture, “the cloud is no less secure than traditional IT,” said Crenshaw. Right now the average enterprise is still dealing with the early stage questions [of cloud migration] and hasn’t gotten into the stuff that is difficult to do but essential,” he said. “The cloud can be very resilient if done correctly,” agreed Culler. “All of the large cloud providers have sophisticated tools and employees to prevent DDoS attacks.”