Tuesday, September 25, 2012

Unrealistic "Security Advice"

I just read a blog post (no need to direct traffic there with a link) that included the following content:

This week, I had the opportunity to interview the hacking teams that used zero-day vulnerabilities and clever exploitation techniques to compromise fully patched iPhone 4S and Android 4.0.4 (Samsung S3) and the big message from these hackers was simple: Do not use your mobile device for *anything* of value, especially for work e-mail or the transfer of sensitive business documents.

For many, this is not practical advice. After all, your mobile device is seen as an extension of the computer and there is a legitimate need to access work e-mail on iPhone/iPad, Android and BlackBerry smart phones. However, whether you are a businessman, a celebrity or the average consumer, it's important to start wrapping your mind around the idea of separating work from play on mobile devices.

This author is well-meaning, but he completely misses the bigger picture.

Against a sufficiently motivated and equipped adversary, no device is impenetrable.

Mobile devices are simply the latest platform to be vulnerable. There is no reason to think your corporate laptop is going to survive any better than your iPhone.

Now, I believe that non-mobile devices enjoy some protections that make them more defensible compared to mobile devices. Servers and workstations are generally "wrapped" with multiple defensive layers. Laptops benefit from those layers when connected to a corporate network, but may lose them when mobile. Still, even with those layers, intruders routinely penetrate networks and accomplish their missions.

One might also argue that mobile devices are more likely to be lost or stolen. I agree with that. However, full device encryption and passcodes can mitigate those risks, and loss or theft is a different threat from "zero-day vulnerabilities and clever exploitation techniques."

Despite these limitations, we still conduct work on computing devices. If we didn't, what would be the point?

We would be much better served if we accepted that prevention eventually fails, so we need detection, response, and containment for the incidents that will occur.

Software developers and security engineers should of course continue to devise better protection and resistance mechanisms, but we must remember we face an intelligent adversary who will figure out how to defeat those countermeasures.

3 comments:

Anonymous said...

Richard - We see the same horror over mobile devices in the SCADA and DCS world, and it is the same losing battle.

A number of the SCADA and DCS vendors are offering solutions to push process information to smartphones, tablets and other Internet connected devices. And they are doing this in a way that doesn't increase the risk to the availability or integrity of the control system. The additional risk is to the confidentiality of process data on these devices.

ICS security types in asset owner companies should fight process control from these Internet connected mobile devices and proper security controls for process data access rather than just saying no to all smartphones.

Dale Peterson
Digital Bond, Inc.

Anonymous said...

Great post. It's amazing how much we need to drill the fundamentals over and over, even for experienced pros.

The fact of multi-faceted attacks is the reason we have defense-in-depth. It's not just that countermeasures fail - it's also that different attacks require different countermeasures.

Let's not overlook the fact that encryption is susceptible to stronger cracking over time by the plain fact of increasing computer power.

Plus, having possession of a device is not the same as having control of the data. Data isn't physical property anymore. An attacker can easily clone an encrypted drive and brute-force it later, at their leisure, with as many resources as they can muster.

The original author did make a good point though - don't trust your own devices!

Anonymous said...

This is not true:

"There is no reason to think your corporate laptop is going to survive any better than your iPhone,"

for reasons analogous to the fact that a teen is more vulnerable than an adult human.

There are many, many reasons why your corporate laptop will survive better than the iPhone beginning with the fact that the corporate laptop technology is more mature and has been subject to more hardening than the iPhone, for no more complicated reason than the iPhone hasn't been around as long.

By the same token, there are more tools and capabilities available to lock down the corporate laptop to prevent unvetted apps and other code from being accessible and executable than on the iPhone.

You're absolutely correct in your previous sentence:

"Against a sufficiently motivated and equipped adversary, no device is impenetrable,"

but that is not to say that all devices are equally impenetrable.