Do you think organizations are understanding and taking the threat among these new mobile attack vectors seriously yet? Are security managers really getting it? Why or why not?
The most-security-aware organizations are taking these threats very seriously. They're destroying phones after taking them to hostile areas with known malicious carriers, they're limiting what information gets copied to the default inbox/contact list on devices, they're limiting what applications can be installed on devices which have access to enterprise infrastructure. As a group, they're still a very small percentage of organizations, but the numbers are growing. Unfortunately, many organizations wait until an incident happens and then react to the problem. That's probably not the best strategy when it comes to assuring one's career path, but it's the state of the industry when it comes to mobile security right now.
I think there is a big gap in knowledge when it comes to really understanding the problem. Most security managers have no clue that foreign carriers have complete administrative control of all devices that are associated with their network. They don't understand how rogue towers can be set up. They haven't had time to really do comprehensive threat modeling for malicious mobile applications. IntegriCell and others in the industry are working to bring these risks to light and helping organizations deploy compensating controls as fast as we can.
In your presentation, you specifically referred to some of the threats mobile users are facing now while traveling internationally. What are you observing?
There are two major threat categories when it comes to international travel: the malicious foreign carrier and the enterprising private mobile attacker. These threats result from the fact that citizens of a foreign country generally have no rights to privacy and no official recourse if their information gets stolen while they are in the foreign country. I already spoke about how foreign carriers have total control over devices which are associated with their networks. Probably the most alarming thing we've seen happen in our tests is how foreign carriers can steal the cryptographic seed values from soft-tokens installed on smartphones. One take-away I'd love to get across to all of your readers is to never let soft-tokens become a solution to be relied on for organizations which have a large number of international travelers.
The 'enterprising mobile attacker' is someone involved in a situation like we found in Mexico. Imagine you're on a cruise ship. You don't want to pay the exorbitant internet fees on-board, so you're constantly looking for WiFi on-shore. You get off the ship, find a coffee shop with great WiFi, so you connect your device and get your internet fix. What you don't realize is that the coffee shop owner has realized he can make more money selling your address book to spear phishers than he ever can make selling you even his most-expensive latte.