The most critical element of mobile security: you
The rise of hacktivism and the growing popularity of mobile computing have combined to create what McAfee researchers have called a year of chaos and change.
Quasi-organizations such as Lulz Security and Anonymous have grabbed headlines using vulnerabilities and exploits long known to any penetration tester, said Dave Marcus, director of security research at McAfee Labs.
“It’s troubling, the ease they seem to have in getting in where they want,” Marcus said. “They know almost every time there is going to be cross-site scripting issues or SQL injection issues.”
But the steady growth of malware targeting mobile devices, while not surprising, could be a game-changer for IT security.
“A lot of what we do in security is now in the hands of the end user more than ever before,” Marcus said. “If there is a lesson to be learned from this, it’s that we need behavioral user training if we are going to have a secure mobile workforce.”
The trends were reported in McAfee’s threat report for the second quarter of 2011. Marcus said the report contains few surprises and mostly confirms earlier trends. “We’re seeing predictions come to fruition,” he said.
One confirmed trend is the dominance of the Android mobile operating system as a target for malicious code. The platform went from No. 3 in the first quarter of the year to No. 1 in the second quarter, accounting for about two-thirds of mobile threats identified during the quarter. The total number of mobile malware samples continued its steady growth, to 1,200 during the quarter.
The attention from hackers tracks the product’s market penetration, Marcus said. “The more popular something becomes, the more attractive it gets.”
Mobile computing changes the nature of the threat being faced by enterprises because, although mobile devices are increasingly being used as workplace tools, they often are personally owned and operate much of the time outside the managed enterprise environment. This puts a premium on educating users beyond general security awareness training, Marcus said.
“It means being trained to know what the risks are, what to look out for and how to behave safely,” he said, a task he admitted probably is “easier said than done.” But he is optimistic that with enough education users, especially power users, can securely use devices that have little inherent security. “At the end of the day, people who like to fiddle with things tend to use things better.”
Training budgets often are at risk during tight economic times, but Marcus said they provide a solid return on investment. “It will cost you less long-term if you have better trained users,” he said, compared with having to spend resources on responding to incidents, restoring systems and doing forensic investigations.
The rise of politically motivated hacktivism has grabbed headlines this year, but characterizing these activities is difficult, Marcus said. One group, Lulz Security, had a brief but high-profile life with successful breaches of a number of sites, but does not fit the profile of hacktivism. “They’ve always been in it for the LOLs,” or laughs, in text-speak, he said.
Another group, Anonymous, which has gained attention most recently for its OpBART activities targeting San Francisco’s transit system, comes closer to the definition of hacktivist. “It’s more focused on human rights and openness,” he said.
One positive aspect of their activity is that they have exposed chinks in enterprise security, delivering tough lessons. Organizations need to view security holistically rather than as a technology or product, Marcus said.
“A lot of them will put in an appliance and think they are secure, and then forget about the basics of locking down and managing an enterprise,” he said. “Anonymous takes advantage of that.”