I just read a blog post (no need to direct traffic there with a link) that included the following content: This week, I had the opportunity to interview the hacking teams that used zero-day vulnerabilities and clever exploitation techniques to compromise fully patched iPhone 4S and Android 4.0.4 (Samsung S3) and the big message from these hackers was simple: Do not use your mobile device for *anything* of value, especially for work e-mail or the transfer of sensitive business documents.
For many, this is not practical advice. After all, your mobile device is seen as an extension of the computer and there is a legitimate need to access work e-mail on iPhone/iPad, Android and BlackBerry smart phones. However, whether you are a businessman, a celebrity or the average consumer, it's important to start wrapping your mind around the idea of separating work from play on mobile devices.
This author is well-meaning, but he completely misses the bigger picture.
Against a sufficiently motivated and equipped adversary, no device is impenetrable.
Mobile devices are simply the latest platform to be vulnerable. There is no reason to think your corporate laptop is going to survive any better than your iPhone.
Now, I believe that non-mobile devices enjoy some protections that make them more defensible compared to mobile devices. Servers and workstations are generally "wrapped" with multiple defensive layers. Laptops benefit from those layers when connected to a corporate network, but may lose them when mobile. Still, even with those layers, intruders routinely penetrate networks and accomplish their missions.
One might also argue that mobile devices are more likely to be lost or stolen. I agree with that. However, full device encryption and passcodes can mitigate those risks. That's not the same as "zero-day vulnerabilities and clever exploitation techniques" however.
Despite these limitations, we still conduct work on computing devices. If we didn't, what would be the point?
We would be much better served if we accepted that prevention eventually fails, so we need detection, response, and containment for the incidents that will occur.
Software developers and security engineers should of course continue to devise better protection and resistance mechanisms, but we must remember we face an intelligent adversary who will figure out how to defeat those countermeasures.
0 comments:
Post a Comment