With organizations from the Fortune 100 and U.S. government struggling to take control of smartphone security, we need to break the mental ties we have comparing it to a PC and remember the evolutionary path it took.
A PC did not give birth to a smartphone; the cellular phone of the 1980s did.
Here’s why this understanding is important to truly comprehending mobile security, especially when it comes to corporate IT and smartphones that do double duty for work and play.
Back in the early 1980s, I used my first personal computer, the Apple II.
The public school I attended purchased one for each classroom. I remember playing a few educational games and even attempting a bit of programming. Later that same year, my parents won a computer in a raffle and gave it to me. It was a Timex Sinclair 1000.
History has already written which of those two computers won, but they both had something very important in common: BASIC programming. Both of these devices could be easily programmed using a simple programming language. Simple enough that a technology-intrigued 6-year-old living in the suburbs of Chicago could learn to write programs to draw graphics and create simple video games.
The personal computer (PC) inspired its users, from age 6 to 96, to write their own software. I remember sitting in front of those computers for hours writing a few lines of code and then typing “RUN” to see what I had created. Even though most users do not write their own code, they still use PCs in a very similar way, sitting at the keyboard in one location.
Around the same time, I used my first cellular phone.
My neighbor, Jerry, was employed by Illinois Bell and was working on a project with Motorola to test cellular phones in cars. The entire trunk of his company-issued car was filled with circuit boards and blinking lights making up the cell phone components you hold in your hand today. Located between the front seats was a handset.
Jerry used to take me and his kids to get ice cream, letting us call our moms from the road. From the very start, cellular phones were meant to be mobile devices.
Both PCs and mobile phones evolved over the next 20 years without much convergence. Along the way, they became less expensive and easier to use, attracting more and more non-technical users. Today we still call the personal computer a PC (or a Mac), but the mobile phone gave birth to an array of sub-categories, with the most popular today known as a smartphone.
Often a smartphone is called a PC in your pocket. I even made that statement during a 2011 DEF CON presentation on smartphone security. The more I think about that statement, though, the more I start to believe that the root of our problems around mobile security is an extension of that incorrect comparison.
What we’re dealing with today is the rapid addition of features and a user adoption rate that accelerated faster than anyone anticipated, including organizations’ IT security departments.
While these departments were busy upgrading firewalls, installing IDS systems and anti-spam gateways, their users were waiting in lines around the block to spend hundreds of dollars of their own hard-earned cash to get the next generation of smartphone. Within minutes of their purchase, they connected to their corporate email accounts, installed games and other apps, and used the built-in VPN client to access intranet sites — all of this without oversight or control from their IT security department.
Now this same user group makes security mistakes every single day. They read both personal and business email on the same device and open attachments. They click on links they see on Facebook and Twitter. They allow their friends and children to play games on their device without oversight. They navigate to Websites via QR codes they see on the subway.
In order to understand how an organization would let this happen, we need to start at the top.
There likely isn’t a single CEO in the world that does not own a smartphone or tablet. When the CEO of the company wants a smartphone for business purposes, they get one, and so do all the CEO’s direct reports, and their direct reports, and so on. Pretty soon the entire company has a smartphone connected to the corporate network to access email, calendar, contacts and other information.
This is the moment when the IT security administrator stops reviewing firewall logs and realizes there is a problem, but then immediately thinks a solution already exists. All of these smartphones are really just itty, bitty PCs, right?
The IT security admin has a policy for connecting PCs to the corporate network and it goes something like this:
- Rule 1: The device must be owned and issued by the company.
- Rule 2: It must be connected to the corporate domain.
- Rule 3: It must be running anti-virus software.
- Rule 4: The user must not have local administrative access.
The IT security admin runs through each rule, quickly realizing none of the rules apply to smartphones, starting with the very first rule. Everyone from the CEO down to the mailroom staff bought their own device. The admin is certainly not in the position to tell his boss and his boss’s boss that the company needs to disconnect all smartphones from their network and purchase company-issued devices for all of their employees.
With that, the IT security admin goes back to reviewing firewall logs.
That’s the state most organizations are in today. Smartphones have to be categorized as their own class of device and secured via a completely different methodology, using some techniques probably yet to be invented.
There are, however, ways to help mitigate security risks in the interim. Properly defining the organization’s support of smartphones, its users and the data they are required to access is fundamental until the devices themselves offer solutions natively or via third-party add-ons.
Only when these devices are treated as their own asset type will IT security departments be able to secure the smartphones connected to their environment.
Nicholas J. Percoco is senior vice president and head of Trustwave SpiderLabs.
With more than 14 years of information security experience, Percoco heads Trustwave SpiderLabs, the advanced security and research team at Trustwave, which assists clients when making strategic decisions around security and compliance regimes. Trustwave SpiderLabs has performed more than 1300 computer incident response and forensic investigations globally, run thousands of penetration and application security tests for clients, and conducted security research to improve Trustwave’s products.
Image courtesy of reallyboring.