Don't Become Cats Chasing Mobile Security Laser Pointers

Published: 22/11/2024   Category: security




Mobile security threats may pose some risks, but do a risk analysis on the entire situation before diverting funds from fundamental security activities



Mobile device security threats are certainly real and the exploits demonstrated last week at Black Hat warrant some attention from CISOs as they look over the horizon. But when it comes to solid risk management, most organizations would do well to re-examine their entire IT infrastructure for solid footing in the fundamentals before they get too distracted by mobile security, some experts warn.
"I'm always excited about work done by smart, bright people in security, but it sometimes seems like the bright people in our industry tend to focus too much on the bleeding, cutting edge," says Marcus Carey, security researcher at Rapid7. "Have you ever seen a cat chase a laser pointer? That's how security researchers are. 'Oh, look! What's that over there? Oh, now, what's that over here?' That's where we're at with mobile."
The fact of the matter is that while many of the Black Hat discoveries and demos around mobile threats have a great degree of prescience, they might not have a whole lot of current relevance for the average organization seeking to shore up defenses against the common cybercriminal. As Carey explains, there's no reason for criminals to jump ship to mobile exploits just yet because they're still making a killing off of our traditional IT security failings.
"Attackers are robbing people blind right now. Why would they change their attack vector?" Carey says. "Right now it is really hard to get payloads that work [on mobile devices]. So why jump to mobile when it is harder to the nth degree, [and] when you already have this other stuff working?"
According to Carey, a recent survey conducted by Rapid7 found that only about 35 percent of users patch regularly. Another report out by McAfee in June showed slightly optimistic numbers -- showing about half of organizations are up on their patch management -- but even with these higher estimates, at least half of organizations don't even keep up with the basics of IT risk management. That makes it easy for attackers to keep using exploit kits like Blackhole, which depend largely on known vulnerabilities that could easily be remediated.
"We haven't nailed down the basic fundamentals yet. You have people [at Black Hat] that are not even patching going back to their organizations to say, 'Mobile security is so important,'" Carey says. "But then people are backdooring them every day because they're not patching."
Dave Frymier agrees. The CISO for Unisys believes any discussion of mobile security should start with the basic blocking-and-tackling of handling desktops and laptops. Or, if sports analogies aren't your thing, you have to start playing your scales before moving on to more complicated music, Frymier explains.
"You need to have up-to-date and managed antivirus and a comprehensive patching program -- not just for the Microsoft stuff, but for Adobe and the other applications you may have," he says.
That's not to say that Frymier believes in ignoring mobile risks. His team at Unisys has implemented a mobile security strategy and infrastructure to support mobile policies. But that strategy and those policies exist within a larger IT risk management framework. He urges his fellow security practitioners to start with step one of risk management when thinking about any IT asset, mobile or otherwise.
"You need to do a risk analysis; a real risk analysis where you sit down and you say, 'What are my assets and where are they? What are the vulnerabilities? And who would benefit by exploiting those vulnerabilities?'" he says. "Once you figure that out, then you can take a look at what you need to do to mitigate those risks. It amazes me how many companies haven't done that."