Cybersecurity in the Age of Mobility

Cybersecurity experts at the CompTIA Tech Summit today shared a chilling scenario of the current threat level in the world of mobile devices and applications

"Right now mobile security is a pretty dicey place," said Andrew Hoog, chief investigative officer, viaForensics. "It's too much for an IT department to take on, but it's too big an issue to ignore. It's a massive hole."

"The numbers of users, devices and applications are massive," said Brian Contos, director, global security and risk management, McAfee. "We're seeing a lot more attacks in the mobile arena. Mobile apps are where it's at."

The attacks come from both criminal elements and nation states, according to Contos, and the reason is clear. Mobile devices typically combine both corporate and personal information, making it a much richer target. Because security has been a secondary concern, the threat model for mobile is significantly higher. The characteristics of the mobile app development world are both a blessing and a curse, speakers said.

"On one side, it's a security threat; and on the other side, it enables a lot of innovation," noted Allan Friedman, research director, Center for Technology Innovation at The Brookings Institution.

Many application developers "are not incented to write secure code," Contos offered. "They want to get the app out there as quickly as possible and create a patch later to handle any problems."

Security issues are made even more complicated by the proliferation of mobile devices with dual uses - personal and business. This trend has created some "pretty significant challenges" for organizations, Hoog said. For example, once a corporate email system is made available via remote access, virtually anyone with a mobile phone, tablet or other device can access the email system.

All is not gloom and doom, however. Hoog said it is possible to develop secure mobile aps, "it just takes a different mindset" on the part of developers.

Developing applications on native platforms and implementing a virtual desktop infrastructure are two tactics panelists identified as ways to make the mobile world more secure.

Re-education of the end-user also is needed, according to Contos. He noted that social engineering is still one of the easiest way to steal data, adding, "Maybe we can get a leg up by learning from what we screwed up on the Internet."