Mobile computing: The next Pandora's Box
Data security breaches, phishing attacks, fraud in financial transactions, information leakage, compliance-related issues, and large-scale attacks financed by, or sometimes even perpetrated by, national governments are currently the types of incidents that disproportionately capture the attention of senior management and information security professionals. Too much focus on well-publicized risks is, however, potentially counterproductive. New and potentially very serious security risks related to mobile computing technology, for example, are very much on the rise, yet for the most part they are being overlooked in real-life settings.

Mobile computing presents serious security challenges in part because mobile workers are physically removed from the immediate control of an organization's security staff. It would, for example, be relatively easy for employees to notice a colleague who let a non-employee, such as a child visiting on a "take a child to work day," use an organization-owned computer on work premises. The opposite is true when that employee is working at home. Furthermore, many security controls that are in effect when users connect to an organization's network from within the workplace are unlikely to be in effect when users engage in mobile computing while traveling or at home. An organization's network may, for example, have firewalls and network-based intrusion detection and intrusion prevention technology in place. If a user connects to the Internet via a wireless network at an airport, however, none of these controls may be in effect, at least for the initial leg of the connection. Networks to which mobile users initially connect are in fact often, if not usually, outside the control of the organization for which these "road warriors" work, something that elevates security risk considerably. The network could even be owned and operated by a competitor or by an attacker.
Mobile users also create new entry points into networks, entry points that may not have been anticipated when network security controls were designed, implemented and tested. Virtual Private Network (VPN) connections to an organization's network mitigate some of the risks, but they are by no means an "end-all" solution: a VPN protects only the traffic inside the tunnel, not a laptop that is probed or attacked by another host on the same airport or hotel network before the tunnel is established, and a split-tunnel configuration leaves the device talking to the untrusted network and the corporate network at the same time. Security maintenance activities such as installing patches and updates may also be thwarted when mobile users are connected outside the organization's network. When risks related to "shoulder surfing" are also taken into account, it is hard to conclude anything other than that mobile computing is becoming downright dangerous.

Of all the mobile computing-related security risks that currently exist, those related to lost and stolen laptops have received the most attention, almost certainly because missing-laptop incidents are often the most widely and dramatically publicized. Furthermore, the appropriate control measures for missing laptops, such as hard drive encryption and technology that remotely disables a missing laptop, tend to be concrete, understandable, and for the most part affordable.

I fear that too many infosec professionals do not realize that the meaning of the word "computer" has changed radically in recent years. "Computer" used to mean a server or a workstation such as a PC. A cellular phone or a remote communications device such as a personal digital assistant (PDA) was not considered a "computer" per se. In many cases this is no longer true. Today's smartphones are not merely phones; they can download, store, upload and transfer files, as can today's PDAs. A growing amount of business-critical information is now stored on these non-traditional computing devices. Viruses and worms can and do infect them. Attackers can remotely break into them to glean sensitive information. Many of these devices send sensitive information in cleartext.
The potential for denial-of-service attacks against these devices is also considerably higher than many infosec professionals realize. Worse yet, vendors too often do not inform customers of vulnerabilities in such devices, let alone develop patches for them. Yet critical business processes have become increasingly dependent on such devices. The problem is growing disproportionately because of the proliferation of mobile technology and its many uses to individuals and organizations. It is time for infosec professionals to wake up to the associated security risks. There is no quick fix, but a good start would be to at least expand the scope of risk assessments to include mobile computing, covering the smartphones and PDAs that now hold business data as well as laptops.