Happy New Year – 2011 retrospective

So, as we open 2012: What were last year’s security challenges, and will trends continue this year?

2011 seemed to be a banner year for hackers (Sony, HBGary, Stuxnet, etc.), but was it really?

According to the stats at datalossdb.org, 2008 was far worse than last year, but that is a record of all data breaches, not just computer-related ones.  Still, I think the perception of attacks was up in 2011.

The increased attention can be a good thing.  The greater focus on security issues from media outlets put pressure on management to properly fund (or create in the first place) their security departments.  However, all too often, when money is thrown at an issue it ends up being spent on magic-bullet type solutions that don’t really address the core problems in an organization.

While we’re on the subject of security departments, something that will become a bigger issue for them this year is mobile security.  Over the past few years, this has been relatively straightforward.  The company issues BlackBerries, which are centrally managed through a BES (BlackBerry Enterprise Server).

However, companies are increasingly adopting a BYOT (Bring your own technology) policy, which makes security far more difficult.  I’ll use myself as an example, since my company has such a policy.

I can utilize my personal cell phone as my company phone.  I print my number on my business cards, include it in my email signature, and hook it up to my company’s mail server.  I submit my cell phone bill every month to receive a reimbursement up to the maximum amount set in the policy.

From a business standpoint, this has many benefits.  Employees are happier with their equipment, more likely to check and respond to work emails off hours, and IT has less inventory to keep track of.

From a security standpoint, this is far from ideal.  You have a myriad of different devices with different vulnerabilities connecting to your network, and you have no way to force settings down to them.  Apple offers some enterprise management tools for iOS devices, so they have a leg up here (apart from RIM, but they seem to be circling the drain).  You’d think Microsoft would have strong enterprise support tied into their mobile OS… and you would have been correct 3 years ago, but the more consumer-focused Windows Phone 7 is lacking in enterprise integration (there is very strong Microsoft Office integration, but remote management and VPN configuration are not there yet).  Android phones present a major challenge.  Because the core of the operating system is open source, each phone manufacturer and carrier has added their own tweaks, hooks and features to almost every Android smartphone.  There are solutions out there like Good (who also provide support for iOS devices), but these require a client app to be installed on every managed device, and compatibility may be an issue.

Smartphones and tablets are going to keep expanding their footprint in the enterprise in 2012, and their potential to be utilized as an attack vector will be explored.  How successful these attacks are, and how big the fallout will be, remains to be seen.
