Don't Become Cats Chasing Mobile Security Laser Pointers

Mobile device security threats are certainly real and the exploits demonstrated last week at Black Hat warrant some attention from CISOs as they look over the horizon. But when it comes to solid risk management, most organizations would do well to re-examine their entire IT infrastructure for solid footing in the fundamentals before they get too distracted by mobile security, some experts warn.

"I'm always excited about work done by smart, bright people in security, but it sometimes seems like the bright people in our industry tend to focus too much on the bleeding, cutting edge," says Marcus Carey, security researcher at Rapid7. "Have you ever seen a cat chase a laser pointer? That's how security researchers are. 'Oh, look! What's that over there? Oh, now, what's that over here?' That's where we're at with mobile."

The fact of the matter is that while many of the Black Hat discoveries and demos around mobile threats have a great degree of prescience, they might not have a whole lot of current relevance for the average organization seeking to shore up defenses against the common cybercriminal. As Carey explains, there's no reason for criminals to jump ship to mobile exploits just yet because they're still making a killing off of our traditional IT security failings.

"Attackers are robbing people blind right now. Why would they change their attack vector?" Carey says. "Right now it is really hard to get payloads that work [on mobile devices]. So why jump to mobile when it is harder to the nth degree, [and] when you already have this other stuff working?"

According to Carey, a recent survey conducted by Rapid7 found that only about 35 percent of users patch regularly. Another report out by McAfee in June showed slightly optimistic numbers -- showing about half of organizations are up on their patch management -- but even with these higher estimates, at least half of organizations don't even keep up with the basics of IT risk management. That makes it easy for attackers to keep using exploit kits like Blackhole, which depend largely on known vulnerabilities that could easily be remediated.

"We haven't nailed down the basic fundamentals yet. You have people [at Black Hat] that are not even patching going back to their organizations to say, 'Mobile security is so important,'" Carey says. "But then people are backdooring them every day because they're not patching."

Dave Frymier agrees. The CISO for Unisys believes any discussion of mobile security should start with the basic blocking-and-tackling of handling desktops and laptops. Or, if sports analogies aren't your thing, you have to start playing your scales before moving on to more complicated music, Frymier explains.

"You need to have up-to-date and managed antivirus and a comprehensive patching program -- not just for the Microsoft stuff, but for Adobe and the other applications you may have," he says.

That's not to say that Frymier believes in ignoring mobile risks. His team at Unisys has implemented a mobile security strategy and infrastructure to support mobile policies. But that strategy and those policies exist within a larger IT risk management framework. He urges his fellow security practitioners to start with step one of risk management when thinking about any IT asset, mobile or otherwise.

"You need to do a risk analysis; a real risk analysis where you sit down and you say, 'What are my assets and where are they? What are the vulnerabilities? And who would benefit by exploiting those vulnerabilities?'" he says. "Once you figure that out, then you can take a look at what you need to do to mitigate those risks. It amazes me how many companies haven't done that."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.