The Technology We Use Today

I’m not sure whether I should be scared about moving our mail, systems, access, and data sets to mobile devices. After all, we’ve been doing that on laptops for years. In my case, I’ve had the same laptop for four years, though I’ve gone through eight or nine phones in the same time, mostly due to accidents. Even so, that’s a heap of data “out there,” and it does not include the backup laptop, the assessment devices, the Apple iPad, and other systems that carry critical information. My gear is well encrypted or has other protections in place, but I’m the exception to the rule. For the most part, organizations allow personal devices, unencrypted devices, B2B clients, and all manner of other devices to connect to their critical information, often with minimal controls (or validation of those controls) in place. Furthermore, a lot of places still think this is “okay.”


The Weak Link

I’m a fan of the “Terminator” movies. You have to give credit to the Skynet concept: we, the humans, are still the weakest link in the information security chain. We are susceptible to influence (easily fooled), open to negotiation (bribed), incapable of remembering complex processes (passwords on sticky notes), and distracted (“Squirrel!”). We have trouble maintaining contact with our data sources (“Where did I put that phone?”), and, for the most part, we don’t fully grasp our surroundings.


It’s no wonder that the Skynet system decided to move on without us. If we were computer systems, we’d have been shelved years ago and probably replaced with a shiny new Apple MacBook. (They don’t get viruses, do they?) The problem is that during my time in IT, we have gone through two distinct cycles of data migration (centralize/distribute, centralize/regionalize) and are once again in the middle of heading to the distributed model of keeping our data all over the darn place in the cloud. (The cloud resembles the closets we had as teenagers. We shove everything in there, assume all’s well, and go out with the important stuff stuck in the pockets of our trousers, though today that stuff resides on a dozen unprotected devices.)


What, Me Worry?

Let’s take Skynet a little further. Let’s say that we are given a chance to “justify our existence” in the electronic world. There are potentially several criteria for being a good custodian; two are key. Are we responsible? Heck no; we can’t even manage to look after the data when it’s locked in a data center. How are we going to survive when the iPhones, Droids, and CrackBerries with all of our emails, passwords, and documents keep getting lost, stolen, misplaced, or flushed down the bog? Are we conscientious?

Good grief, no! We pride ourselves on passing audits and fooling auditors. I sometimes wonder whether we give a fig about the moral obligation to look after customers’ personal data, especially if it impacts the profitability of the company. We spend more time arguing about whether a breach should be disclosed than actually fixing the problem, and, as individuals “outside” the problem, we customers have become so oblivious to the actual issues surrounding security that the banks have removed all fiscal responsibility from us. The identities that are lost, stolen, or misplaced every hour barely make the news, and, if they do, we’ve seen so many of them that our reactions are muted.


Those who do care are typically owned, controlled, or managed by those who don’t. Those in power are influenced by the same groups or lobbyists whose job is to ensure we don’t care. If anything ever makes it as far as regulation, it becomes so watered down that it’s almost worse than useless. As humans, we pretty much suck as responsible guardians of anything data related. You can almost feel sorry for Skynet as it becomes “aware” and realizes we’re such a threat. If you want to argue, go ahead, but watch a couple of documentaries first. “Enron: The Smartest Guys in the Room” would be a perfect start.


Back to Basics

Let’s spend a moment on the basics we have in place today and see how those core elements translate into the portable, ever-expanding world beyond our desktops. We’re greeted in the morning with a password prompt to log into the computer. Eight characters and we’re done, unless you are part of the 5 percent who encrypt their machines (in that case, congratulations for being security minded and for remembering two passwords). At this point, the machine’s anti-malware program wakes up and begins its sentry duty, theoretically monitoring all ingress and egress points. We traditionally begin our day secure behind firewalls, intrusion detection and prevention systems, spam filters, data loss prevention, and all manner of other devices designed to protect us from the malicious world. It seems pretty safe.


However, in our current untethered world, I grab my portable device, enter a four-digit passcode (that’s probably the same as the PIN on my debit card), and start to surf the web and download mail, apps, and all sorts of other things without a care in the world. I do this with a Bluetooth device stuck in my ear, listening to the conference call over the free wireless VoIP network, thus bypassing every control known to humankind. (For those of you complaining about passwords, try typing eight alphanumeric and special characters while driving. If you haven’t crashed yet, you’ll be yelling at the IT team to amend the information security policy.) There’s something rather scary about the picture I’ve painted, but it’s repeated in offices, business parks, and homes all over the world. Yes, I’ve taken some of the images to the extreme, but we security professionals come across these scenarios daily, and the situation is not improving. We demand flexibility, connectivity, and ease of use from our mobile devices, and we want to avoid the constraints that are seen to tie down desktops and laptops. We are simply trying to do too much, with too little control, and this ambition is going to come back and bite us.


Fooling Ourselves

I believe we are frequently in situations where, for the most part, security is an illusion. We seem to think it is a good thing to pass compliance initiatives by fooling the auditors rather than using them as tools for change. We have more oversight than ever. We have more rules, regulations, policies, procedures, and controls in place than we know what to do with. Yet we are still being breached, losing data, and managing to make some pretty glaring mistakes. We demand more and more of our staff, and we expect them to be perfect. We throw more hardware at the problem, and we have monitors monitoring the monitored systems, producing all manner of reports that gather dust and fill up the shelves. Meanwhile, we continue along this path despite evidence that we’re heading in the wrong direction. My view is not that of a jaded and cynical security professional; it is the view of a seasoned leader of a team that typically breaks into and “owns” the client by lunchtime on the first day.


We are at a point where succeeding with a penetration test against an organization involves little more than gaining access to a single laptop, desktop, or portable device within the infrastructure, planting a trojan (via hardware or software), and getting out undetected. The problem is that with the proliferation of computing beyond the desktop, many of the targeted systems containing critical data (or access to it) no longer live behind the traditional locked doors that are guarded and managed. We can sometimes take out the core infrastructure of a targeted organization while sitting in a coffee shop. (If you think the coffee shop is a dangerous place, consider sitting on an airplane for three hours. I have a captive audience who will happily associate their devices with my “free Wi-Fi”: just you, me, and a password cracker for several hours.)


Let’s take a moment to think about the forensic world, which we enter when, eventually, something goes wrong. In the old days, a man in a suit arrived at your office, put on his latex gloves, and proceeded to do unfathomable things to your computers. These days the poor guy must chase around the building looking for laptops, PDAs, cell phones, smart devices, tablets, portable drives, and USB sticks. He invariably finds that half the equipment in question is at someone’s home, whereupon he’s dispatched to collect all the devices and probably image the home systems, because the company lets its employees use personal computers for corporate activities. He also must collect logs from every conceivable network and security device, and we won’t even talk about needing to image servers that reside “in the cloud” in a foreign country.


A Challenge

I’ve painted a pretty gloomy picture so far, and with good reason. We face a multibillion-dollar underground enterprise that operates solely to steal, launder, and resell the data we are trying to protect within the current (somewhat centralized) corporate and government environments. At the same time, we are embarking on a journey to disseminate that information, and the secured access to it, to the very edges of our control. We needn’t despair, however. We need to go back to the basics: the code (security as part of the software development life cycle, not an afterthought), the people (awareness training), and the policies, procedures, and controls we should have in place. We need to revisit what we missed the first time and fully implement the stuff we planned to do. If you don’t re-secure your systems for the sake of your company, the auditors, or your customers, then do it for my sake. On the first day of penetration testing I shouldn’t already “own” the directory and be sitting with the CFO’s credit cards in hand.


Do me a favor—make it a challenge.