'Diversity of different devices within enterprise networks is a major challenge'

by Dominic K    Dec 02, 2011

Statistics indicate that attacks on mobile platforms are rising rapidly. This poses multiple major threats to enterprises across the globe as they migrate multiple enterprise applications to mobile-based platforms. Timothy Armstrong, Regional GReAT Researcher, Kaspersky Lab, spoke to Dominic K on how CIOs should address such complex challenges within their enterprise.

[Q] The second half of 2011 has been an active one for cyber criminals, who have been increasingly looking for chances to set up new scams in the mobile device environment. This is also due to the rise in Mobile Devices on Android platform. How deeply has this affected enterprises in India? Where do you see it heading?

It’s difficult to tie the effects of mobile malware to a particular region, as the tracking mechanisms we are accustomed to using for Windows Desktop malware are still in their infancy for mobile devices. We expect to see mobile malware increasing in sophistication and complexity as cybercriminals start to focus more effort on creating this platform. We also expect the dramatic increase in volume to continue.

[Q] The Android platform has finally established itself as the most popular for mobile malicious programs, overtaking other platforms as well as “generic” Java malware. How according to you should enterprises address this issue?

Currently there are very few ways for enterprises to enforce policies that may be common on other devices within their infrastructure. Android represents a unique challenge. Administrative tracking and controls do not yet exist for this platform in any common style. An organization must create strong user policies to control how these devices are used, and what is and is not acceptable, and then strictly enforce these rules. At this point technology offers few solutions.

[Q] What are the key trends and challenges you observed for enterprise CIOs in 2012? How, according to you, should they address the same? Will CERT in every organization help?

I think that the diversity of different devices within their network is a major challenge. Technical departments are required to learn to secure a lot of dissimilar hardware, and this presents a large learning curve as well as a greater requirement for budget. Gaining this budget from upper management can prove difficult as it is not always easy to explain the necessity. CERT can provide some level of assistance, but the solution exists across many resources.

[Q] What are the various factors and parameters that drive the malware economy? Where does India stand?

Malware is driven strictly by profit. India is no different in the eyes of mass malware creators. Any economy is worth attacking for the bad guys. One of the unique challenges we often see is that the creators of malware are attacking countries that may not be very friendly with the country where the malware authors live. In the absence of a cyber-interpol, prosecuting these individuals becomes terribly difficult.

[Q] Malicious programs are increasingly getting sophisticated with various complicated attack vectors and blended attacks specifically targeting large enterprises such as banks and telecom. How do you suggest CIOs could address and mitigate them?

Often the most serious breaches occur in companies that are not following some of the most basic security advice. At the lowest level, companies should be employing a strategy of both offensive and defensive security. There should be a schedule for updates, testing, penetration testing, employee education, etc., to verify the security of important company assets. Companies need to clearly define who has the responsibility for successfully carrying out each step, as well as a response plan for the failure of any step. This includes everything from disaster recovery to public relations.

Even when all of these steps are undertaken there is still the threat of a sophisticated targeted attack. However, if companies have a strong plan of defense in place, the bar of entry is raised significantly, and the chances of proactively detecting these types of intrusions are greatly improved. There’s no excuse to be compromised via a simple web attack because basic security procedures were overlooked.

[Q] Security is only as strong as the weakest link, in this case, human beings. The same can be addressed only by training and awareness programs. Where does the Indian CXO stand with regard to security awareness and initiatives?

I do not have a definite answer to this question (specific to India). Globally, user education is not funded or carried out appropriately. However, it is unfair to place so much responsibility in the hands of users. While it is important to have a strong education initiative, much must be done to leave as few security decisions as possible to end users. It’s unfair and unrealistic to expect them to make security decisions that can affect an entire organization when it’s not their role. It’s far better to spend the resources available to better secure and detect any incoming threats as quickly as possible, before they end up in the hands of end users.