Mel Gibson had it easy. The star of the Mad Max cult movie series could at least see his enemies approaching, so he knew just what to do to keep them at bay. And, the second film of the series, titled Road Warrior, helped spawn the descriptive term for business people who travel a lot.
For today’s road warriors, no longer armed just with a laptop but also with mobile phones, tablets and a growing array of personal “smart” technology, the threats can be hard to detect, harder to anticipate and well nigh impossible to completely fend off. Indeed, experts paint a grim picture of potentially expanding vulnerabilities. Of course, in truth, we’ve seen this movie before in the form of the learning curve provided by personal computers and the early years of the internet. We are all older – and potentially at least, wiser.
One element of the threat is simply volume. As TJ Keitt, a senior analyst at Forrester Research, points out, the more locations from which an individual works, the higher the rate at which they use multiple devices. “Someone who is deskbound doesn’t use the technology at the same rate as someone who works from three or four locations,” he says. “As they shift context, they try to use the device that best conforms with their needs in that situation.”
In addition, Keitt notes, personal technology devices – such as those from Fitbit (activity trackers, wireless-enabled wearable devices that measure data) – have the potential to further complicate the challenges of staying secure. For the moment, though, Keitt says most of those technologies are “connected” but not yet too intelligent. So, hacking them is not yet likely to prove rewarding to the bad actors.
However, even with the existing spectrum of intelligent devices – phones, tablets, and laptops – there’s plenty to keep security professionals busy. “Individuals care about secure practices up to a point, but that concern is often sublimated to concerns about accessibility and convenience,” says Keitt. Thus, if a business cares about keeping applications and data secure, it is up to them to do the work. Individuals won’t.
Michael Finneran, principal of dBrn Associates, an advisory firm, says for organizations with a mobile workforce, the greatest security concerns relate to the increased vulnerability they cause for corporate data and systems. In his view, organizations need to first define their objectives (e.g., increased employee productivity and satisfaction, lightening carbon footprint, allowing work flexibility for families, etc.) and then identify what platforms they will support (e.g., Windows, OS X, iOS, Android, Windows Phone, BlackBerry, etc.). Then they need to delineate the potential threats and design protection measures for each of them on all supported platforms. “That can be VPNs, SSL, secure RTP for voice, MDM systems for mobile operating systems, and anti-virus – the whole nine yards,” he says.
As a first step, says Finneran, organizations should develop an overall strategy for telecommuting that defines who can participate, how often they must come into the office, how they will keep in sync with co-workers and managers, and what kind of equipment and work environment should be required. “As part of that planning, the security plan should be developed…and there should be ongoing monitoring and assessment as part of the program,” he says
Like Keitt, Finneran dismisses the immediate threat from wearables. However, Tyler Shields (left), Forrester’s senior analyst for mobile and application security, says that those new technologies, also referred to as the Internet of Things (IoT) is complicating the challenges for security.
“Wearables are mobile devices in many ways but they are more embedded and are changing the threat landscape,” Shields explains. Not much consideration has gone into the manufacturing of IoT devices and its software. “Within the IoT of embedded devices, protocols are mostly wide open and all of a sudden security is a real issue. In effect we are taking steps backwards so people can relearn the lessons of the past,” he says.
And, Shields suspects that road warriors will be among those to quickly adopt wearable technology. Echoing Keitt, Shields says not all IoT/wearable technology will pose a threat. The targets will be some devices – such as wristbands that automatically authenticate the user to other devices – because those attacks can be monetized.
However, the security industry is paying attention. Shields says IoT vulnerabilities have already been a big topic at Black Hat. “IT has gone through the necessary thinking but the people involved with IoT haven’t experienced the software exploits of the past,” he says. Still, those lessons are accessible. When combined with some of the “hype” about IoT vulnerabilities, Shields believes the organizations creating the IoT will come up to speed quickly. “Now it is really mostly a matter of educating them about secure processes and secure design, he says.
Still, the overall picture for mobile security remains worrisome. “We face a clear growth in malware, and operating system flaws will continue to be a problem,” Shields says. On the other hand, he notes improved MDM capabilities and stronger products from secure network gateway vendors as plusses on the report card.
Of course, technology is only part of the picture. How and where technology is used is just as important. Darren Hayes, assistant professor and director of cybersecurity at Pace University, says while the Snowden revelations have heightened awareness of U.S. government spying, it is by no means just within these borders. France and Spain are very active in phone surveillance and even tracking visitor’s highway travel. He points out that many vulnerabilities, including some of the biggest, are connected to governments or government-sponsored hackers. “When you travel to a country like China or Russia, very likely the quick inspection of your laptop or phone conducted at the airport is actually an imaging of the device using special hardware,” he says
Some hardware should also be suspect, including some computer and telecommunication products manufactured in China, most likely with the complicity of the People’s Liberation Army. “Most western governments won’t use Lenovo laptops, for example, and they may be right,” says Hayes. Other similar perils potentially afflicting users, mobile or not, are the use of free anti-virus software. For example, Hayes says the free version of Kaspersky should be adopted with caution because “there is reason to believe the company is backed by the Russian government,” he says.
Finally, there are now known vulnerabilities with devices such as Cisco routers and with certain encryption algorithms. Another persistent issue is Heartbleed – the security bug in the OpenSSL cryptography library, which still has wide impacts.
Although Hayes (left) does not yet see threat vectors involving wearable technologies, he does see Bluetooth as a continuing source of concern and says it should be a point of focus for security efforts. “Bluetooth 4.0 allows you to be monitored by beacons that are used for commercial purposes, for example by retailers to offer special deals. However, that can also be used to track the movement of people,” he explains.
Steps to take
Hayes says there are some specific steps organizations can take now to protect themselves and their mobile workers. One of them is adopting Pretty Good Privacy (PGP) data encryption and decryption software to provide cryptographic privacy and authentication for data communication – or the similar GNU Privacy Guard (GPG), which is a free version of the OpenPGP standard. It may not solve all of the road warrior problems but it is a good start, he notes.
Additionally, Hayes suggests adopting some of the secure tools increasingly adopted by journalists, including SecureDrop, an open-source software platform for secure communication originally designed and developed by Aaron Swartz and Kevin Poulsen under the name DeadDrop.
Bluetooth, however, remains problematic. “I recommend that organizations encourage people to disable Bluetooth,” says Hayes. And never use “free” anything. USBs handed out as tchotchkes at tradeshows often contain problematic programs if not actual malware.
“I don’t even trust some of the supposedly legitimate free apps because they can also make use of your machine in ways you don’t expect,” adds Hayes. “Any company that claims to be concerned about a secure infrastructure has to pay attention to these issues if it is going to protect its business travelers,” he adds.