There is a cartoon where the two characters are out to take over the world. One character, reminiscent of a Dr. Frankenstein, has a new and increasingly complicated scheme in each episode. His sidekick, sort of like Igor, goes along enthusiastically. The plots, of course, always fail. They could have achieved success if they had built their nefarious plans around mobile devices. Why? Social media.
The explosion of social media has done several things. It has emboldened folks who would like to do harm and do it as invisibly as possible. The social media platforms offer a fluid venue populated with users who either don't know or don't care about security. In fact, many social media users feel that security impedes their process.
While it has given businesses a way to keep in contact with customers and potential customers for pennies instead of tens of thousands of dollars, it also has provided a marketplace for applications that can be written and sold without any concern for their impact on users. I have heard knowledgeable people offer the opinion that app stores are the single most successful source of malware on the internet.
Whether all of that is true and the sky really is falling or it's just the ranting of over-zealous security practitioners doesn't matter. However you explain, characterize and justify it, the internet has become a fertile field for the bad guys. The level of naïve trust exhibited in social media is, in my view, unprecedented in the history of mass communications.
"New endpoints join the network constantly so there needs to be a method of provisioning them."
The problem, beyond the obvious possible impact on Joe and Jane User, is that these nice folks probably either work for a living or are associated with people who do. The “harmless” use of social media spreads throughout the internet and cares little if the participants are Joe and Jane or the Massive Big Company. They're all swimming in the same pond and they all are susceptible to breaches that involve social media use.
And how do most people use social media? Mobile devices. These are the same mobile devices that store personal photos and music, give users access to email, connect to such unsecure locations as file-sharing site Dropbox and its ilk, and store copies of business documents for convenience. So, that is what this month's first Group Test is all about. We will look at four of the best tools for managing the security aspects of mobile devices by enforcing security policies.
It is foolhardy to expect a bring-your-own-device (BYOD) policy to succeed – as with any policy – without a means of enforcing it. This month's first group of products helps you do that and, by extension, helps you overcome the risks associated with combined personal and business use of the same mobile device, increasingly a device the organization does not own.
For our second group test, we examine the endpoints. Endpoints are pretty straightforward, right? Usually they are desktop or laptop PCs or Macs. That was then, though, and this is now, and those device limitations are largely old school. Today just about any device can be an endpoint depending upon how it is used. That means that those PCs and Macs now have servers, mobile devices and (don't forget the latest buzz-term) the Internet of Things as bedfellows. They all are endpoints and all need some form of security. Add such devices as SCADA components and things start to get even more tricky.
But I'm getting ahead of myself. Why the emphasis on endpoint security in the first place? The way we build networks these days is quite different from the way we used to build them. The extent of distribution of devices on the enterprise is unprecedented. The perimeter has become so porous as to be almost transparent in some cases. Market forces have forced organizations such as banks to do things that we never would have thought of in years past. For example, the idea of allowing users to access the internals of the network in a bank was unheard of. Today we take pictures of checks and deposit them. We log into online banking systems and access backend databases. The slightest coding error in front-end web interfaces can spell unauthorized access to the backend.
Banking systems are by no means the only targets. Patient monitoring devices in hospitals connect to the hospital networks and if the network is vulnerable so, potentially, are they. So the definition of an endpoint is a bit fuzzy around the edges these days. The old tried-and-true endpoint protection methods are not adequate. Fortunately, current systems are updating almost as rapidly as the devices they must protect. Even pure endpoint protection often is not enough, though, so we are back to our old mantra of defense-in-depth.