On February 28, 2018 the Federal Trade Commission (FTC) issued a report on security of Mobile Devices. The report focused on patch updates and their policies, risks for the complex ecosystem, and recommendations for improved security. The 136 page report can be found on the FTC.gov website.
A press release accompanied the report calls for more education for security of mobile devices. In the release, Acting Director of the FTC’s Bureau of Consumer Protection, Tom Pahl points to “significant differences in how the industry deploys security” and “that more needs to be done.”
The following is a high-level summary and commentary on this issue. In Teneo’s opinion, the lessons learned from this report apply to any wireless-enabled device, including consumer smartphones, corporate-owned devices, Internet of Things (IoT), watches, glasses and tablets.
Diverse Ecosystem with Complex and Inconsistent Security
Although the bulk of mobile devices are manufactured by eight global companies, there are a staggering amount of variations by platform, brand and carrier. All of these devices can be operating customized operating systems with little or no version control.
The FTC report points out “consumers can choose from thousands of different device-service combinations at a wide variety of price points.” However, these options come at the cost of security. “Operating system customization at the device level can prevent uniform security patch application, increase the time and cost to develop, test, and deploy security updates, and may lead to shorter update support periods and less frequent updates.”
Uncertain Security Updates
With such a complex ecosystem, security patches and updates are difficult to verify and control. The current environment relies on several stakeholders to be successful in performing their roles: developers, manufacturers, carriers and device owners.
All of these risk factors increase as the number of users on your network grows.
Time to Update
The FTC also looked at the support data from each device manufacturer. The report reaches a clear conclusion that “variation in update support periods is the norm,” adding that “about a quarter of the devices were supported for less than one year” and that “some devices are sold after update support has ended.”
The report goes on to look at the time to release a patch for a known vulnerability and finds, not surprisingly, that newer devices are patched faster than older devices. The more popular the device, the more quickly it is patched and, for new operating systems, “although many vulnerabilities were patched within 250 days, it took much longer to patch many vulnerabilities.”
This lack of certainty puts even the best security professionals in a difficult position. As one of the fundamental tenants of network security, you need to know and trust the devices on your network. How can you trust a device with these flaws?
Some of the risks the FTC’s report focuses on include:
Although these examples may seem like an inconvenience – and they are – they are a large and real threat for network security professionals. Compromised devices are the foothold the threat actors use to establish a presence, harvest information, gain intelligence on their targets, and identify their weakness. They may sell that information or deliver a payload that is customized for their target.
Although the report did not reference this recent incident specifically, the University of Virginia Heath System’s breach, was determined to be caused by physician devices that were infected with malware. This incident confirms the FTC’s security fears. Not only are the attacks happening, but they are going undetected for months, if not years.
The FTC makes several recommendations to improve the security of mobile devices.
The FTC’s report sheds good light on the issue of the Security of the Mobile Devices. For network professionals, this threat has been known, but it always something that was on the horizon. Today, that threat is on top of us and can no longer be ignored.
Before the original iPhone’s debut in 2007, most data was accessed by your endpoint, via your wire to your data center. Today, that same data is accessed via the cloud on a foreign network with a BYOD device. Mobile devices, cloud computing, and the perimeter-less networks demand different tools to properly secure the network.
Today’s network security professional demands the tools that can help identify and trust the device regardless of how they are accessing your data. These tools help regain visibility into the network so that the network is more secure.
What is your opinion? What steps do you secure your network with these security holes?
If you have any questions or need clarification on how to best secure your mobile devices (regardless of OS, manufacturer, carrier, owned or BYOD) reach out to me or your Teneo engineer for assistance.
About the Author: John Warnagiris is a Green Belt, PMP and the Senior Project Manager at The Teneo Group where he oversees Client Relations, Business Development, and Marketing. He combines his understanding of Six Sigma & PM along with 30+ years of practical leadership experience to help achieve their mission of securing the networks and data of their clients.
SAM is a series of kits that integrates hardware and software with the Internet. Combining wireless building blocks composed of sensors and actors con…
Artificial intelligence is changing the way businesses interact with customers. Facebook's announcement this week is just another example of how this …
In the upcoming webinar "Apache Spark: The New Enterprise Backbone for ETL, Batch and Real-time Streaming," industry experts will offer details on clo…
In a stunning new report by Carbon Black, "Hacking, Escalating Attacks and The Role of Threat Hunting" the company revealed that 92% of UK companies s…
To make 5G possible, everything will change. The 5G network will involve new antennas and chipsets, new architectures, new KPIs, new vendors, cloud di…