I spend a great deal of time on global security programs where the focus is beyond the bits and bytes (finally) and includes the people and process side of the equation surrounding information security. One may argue this has always existed when looking at the regulations and standards we have built our compliance programs around. I would politely point out that this is not always the case, and not to a sufficient level.
A common challenge in the security world is that a lot of bad can and does happen online. The only difference between what scares people from one day to the next lies in what is being focused on. Exposed emails, financials leaked on torrents, or simply the acronym APT are not as new as they appear. What is substantially new is the emerging device universe and the consumerization of tools beyond and into the enterprise.
These devices not only introduce entirely new platforms with application risks, but the manner of handling the traffic and the data itself is also different. A bit of an example to clarify:
In the late 1990s web browsers and websites allowed fields that went unchecked by the server – why? Well, there was no reason anyone would send a bazillion letter ‘A’s, or would type in SQL statements that might interfere with the database backend, right?
Switch to 2011, and with smartphone devices we have new platforms and a model where assumptions about what users will do are being built into the applications and interfaces. It is a given that we are wiser today on these points, but with the release of new code and applications the level of complexity increases rapidly on each device and technology ecosystem. The consequences of these individual applications interacting on the same device have yet to be realized.
Another point of view: what happens to the data being handled by the service provider? As organizations switched to mobile sites, third-party systems were used, but those are being pushed aside by custom-built and iOS-type applications. As was highlighted in a nice little post by Dan Wallach – not all communication settings are adhered to for every device and every channel (his example: Android and Facebook).
There is an immense opportunity to reduce current and future difficulties by reflecting on the past and putting the correct safeguards in place today – completely. Coverage is key – without it, we are just plugging holes and hoping others don’t look at the remaining ones.
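To make the "unchecked by the server" point concrete, here is an added example (not from the original post): a lookup handler that pastes a form field straight into its query, beside one that bounds the field's length and binds the value as data. The table, rows and the 64-character cap are constructed for the example.

```python
import sqlite3

MAX_FIELD_LEN = 64  # server-side cap on the field; value assumed for this example


def make_db():
    """Build a throwaway in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("O'Brien", "ob@example.test")])
    return conn


def lookup_unchecked(conn, name):
    """The late-1990s pattern: the field goes straight into the query text."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_checked(conn, name):
    """Server-side checks: bound the length, then bind the value as data."""
    if not isinstance(name, str) or len(name) > MAX_FIELD_LEN:
        raise ValueError("field rejected: oversized or wrong type")
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def demo():
    """Run both handlers over the same two inputs: a legitimate name with an
    apostrophe and a 10,000-character run of 'A'. Returns either the rows found
    or the name of the exception raised, keyed by (handler, first character)."""
    conn = make_db()
    out = {}
    for label, fn in (("unchecked", lookup_unchecked), ("checked", lookup_checked)):
        for name in ("O'Brien", "A" * 10_000):
            try:
                out[(label, name[0])] = fn(conn, name)
            except (sqlite3.OperationalError, ValueError) as exc:
                out[(label, name[0])] = type(exc).__name__
    return out


if __name__ == "__main__":
    for key, result in demo().items():
        print(key, result)
```

The unchecked handler silently accepts the oversized input and breaks on a perfectly ordinary surname, while the checked one rejects the former and serves the latter.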
A bit broad, but I look forward to challenges and alternate perspectives,
James DeLuccia IV