A panel of security experts clashed today in a lively debate on the level of the mobile malware threat facing enterprises, but all predicted that risk will increase going forward as new generations of devices and services and new generations of employees enter the workforce.
Speaking at a panel debate – Hacking 2.0: Protecting Mobile Devices from Hacking – during the Infosecurity Magazine Winter Virtual Conference today, ISF senior research analyst David Clemente argued that the industry has hyped the risks associated with mobile malware.
He claimed that the majority of phones today couldn’t support malware without “degradation of performance,” making serious covert attacks highly unlikely. “Our best guess is it will take some time for this to change,” he added, pointing to the need for more powerful devices and faster networks.
Not everyone agreed.
ISACA researcher John Pironti claimed that there were already cases of serious threats, just not the kind of “botnet-type attacks” usually seen on the fixed web.
Instead, hackers work within the limits of the different mobile computing architecture to target elements like financial account log-ins, which they can then use for follow-up attacks elsewhere, he argued.
However, he did agree that “more generations are needed” before the true scale of the mobile threat can be understood.
(ISC)2 EMEA managing director, Adrian Davis, argued that although at present it’s more profitable to steal a phone and sell it off for its components than it is to attack one virtually, this will change with the advent of NFC and Apple Pay.
“It will take a couple of cycles before we see something perform the classic functions of malware on a mobile phone,” Davis added.
Users mustn’t forget the physical threat of a shoulder surfer cracking a user’s device log-in and then stealing the mobile, the panelists warned.
However, biometrics are as yet an unproven method of mitigating the risk of such a threat.
“It’s a joint responsibility conversation,” argued Pironti. “For ease of use, what are you willing to give up?”
He added that the controls in iOS and in Android – such as increasingly granular permissions and encryption capabilities – make BYOD mobile devices in many ways a more promising platform for solving corporate security problems than laptops ever were.
However, better user education is paramount, the panelists agreed.
“One of the key issues will be the new generation coming into the workforce. We have to change their learning behavior which they’ve had from the age of two,” said Davis. “That’s the real challenge. We’ll be working with a generation which uses a smartphone just like pen and paper.”
Oliver Lavery, head of research at Gotham Digital Science, promoted containerization as one promising model by which users could be educated to understand the difference between personal and corporate data.