The Brandeis GPS blog

Insights on online learning, tips for finding balance, and news and updates from Brandeis GPS

Tag: probability

So What Is the Risk of Mobile Malware?

By: Derek Brink

Originally from: https://blogs.rsa.com/risk-mobile-malware/

Obvious, or oblivious? Short-term predictions eventually tend to make us look like one or the other—as Art Coviello astutely noted in making his own predictions for the security industry in 2014—depending on how they actually turn out. (Long-term predictions, however, which require an entirely different level of thinking, are evaluated against a different scale. For example, check out the many uncannily accurate predictions Isaac Asimov made for the 2014 World’s Fair, from his reflections on the just-concluded 1964 World’s Fair.)

Art’s short-term prediction about mobile malware:

Chapa NO MALWARE2014 is the tipping point year of mobile malware: As businesses provide greater mobile access to critical business applications and sensitive data, and consumers increasingly adopt mobile banking, it is easy to see that mobile malware will rapidly grow in sophistication and ubiquity in 2014. We’ve already seen a strong uptick in both over the past few months and expect that this is just the beginning of a huge wave. We will see some high-profile mobile breaches before companies and consumers realize the risk and take appropriate steps to mitigate it. Interestingly, the Economist recently featured an article suggesting such fears were overblown. It is probably a good idea to be ready just the same.

The Economist article Art references (which is based on an earlier blog) asserts that “surprisingly little malware has found its way into handsets. . . smartphones have turned out to be much tougher to infect than laptops and desktop PCs.” (Ironically, the Economist also publishes vendor-sponsored content such as How Mobile Risks Are Pushing Companies Towards Better Security. I suppose that’s one way to beat the obvious or oblivious game: Place a bet on both sides.)

RSA’s Online Fraud Resource Center provides some terrific fact-based insights on the matter, including Behind the Scenes of a Fake Token Mobile App Operation.

But the legitimate question remains: What is the risk of malware on mobile? Let’s focus here on enterprise risks, and set aside the consumer risks that Art also raised as a topic for another blog.

Keep in mind the proper definition of “risk”—one of the root causes of miscommunication internet-security1among security professionals today, as I have noted in a previous blog—which is “the likelihood that a vulnerability will be exploited, and the corresponding business impact.” If we’re not talking about probabilities and magnitudes, we’re not talking about risk.

Regarding the probability of malware infecting mobile devices:

  • The Economist‘s article builds on findings from an academic paper published by researchers from Georgia Tech, along with a recent PhD student who is now the Chief Scientist at spin-off security vendor Damballa. Their core hypothesis is that the activities of such malware—including propagation and update of malicious code, command and control communications with infected devices, and transmission of stolen data—will be discernible in network traffic.
  • From three months of analysis, they found that about 3,500 mobile devices (out of a population of 380 million) were infected—roughly 0.001%, or 1 in 100,000.
  • Compare this to the computers cleaned per mille (CCM) metric regularly reported by Microsoft: For every 1,000 computers scanned by the Microsoft Malicious Software Removal Tool, CCM is the number of computers that needed to be cleaned after they were scanned. For 1H2012, the infection rates per 1,000 computers with no endpoint protection was between 11.6 and 13.6 per month.

All of this nets out to say that currently, mobile endpoints are three orders of magnitude less likely to be infected by malware than traditional endpoints.

But doesn’t this conflict with other published research about mobile malware? For example, I’ve previously blogged about an analysis of 13,500 free applications for Android devices, published in October 2012 by university researchers in Germany:

  • Of 100 apps selected for manual audit and analysis, 41 were vulnerable to man-in-the-middle (MITM) attacks due to various forms of SSL misuse.
  • Of these 41 apps, the researchers captured credentials for American Express, Diners Club, PayPal, bank accounts, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, remote control servers, arbitrary email accounts, and IBM Sametime, among others.
  • Among the apps with confirmed vulnerabilities against MITM attacks, the cumulative installed base is up to 185 million users.

In another blog, I’ve noted that mobile applications have a more complex attack surface mobile-appthan traditional web applications—in addition to server-side code, they also deal with client-side code and (multiple) network channels. The impact of these threats is often multiplied, as in the common case of support for functions that were previously server-only (e.g., offline access). This makes security for mobile apps even more difficult for developers to address—mobile technology is not as well known, development teams are not as well educated, and testing teams are harder to keep current.

Meanwhile, malware on mobile is indeed becoming more prevalent: Currently over 350,000 instances from 300 malware families. It is also becoming more sophisticated—e.g., by obfuscating code to evade static and dynamic analysis, establishing device administration privileges to install additional code, and spreading code using Bluetooth, according to the IBM X-Force 2013 Mid-Year Trend and Risk Report.

But threats, vulnerabilities, and exploits are not risks. What would be obvious to predict is this: The likelihood of exploits based on mobile malware will increase dramatically in 2014—point Art.

The other half of the risk equation is the business impact of mobile exploits. From the enterprise perspective, we would have to estimate the cost of exploits such as compromise of sensitive corporate datasurveillance of key employees, and impersonation of key corporate identities—e.g., as part of attacks aimed at social networks or cloud platforms, where the mobile exploits are the means to a much bigger and more lucrative end. It seems quite reasonable to predict that we’ll see some high-profile, high-impact breaches along these lines in 2014—again, point Art.

Obvious or oblivious, you can put me down squarely with Art’s prediction for this one, with the exception that I would say the risk of mobile malware is much more concentrated and targeted than the all users/all devices scenario he seems to suggest.

About the Author:

BA8D94F2924E634831C8CA3D8E7179C7477BBC1Derek E. Brink, CISSP is a Vice President and Research Fellow covering topics in IT Security and IT GRC for Aberdeen Group, a Harte-Hanks Company. He is also a adjunct faculty with Brandeis University, Graduate Professional Studies teaching courses in our Information Security Program. For more blog posts by Derek, please see http://blogs.aberdeen.com/category/it-security/  and http://aberdeen.com/_aberdeen/it-security/ITSA/practice.aspx

Footerindesign

Watch Your Language: How Security Professionals Miscommunicate About Risk

Author: Derek Brink

Original Post: https://blogs.rsa.com/watch-language-security-professionals-miscommunicate-risk/

What a joy it is to be understood! Yet many security professionals find it difficult to be understood by the business decision-makers they are trying to advise.

“They just don’t get it,” we say. And we grumble that our committed, faithful, and honorable efforts to protect the company and its assets are under-recognized, under-appreciated . . . and under-funded.

riskWe could try speaking louder, and more slowly—the comedic memes for how we instinctively try to communicate with someone who speaks a different language.

Of course, we could start trying to speak the same language. That would probably yield better results.

The way we talk about risk is a prime example of how we habitually miscommunicate. Security professionals mistakenly think they are talking about risk, when they are, in fact, talking about threats, vulnerabilities, and exploits. Some examples include

  • Phishing attacks: This is not a risk. It’s an exploit of a very common vulnerability (humans).
  • OWASP Top 10: These are mistakenly described as “The 10 Most Critical Web Application Security Risks,” but they are not risks. They’re vulnerabilities and exploits.
  • Advanced persistent threats: This isn’t a risk. It’s a threat. (Even when we get the name right, we get it wrong.)
  • Rootkits: This is not a risk. It’s a type of exploit.

As security professionals, we tend to go on and on, talking about threats, vulnerabilities, exploits, and the technologies that help to defend against them, and we think we’re talking about risk. Meanwhile, the business decision-makers we’re trying to advise are confused and frustrated.

So, what is the right language? What is risk?

Shon Harris, author of the popular CISSP All-in-One Exam Guide, defines risk as “the likelihood of a threat agent exploiting a vulnerability, and the corresponding business impact.” Douglas Hubbard, author of The Failure of Risk Management: Why It’s Broken, and How to Fix It, defines risk as “the probability and magnitude of a loss, disaster, or other undesirable event.” (And in an even simpler version: “something bad could happen.”)

To be very clear, it’s not that there are multiple definitions of risk, or that the definition of risk is unclear. It’s that we as security professionals aren’t speaking the right language. When we speak about security risks, we should be speaking about the probability of successful exploits, and the magnitude of the corresponding business impact.

Imagine yourself in the role of the business decision-maker, and imagine that your subject matter experts presented you with the following assessment of risks related to endpoint security:

  • Cleverly engineered stealth malware, rootkits, is designed to evade detection, and persists on endpoints for prolonged periods of time. And new strains of malware are targeting an area of endpoints that performs critical start-up operations, the master boot record, which can provide attackers with a wide variety of capabilities for penetration, persistence, and control. In both cases, we may already be infected, but not even aware.
  • There is a 15 percent probability that an endpoint security exploit will result in business disruption and productivity losses that may exceed $5M.

internet-security1Which of these would be more helpful to you in terms of informing a decision about endpoint security? (It should go without saying that this point could just as easily apply to managing identities and access, or data protection, or application security, or mobility initiatives, and so on. Endpoint security is just an illustrative example.)

Clearly, the second option is more helpful. And the second option is properly framed in terms of risk.

In no way does this guarantee what the actual decision will be. One decision-maker might conclude, “I approve your request to invest in additional endpoint security controls to reduce this risk,” while another decision-maker might conclude, “that’s a risk I’m willing to live with.” But that’s okay—as security professionals, we will have done our job.

By better understanding how to communicate about security risks, we will also enjoy the benefits of being better understood.

About the Author:

BA8D94F2924E634831C8CA3D8E7179C7477BBC1Derek E. Brink, CISSP is a Vice President and Research Fellow covering topics in IT Security and IT GRC for Aberdeen Group, a Harte-Hanks Company. He is also a adjunct faculty with Brandeis University, Graduate Professional Studies teaching courses in our Information Security Program. For more blog posts by Derek, please see http://blogs.aberdeen.com/category/it-security/  and http://aberdeen.com/_aberdeen/it-security/ITSA/practice.aspx

Protected by Akismet
Blog with WordPress

Welcome Guest | Login (Brandeis Members Only)