Ubiquitous Security – 2010 Brings Focus To Mobile Issues

It’s no secret that I have been focusing on wireless security issues over the past two years, and I have been very vocal about how ‘wireless’ is not limited to wireless LAN. We are approaching a turning point where securing organizations will require even more emphasis on ID management and access control to establish accountability for effective monitoring, thereby establishing metrics based upon sound measurement processes. Overall, the future challenge for governance will move from writing policy and pushing paper to sound statistical analysis (see more at securitymetrics.org), intricate log analysis, and stronger technical skills among security professionals. The introduction of mobile devices makes this even more challenging. Data leakage exploit issues in this new decade will focus (are focused) on mobile devices and spurious emissions from environments. These are two avenues of opportunity that attackers will exploit for gaining access to secure environments.
First, the research and results on spurious emissions are piecemeal at best, which means the opportunity exists across all environments – the next step is a matter of developing an exploit methodology, framework, or tool for such attacks. Probably done and operational right now. A lot of time has been given to attackers on this issue because the security community has hardly addressed it; a lot of time that attackers have available. Unfortunately, I believe in the coming months we are going to see the fruits of this attack vector development, with such attacks becoming a major issue within the next two years. More on this later.

Second, managing connectivity with ubiquitous devices will present the greatest challenge to access control and data leakage immediately. We are looking front and center at that issue as these lines are typed.
In an earlier blog posting I mentioned that the focus of my research in the first half of 2010 would be on mobile issues. This time around, in order to keep people engaged, I decided not to go off the deep end and create some RF circuits, pull out radios, spectrum analyzers, clustered cracking systems, document frequency hopping analysis tools, and all the other ‘technical’ stuff. Instead, I will start out at a high level and work a little deeper, revealing some insights as the research progresses.
To this end, last week I pulled out my favorite internet search and research programs – DEVONagent and DEVONthink – to compile some ‘high’ level reading material that addresses the security of mobile devices. The word ‘ubiquitous’ sounds so nice, free, and leaky, which is why I like to use the word when referring to enterprise mobile security. Overall, we are approaching an age of cell phone lock-down in enterprise environments. Exactly how those systems are locked down and how such lockdown methods align with the business objectives (that were the impetus for mobile device introduction) is going to tell a very interesting tale in the coming months and years.
Here is a nice little reading list of documents that address the mobile security issues. Some of the links are at bitpipe and such, so a registration and login may be required, but all have free access. Also, some are very vendor focused, but worth a read, especially the BlackBerry document by Research In Motion.
On ZDNet, this Forrester survey is a good place to start. “Firms Are Not Keeping Pace With A Twofold Challenge: Mobile Device Management And Security” is a section heading that is worth a read if you have any doubt about what is ahead. The meat of the report is on pages 7 and 8, but the conclusion is also worth a read. Basically, we need to manage mobile devices more like we manage personal computers, we need to secure this part of our environments immediately, and a mobile business strategy needs to be better defined.
Here goes.
Reference Document: Security Behind BlackBerry – A bit dated but not a whole lot has changed in BlackBerry security recently.
The Security Paradox – A McAfee document, but the statistics are interesting.
Mobile Security Report 2009 – Another McAfee document, but good information.
Maximum Damage Malware Attack in Mobile Wireless Networks – An attack design document. Heavy math, so don’t read in bed or late at night. Okay, okay, not so high level, but here it is.
Security Aspects In A Packet Data Network – A white paper that is worth a read.
Subverting the security base of GSM – I posted about this about a week ago when this was announced. It is a very recent research result, so worth a read.

Happy reading! If you have any comments, please post one. 73, 73s.
