Could 2013 be the year we finally sort out security?

Locked-down mobile platforms can provide a more secure environment for ecommerce, but vendor attitudes and security processes must change

In a recent episode of a certain podcast, we discussed the idea that the new mobile platforms represent a once-in-a-generation opportunity to transform online security.

Whichever platform you pick -- iOS, Android or Windows Phone -- it's potentially a powerful combination. A known, limited range of hardware. An operating system where users don't have administrator access. A process for vetting and signing software before distribution to minimise the possibility of malware entering the ecosystem. And everything authenticated with a robust system of cryptographic keys.

It all made so much sense.

And then my dream was shattered by the realisation that all of this would have to be created by the vendors. None of them can be said to have a great track record when it comes to putting security ahead of their corporate interests. Nor, for that matter, honestly facing up to security problems.

Take Samsung's official statement on the recently discovered Android kernel vulnerability that affects most of its top-line products.

"The issue may arise only when a malicious application is operated on the affected devices; however, this does not affect most devices operating credible and authenticated applications," Samsung said.

The vulnerability isn't a problem unless someone is malicious? Well that's OK then. People walking alone in dark alleys are only at risk of being mugged if someone is malicious too.

I hope this idiocy simply reflects an unfamiliarity with security concepts on the part of Samsung's PR department, rather than the security awareness of Samsung as a whole -- though the hard-coded admin passwords in their network printers suggest otherwise.

But is Samsung's naivety better or worse than Apple's institutionalised denial?

As I wrote in May, Apple simply doesn't talk about security.

"For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available," says the Apple Product Security website.

Read that carefully. Apple doesn't even discuss an issue until they've patched it. Issues could exist, be known to Apple, and even be actively exploited -- but they won't tell you. Not even a suggested workaround. Nothing must tarnish the image of invulnerability.

At least Microsoft learned the hard way that true security requires a certain amount of honest communication. But with Windows Phone's market share down below 5 percent somewhere, they really do have security through obscurity. Who'd write malware for such small numbers?

I don't imagine any of this will be fixed in 2013.

Nor do I imagine that there'll be much improvement in our ability to take care of the security basics, whether that's patching software or managing passwords -- and in just the past few weeks I've experienced two password howlers.

When I organised a new mobile broadband account with Telstra, the password that gives access both to the 4G network and to the account management portal was emailed to me in plaintext.

And when fat fingers led me to lock myself out of my American Express merchant account, necessitating a password reset, Amex's helpful staff gave me a new password: "password1". At least they suggested I log in immediately and choose a new one. Yes. Good idea.

There are two lights on the horizon for 2013, though.

First, the Defence Signals Directorate (DSD) is getting praise for its "Catch, Patch, Match" strategy, which now lists application whitelisting as the number one item for defending against targeted intrusions.

Second, a security strategy called "measured risk reduction" is getting some attention.

Pioneered by the US Department of State, measured risk reduction involves using automated vulnerability reporting to measure the risk across the organisation's networks, and putting the different problems onto a common scale to create a simple metric that can be communicated daily.

Along with that daily metric, systems administrators are given one or two high-return security tasks, along with instructions, that can be done in the 20 minutes or so they can typically spend on security.
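To make the idea concrete, here is a small worked example of the two pieces just described: a common scale that turns scanner findings into one daily number, and a picker that hands an administrator the one or two highest-return tasks that fit in about 20 minutes. This is an added illustration, not the State Department's tool, the DSD's method or a SANS formula. The findings, the severity-squared weighting, the exposure multiplier and the time estimates are all constructed for the example.

```python
"""Measured risk reduction: one daily metric plus a short daily task list.

Added example; the findings, hosts, weighting and time estimates are
constructed assumptions, not any organisation's real data or formula.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    issue: str
    severity: float   # 0-10, CVSS-like base score (constructed values)
    exposed: bool     # True if the host is reachable from the internet
    fix_minutes: int  # estimated administrator time to remediate


# Constructed output of an automated vulnerability scan over a toy network.
FINDINGS = [
    Finding("web01", "unpatched web server", 9.8, True, 15),
    Finding("web01", "weak TLS configuration", 5.3, True, 10),
    Finding("db01", "default admin password", 9.1, False, 5),
    Finding("db01", "unpatched database", 7.5, False, 30),
    Finding("print01", "hard-coded admin password", 8.0, False, 5),
    Finding("ws07", "outdated browser plugin", 6.5, False, 10),
]
HOSTS = ["web01", "db01", "print01", "ws07"]


def risk_points(f: Finding) -> float:
    """Common scale for every finding (an assumed weighting, not an official one):
    severity squared, so one critical outweighs two mediums, and doubled when the
    host is internet-exposed."""
    return f.severity ** 2 * (2.0 if f.exposed else 1.0)


def daily_metric(findings, hosts) -> float:
    """Organisation-wide number for the daily report: average risk points per host."""
    return round(sum(risk_points(f) for f in findings) / len(hosts), 1)


def per_host(findings) -> dict:
    """Risk points per host, so the worst machines stand out in the same report."""
    totals = {}
    for f in findings:
        totals[f.host] = totals.get(f.host, 0.0) + risk_points(f)
    return totals


def top_tasks(findings, budget_minutes=20, max_tasks=2):
    """Greedy choice of the remediations with the best risk reduction per minute
    that fit in the administrator's daily time budget."""
    ranked = sorted(findings, key=lambda f: risk_points(f) / f.fix_minutes, reverse=True)
    chosen, spent = [], 0
    for f in ranked:
        if len(chosen) == max_tasks:
            break
        if spent + f.fix_minutes <= budget_minutes:
            chosen.append(f)
            spent += f.fix_minutes
    return chosen


def metric_after(findings, hosts, done) -> float:
    """What the daily metric would read once the chosen tasks are completed."""
    remaining = [f for f in findings if f not in done]
    return daily_metric(remaining, hosts)


if __name__ == "__main__":
    print(f"Risk metric today: {daily_metric(FINDINGS, HOSTS)}")
    for host, points in sorted(per_host(FINDINGS).items(), key=lambda kv: -kv[1]):
        print(f"  {host:8} {points:7.1f}")
    tasks = top_tasks(FINDINGS)
    print("Today's tasks:")
    for f in tasks:
        print(f"  {f.host}: fix '{f.issue}' ({f.fix_minutes} min)")
    print(f"Metric after today's tasks: {metric_after(FINDINGS, HOSTS, tasks)}")
```

With the constructed data the picker chooses the database's default password (five minutes) and the exposed, unpatched web server (fifteen minutes), which together use the whole 20-minute budget and more than halve the daily number. The point of the common scale is that an administrator is never asked to weigh "a printer password against a TLS setting"; the ranking has already been done for them.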

The adoption of measured risk reduction will transform security, says SANS Institute director of research Alan Paller. That sounds like an excellent plan for 2013.
