The megatrend of mobility is a megatrend of the attack surface.
Mobility isn't just trending; it's megatrending.
By The CyberWire Staff
Jun 23, 2017

SINET's panel on mobility considered as a megatrend began with an arresting factoid: there are eleven times more phones sold on a given day than there are babies being born in the world. 

Bob Gourley, Partner and Co-founder, Cognitio Group, moderated the panel, whose members included Brian Collins (Chief Executive Officer, Adaptive Mobile Security), Rodger Desai (Chief Executive Officer, Payfone), Michael Murray (Vice President of Security Intelligence, Lookout), and Richard Rushing (Chief Information Security Officer, Motorola Mobility).

Those tech newborns Gourley et al. alluded to permeate the enterprise in ways that would have been difficult to imagine a few years ago. With the convenience and technological consolidation the smartphone represents—telephony, email, video, camera, music, browsing, authentication tokens, etc., and the millions of apps—it's not only an increasingly indispensable personal adjunct, but a default endpoint in the enterprise as well. The iPhone 7 is one-hundred-twenty-five million times more powerful than the computers used in Project Apollo. But these phones are also vulnerable, and they're appealing to the adversary: they typically carry more, and more attractive, data than does an individual's PC.

That also means, of course, that the mobile device is attractive to threat actors. Its commingling of the personal and professional makes it difficult to secure, and it increases the enterprise attack surface. We hear a great deal about Android malware and exploitation, but the panel was quick to point out that this is by no means exclusively an Android issue: iOS has its threat actors as well.

The panel saw the United States as "sleepwalking" through its mobile problems. The panel concluded with a rehearsal of some familiar security themes: use multi-factor authentication, make sure the carrier is secure, isolate and sanitize data, secure the browser, watch for abuse of trust (and attendant fraud) and, above all, control the device. That these points bear repetition is an index of how they're honored more in the breach than the observance.