Mobility Moves Faster than CSOs

December 16, 2015

Alice begins her workday staring at a white wall in order to get the best resolution with her smarteye. The smarteye contact lens projects light into her retinas, which gives the best contrast against a colorless background. Midway through reading the morning news blogs, she receives a gentle tap from her outdated smartwatch. The tap indicates her IoT coffee maker received the trending brew formula from a cyber roaster and has completed its automated task.

She brings a 3D printed mug to her lips for a sip. The mug was fabricated at home thanks to a popular online maker space selling their STL (STereoLithography) files. Alice notices the temperature is off and remembers to recalibrate the coffee maker using an app in her smarteye. Another gentle tap from the smartwatch and Alice is reminded that her manager’s conference call begins in 5 minutes.

Quickly snapping her Samsung Galaxy S11 into an Oculus Gear VR, Alice is almost ready for the meeting. Her smartphone knows how to join the conference call, but waits for Alice to mentally visualize her key image. Now authorized to act on Alice’s behalf, the smartphone joins the meeting. Her colleagues’ predefined profile avatars come into mental visual clarity. Alice begins receiving thoughts of salutations and welcome from her colleagues. Bob arrives late and thinks to everyone, “Please authenticate your attendance.”

Members of Bob’s team touch the metallic tab on their smartphones in order to authenticate, while simultaneously thinking of the key image he sent to join the meeting. The last person authenticates and Bob thinks, “We almost had a breach last night, but the Sentries were able to block it. What can we do next time to detect the attack before it reaches the Sentries?”

Will the future of mobile security be something similar to the story above? This might be about as fantastic as some of the October 21st, 2015 futuristic technology examples found in the popular “Back to the Future 2” movie. A difference between the two stories is that most of the examples in this article are either available today, under development, or could be available with some additional research.

Mobility and CoIT (Consumerization of IT) have forever changed our personal and work lives. The changes will continue until the mobility version of Moore’s Law eventually comes into effect. We are living in an exciting time as innovation continues to make improvements upon what already has been improved upon. How will rapid innovation affect the decisions of CSOs in 2025?

Looking at where we are today with technology, while adding in some recent and not so recent research and development, we can speculate about future technology and its security compliance implications.

Future Today

We are already having virtual meetings daily. Participating in a virtual meeting on a smartphone is fairly close to that of a 13” or greater display. Being the presenter from your smartphone (or smartwatch) still requires some additional effort.  

A company named Oculus is shaping the future of the virtual meeting. Today, you can purchase an Oculus Gear VR and snap in your Samsung Galaxy Note 4, S6 or S6 Edge for a fantastic gaming experience. Multi-player gaming is just one step away from the virtual meeting Alice attended.

The CSO of 2025, much like today, will need to ensure that all participants in the virtual meeting are genuinely invited and have designated permissions in the meeting that they require.

Speed on the Internet is good. Speed further enables mobility… even more good. Today, the city of Chattanooga, Tennessee in the United States has 1 Gbps Internet speeds going directly to 150,000 businesses and homes. For about a decade, EPB, Chattanooga’s community-owned electric utility company, has been laying down a 100% pure smart grid fiber optic network, completed in 2010. Parlaying the new smart grid infrastructure, EPB is now capable of offering 10 Gbps fiber in the home office with prospects of 1 terabit per second (1 Tbps) by 2030.

This is concerning because with greater bandwidth comes greater responsibility. The CSO of 2025 will have little room for error when it comes to implementing their endpoint protection strategy. Users will be enabled to download and store (locally) much greater quantities of data; therefore, breaches will result in larger and faster data dumps. Torrents will transit much more quickly, so dissemination of protected information will be unstoppable. Couple that with zombie machines having the ability to open more connections for even stronger DDoS, spam, and other attacks, and the foundation will be laid for massive breaches with unmeasurable effects.

Ready to relocate to Chattanooga?

Commerce is another point of interest for the CSO of 2025. The way we are transacting business is changing rapidly. This month was expected to bring increased adoption in the United States of EMV (Europay, Mastercard and Visa) chip-and-PIN for credit card transactions. According to an article by Ian Kar from QUARTZ, standing at the POS (Point of Service) terminal for an extra 20 seconds is swaying consumers toward mobile pay systems. Are we that busy? Retail CSOs might actually be able to breathe a little easier here because none of the mobile pay transaction data is supposed to contain PCI (Payment Card Industry) data.

At least we hope.

Note: The Internet enabled coffee maker (IoT), smartwatch, and 3D printer were intentionally omitted to keep this article brief.

Future Tomorrow

In 2014, ExtremeTech reported on Google’s patented design for smart contact lenses. Yes! We are on the cusp of wearing tech that has direct contact with our eyes!! Some folks might be recoiling at the idea of putting on contacts to get to work. I can relate. I choose to wear glasses in lieu of contact lenses, but I’m open to a change if there is enough of a benefit. Imagine the security ramifications!

Whenever someone enters a facility that provides public services such as water works or energy, or one that requires a high level of security clearance, that individual will need to be scanned for tech on their eyes. What could they record or be transmitting to a collection site from their eyes? The hacking community will engineer a countermeasure to avoid detection and then the cat and mouse game begins.

Alice and her colleagues provided the majority of their input utilizing brainwaves. This might sound like it’s way, way off into the future, but it’s not. I personally enjoyed the experience playing a mental input-based game during a MobileIron customer appreciation dinner at this year’s Mobile First Conference. The game was incredible!

Brain-to-text research is already underway, including a journal article published in June, 2015 titled “Brain-to-text: decoding spoken phrases from phone representations in the brain.” 

A company named BrainGate, whose slogan is “Turning Thought into Action,” has clinical trials for individuals with tetraplegia. Imagine how much more enriched the global society will be when we can interact with people on the Internet who never tapped a letter on a keyboard.

Then again, thinking in the scope of 2025, with technologies such as brain-to-text or even brain-to-brain there is the possibility of a critical software vulnerability. An exploit written for said vulnerability will potentially give a malicious individual the opportunity to have the upper hand during contract negotiations, a job interview, or even worse…dating!

Future in Time

When Alice tapped the metallic edge of her smartphone to authenticate into the virtual meeting, what was she doing? She performed authentication using imaginary technology very similar to what a company called Yubico manufactures. The YubiKey products are very interesting because there is a small form factor USB key (12mm x 13mm x 3mm, 1g in size) with a metallic tab. The idea is that the YubiKey stays in your device and you tap the metallic authentication tab with your fingertip to gain access to email, files, LastPass, websites, etc. using a secure static password, FIDO U2F, OTP, OATH, PIV-compliant smart cards, even OpenPGP, an email encryption standard. Presently, Yubico does offer one key model that supports NFC (Near Field Communication) MIFARE for smartphone authentication.

Assume that, in time, Yubico may have integrated authentication built into smartphones coming out of its R&D labs. Think of the increased levels of security on mobile devices if this were to become reality. Given enough time, security researchers could find a way around the most commonly used security controls for device authentication. We love our pocket-sized computing devices, but communication speeds still leave much to be desired.

We know the connection point between a device and its owner has room for enhancement. Properly implemented mobile security utilizes certificate-based authentication for many of the connection points between systems. Imagine when our devices make a leap into quantum computing. How will that affect speed and security?

In time, networking communications will go faster using teleportation. On September 22, 2015, NIST (National Institute of Standards and Technology) researchers successfully teleported quantum information using light within 100 km of optical fiber. This is different than science fiction teleportation to the planet’s surface because quantum teleportation utilizes photons to transfer encoded information in quantum states of light. Consider this as bringing us closer to having quantum PKI and quantum communications offering the possibility of unbreakable encryption, at least at first.

NIST provided an infographic to help illustrate how quantum teleportation works.

Proactive Planning

While it’s important for today’s CSO to keep current security requirements top of mind, mobile security of the future is already creeping into our daily lives. What do you do when future technologies become science fact? The following are some items to consider and put into practice.

  • Educate your team about mobile security weaknesses and how the technology can be misused by following the findings of mobile security researchers. 
  • Partner with your Enterprise Mobility Management provider to understand where they are supporting the emerging technologies, including your timeline for production. Equally important, understand which emerging technologies they are supporting, and why.
  • Be ready to apply mobile security processes and controls from the EMM to prevent data loss. Basic mobile device management features will most likely not be enough for optimal compliance.
  • Create a mobility task force. Include at least one stakeholder from Information Technology, Information Security, Business units, Executive team along with any other departments that would be relevant to your organization.
  • Establish a Proof of Concept lab deployed for vetting the viability of cutting edge technologies.
  • Utilize your newly created mobility task force to methodically test new technologies to ensure alignment with business objectives. 

When it comes to mobility, the users are in control. This is an inherent challenge for CSOs. Your organization will benefit from early mobile adoption, as long as you and your team are prepared to embrace innovation and partner with your strategic vendors.

No security, no privacy. Know security, know privacy.

 

David Schwartzberg

David Schwartzberg, Sr. Manager, Security & Privacy for MobileIron

About the author

David Schwartzberg, CISSP, GMOB, is Sr. Manager, Security & Privacy for MobileIron. He has 23 years of information security and information technology experience. Specializing in mobile device management and security, David works closely with technology executives and security professionals to help them protect corporate secrets and remain compliant. In his spare time, he co-founded Hak4Kidz, www.hak4kidz.com, and has blogged for Dark Reading, Naked Security and Barracuda Labs. David has spoken at conferences including: RSA, ISC(2) Congress, Black Hat Arsenal, BSides, Converge, DerbyCON, GrrCON, OWASP AppSec, THOTCON and Wall of Sheep Village, among others. You can learn more about David from his LinkedIn profile http://www.linkedin.com/in/davidschwartzberg and follow David on Twitter @Dschwartzberg to see what he has to say on the industry and conferences.
