The CSO is becoming increasingly aware of the dangers posed by mobile devices that contain confidential information and that are subject to theft or loss. What can they do to mitigate those risks? Is the education of end users within a company the only way to go?
There are three areas of security attention related to mobile devices which can range from handheld intelligent cell phones and PDAs to more robust notebook computers: protecting the information content on the mobile device, securing the interaction of that device with other computers across a network, and making sure that additional “backdoor” entry points are not introduced to accommodate “convenient” network access for mobile devices. Effective control of mobile devices begins with intelligent policies and vibrant security awareness and training. From a technical perspective, security for mobile devices includes the use of strong encryption and authentication based on a well-managed public key infrastructure. Remote access gateways, which continually convert “full size” web applications to miniature versions that can operate on the limited size and powered handhelds, must also be protected by strong physical and technical security safeguards. The major issue with theft or loss is not the device, but rather its contents; strong encryption and authentication make the device useless other than its face resale value in the black market.
What's your take on the open source vs. closed source security debate? In your opinion, what operating system is better, when taking a look from the security perspective?
Open source software, usually with a strong Unix flavor, has proven to be a viable alternative to the world of the “install wizard”. It is often more compact and efficient and uses much fewer resources to provide equal or superior functionality to the end-user. From a purest high security standpoint, Microsoft Windows has still to prove that it is the equal of a well-tuned Unix system. Linux, a popular open source version of Unix has the potential to be very secure, but suffers from “too many fingers in the pie” unless it is stripped to the barer essentials to allow it to be more easily secured.
For the reader to draw their own unbiased conclusions about which operating system and typically associated web server has a better track record, I will refer them to the US National Institute of Standards and Technology (NIST) vulnerability tracking web site, icat.nist.gov, to make their own comparisons of publicly reported security alert bulletins to see which operating systems and web servers have the best track record in the area of fewest serious security bugs and other vulnerabilities. No system has a clean record, but there is a significant difference between the recent history (last 10 years) of open source and proprietary (“closed source”) software.
From a Chief Information Officer/Chief Technology Officer perspective, despite the clear security benefits, formal support for open source software is only available through informal channels in Internet news and discussion groups. However, formal support for closed source, commercial software, especially in light of the increased use of off-shore support that has not approached that of “good ol’ home cooking”, does not always provide a superior benefit. For example, I recently had an experience with a major handheld computer vendor’s off-shore support which involved a problem with the handheld not recognizing an inserted SDIO card. I reported the problem to the vendor via email and grew continually annoyed after three email exchanges. Each reply from the customer support was from a different technician who never responded directly to my questions and comments. Instead their responses read like a text book and did not directly address my problem.
What do you think about the full disclosure of vulnerabilities?