Nader Henein is all too aware of the ever-present IT security risks that envelop our day-to-day lives. BlackBerry’s Regional Director for the Advanced Security Division describes the ease with which the everyday user can be compromised, and what the company is doing to secure defences.
What are the innate risks to user privacy that are posed through mobile apps?
The risks are substantial. When a user selects an app to download, they want specific things from it, and are generally not interested in what features or permissions it is asking for. Most of them will ask for more information than they need so they can market it. To build equity, they need a digital asset, which is the information the person has put in, and the connections between people within services like Facebook.
In these cases, users are at the mercy of the ethics of developers, and what line of business they’re in.
Take fitness trackers as an example. They calculate things like heart rate, the number of steps taken, and how active a person is; body fat, BMI, weight. Insurance companies will often give a free Fitbit in return for access to data, but the consequence of this is people having their life insurance rejected because of certain unfavourable information.
Privacy is important, and protecting users’ privacy should be important for smartphone makers. Unfortunately we can’t depend on the kindness of developers not to use your information. The issue is now one of consent: companies now have to explicitly ask if they can use data. If it’s used for anything else, they are liable for damages and penalties. However, this framework doesn’t exist in the Middle East yet, and in that sense the region is lagging; the legal system is lacking in maturity. The British legal system has been in evolution for hundreds of years, but the UAE is only 43 years old, so things won’t happen overnight. The concept of ‘I gave my information for banking purposes’ doesn’t exist. I want regulators to pay attention to this.
What can you tell me about your new application, Enterprise Identity?
It’s an extension of what we’ve been doing for a while. We’re now thinking of taking the platform and expanding it so that every time the user logs in, they can use a strong identity within the enterprise; a single sign-on. Lots of vendors are doing it but it’s still clunky. For example, you can log in from a BlackBerry device on the enterprise network.
We need to consider that an endpoint can be any component that holds or processes corporate info. In the case of the Target breach, they didn’t attack a server or smartphone. They got in by attacking the cooling system; they didn’t attack a VPN or access point. It was connected to the same network as their corporate PCs, and they managed to get into their point of sale systems.
Following that train of thought, surely the Internet of Things also poses a huge risk?
The Internet of Things is a term coined for a problem space that’s been there for a while. The only difference is that sensors now are being connected with Wi-Fi hotspots. Now everything is becoming connected, often through the corporate network.
For example, the office fridge can be sitting on the same network as desktops and laptops. If I don’t manage every single component on the corporate network, someone will find a way in. The adage ‘you’re only as strong as your weakest link’ rings true here; these various components are filling that role.
Take my TV at home. I update the software once a year, and it’s plugged in all the time. Is Samsung collecting my viewing patterns? Who knows. TVs today come with cameras. It’s a creepy thought. The security on the TV is probably non-existent.
Are cameras that are installed in offices secure? What if someone gets in and starts tampering with their content?
Most companies won’t connect their fridge. It’s worth thinking of other endpoints like vehicles, or sensors in the medical space that collect data on patients. Even when we talk about wearables in the enterprise space, we should be more concerned with heart monitors or pacemakers. They can be updated and have remote management capabilities. Former US Vice President Dick Cheney actually disabled the remote management on his pacemaker for fear of someone hacking into his healthcare provider and turning it off.
What can you tell me about your latest Enterprise Mobility Management solution, BES12?
Instead of purely managing smartphones and tablets, BES12 is now purely a piece of middleware that extends all services within the enterprise – mail, notes, tasks, calendars for instance – and pushes them out to selective endpoints. If you have SAP, salesforce.com or CRM on the back-end, it takes these things and relays them onto devices selectively for whoever needs them.
With BES12 and integration with the VPN component, when logging into a laptop, instead of it requesting the number, the user is prompted to authenticate their credentials. They are then logged automatically into the network. Compared to the use of RSA tags, this is one less piece of hardware to manage and one less cost to bear.
The focus of BES12 is secure, agnostic endpoint management. It supports iOS, Windows, Android, and of course BlackBerry operating systems. In essence, it covers 99.99 percent of platforms.
We’re talking about security, privacy and scalability. These aren’t sexy things but they need to be in a product. A lot of our competition focuses on user interfaces for the customer benefit, but not on these things. As boring as the security conversation is, it’s important.
All too often security is put in for the sake of it, but not as a priority. Everything we do in the security realm is independently certified by third parties. All these things need to be transparent and omnipresent. If things are not properly implemented, attackers will find a way in.
One of our competitors’ technology was employed at insurance company Aviva. Attackers found a way into their system, and within an hour, employees got a message on their smartphones saying: ‘you’re wiped’. That’s what happens when you don’t pay attention. All their private as well as corporate stuff was gone. The help desk had to reinitialise solutions, they suffered days upon days of downtime, and roughly 10 man years of employee time were lost as a result. Sometimes it needs incidents like these to realise the importance of robust security products.
BlackBerry recently conducted a survey on mobility risk tolerance, which revealed that one in three organisations were confident that their data assets were protected from unauthorised access. That number seems very high…
It’s very high. People tend to embellish their answers with these kinds of surveys. A lot of publicly traded companies are still careful not to own up to anything that they don’t have to. Mandatory breach disclosure is critical.
If bank XYZ loses a laptop – or worse still, a backup – with thousands of people’s bank information, in this region they are not required to go to a regulator to say the information has been lost. They issue new cards, monitor transactions, and tighten things up a bit. But there is still no obligation to tell you that the breach has occurred. That needs to change. Once that changes, a lot more people will pay attention to security.
A lot of organisations are beginning to appoint Chief Information Security Officers. Before, this was a function buried with administrators who didn’t even report to the CIO. Now the CISO often reports to the board because their role is that critical. Today, security breaches result in loss of revenue and affect stock prices.