17 Apr
Article by Rik Ferguson
Filed under: data protection, Encryption, Mobile threats, Opinion
An increasing number of companies are opening corporate networks and data to consumer mobile technology. The resulting trend, referred to as the consumerisation of enterprise mobility, assumes even more disruptive connotations when the employees are allowed to use their own smartphones and tablets at work.
Consumer technology is convenient, easy to learn and fun to use, but it is generally not as secure or manageable as the enterprise requires. It brings real business value in terms of productivity and business agility; however, without a strategic approach to the consumerisation of IT it creates security risks, financial exposure and a management nightmare. Rather than resist it, organisations should embrace consumerisation to unlock its business potential, while considering the security and management capabilities of each mobile platform.
New research from Trend Micro compares the ability of several different mobile platforms to meet the demands of use in the enterprise. The results of the research, carried out by Altimeter Group, Bloor Research and Trend Micro’s own specialists, clearly show that in the opinion of the researchers, BlackBerry 7.0 scored highest across the board, ahead of (in descending order) Apple iOS5, Windows Phone 7.5 and Google’s Android 2.3.
Platforms were each scored on several factors, including built-in security, application security, authentication, device wipe, device firewall, virtualisation, and many others.
Some highlights of the findings:
RIM – BlackBerry OS is the option of choice for the most stringent mobile roles. However, many features and protections that are commonly enabled or enforceable via the BlackBerry Enterprise Server (BES) are not present on devices that are user-provisioned via BlackBerry Internet Services (BIS).
Apple – The iOS application architecture natively provides users a great deal of protection because all applications are sandboxed in a common memory environment. Security in iOS also extends to the physical attributes of the iPhone and iPad.
Microsoft – A reasonably robust and secure smartphone operating system, Windows Phone uses minimum privileges and isolation techniques to create individual process spaces. Apps are pre-approved by Microsoft and only signed code can be executed on the platform.
Google – Although Android is now available in more recent versions (4.x), version 2.x is still the most widely deployed on existing and new handsets. This is a security risk in itself: there is no central means of providing operating system updates, meaning that many users remain unprotected from critical vulnerabilities for a prolonged period.
The full report is available here.
28 Mar
Article by Rik Ferguson
Filed under: Opinion
The European Parliament today passed, by 50 votes to 1 (with 3 abstentions), a draft proposal to update existing legislation relating to the definition and prosecution of cyber crimes within the European Union. In the words of the European Parliament:
“Cyber attacks on IT systems would become a criminal offence punishable by at least two years in prison throughout the EU under a draft law backed by the Civil Liberties Committee on Tuesday. Possessing or distributing hacking software and tools would also be an offence, and companies would be liable for cyber attacks committed for their benefit.“
While at first glance this single-paragraph summary of the proposed additions and amendments may appear alarming in some respects, the legislation itself (2010/0273 (COD)) seems much more reasonable.
In typical EU style the document is convoluted: 33 proposals, 13 of them new and the rest amendments. All in all, though, it is a rational, well thought-out document. It calls for harmonisation of penalties for cybercrime throughout the Union and for harmonisation of the definition of what exactly constitutes a crime. It introduces Europol as a central intelligence hub for national law enforcement agencies and promotes the sharing of best practices. It also recognises the importance of critical national infrastructure and places legal obligations on nations to provide “adequate standards” of protection for information systems, and it states that the more risk inherent in the compromise of a system, the higher the budget spent on protecting it should be. The document also introduces the very democratic concept that if access to a system is illegally withheld, then entering that system without authorisation will not constitute a crime.
In relation to the harmonisation of prison terms, the proposal is a minimum sentence of two years for cyber crimes, unless aggravating factors such as the use of a tool “designed to affect significant numbers” (read “botnet”), crimes committed as part of an organised criminal operation, or attacks against critical infrastructure are present, in which case the proposed jail term is five years. It is my personal view that a jail term should not be directly proportionate to the *means* of committing a crime, but rather to the outcome of the criminal actions; these proposals fall somewhere in between. Having said that, it seems that no length of jail term is sufficient to deter the ambitious and determined cybercriminal, as evidenced by the long terms faced by some of those recently arrested in the US.
As for the proposals related to hacking tools, the legislation actually does a very good job of amending and clarifying the terms of the earlier document in this regard. This new proposal enshrines the concept of “intent” at the heart of any clauses relating to hacking tools and recognises very clearly the dual-purpose nature of many of these tools. For example, the simple “possession” of these tools is no longer in the scope of the document (amendment 22), despite what the press release from the European Parliament says, and the terms “purpose” and “intent” have been amended to read “clear purpose” and “clear intent”. It is certainly possible to legislate for the misuse of any tool with criminal intent, and whether that tool is physical or digital shouldn’t make any difference. The key to legislation which will not impact the lawful work of security researchers and organisations, though, is that question of intent, which I feel is adequately covered in this draft.
One amendment that did stand out for me was the changing of the term “Instigation” to the term “incitement” with relation to an offence. While I can clearly appreciate the need for such a change, especially in the light of activities undertaken by AntiSec, Anonymous et al, to characterise this amendment as simply a “linguistic” one is disingenuous at the very least.
The Rapporteur aims for a political agreement between Parliament and Council on this Directive by the summer.
27 Mar
Article by Rik Ferguson
Filed under: Bad guys always lose, Family Safety, Hacking, malware, Opinion, Underground Economy
This quote “The sweep was part of a civil suit brought by Microsoft in its increasingly aggressive campaign to take the lead in combating such crimes, rather than waiting for law enforcement agencies to act” from this article is what motivated me to tweet “Opening civil proceedings “without waiting for law enforcement”, against 39 John Does and citing their online handles is a very dumb idea.”
The security industry and research organisations should work with law enforcement, not against it. All 39 of the online handles mentioned in the court submission (covered in my blog yesterday) are now fully aware that they are under active investigation and have the chance to “disappear”, probably to resurface elsewhere and carry on business as usual.
It is disturbingly similar to how the identities of the Koobface gang were exposed without waiting for due legal process, even though the intelligence behind this “exposé” was mostly generated in an industry group working with law enforcement towards an eventual prosecution. Once the information is published without waiting for due legal process, the criminals have a chance to go to ground.
Again in the Microsoft civil suit example, there is a reliance on information that was shared within working groups. The normal model is to collaborate across industry and come up with a shared result in terms of law enforcement. Marketing actions like this very much break that model.
The successful dismantling of the Esthost botnet with the arrest of the criminals involved is a true model of how the security industry and law enforcement can and should work together to better secure the internet and internet users. That investigation was 6 years in the making and led to the arrest of an entire crime ring and the dismantling of their infrastructure.
Long term law enforcement success should not be sacrificed on the altar of marketing initiatives.
Copyright © 1989-2012 Trend Micro Incorporated. All rights reserved.