Golf and security: A lesson in risk and reward

Working in the information technology/security field over the last 15 years, I have given many small gifts to customers, associates and colleagues. Just last week I received one of my first gifts from a customer. It was a book entitled "Harvey Penick's Little Red Book." For those of you who do not know, Harvey Penick is a renowned golf pro, and this book details the little lessons that have stood the test of time in his teaching of golfers at varying levels of ability over the past several decades.

Many of you may be thinking, what does golf have to do with information security?  Golf, in my humble opinion, is primarily about risk and reward -- the same two driving (no pun intended) principles of information technology.  

In the chapter entitled "How to Knock Five Strokes Off Your Game," Penick refers to a quote by Emerson: "Thinking is the hardest work in the world, that's why so few of us do it." Penick holds that most golfers would rather be on the driving range hitting long bombs than practicing chipping and putting. Chipping and putting, he says, are more about thinking and concentration than about the enjoyment of seeing a golf ball launched 300 yards.

Not only am I looking for ways to knock five strokes off my golf game, I’m even more interested in knocking five strokes, I mean points, off my risk score.  In order to knock those risk points down I have to think about the goals and mission of my enterprise, and today this is extremely hard work, especially when compounded by an immature mobile operating system or two.

As security professionals, the hard work -- the thinking, the concentration that is difficult for us -- is to learn more about how our organization does business, the goals of the business and, most importantly, the mission of each department within our company. This is the chipping and putting for security professionals. We aren't always the types who would be thought of as extroverts, so getting to know our internal customers is challenging, but we can't just blame the security team. Business data owners need to work on their chipping and putting, too. They most likely dread speaking with the security team for fear of simply being told "no." Perhaps their jitters are, as Penick would probably say, the result of too many negative thoughts put into the mind.

So, I am going to attempt to make it a little easier for IT and security pros out there by sharing the steps for evaluating the risks to enterprise data in the mobile computing environment:

  1. First, understand which mobile operating systems (and which versions of them) your organization is going to support, and why.
  2. Second, gain an understanding of the business and personal apps being installed on mobile devices at each level of the organization, and which permissions each of these apps requests or requires.
  3. Third, find out where the business apps store their authentication credentials. Recent surveys from numerous organizations show that the iPad is being used heavily in the enterprise; I wouldn't trust an app that uses the iOS keychain to store my authentication credentials (see Zdziarski's book "Hacking and Securing iOS Apps" for more detail).
  4. Lastly, research the Common Vulnerabilities and Exposures (CVE) entries for each of the mobile operating systems in play within your organization. It truly is the wild, wild mobile west, because although Apple's iOS has a really good security architecture, it is nowhere near perfect.

Apple, as of today, has more CVEs than Android and BlackBerry. However, do not mistake the number of vulnerabilities for the severity of those vulnerabilities. A raw CVE count says as much about how heavily a platform is researched and how its vendor reports issues as it does about the platform's architecture. Based on the existing CVEs, roughly half of the entries for Apple and RIM carry a high severity rating, so if a new vulnerability were to be disclosed for either there is only about a 50% chance that it will be rated high. For Android, by contrast, the existing CVEs suggest that a newly found vulnerability has around an 80% likelihood of being rated high. So, just because Apple has more CVEs doesn't necessarily mean it is more or less secure than another mobile operating system.

The security team needs to understand the CVEs and put them into the context of the users they are supporting. In other words, by putting in the hard work now to better understand your mobile computing environment you will be able to address the next vulnerability, regardless of the mobile operating system, in a manner that will best support your organization. 
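To make the last two steps concrete, here is an added example (not code from the original column) that puts CVE records into the context of a device inventory. It separates the three numbers the text distinguishes: the raw count of entries per platform, the share of those entries rated high, and how many of your own devices actually run an affected version. The inventory, the vulnerability records and their SAMPLE-nnn identifiers are all constructed sample data, not real CVE entries or real device counts, and the severity bands follow the CVSS v2 convention (High is a base score of 7.0 or above, Medium 4.0 to 6.9, Low below 4.0).

```python
"""Triage mobile-platform vulnerability records against a device inventory.

Added example, not code from the original article. All records below are
constructed sample data with placeholder identifiers (SAMPLE-nnn), not real
CVE entries. Severity bands follow CVSS v2: High >= 7.0, Medium 4.0-6.9,
Low < 4.0.
"""
from collections import defaultdict

# Constructed inventory: (platform, os_version, device_count).
# Step 1 of the article: know which mobile operating systems you support.
INVENTORY = [
    ("iOS", "5.1", 120),
    ("iOS", "5.0", 30),
    ("Android", "4.0", 60),
    ("Android", "2.3", 40),
    ("BlackBerry", "7.0", 25),
]

# Constructed vulnerability records with placeholder IDs (not real CVEs):
# (id, platform, affected_versions, cvss_base_score).
VULNS = [
    ("SAMPLE-001", "iOS", {"5.0", "5.1"}, 9.3),
    ("SAMPLE-002", "iOS", {"5.0"}, 4.3),
    ("SAMPLE-003", "iOS", {"5.1"}, 2.1),
    ("SAMPLE-004", "iOS", {"5.0", "5.1"}, 5.0),
    ("SAMPLE-005", "Android", {"2.3"}, 7.2),
    ("SAMPLE-006", "Android", {"2.3", "4.0"}, 9.3),
    ("SAMPLE-007", "BlackBerry", {"7.0"}, 6.8),
]


def severity(cvss):
    """Map a CVSS v2 base score to its qualitative band."""
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


def count_by_platform(vulns):
    """Raw record count per platform: the number the article warns about."""
    counts = defaultdict(int)
    for _, platform, _, _ in vulns:
        counts[platform] += 1
    return dict(counts)


def high_share_by_platform(vulns):
    """Fraction (0.0-1.0) of each platform's records rated High."""
    total = defaultdict(int)
    high = defaultdict(int)
    for _, platform, _, cvss in vulns:
        total[platform] += 1
        if severity(cvss) == "High":
            high[platform] += 1
    return {p: high[p] / total[p] for p in total}


def exposed_devices(vulns, inventory, min_severity="High"):
    """Devices per platform running a version hit by at least one record at
    or above min_severity. A device is counted once even if several records
    affect it; this is the 'context of the users' the article asks for."""
    rank = {"Low": 0, "Medium": 1, "High": 2}
    hit_versions = defaultdict(set)
    for _, platform, versions, cvss in vulns:
        if rank[severity(cvss)] >= rank[min_severity]:
            hit_versions[platform] |= versions
    exposed = defaultdict(int)
    for platform, version, n in inventory:
        if version in hit_versions[platform]:
            exposed[platform] += n
    return dict(exposed)


if __name__ == "__main__":
    print("records per platform:", count_by_platform(VULNS))
    print("share rated High:",
          {p: round(s, 2) for p, s in high_share_by_platform(VULNS).items()})
    print("devices exposed to a High:", exposed_devices(VULNS, INVENTORY))
    print("devices exposed to Medium or worse:",
          exposed_devices(VULNS, INVENTORY, "Medium"))
```

With the constructed data, iOS has the most records (4) but the lowest share rated high (25%), while Android's two records are both high; the exposure figures then depend entirely on which versions your fleet actually runs, which is the point of doing the inventory first.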

I will close with one final application of Penick's book for all the security professionals out there. Penick wouldn't tell his students that something was wrong, because he didn't want to instill negative thoughts in them. Penick would rephrase the negative as a positive by saying, "Let's try this instead." When our internal or external customer comes to us for security advice, let's stop saying "no" and start advising them on the proper method of implementing technology in a secure manner by saying, "Let's try this instead."

Copyright © 2012 IDG Communications, Inc.