Security in the cloud is a hot topic and often a major hurdle for businesses looking at using the cloud for the first time. Understanding the actual versus perceived risk is crucial and many people instinctively choose the wrong option.
As an earlier post pointed out, although businesses like to see their servers humming away in their offices, it is more likely that your systems are less secure than the cloud.
But once your data is secure in the cloud it raises another question: what is the safest way to access it?
BoxFreeIT spoke to security expert Adam Pointon from Sentinel Data Security about the historic vulnerability of desktop operating systems such as Microsoft Windows versus the new breed of operating systems for smartphones from Google and Apple.
The new mobile platforms have been built with security as a key first principle and as a result smartphones and tablets are much more resistant to viruses and hackers than desktops, whether PCs or Macs, Pointon says.
BoxFreeIT: What is the most secure way to access cloud software – a smartphone or a PC?
Adam Pointon: As a general rule, smartphones and tablets are safer than PCs. Mobile devices running iOS are still regarded as the most secure for several reasons; from the operating system itself, to Apple’s patch management and security methods, and the vetting processes for apps sold on the Apple App Store.
BoxFreeIT: Is it harder for viruses to attack your phone? Why?
Pointon: Yes. Phones have the luxury of being built from the ground up with modern software techniques and are less flexible in what software they support. This has brought the benefit of prior research into secure software development and has resulted in platforms that are less susceptible to viruses (often referred to as malware).
The heart of the system – the software kernel – has made use of more modern security features. And as it hasn’t needed to support older software and older hardware, it can be more forceful in controlling access to software applications and components.
BoxFreeIT: Can you get a virus by visiting a website with your smartphone?
Pointon: Yes you can, however the number of moving parts on the phone, also known as the attack surface, is far smaller, which naturally results in many fewer vulnerabilities.
Take Adobe Flash for example. For a few years it was in the top five programs that caused infections on the internet. Java and Adobe Acrobat are the number-one and number-two attack paths for desktops at the moment, with Adobe slowly getting better.
None of those applications exist on smartphones mostly due to the fact phones don’t need them.
BoxFreeIT: Does a phone offer more protection against fake online banking websites?
Pointon: Sort of. In the case of online banking, banking application developers do not allow new billers to be set up on a smartphone because the phone also receives SMS codes or tokens required to set up a new biller.
That stops an attacker from adding a new biller and moving money on your phone. Still, an attacker who controls your phone can get your username/password, log into the normal banking web site, get the token sent to your phone, log into your phone and steal the token hopefully without you noticing, then transfer money.
However, it’s not as simple (and therefore lower likelihood) as stealing credit card details. And there are no public methods for hacking an iPhone remotely, and custom attacks cost hundreds of thousands of dollars. So they’re not used to drain bank accounts of small businesses.
BoxFreeIT: What about scammers running fake sites for Paypal and Amazon and so on?
Pointon: When it comes to scammers, fake emails and the like, the phones don’t really offer any further protection over a desktop.
In fact, all mobile phones, not just smartphones, have had problems with fake SMSes. These appear to come from legitimate phone numbers or just a word like “Commbank”. A spoofed SMS can be used to trick people into visiting web sites or replying to the text message which may go to a premium SMS phone number, costing the sender $5 per message, for example.
BoxFreeIT: Is it possible for a botnet to take over your phone? Why not?
Pointon: Yes, it is possible; however, bot-herders (as they are often called) see phones as being of little value. The main aim of a botnet is to have a distributed cluster of internet-feeds or computing power. In the case of a phone, it neither has a fast upload and download link nor has fast computing power, so there’s little value to a bot-herder.
BoxFreeIT: What other types of wireless attacks are there?
Pointon: Phones also open other avenues of attack, mostly physical/presence attacks, such as against Bluetooth, or against near-field communications (or NFC, a wireless payment technology). Both have proven exploitable, however it’s a different threat because the economics are different.
An attacker can sit in any country around the world, and send millions of attacks out against PCs and get a 0.02 percent conversion rate which is still economically viable.
However, attacking Bluetooth or NFC by placing attacking devices at a busy area, such as an airport, is different.
BoxFreeIT: Should you run anti-virus software on your smartphone?
Pointon: No. Phones don’t need the current form of anti-virus technology because they have the luxury of a modern software platform and design. These limit access through controls and have new security features (such as hardening, kernel protection mechanisms and memory randomisation) and control of the hardware.
In the case of non-rooted or non-jailbroken devices, smartphone manufacturers provide a layer of control over the applications installed on their smartphones through their app stores. The stores provide a vetting process to weed out malicious apps, and smartphones won’t install random files that can be run by any user (such as virus.exe). Whilst not perfect, it does prevent users from running or installing random files found on the Internet.
Also the operating systems in smartphones are purpose-built and don’t need to bloat out to do crazy things no one really cares about, such as supporting embedded file types and Flash movies/JavaScript within PDF documents, which unnecessarily increases the attack surface. This is just one example of a security problem around Microsoft Word and Adobe Acrobat on the desktop.
BoxFreeIT: Is it more secure to do your internet banking on a 3G network rather than public wifi?
Pointon: Yes, most definitely. Telco networks such as 3G or 4G can only be intercepted by those within the telco network.
Unauthorised attackers would need to overcome the telco’s security measures or otherwise find themselves in the path between the phone, the telco network and the internet-banking web site.
Image credit: Top10reviews.com