For those Shakespeare aficionados out there, the quotation “The lady doth protest too much, methinks” comes from Hamlet. The phrase has come to mean that when someone insists so passionately about something being “true”, people suspect exactly the opposite. As an aside (something Shakespeare loved to do in his writings – and, before some wise guy tries to invoke the Lloyd Bentsen “gotcha” as in the VP debates of 1988, no, I am NOT likening myself or my writing to Shakespeare), the word “protest” in Shakespearean days did not have its current-day meaning but, rather, meant “affirm” or “avow”. Substituting either of those words into Shakespeare’s famous quotation actually makes its current-day interpretation more understandable, doth it not?
Fast forward from Shakespearean days to the present, where ‘doom and gloom’ pundits feed us a constant, overwhelming stream of warnings about how corporate America or our national security system or, heaven forbid, “the internet” will be brought to their respective knees by a massive attack of malware from Android devices. The FBI and the National White Collar Crime Center, in the form of the Internet Crime Complaint Center, have now gotten into the act with their (poorly written) “Intelligence Note” issued on October 12th that warns against Loozfon and FinFisher malware which “are attacking Android operating systems for mobile devices [sic]”. To those ‘Chicken Littles’ I say “Thou doth protest too much, methinks” or, as I like to put it, “Malware, Schmalware”.
If one digs into what IC3 reported, one finds that Symantec has documented fewer than 50 instances of the Loozfon program, and that FinFisher has been ported to all the major mobile devices, including Android, Blackberry, and the iPhone. So why is IC3 characterizing Loozfon, with fewer than 50 reported instances, as an Android problem and FinFisher as an Android-ONLY problem? Because Android malware is “in the news”, and both the media and companies that sell ‘anti-malware’ software like to sensationalize issues that generate either readers of their media or buyers of their software (I know, I can hear you now saying “media companies and marketing execs who sensationalize issues that benefit their agenda, go on!”).
I note with some degree of amusement that one of IC3’s “Safety Tips” suggests that if you decide to sell your device or trade it in, make sure you wipe the device (reset it to factory default) to avoid leaving personal data on the device. The problem is, factory reset doesn’t erase the SD card, and that’s where most of the data is stored on an Android device.
So, why am I, the CEO of a mobile DLP and app control company, blogging about malware being a totally over-hyped problem? Doesn’t this add to the FUD in the marketplace, thus making it easier to sell our mobile DLP solution? In a word, “no”. What the hype and FUD do, however, is create a huge distraction from the important things that an enterprise IT security person should worry about. As Joshua Corman, director of security intelligence at Akamai, said: “I do think the hype is a huge distraction. It’s hard enough to spot the right priorities. Just because something is sensational and headline grabbing doesn’t mean it’s the most important thing for you.”
I couldn’t agree more. According to a Symantec study, the average organizational cost of a data breach is $5.5 million (or $194 per compromised ‘record’). The study also shows that ‘negligent insiders’ remain the number one cause of enterprise data breaches. To be fair, the study also ranks malicious attacks as the second leading cause, and malware is one of the many ways (in addition to viruses, Trojans, worms, malicious insiders, device theft, phishing, SQL injection, web-based attacks, and social engineering) that malicious attacks are orchestrated against the enterprise. But, again, the preponderance of the evidence shows that malware on mobile devices is simply not currently a significant issue.
Or, put differently, Malware, Schmalware!