If something can happen, will it happen? I've read a post at securosis.com that briefly points out that that's not the case. I've got to agree, although I'll be the first to admit that I made the opposite argument when it comes to full disk encryption. However, as the same post goes to show, it's all a matter of context; or, at least, that's my interpretation.
Do Bluetooth attacks exist? Does malware for Macs exist? Yes. But do you need to protect yourself against them? It depends.
If, like me, you never use Bluetooth, and hence don't have it turned on, there's no way to be the victim of an attack via this method. Even if you have it turned on, the chances of suffering an attack are very low. There are situations where those chances skyrocket, such as when attending a hacker conference, as noted at securosis.com; that's a negligible risk for most people, I'd say.
In other words, perhaps you don't need to be as concerned about Bluetooth attacks unless you're going to attend a hacker conference. If, as a company, your business model is based on being present at hacker conferences, directing resources towards Bluetooth attacks makes sense (as well as other attacks too numerous to mention). Otherwise, why not direct your security budget towards other security issues that are probably going to happen?
On the other hand, just because something is not bound to happen doesn't mean that it's worthless to protect against it. It depends on the expected outcome, which is a different concept from just plain probability or possibility.
For example, in the previous hacker conference example, even if you had Bluetooth turned on, what are the chances that you're going to have a massive data breach? Since you're attending a hacker conference, I'd assume you didn't carry any sensitive files with you (shame on you if you did). The expected outcome of a data breach is still low, even if the probability, under the circumstances, of suffering a Bluetooth attack is pretty high.
Compare that to what would happen if you lost a laptop computer full of sensitive customer information. The probability of misplacing or having the laptop stolen is relatively low (but probably much higher than a Bluetooth attack). However, the chance of a serious breach, with even worse consequences, is much higher because of the presence of the customer info.
(Some would say there is a point of contention here, though. Whereas Bluetooth attacks are always about looking for information, a computer could be stolen for the hardware only, meaning the chances of data breach are actually lower. Not in these days and times, I would counter, where everyone and your grandmother appear to be involved in identity fraud.)
Furthermore, if everyone at a company is carrying similar amounts of information (say, a small database of 1,000 customer names or so), then the chances of a breach approach certainty: In a given year, even if only 3 out of 100 laptops issued get lost or stolen, and there's only a 1 in 3 chance of someone stealing it for the information in the device, it means there's a 1% chance of a breach on any given laptop. Pretty small, right?
But, if you've issued 500 laptops, you're going to pretty much have a breach in a given year, period. The expected outcome of having a significant breach under such circumstances is 99.3%.
So, knowing you can't prevent the breaches (these people are carrying around their laptops for a reason other than "because they can") because stuff will be lost or stolen, what do you do? Use data security products like encryption software from AlertBoot to bring down that 99.3% figure. The odds of the computer being stolen will remain the same; the odds of having a breach will be affected (in a good way).
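The arithmetic behind the 1% and 99.3% figures, and how encryption coverage moves the fleet-wide number, as an added example that is not part of the original post. It assumes each laptop is lost independently and that a lost encrypted laptop exposes no data; the function names and the 90% coverage value are constructed for illustration.

```python
import math
import random


def per_laptop_breach(p_lost, p_data_motive, encrypted_fraction=0.0):
    """Yearly chance that one laptop leads to a breach.

    Assumption: a lost or stolen encrypted laptop exposes no data.
    """
    return p_lost * p_data_motive * (1.0 - encrypted_fraction)


def fleet_breach_probability(n, p):
    """P(at least one breach among n laptops), assuming independence."""
    return 1.0 - (1.0 - p) ** n


def fleet_size_for(target, p):
    """Smallest fleet whose yearly breach probability reaches `target`."""
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p))


def simulate(n, p, years=5000, seed=1):
    """Monte Carlo cross-check of the closed-form result."""
    rng = random.Random(seed)
    hits = sum(any(rng.random() < p for _ in range(n)) for _ in range(years))
    return hits / years


if __name__ == "__main__":
    # Figures from the post: 3 in 100 laptops lost, 1 in 3 taken for the data.
    p = per_laptop_breach(0.03, 1 / 3)
    print(f"per laptop:          {p:.2%}")
    print(f"500 laptops:         {fleet_breach_probability(500, p):.1%}")
    print(f"simulated:           {simulate(500, p):.1%}")
    print(f"fleet size for 50%:  {fleet_size_for(0.5, p)}")

    # Constructed scenario: 90% of the fleet encrypted. The loss rate is
    # unchanged; only the chance that a loss becomes a breach drops.
    p_enc = per_laptop_breach(0.03, 1 / 3, encrypted_fraction=0.9)
    print(f"500 laptops, 90% encrypted: {fleet_breach_probability(500, p_enc):.1%}")
```
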
Possibility is not probability. But, there's probability and there's probability. What doesn't seem probable at first glance will reveal surprises once other issues are brought into the equation.
Related Articles and Sites: http://securosis.com/blog/possibility-is-not-probability