Mobile and Malicious

By Sarah Hicks

Mobile devices such as smartphones and handhelds have been an incalculable productivity boon for today's enterprises. But that fact shouldn't prevent IT managers from taking a long, hard look at the ways these devices access corporate data to ensure they don't pose a security risk. This article examines some of the primary security issues surrounding mobile devices and suggests what enterprises can do to address them.

Increasing risks to confidential data

Smartphone owners often use their wireless devices not only for entertainment but also for emailing, instant messaging, browsing the Web, and downloading and sharing files over the Internet, as well as for checking financial accounts. Some smartphone owners use their devices to send and receive emails that include confidential personal data, such as bank and credit card account information. Many smartphone users store confidential personal, business, or client data on their devices.

At the same time, threats to these devices are increasing. The first worm to target smartphones, Cabir, was released in June 2004. By the end of December 2004, new variants of Cabir were reported, and in February 2005 Cabir surfaced in the wild in the United States for the first time. Other threats to smartphones have also been reported over the last 12 months, including several Trojan horses (e.g., Mos, Skulls, and CommWarrior).

While the number of mobile device threats reported in the wild is still extremely small, the types of threats created demonstrate some of the robust capabilities of these devices. For example, Mos showed that mobile devices could serve as delivery vectors for spyware or adware in the near future. As mobile computing becomes more common and mobile devices become more complex, it is likely that other avenues of attack will be discovered.

A threat scenario

For IT managers, of course, the concern is that a well-meaning road warrior could inadvertently infect the organization's network with a worm or virus. Consider the scenario of an authorized user with a handheld and a secure VPN (virtual private network) connection to the network. Were the handheld to be contaminated by a virus before the user established a VPN link, the virus could bypass the corporate firewall and enter the network.

Because of scenarios like that, more and more mobile enterprises are realizing that they need remote interrogation systems to determine whether a device seeking a network connection is really an authorized device. They also need tools that interrogate a device to see if it is up to speed in terms of firewall settings, antivirus updates, and software patches.
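The admission decision such an interrogation system makes can be sketched as follows. This is an added example, not code from the article or from any product: the device IDs, policy thresholds, report fields, and the function name `evaluate_posture` are all hypothetical.

```python
from datetime import date

# Hypothetical policy values and device registry, constructed for this example.
AUTHORIZED_DEVICES = {"HH-0042", "HH-0077"}
MAX_AV_AGE_DAYS = 7
REQUIRED_PATCH_LEVEL = (5, 1, 2)

def evaluate_posture(report, today):
    """Return (decision, reasons) for a device asking for a VPN connection.

    decision is "deny" for unknown devices, "quarantine" for authorized
    devices that fail a health check, and "allow" otherwise. A missing or
    malformed attribute counts as a failure (fail closed).
    """
    if report.get("device_id") not in AUTHORIZED_DEVICES:
        return "deny", ["device is not an authorized device"]

    reasons = []
    if report.get("firewall_enabled") is not True:
        reasons.append("firewall disabled or not reported")

    av_date = report.get("av_definitions_date")
    if not isinstance(av_date, date):
        reasons.append("antivirus definitions date not reported")
    elif (today - av_date).days > MAX_AV_AGE_DAYS:
        reasons.append("antivirus definitions out of date")

    patch = report.get("patch_level")
    if not isinstance(patch, tuple) or patch < REQUIRED_PATCH_LEVEL:
        reasons.append("software patches missing")

    return ("quarantine" if reasons else "allow"), reasons

if __name__ == "__main__":
    today = date(2005, 6, 1)
    # Constructed sample reports, as a device agent might send them.
    samples = [
        {"device_id": "HH-0042", "firewall_enabled": True,
         "av_definitions_date": date(2005, 5, 30), "patch_level": (5, 1, 2)},
        {"device_id": "HH-0077", "firewall_enabled": True,
         "av_definitions_date": date(2005, 4, 1), "patch_level": (5, 0, 9)},
        {"device_id": "HH-9999", "firewall_enabled": True},
    ]
    for s in samples:
        print(s["device_id"], *evaluate_posture(s, today))
```

Because the report comes from the device itself, an infected handheld can misreport its state; a check like this narrows the scenario above but does not replace scanning on the network side.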

Device theft

Another headache for IT managers is that the inherently small form factors of handhelds and smartphones make them more likely to be lost or stolen. Most users carry critical data on their devices such as emails, address books, meeting notes, and calendar appointments. Also, most platforms come with a simple software-based login scheme that allows configuring a password to protect access to the device. Such mechanisms can easily be bypassed by reading the device memory directly without starting the operating system.

Moreover, as these devices become more powerful, they're increasingly likely to contain sensitive information. Earlier this year, for example, a laptop containing the names and Social Security numbers of 16,500 current and former MCI Inc. employees was stolen from the car of an MCI financial analyst in Colorado. In another case, a former Morgan Stanley employee sold a used BlackBerry on eBay with confidential information still stored on the device.

But the loss of sensitive data isn't the only concern. As The Washington Post reported recently:

"Some companies suffer only embarrassment from such incidents. But for public companies or financial firms, a lost device could mean violation of the Sarbanes-Oxley Act, which requires strict controls over disclosure of financial information. For doctors and health care companies, the loss of customer data compromises patient confidentiality, protected by the Health Insurance Portability and Accountability Act."

Securing the operating system

Another security concern has to do with the operating systems in these devices. Most operating systems for handhelds and smartphones have been designed from scratch within the last decade. Among other requirements, the main driving factors in the design phase were low memory usage, small OS footprint, always-on operation and the support of special hardware, such as low-power chipsets and small screens. Although security has always been a focus, it hasn't been a core feature in most early OS releases. Because the industry is moving toward more secure computing models, handheld operating systems are now introducing additional security features (for example, VPN, SSL, crypto modules, login passwords, and code signing).

At the same time, other features continue to be added to these operating systems. Since each line of code can be the reason for an additional security exploit, the risk of additional security issues grows with each added feature.

Know your options

Fortunately, security products that can detect malicious code exist for most mobile device operating systems. In addition, common safe computing practices such as not installing unknown programs or accepting connections from unknown sources will help prevent infection by these threats. That said, mobile enterprises should still seriously explore the following security solutions:

  • Firewall/VPN solutions can protect data without slowing performance.
  • Intrusion detection solutions act as a "security force" inside the perimeter to spot intruders that penetrate the outer defenses.
  • Policy compliance management solutions help define and enforce policies from a central location as well as probe for network vulnerabilities and suggest remedies.
  • Virus protection/content filtering solutions offer protection from Internet-borne threats for the desktop through the gateway.
  • Anti-spam solutions filter spam and other undesired messages at the gateway and are essential to an overall email security solution.
  • Antispyware solutions can provide real-time scanning, automatic detection and removal, and integrated tools for remediating the side effects that spyware can have on a user's system.
  • Administration solutions facilitate the management of hardware and software assets, and provide a way to plan, track, and apply system changes.

Enterprises looking to secure their mobile devices should investigate solutions that provide integrated antivirus and firewall capabilities to protect against known malicious threats, such as viruses, Trojans, and worms.

For smartphones in particular, real-time automatic and on-demand virus scan capabilities can protect files that are stored on the smartphone's file system, while the firewall should use protocol and port filtering to protect the data and applications being transmitted. To ensure that devices are protected against new threats, users should be able to download the latest virus protection updates when the device has access to a wireless Internet connection.

Conclusion

Smartphones and handhelds are increasingly being used in much the same way as notebook computers, putting these devices at risk of threats similar to those facing their mobile PC counterparts. For today's mobile enterprises, deploying effective tools to thwart the growing number of attacks against these devices should be a top priority.

 

CIO Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.
