As handsets become more vulnerable to various types of attacks, a
better device security policy should be put in place.
A recent study by Gartner found that 55% of
PDAs shipped in the first quarter of 2005 included integrated wireless local
area network (LAN) or cellular/mobile capabilities.
Knowledge workers use mobile devices for various types of
connectivity—from construction supervisors entering change requests to retail
workers using wireless connectivity for inventory management. For many workers
today, these devices are their only computing platform. However, as mobile
devices move data and files to and from networks and tap into existing
applications, the risks increase for compromising sensitive data and
transmitting infections.
Mobile Carrier Networks and Services
Understanding the true security threats to mobile devices requires some
knowledge of the networks they use to communicate. In contrast to PDAs that
regularly synchronize with a PC, smartphones are typically independent devices
that may periodically synchronize with a PC, but rely primarily on a mobile
operator's wireless network for connectivity. The first-generation mobile phone
models (feature phones) provided only voice capabilities, in contrast to
smartphones, which include over-the-air data connections and text messaging
capabilities, such as short message service (SMS) and multimedia message
service (MMS).
Data transfer rates have been increasing and are expected
to jump dramatically in coming years. Commonly used 2G GPRS data transfer
technology typically provides 35 Kbps download speeds, while emerging 3G
networks can provide from about 400 Kbps (WCDMA/UMTS) to 2-3 Mbps (HSDPA) when
fully evolved.
As the data transfer rates climb, enterprises can help
improve knowledge worker productivity by enabling remote usage of enterprise
applications. For example, knowledge workers who commute via train can tap into
high-speed mobile networks to use applications such as e-mail, enterprise
resource planning (ERP) or human resources management (HRM) systems, while in
transit. The faster 3G technologies such as WCDMA, EV-DO, and HSDPA can enable
users with certain mobile devices to access enterprise applications using speeds
approaching 'wired' connections.
While these high-speed data transfers improve productivity,
they also increase the possibility of infection. Higher speed networks ease the
ability of users to surf the Web, use IP networks for communication, and
download and install applications. In the same way that high-speed Internet
connectivity enabled malware and spyware to propagate more quickly to
networked PCs, the addition of high-speed mobile data networks is expected to
open the door to potential infections of smartphones.
Authentication, Encryption, and VPN Software: Key Building Blocks
Mobile devices are vulnerable without some type of authentication and
encryption to help protect data from unauthorized access.
Authentication, the first step in securing information on a mobile device, helps
to ensure that only authorized users can access the network. Some approaches to
authentication may include a user password, a security certificate in a
smartcard or a SecurID, or another authentication option that relates to a
specific security plan for the mobile device.
Encryption, on the other hand, protects the data in transit
and denies unauthorized access to data stored on a mobile device as well as the
data and communications that pass through the networks. Encryption can be done
by an application, an information service, or the network.
For devices accessing corporate IT sources, secure remote
access for applications may require virtual private network (VPN) software. VPNs
provide secure access to information portals and applications and can also enable
mobile devices to connect to a corporate network over the Internet.
Mobile device security also requires a management solution
that can erase information or wipe a decommissioned device so that it is
unrecoverable. When an executive accidentally loses a smartphone containing
critical deal information, that device must be wiped clean. Without this
capability, sensitive data can become public very quickly.
The Evolution of Mobile Viruses
Viruses affecting mobile phones are a relatively new phenomenon. One of the
first significant attacks involving mobile phones occurred in June 2000 and
focused on a specific mobile operator. The first viruses to attack handheld
devices also occurred in 2000. Viruses such as Liberty, Phage, and Vapor affected
devices using the Palm OS, which has not been subject to further virus attacks.
However, malware affecting devices using other operating systems has occurred
since that time.
NTT DoCoMo malware attack:
During August 2001, Japanese users of NTT DoCoMo's i-mode found
their phones started to dial 110, the Japanese equivalent of 911 emergency
assistance, if they answered 'yes' to a certain question during an online
quiz regarding love. Japanese police switchboards were swamped with bogus calls
that prevented authorities from responding to true emergencies. NTT DoCoMo has
now corrected the vulnerability exploited by the attack.
Symbian Viruses: Beginning in 2004 and continuing in 2005, viruses affecting
Symbian OS and the Microsoft Windows Mobile OS have significantly increased.
Symbian OS in particular has suffered from virus outbreaks affecting devices
using Symbian OS 7.0s with the Series 60 platform user interface, the software
used in most Nokia smartphones. The Cabir attack, which occurred in June 2004,
was followed by a steady stream of variants and permutations including Qdial,
Skulls, Velasco, Locknut, and Dampig.
Cabir and its offspring represent proof-of-concept malware
that has propagated effectively and caused little damage. These initial viruses
represent the hacker community experimenting with a new technology. Cabir used
Bluetooth wireless connectivity to transmit itself; Bluetooth transmissions are
limited to 10 meters in distance. The infected device would search for other
Bluetooth devices in discoverable mode, and then the user of the target device
would have to click through four dialog boxes for the device to actually be
infected.
Although the Cabir virus did not propagate to any
significant degree, the increasing frequency of its variants demonstrates that
virus writers are becoming better at writing viruses for mobile devices.
Subsequent malware, Comwar and Mabir, used more effective methods, particularly
through MMS.
Smart phones and mobile messaging malware: The built-in messaging capabilities
of smart phones make them a natural target for messaging worms. A virus can
leverage the phone's integrated messaging capability to propagate to other
phones. This malicious code can use the phone's address book to find new
targets. For example, devices infected with the Mabir virus, which affects
Symbian OS 7.0 with the Series 60 platform user interface, will attempt to
infect other devices supporting MMS by responding to received SMS or MMS
messages and sending a copy of the virus by MMS. This interrupts user
productivity, drains the battery, can increase MMS charges, and has the
potential to damage a user's reputation among friends and business colleagues.
Although such attacks are not yet common, protecting phones from mobile messages
with malicious payloads, also known as mobile messaging malware, is an essential
component of any antivirus solution.
Best Practices for Mobile Device Security
Understanding
Category | Type | Example
Local | Physical | SD card,
Peer to | Personal | Infrared
 | | Bluetooth
 | | Synch
Local | Local | PCMCIA
 | Wireless | 802.11/Wi-Fi
Mobile | Mobile | GSM
 | | GPRS
 | | EDGE
 | | CDMA2000
 | | EV-DO
 | | HSDPA
Mobile device security has become an important component of security policy
and strategy for today's enterprise. Mobile devices operate on the edge of the
corporate network and pose a new set of challenges because they are often
disconnected from the internal network for extended periods and don't have
a fixed location.
IT departments must plan for both worker-introduced devices
and the planned deployment of corporate-selected devices on business applications.
Businesses need adequate safeguards in place to protect corporate networks and
prevent the loss or theft of sensitive information, while at the same time reaping
the benefits of increased staff productivity. Some best practices outlined below
can help the planning process expand the secured network perimeter to include
mobile devices:
Perform a risk assessment: Risk management for
mobile devices must be valued just as other business risks are for an organization.
A first step is to determine how mobile devices fit into the organization and
how these devices will be managed and secured.
- A sound security plan should be dictated by the organization type and the risks that it faces. Information security planning starts by understanding the value and sensitivity of data that is stored and manipulated.
- Identify the location of sensitive data, who controls the data, who has access to the data, and how it is currently protected.
- Determine what information is stored on mobile devices procured by users: in general, it may be better to extend the policy to control mobile devices rather than to try to lock them out of the organization.
Establish a mobile device security
policy for the enterprise: Companies can maintain handheld security by
consistently implementing security policies that include the use of antivirus
software to counter viruses and SMS malware. These policies should either
eliminate the use of mobile devices or force compliance across all devices
accessing corporate networks and information, regardless of whether the company
has purchased the device and services for it.
IT management can find this particularly challenging since
mobile devices have become a lifestyle item; many knowledge workers want to
choose their mobile device rather than defer to corporate policy. The policy
needs to provide direction for the following:
- Appropriate use of mobile devices
- Information appropriate for the device to access or download
- List of approved devices and software
- Device purchase or order instructions
- Guidance on employee-purchased devices
- Security standards and enforcement
- User responsibilities
MARKET
Operating System | Market
Symbian | 80.5
Microsoft Windows Mobile | 9.7
Palm Source | 4.6
Linux | 4.4
Research in Motion (RIM) | 0.8
Total | 100
Require user education and
training: One key challenge in smart phone and mobile device deployment lies not
in the technology, but in user education. Just as most PC users generally
understand what is appropriate or risky behavior when using a PC, mobile users
need to learn the security risks for mobile devices.
Employees need to be aware of vulnerabilities in mobile
devices and the implications to the company if they are lost or compromised.
Training should include physical security of the device, the mobile device
security policy, and the types of information that are permitted to be stored on
the device. The training should also educate users on what to do if a device is
lost, stolen, or infected.
Implement on-device security: To
maximize the protection of enterprise data, security software with antivirus,
encryption and messaging attack protection must be installed on devices. Because
devices have multiple routes for malware to invade them, on-device security is
key to safeguarding business information, customer privacy, and productivity.
Antivirus software requires frequent updating of the
antivirus definitions to ensure ongoing protection against emerging threats.
Sensitive information such as product roadmaps, customer and order information,
pricing, and confidential employee information requires strong encryption
protection on the device. Messaging attacks are also a risk to employee
productivity, and protection against them should be part of the on-device
protection.
Manage device security centrally: Centralized management
and provisioning of security software helps to provide better protection for the
business and personal information residing on and accessed by these devices.
Centralized management helps IT install software (provision), manage, and update
device security software to enable more consistent protection of business
information and network access.
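As an added illustration (not part of the original article), the following sketch shows how a central management console might check a device inventory against the practices above: approved devices, the three on-device protections, fresh antivirus definitions, remote-wipe enrollment, and Bluetooth discoverable mode (the route Cabir used). The field names, model names, and 7-day threshold are assumptions made for the example.

```python
from datetime import date

# Assumed policy values (hypothetical, not from the article).
APPROVED_MODELS = {"ExamplePhone S60", "ExamplePDA WM"}
MAX_DEFINITION_AGE_DAYS = 7
# The three on-device protections the article asks for.
REQUIRED_PROTECTIONS = ("antivirus", "encryption", "messaging_protection")


def check_device(device, today):
    """Return the policy findings for one inventory record (empty = compliant)."""
    findings = []
    if device["model"] not in APPROVED_MODELS:
        findings.append("model not on approved list")
    installed = set(device.get("protections", ()))
    findings += [f"missing {p}" for p in REQUIRED_PROTECTIONS if p not in installed]
    if "antivirus" in installed:
        updated = device.get("av_definitions")
        if updated is None:
            findings.append("antivirus definitions never updated")
        elif (today - updated).days > MAX_DEFINITION_AGE_DAYS:
            findings.append(f"antivirus definitions {(today - updated).days} days old")
    if not device.get("remote_wipe_enrolled", False):
        findings.append("not enrolled for remote wipe")
    if device.get("bluetooth_discoverable", False):
        findings.append("Bluetooth left in discoverable mode")
    return findings


def audit(inventory, today):
    """Map device id -> findings for every device that fails the policy."""
    report = {d["id"]: check_device(d, today) for d in inventory}
    return {dev_id: f for dev_id, f in report.items() if f}


# Constructed inventory records, for illustration only.
SAMPLE_INVENTORY = [
    {"id": "dev-001", "model": "ExamplePhone S60",
     "protections": ["antivirus", "encryption", "messaging_protection"],
     "av_definitions": date(2005, 6, 28), "remote_wipe_enrolled": True},
    {"id": "dev-002", "model": "ExamplePDA WM", "protections": ["antivirus"],
     "av_definitions": date(2005, 5, 1), "remote_wipe_enrolled": True,
     "bluetooth_discoverable": True},
    {"id": "dev-003", "model": "PersonalPhone X", "protections": []},
]

if __name__ == "__main__":
    for dev_id, findings in audit(SAMPLE_INVENTORY, date(2005, 7, 1)).items():
        print(dev_id, "->", "; ".join(findings))
```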
Conclusion
Mobile devices have exploded in popularity and significantly improved
employee productivity. However, enterprises, mobile operators, and consumers all
need to be aware of the potential for damage caused by lost devices or by virus
infection that results in the loss or theft of valuable or sensitive data.
Enterprises must take proactive steps to minimize the security threat.
Establishing and consistently applying a device security
policy can significantly improve the likelihood that enterprises will continue
to adopt productivity-enhancing mobile devices, while avoiding the potential of
lost productivity caused by future virus outbreaks.
The table on the previous page shows connectivity technologies
that are commonly used by mobile devices. Each represents a potential security
threat and should be considered when designing or evaluating a security solution
for mobile devices.