
A Handset Full of Woes

VoicenData Bureau

As handsets become more vulnerable to various types of attacks, a

better device security policy should be put in place


A recent study by Gartner found that 55% of

PDAs shipped in the first quarter of 2005 included integrated wireless local

area network (LAN) or cellular/mobile capabilities.

Knowledge workers use mobile devices for various types of

connectivity—from construction supervisors entering change requests to retail

workers using wireless connectivity for inventory management. For many workers

today, these devices are their only computing platform. However, as mobile

devices move data and files to and from networks and tap into existing

applications, the risks increase for compromising sensitive data and

transmitting infections.

Mobile Carrier Networks and Services



Understanding the true security threats to mobile devices requires some knowledge of the networks they use to communicate. In contrast to PDAs that regularly synchronize with a PC, smartphones are typically independent devices that may periodically synchronize with a PC, but rely primarily on a mobile operator's wireless network for connectivity. The first-generation mobile phone models, known as feature phones, provided only voice capabilities, in contrast to smartphones, which include over-the-air data connections and text messaging capabilities, such as short message service (SMS) and multimedia message service (MMS).


Data transfer rates have been increasing and are expected to jump dramatically in coming years. Commonly used 2G GPRS data transfer technology typically provides 35 Kbps download speeds, while emerging 3G networks can provide from about 400 Kbps (WCDMA/UMTS) to 2-3 Mbps (HSDPA) when fully evolved.

As the data transfer rates climb, enterprises can help

improve knowledge worker productivity by enabling remote usage of enterprise

applications. For example, knowledge workers who commute via train can tap into

high-speed mobile networks to use applications such as e-mail, enterprise

resource planning (ERP) or human resources management (HRM) systems, while in

transit. The faster 3G technologies such as WCDMA, EV-DO, and HSDPA can enable

users with certain mobile devices to access enterprise applications using speeds

approaching 'wired' connections.


While these high-speed data transfers improve productivity, they also increase the possibility of infection. Higher speed networks make it easier for users to surf the Web, use IP networks for communication, and download and install applications. In the same way that high-speed Internet connectivity enabled malware and spyware to propagate more quickly to networked PCs, the addition of high-speed mobile data networks is expected to open the door to potential infections of smartphones.

Authentication, Encryption, and VPN Software: Key Building Blocks



Mobile devices are vulnerable without some type of authentication and encryption to help protect data from unauthorized access. Authentication, the first step in securing information on a mobile device, helps to ensure that only authorized users can access the network. Some approaches to authentication may include a user password, a security certificate in a smartcard or a SecurID, or another authentication option that relates to a specific security plan for the mobile device.


Encryption, on the other hand, protects the data in transit

and denies unauthorized access to data stored on a mobile device as well as the

data and communications that pass through the networks. Encryption can be done

by an application, an information service, or the network.

For devices accessing corporate IT sources, secure remote access for applications may require virtual private network (VPN) software. VPNs provide secure access to information portals and applications and can also enable mobile devices to connect to a corporate network over the Internet.

Mobile device security also requires a management solution that can erase information or wipe a decommissioned device so that it is unrecoverable. When an executive accidentally loses a smartphone containing critical deal information, that device must be wiped clean. Without this capability, sensitive data can become public very quickly.


The Evolution of Mobile Viruses



Viruses affecting mobile phones are a relatively new phenomenon. One of the first significant attacks involving mobile phones occurred in June 2000 and focused on a specific mobile operator. The first viruses to attack handheld devices also occurred in 2000. Viruses such as Liberty, Phage, and Vapor affected devices using the Palm OS. The Palm OS has not been subject to further virus attacks. However, malware affecting devices using other operating systems has occurred since that time.

NTT DoCoMo malware attack: During August 2001, Japanese users of NTT DoCoMo's i-mode found their phones started to dial 110, the Japanese equivalent of 911 emergency assistance, if they answered 'yes' to a certain question during an online quiz regarding love. Japanese police switchboards were swamped with bogus calls that prevented authorities from responding to true emergencies. NTT DoCoMo has now corrected the vulnerability exploited by the attack.

Symbian Viruses: Beginning in 2004 and continuing in 2005, viruses affecting Symbian OS and the Microsoft Windows Mobile OS have significantly increased. Symbian OS in particular has suffered from virus outbreaks affecting devices using Symbian OS 7.0s with the Series 60 platform user interface, the software used in most Nokia smartphones. The Cabir attack, which occurred in June 2004, was followed by a steady stream of variants and permutations including Qdial, Skulls, Velasco, Locknut, and Dampig.


Cabir and its offspring represent proof-of-concept malware that has propagated effectively and caused little damage. These initial viruses represent the hacker community experimenting with a new technology. Cabir used Bluetooth wireless connectivity to transmit itself; Bluetooth transmissions are limited to 10 meters in distance. The infected device would search for other Bluetooth devices in discoverable mode, and then the user of the target device would have to click through four dialog boxes for the mobile device to actually be infected.

Although the Cabir virus did not propagate to any significant degree, the increasing frequency of its variants demonstrates that virus writers are becoming better at writing viruses for mobile devices. Subsequent malware, Comwar and Mabir, used more effective methods, particularly through MMS.

Smart phones and mobile messaging malware: Built-in messaging capabilities of smart phones make them a natural target for messaging worms. A virus can leverage the phone's integrated messaging capability to propagate to other phones. This malicious code can use the phone's address book to find new targets. For example, devices infected with the Mabir virus, which affects Symbian OS 7.0 with the Series 60 platform user interface, will attempt to infect other devices supporting MMS by responding to received SMS or MMS messages and sending a copy of the virus by MMS. This interrupts user productivity, drains the battery, can increase MMS charges, and provides the potential to damage a user's reputation among friends and business colleagues. Although such attacks are not yet common, protecting phones from mobile messages with malicious payloads, also known as mobile messaging malware, is an essential component of any antivirus solution.


Best Practices for Mobile Device Security

Understanding Potential Infection Vectors: Mobile Device Connectivity

| Category           | Type                        | Example                      |
|--------------------|-----------------------------|------------------------------|
| Local Storage      | Physical media              | SD card, Memory Stick        |
| Peer to Peer       | Personal Area Network       | Infrared (IrDA)              |
|                    |                             | Bluetooth                    |
|                    |                             | Synch cable (Active Sync)    |
| Local Area Network | Local Area Network          | PCMCIA Ethernet Network card |
|                    | Wireless Local Area Network | 802.11/Wi-Fi                 |
| Mobile Network     | Mobile Operator Network     | GSM                          |
|                    |                             | GPRS                         |
|                    |                             | EDGE                         |
|                    |                             | CDMA2000                     |
|                    |                             | EV-DO                        |
|                    |                             | HSDPA                        |



Mobile device security has become an important component of security policy and strategy for today's enterprise. Mobile devices operate on the edge of the corporate network and pose a new set of challenges because they are often disconnected from the internal network for extended periods and don't have a fixed location.

IT departments must plan for both worker-introduced devices and planned deployment of corporate-selected devices on business applications. Businesses need adequate safeguards in place to protect corporate networks and prevent the loss or theft of sensitive information, while at the same time reaping the benefits of increased staff productivity. Some best practices outlined below can help the planning process to expand the secured network perimeter to include mobile devices:

Perform a risk assessment: Risk management for

mobile devices must be valued just as other business risks for an organization.

A first step is to determine how mobile devices fit into the organization and

how these devices will be managed and secured.

  • A sound security plan should be dictated by the organization type and the risks that it faces. Information security planning starts by understanding the value and sensitivity of data that is stored and manipulated.

  • Identify the location of sensitive data, who controls the data, who has access to the data, and how it is currently protected.

Determine what information is stored on mobile devices procured by users: In general, it may be better to extend the policy to control mobile devices rather than to try to lock them out of the organization.

Establish a mobile device security policy for the enterprise: Companies can maintain handheld security by consistently implementing security policies that include the use of antivirus software to counter viruses and SMS malware. These policies should either eliminate the use of mobile devices or force compliance across all devices accessing corporate networks and information, regardless of whether the company has purchased the device and services for it.

IT management can find this particularly challenging since mobile devices have become a lifestyle item; many knowledge workers want to choose their mobile device rather than defer to corporate policy. The policy needs to provide direction for the following:

  • Appropriate use of mobile devices

  • Information appropriate for the device to access or

    download

  • List of approved devices and software

  • Device purchase or order instructions

  • Guidance on employee-purchased devices

  • Security standards and enforcement

  • User responsibilities

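MARKET SHARE FOR MOBILE DEVICE OPERATING SYSTEMS

| Operating System                         | Market Share (in %) |
|------------------------------------------|---------------------|
| Symbian                                  | 80.5                |
| Microsoft Windows Mobile for Smartphones | 9.7                 |
| Palm Source                              | 4.6                 |
| Linux                                    | 4.4                 |
| Research in Motion (RIM)                 | 0.8                 |
| Total                                    | 100                 |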



Require user education and

training: One key challenge in smart phone and mobile device deployment lies not

in the technology, but in user education. Just as most PC users generally

understand what is appropriate or risky behavior when using a PC, mobile users

need to learn the security risks for mobile devices.

Employees need to be aware of vulnerabilities in mobile devices and the implications for the company if they are lost or compromised. Training should include physical security of the device, the mobile device security policy, and the types of information that are permitted to be stored on the device. The training should also educate users on what to do if a device is lost, stolen, or infected.

Implement on-device security: To

maximize the protection of enterprise data, security software with antivirus,

encryption and messaging attack protection must be installed on devices. Because

devices have multiple routes for malware to invade them, on-device security is

key to safeguarding business information, customer privacy, and productivity.

Antivirus software requires frequent updating of the antivirus definitions to ensure ongoing protection against emerging threats. Sensitive information such as product roadmaps, customer and order information, pricing, and confidential employee information requires strong encryption protection on the device. Messaging attacks are also a risk to employee productivity, and protection against them should be part of the on-device protection.

Manage device security centrally. Centralized management

and provisioning of security software helps to provide better protection for the

business and personal information residing on and accessed by these devices.

Centralized management helps IT install software (provision), manage, and update

device security software to enable more consistent protection of business

information and network access.


Conclusion



Mobile devices have exploded in popularity and significantly improved

employee productivity. However, enterprises, mobile operators, and consumers all

need to be aware of the potential for damage caused by lost devices or by virus

infection that results in the loss or theft of valuable or sensitive data.

Enterprises must take proactive steps to minimize the security threat.

Establishing and consistently applying a device security

policy can significantly improve the likelihood that enterprises will continue

to adopt productivity-enhancing mobile devices, while avoiding the potential of

lost productivity caused by future virus outbreaks.

The table on the previous page shows connectivity technologies that are commonly used by mobile devices. Each represents a potential security threat and should be considered when designing or evaluating a security solution for mobile devices.
