

    Ward Off Mobile Security Threats





    As Workers Become More Mobile, Risks Increase


    March 7, 2008

    Courtesy of Processor.com

    The world is going mobile, and IT must keep up to protect corporate investments. At a midsized enterprise summit last year, Gartner found that 40% of those surveyed see mobile devices and mobile access as ranking in the top three of all security threats. According to the survey, 90% deploy laptops, 60% deploy RIM BlackBerrys (www.rim.com) and PDAs, and 30% deploy smartphones to employees. In general, mobile access is rising due to readily available Wi-Fi, 3G cellular access, and broadband.

    Understanding which mobile security threats exist—and why the threats have successfully invaded corporate LANs—is a crucial step. Defending your company against these threats is just as critical.

    Mobile Security: Rising Threats

    For the past six months, all eyes have been focused on the Apple iPhone (www.apple.com) and its rippling effect with consumers and in IT. Apple has reported more than 4 million devices sold, and it predicts 10 million sold by the end of this year.

    One important tip for data center admins is to keep an eye on the most popular devices. Any popular mobile device instantly becomes a prime target for hackers and virus creators. Reports recently surfaced about a libtiff exploit that can take control of programs on the iPhone and record video and audio, potentially stealing sensitive company information. The iPhone is a prime candidate because of an API that could allow hackers to use the built-in camera for surveillance.

    It’s also important to be on guard for attacks where an individual attempts to take over a smartphone and record company secrets. Paul Miller, managing director of mobile security at Symantec (www.symantec.com), says this new threat in mobile security is called "snoopware" and is increasingly common as hackers figure out how to take control of other smartphone cameras and intercept audio recording capability. It’s a particularly heinous attack because the hacker can assume control when the device is not actually in use yet still powered on. This is also a difficult hack to prevent because it can use 3G networks or Wi-Fi. The most obvious precaution is to have employees and consultants power down devices during any important conversations or to leave them outside the door, but security software that prevents unauthorized access to a mobile device—and using a VPN to tap into corporate LANs—can help.

    Another tip is to keep abreast of the latest security breaches, especially when the attack intends to steal an employee’s identity or credit card information. One such mobile security threat is called "pranking4profit," which uses SMS messaging to request that the user send personal information to continue a sign-up process that he may or may not have started. What makes this threat dangerous is that cell phone users are accustomed to explicitly trusting incoming text messages as authorized by the carrier and legitimate in nature.

    The risk of losing devices is still the most important security pothole. Risk mitigation, where there is a plan of action if an employee misplaces a gadget or it is stolen, is a critical strategy for mobile security and perhaps the most important first step in an SME action plan.

    "Losing these devices still remains one of the biggest threats, especially now that they function more as a computer than a cell phone," says Miller. "With this increased functionality, they have become a convenient alternative to a bulky laptop. However, their small size also contributes to the increased risk that they will be lost or stolen. Businesses who use these devices to store confidential data need to understand this risk and employ some form of loss mitigation to protect the information."

    "Devices such as smartphones, USB drives, and laptops are built to be user-friendly, but unfortunately, that ease of use makes it simple for sensitive enterprise content to be copied from one location to another and be physically removed from the enterprise," adds Ram Krishnan, senior vice president of products and marketing of GuardianEdge (www.guardianedge.com), a company that focuses on securing mobile devices. "If this information is compromised, it has huge costs for the enterprise. It is imperative that organizations take these types of devices into consideration when reviewing their overall IT security strategy."

    Gartner says that mobile threats are successfully infecting and compromising corporate networks for three reasons. One is that end users typically only obtain the latest updates and patches when they are on the corporate campus, instead of at the point of mobile access. The second reason is that mobile users who connect in public places are sometimes infected by a virus or spyware and then infect corporate networks when they tap in to the home office. A third reason has to do with consultants and customers who are allowed to connect to a company network, often over Wi-Fi, and unknowingly infect systems.

    Protecting Networks From Mobile Threats

    As with any new security threat, there’s a near-constant catch-up process for vendors and IT. One of the best strategies, says GuardianEdge’s Krishnan, is to integrate tightly with Microsoft AD (Active Directory; www.microsoft.com). GuardianEdge’s Data Protection Platform encrypts data on mobile devices and controls data leakage, yet the integration with Active Directory means admins can work alongside the AD management console. As the infrastructure around AD changes with the needs of an SME, the plug-in architecture of the mobile security agent also expands. Too many companies deploy new mobile security products as their user counts grow and the business needs change, which delays the security strategy and plans.

    On the mobile device itself, TrendMicro (www.trendmicro.com) offers the greatest depth in terms of support for Windows Mobile devices, Palm, Symbian OS, Apple iPhone, and others. The "all-in-one" approach of its Mobile Security 5.0 product includes a firewall, managed encryption, authentication, anti-malware, and intrusion detection as opposed to offering separate and disparate packages for each defense.

    Symantec, one of the long-time leaders in desktop security, offers enterprise mobile device security tools for antivirus and firewall, data encryption, and data loss protection. In keeping with the trends in the industry, the company has also instituted a program to help IT admins deal with lost or stolen mobile devices.

    "Aside from encryption capability, Symantec has incorporated into its suite an audit log that keeps track of all the files accessed on the device," says Miller. "If the phone is lost, an employee can call their IT department, and they can remotely access this log to see if any files were accessed after the employee realized it was missing. Once they have that information, the IT department can execute a remote wipe and kill of the device, to remove the threat that any files may be accessed in the future. Symantec has also incorporated a mobile VPN into the suite for secure access to a company’s network."

    In the end, these best practices will help protect company assets, but the best strategies are always evolving and adapting to the latest threats, the latest devices, and the latest development in security.