Today, just about every individual walks around with a smartphone, instead of
a mobile phone, thanks to the declining prices of these devices. The good thing
here is that though their prices are declining, the number of features they
offer is increasing. So, pretty much every smartphone today let's you browse the
Internet, download emails, manage calendars, and install applications. It's like
having a micro-PC in your pocket. The exponential growth in the number of
smartphones has also resulted in a rise in the number of App Stores that provide
applications for them, a trend that was started by Apple a few years ago. So
just about every smartphone vendor worth his name today, and even service
providers like Airtel, Vodafone, etc have setup and are promoting their own App
Stores, hosting apps that run into hundred thousands of numbers.
Where is all this activity heading? On one side, these devices are becoming
handy business tools, because your employees can now be productive from
anywhere. That's a boon for organizations, which is why we're seeing so many
mobile field force apps being deployed, and so many enterprise software vendors
porting their apps to mobile devices, and so on.
But there's a downside to it as well, and a pretty dangerous one at
that-security threats. As more applications are ported to smartphones, the
number of vulnerabilities on them will also increase. There have been many proof
of concept viruses (like the first one, Cabir) developed to proove that security
threats on mobile devices are definitely real, and will become a menace in the
coming years. Let's take a real life example of the most successful enterprise
mobile success story of them all-the Blackberry. Most enterprises today, hand
out Blackberries to at least key people in their organization. If you visit the
Blackberry website, you'll find an entire section devoted to Blackberry
security, which is regularly updated with the latest vulnerabilities found on
the Blackberry platform.
For instance, one threat we found on the site was a vulnerability in the PDF
distiller of the Blackberry Attachment Service for the Blackberry Enterprise
Server. Using this vulnerability, someone could send out an email with a
specially crafted PDF as an attachment to a Blackberry device owner. When
opened, this file could do things like cause memory corruption, do arbitrary
code execution in the Blackberry Attachment Service component of the BES, etc.
Similarly, there's a host of other vulnerabilities listed on the website. With
declining prices of the Blackberry service, more users will own them, and your
security related tasks will just multiply.
So it's no longer about kiddy stuff like a malicious person on the prowl for
mobile devices with Bluetooth enabled so that a malicious program could be
uploaded to them. It's no longer about malware that causes no harm, but is only
a nuisance. All that is certainly going to remain, but things will become much
more serious than that. After all, why should a malicious person bother about
finding such weak channels to get into the devices, when the devices themselves
can connect to the Internet and to a corporate network? It becomes easier to
penetrate these devices via these two channels.
Smartphone Security Tips |
|
And you can imagine what happens when 3G sets in. There will be a sharp
increase in the number of mobile applications. Users would then start storing
even more sensitive information on their devices, due to which, they'll become
even more vulnerable to attack.
So the time to act on mobile security is now. Find out what kinds of mobile
predators await you, and identify the kinds of solutions that can be used to
protect you against them. Our story focuses on these two aspects.
Mobile predators and the damage they cause
It's human nature to take measures only after a crisis or emergency occurs.
For instance, how many people back-up data from their systems? Mostly nobody,
except when a catastrophe happens and they loose their precious data. Similarly,
people believe that mobile security threats are not real, and are unlikely to do
something about it until a catastrophe occurs. Maybe it won't happen in the near
future, because currently the amount of malware available for mobile phones
isn't as high as that for the regular desktop OSs. But, maybe it will, because
cellphones are increasingly competing with PCs in terms of functionality they
provide, which is why they're called smartphones. As they start becoming as
powerful as computers, they'll also become vulnerable to threats.
Without understanding the different types of mobile security threats you can
face, and how they spread, it would be impossible to identify the right
solutions to protect against them. A mobile device is like a micro-PC. It has
its own OS, memory, display, various ports to connect to external devices,
network connectivity, etc. So you can install different types of applications on
it, connect it to the Internet, network, etc. Due to this similarity, the
security threats on mobile devices would be no different from those found on
PCs-viruses, trojans, key loggers, and other types of malware.
Viruses and Trojans don't need an introduction. Just as they cause damage on
PCs, they can do the same on mobiles as well. On one side, they could do
annoying things like drain out your phone's battery fast, disable certain
functions, rename or change certain icons making it difficult for you to find
information or operate the device. They could get slightly uglier and also
damage your phone's memory and other controls, rendering the device completely
useless, or even delete important business information.
Viruses and Trojans could become worse, and do more serious damage, like
steal important information such as your bank account details if you use mobile
banking (explained later) and cause monetary loss, do false billing, spread
themselves to other devices, and so on. Further still, they could even mis-use
your identity.
Security Measures for Your Smartphone | ||
For providing end-to-end mobile security solution, the
Mobile Core Network: The security solution for the Enterprise Security Solution: At the enterprise,a End Device: The security solution for the End Device Sandeep Gupta, CTO, iPolicy Networks, |
Next come mobile keyloggers. These programs would log every key you press on
the smartphone, every message you send out or receive, and scan all data within
the mobile banking or trading software that you might be using.Then, there would
be security threats like spying tools that are specific to the mobile phone
function of these devices. PhoneSnoop for instance, is a tool that can remotely
turn on the microphone of your smartphone so that somebody else can listen in on
the conversation. Similarly, there would be other tools that can intercept
communication, turn on phones, etc.
Finally, the most common predators of all are people who physical steal your
smartphone. Most of the times, the only aim for these people to steal is to
earn a few easy bucks by selling them to somebody else. That's the least bit of
damage you can expect, but it could get worse, if somebody steals it for
malicious intent. Since there's no way to find out the thief's intentions, it's
better that you're prepared for such a calamity as a user, and as a CIO who has
to protect all the data on those smartphones. What do you do to secure the
confidential data in your phone after losing it in the back of a cab? There are
solutions like CompuTrace Mobile that can remotely delete valuable information
from your device.
How mobile predators attack
If you think your smartphone is safe from security threats, then think
again. It might be safe now, but as you start using it more aggressively beyond
a basic phone, by installing different types of applications on it, you're bound
to face the security threats. And when 3G sets in, besides the higher bandwidth,
you'll also get 'other guests' coming in!
The regular channels of attack are of course SMS and Bluetooth. You use SMS
to send out important information to your clients, or send SMS queries to your
ERP system to find out the prices of your latest product. Plus, you send out
SMSs to participate in contests, and of course to friends.
SMS based ads have become a menace. Everyday, there's an ad about a new
property for sale, or about a company offering cheap website hosting, etc. SMS
is also used to receive news from various channels. Somebody could easily send
you a link via SMS, which takes you to a malicious website. Bluetooth is one of
the oldest way spreading malware, so it would suffice to say that you might
transfer a program from somebody, which contains a Trojan or a worm.
Email is becoming the other common way of spreading malware on mobiles. You
download emails to your smartphone, just as you do to your desktop or laptop.
The only difference is that these emails could contain vulnerabilities specific
to your mobile phone, just like the Blackberry PDF vulnerability that we talked
about earlier in this story.
Finally, as web browsing becomes more popular on smartphones, the world of
malware will just open up. The browsing could happen over 3G when you're on the
move, or over WiFi when you're in office.
Kaspersky Mobile security 9.0 |
This anti virus solution provides access scan |
Memory cards
One typical issue that 'on the go' employees face is transfer of worms and
other malware through memory cards from infected mobile devices. This leads to
further infection of corporate resources. Also, data piracy resulting from the
stolen and misplaced phone can compromise corporate network.
Enterprise apps like mobile banking
Mobile banking in the US is pretty hot, with most of the banks offering this
facility to their customers. Several banks in India, like ICICI are also
offering mobile banking. As more users start using their cellphones and
smartphones for mobile banking, security threats are likely to follow. So if
your smartphone gets stolen, you loose more than just your contact information,
especially if you have your mobile banking software installed on it, and access
it over GPRS.
Through a harmless game
You might for instance have found a good game on the Internet and install it
on your smartphone. Without your knowledge, the game also installs a Trojan in
the background, turning your smartphone into a gateway for sending out
information without your knowledge. A company called Storm8 had developed free
games that collected users' mobile numbers. It is said that this was not done
with malicious intent, but there can certainly be others that would take
advantage of the opportunity.
Securing your smartphone from attacks
As the very first step, you should register for the Do not disturb (DND)
service from the service provider of your phone. It's a different matter of
course that even after registering, some SMS based spam is likely to creep
through but at least you'll have some protection. So, the next step is to just
be careful about links you might get on your SMS.
Encrypt data on your phone, so that even if it gets stolen, you don't have to
worry about your information being mis-used. The Blackberry service for
instance, allows strong encryption of the data residing on the device.
Configure your mobile device so that it asks for a password every time you
access your email or a VPN. Then of course, you should back up your mobile data
frequently.
What if your mobile gets stolen? There are services like Lookout Mobile
Security, which can back up your data and remotely wipe out the same if it gets
stolen. F-Secure Mobile Security 6 has the Premium Anti-theft with Locator
feature, which can help you locate the phone on a map. With its anti-theft
feature, you can also lock or erase data remotely.
Smartphones are one arena that changes every year. IT administrators are due
to see more and more of these powerful devices on their networks in the future.
It's important to gain visibility into which devices are connecting into the
network and manage the devices with policies designed to protect the same. You
should have policies that require smartphones that access your network be
protected by password or biometrics. Monitoring which devices are connected to
your corporate network, when they are connected, etc are of equal importance. IT
managers should be able to generate a complete inventory of all
enterprise-connected devices to ensure they are compliant with IT policy. Again,
given the host of mobile platforms available today, like BlackBerry, Windows
Mobile, iPhone, Symbian, and Android, single platform strategies will not help
you keep pace with the innovation. There are solutions like MobileIron Virtual
Smartphone Platform that help enterprises with smartphone management. These
provide visibility into what's on a smartphone and how it's being used, thus
enabling both IT admin and users secure data without compromising privacy. The
Virtual Smartphone Platform is packaged as an easy-to-install appliance that
plugs into your corporate network.
Types of mobile security solutions
Anti-Virus: With smartphones increasingly being adopted, given the slew of
functionalities in them including emailing, anti virus prove to be critical to
do away with any Web based attacks.
Encryption: Encryption based solutions are essentially targeted at and
useful for the enterprise users. This type of solutions help employees secure
their data by avoiding third-party access to the same.
Firewall: The solutions providers have upgraded their anti virus
modules to include firewalls for the smartphones. These firewalls, just like the
ones for normal computers provide the first level of security by pro-actively
stopping attacks from unwanted sources. The firewall concept is all the more
important for smartphones as your active Bluetooth connection or an active Wi-Fi
network can be a source for a mobile hack attack which basically compromises
your data safety.
Remote Data Recovery: What worries you most when you lose your mobile
phone? It is essentially the data that resides within and not the device. Remote
data deletion helps you wipe out your sensitive information in your mobile
remotely.
Enable content protection: Smartphones store a whole lot of important
information, so it's important that you protect it. In Blackberry devices for
instance, you can easily enable content protection and all the information would
lie in encrypted form in the device. This way, if anybody tries to pull out the
data using a USB port, they won't get anything out of it. There is also software
available to prevent the download and installation of unauthorized software on
smartphones.
What to look for in mobile security solution
To decide which mobile security solution is right for you, keep in mind how
much protection you need and which software program your device will support.
Some of the factors to keep in mind while deciding your security solution are:
Protection: The best security solution is the one that provides
maximum level of protection. Its look and usability should ideally take a back
seat for a security product. A typical mobile security solution will incorporate
anti virus, anti-spam, and firewall security with real time protection.
Features: Most security solutions provide additional
features apart from the regular ones like anti virus, etc. But these invariably
come at a price premium or sometimes at the cost of taking over the performance
of your device by unnecessary usage of resources. Thus it is important to match
solution with your needs before you buy one.
10 Mobile Security Tools (You'll also find these tools on this month's DVD) |
|
Installation and Ease of Use: The ease of usage is a
major criteria in deciding the security product. For mobiles, the preference
gets magnified as the device has lesser resources at hand. The product should be
one that is easy to install, operate and easy to understand which helps in
optimizing the use of resources and freeing them up as soon as possible.
Updates: Threats keep updating and multiplying with
the passage of time. Software which helps protect from these threats is only as
effective if it is kept updated. Thus it is important that the security solution
be updated regularly. The software vendors do keep providing updates but these
should be easily accessible, which forms the basis for complete protection from
latest threats.
Technical Support: Ideally, the solution should not
require much support or documentation. But, it helps if the vendor provides
technical support in a variety of accessible formats. This may be important if
the user faces any glitches in his handling the product. The idea is to minimize
the downtime of the security layer as even a small time frame is sufficient
enough for a dedicated attack at your precious security.
Costs: Since data security is of prime concern for
any individual or an enterprise, the cost of the security solution may not be an
issue. This is because the costs associated with losing data may be much higher
than the cost of buying and deploying a solution. However, with multiple
options available in the market today with varying prices, the cost of the
solution can also be kept in mind while opting for a solution.