Mobile devices such as smartphones, PDAs and laptops have been an incalculable productivity boon for today's enterprises. Mobile devices are prized for the flexibility and convenience they provide, while at the same time mobility presents significant challenges for IT administrators charged with managing their companies' data and networks and keeping them secure -- particularly as mobile devices and networks have become more sophisticated and ubiquitous. IT managers must take a long, hard look at the ways these devices access and store corporate data to ensure they don't pose a security risk. This article examines some of the primary security issues surrounding mobile devices and suggests what enterprises can do to address them.
Increasing risks to confidential data
According to a recent survey by InsightExpress, business users utilize their smartphones not only for company business, but for e-mail, instant messaging, browsing the Web, downloading and sharing files over the Internet, as well as for checking financial accounts. The survey found that the majority of smartphone users (55.7%) store confidential personal, business or client data on their devices. More than 54% of smartphone owners use their devices to send and receive e-mails that include confidential personal data; 40% access bank accounts using their smartphones; and nearly one-third of respondents access credit card accounts.
Imagine the business impact if an employee's smartphone, laptop or handheld were lost or stolen, revealing confidential employee or customer data such as contact information, credit card information, social security data, or credit reports. Such incidents could not only turn into public relations disasters, but could also violate laws and regulations. Consider the potential legal action for a publicly traded company whose employee records, sales reports, or M&A plans fell into the wrong hands.
In addition to loss or theft, security experts are finding a growing number of viruses, worms, and Trojan horses that target mobile devices. Although none of the new attacks has done extensive damage in the wild, many experts believe it's only a matter of time before this occurs. Within the past few months, there have been several examples of nuisance malware such as worms, viruses and Trojans in the public domain attacking mobile devices. Table 1 highlights just a few recent threats:
| Date | Threat |
|---|---|
| 1-18-06 | SymbOS.Sendtool.A is a Trojan horse that runs on the Symbian operating system, which is the operating system used for Nokia Series 60 mobile phones. The Trojan horse drops a hacktool that can be used to send malicious programs, such as variants of the SymbOS.PBStealer family of Trojans, to other mobile devices via Bluetooth. |
| 1-18-06 | SymbOS.Pbstealer.D is a Trojan horse that runs on the Symbian OS. The Trojan sends the user's contact information database, Notepad, and Calendar To Do list to other Bluetooth-enabled devices. |
| 1-18-06 | SymbOS.Bootton.E is a Trojan horse that restarts the mobile device when executed. However, because it also drops corrupted components, the device is unable to restart. The Trojan runs on the Symbian OS. |
| 1-13-06 | CDropper is a family of Symbian SIS file Trojans that install Cabir variant(s) on the device. Some of the installed Cabirs replace system or common third-party applications. If the user has one of those applications installed, it is replaced with Cabir and its icon in the menu goes blank. |
| 1-3-06 | SymbOS.Pbstealer.C is a Trojan horse that runs on the Symbian OS, which is used as the operating system for Nokia Series 60 cellular telephones. The Trojan sends the user's contact information database, Notepad, and Calendar To Do list to other Bluetooth-enabled devices. |
| 12-3-06 | SymbOS.Hidmenu.A is a Trojan horse that drops corrupted files to the memory card of the compromised device. |
In the emerging smartphone and PDA markets, the three dominant mobile device operating systems are Symbian, Palm, and Windows Mobile. According to Canalys, an industry-analysis research firm, Symbian's market-leading share rose to 53% in 2004 from 38% in 2003. Due to their broad availability, Symbian phones have become malware writers' favorite target.
While the number of mobile device threats reported in the wild is still relatively small, the types of threats created demonstrate some of the advanced capabilities of these devices. As mobile computing becomes more common and mobile devices become more complex, it is likely that other avenues of attack will be discovered.
A threat scenario
For IT managers, of course, one concern is that a well-meaning road warrior could inadvertently infect the organization's network with a worm or virus. Consider the scenario of an authorized user with a smartphone or PDA and a secure VPN connection to the network. Were the smartphone or PDA to be contaminated by a virus before the user established a VPN link, the virus could bypass the corporate firewall and enter the network.
Because of scenarios like that, more and more mobile enterprises are realizing that security and administration policies must be extended to all endpoints including laptops, smartphones, and PDAs. They need remote interrogation systems to determine whether a device seeking a network connection is really an authorized device. They also need tools that interrogate a device to see if it is current in terms of firewall settings, antivirus updates, and software patches. These security measures are a matter of policy to reduce risk, ensure business continuity, comply with regulations, etc. This should be a policy irrespective of actual threats because it's a matter of risk management to key business assets, processes and proprietary information.
Another challenge for IT managers is that the inherently small form factors of PDAs and smartphones make them more likely to be lost or stolen. Most users carry critical data on their devices such as e-mails, address books, meeting notes, and calendar appointments. Also, most platforms come with a simple software-based login scheme that allows configuring a password to protect access to the device. Such mechanisms can easily be bypassed by reading the device memory directly without starting the operating system.
Moreover, as these devices become more powerful, they're increasingly likely to contain sensitive information. Earlier this year, for example, a laptop containing the names and Social Security numbers of 16,500 current and former employees at a large telecommunications firm was stolen from an employee's car in Colorado. The chief executive of a leading technology company had his laptop stolen from the podium of a hotel conference room where he had just finished giving a talk to the Society of American Business Editors and Writers. He had been talking with several members of the press only 30 feet away when he noticed the laptop was missing.
Again, the loss of sensitive data isn't the only concern. As The Washington Post reported: "Some companies suffer only embarrassment from such incidents. But for public companies or financial firms, a lost device could mean violation of the Sarbanes-Oxley Act, which requires strict controls over disclosure of financial information. For doctors and health care companies, the loss of customer data compromises patient confidentiality, protected by the Health Insurance Portability and Accountability Act." (Lost a BlackBerry? Data Could Open A Security Breach, July 25, 2005)
Securing the Operating System
Most operating systems for PDAs and smartphones have been designed from scratch within the last decade, and security has been one of several important criteria. The early driving factors in the design phase were low memory usage, small OS footprint, always-on operation and the support of special hardware, such as low-power chipsets and small screens. Because the IT industry now recognizes the need for more secure computing models, additional security features such as VPN, SSL, crypto modules, login passwords, and code signing have been introduced. Microsoft and Symbian, in particular, have made significant improvements to their mobile operating systems. Symbian 9, for example, has sophisticated security models, trusted computing concepts, data caging, application rights, etc.
At the same time, other features continue to be added to these operating systems. Market and user expectations have largely driven OS providers and device manufacturers toward more and more features, which introduce additional software complexity. And since each line of code can be the reason for an additional security exploit, the risk of additional security issues grows with each added feature. Additionally, mobile devices can now be connected in many more ways than via a carrier's network (e.g., Bluetooth, Wi-Fi, infrared, corporate networks); they no longer operate in a closed environment.
Know your options
Despite the high numbers of mobile devices that go missing, companies are apparently not doing enough employee education to help secure their mobile assets. The problem is not unique to the U.S. -- a recent survey in the U.K. revealed that nearly two-thirds of U.K. business users do not use a password when they log on to their laptops, and of the users who do use passwords, 15% use their name and 10% give password details to colleagues. A third of the respondents have not changed their passwords in the past year.
The ideal solution would be to prohibit all confidential data from being stored on mobile devices, but that is neither realistic nor practical. Of course, developing company policies and procedures to minimize the risk of theft or compromised data on employees' mobile devices should be the foremost precaution taken by IT or IS administrators. The following safety measures could reduce the risk that confidential information will be accessed from lost or stolen mobile devices:
- Provide training to personnel using mobile devices. People cannot be held accountable to secure their information if they haven't been told how.
- Remove data from devices that aren't in use. Several incidents have occurred by people obtaining "hand-me-down" mobile devices that still had confidential company data.
- Establish procedures to disable remote access for any mobile devices that are lost or stolen. Many devices store user names and passwords for Web site portals, which could allow a thief to access even more information than on the device itself.
- Centralize management of your mobile devices. Maintain an inventory so that you know who's using what kinds of devices.
- Patch management for software on mobile devices should not be overlooked. This can often be simplified by integrating patching with syncing, or patch management with the centralized inventory database.
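The "remote interrogation" described in the threat scenario (is the connecting device really an authorized one, and is it current on firewall settings, antivirus updates and patches?) and two of the measures above (disable remote access for lost devices; keep a central inventory) fit naturally into one admission check. The following is an added example, not code from the article or from any vendor product it mentions: the inventory records, posture fields, thresholds and device ids are constructed assumptions chosen for illustration, and in practice the posture report would come from an agent on the device rather than a hard-coded dataclass.

```python
"""Endpoint admission check: central device inventory plus posture interrogation.
Added example; record formats, thresholds and ids are illustrative assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Constructed sample inventory (hypothetical device ids and owners).
INVENTORY = {
    "pda-0042":   {"owner": "jdoe",   "status": "active"},
    "phone-0107": {"owner": "asmith", "status": "lost"},   # already reported lost
}

# Posture thresholds; the values are assumptions, not the article's.
POLICY = {"max_signature_age_days": 7, "min_patch_level": 3}


@dataclass
class Posture:
    """What interrogating a connecting device reports back."""
    device_id: str
    firewall_enabled: bool
    av_signature_date: date
    patch_level: int
    password_set: bool


def evaluate(posture: Posture, today: date, inventory=INVENTORY, policy=POLICY):
    """Return (admit, reasons). Unknown or non-active devices are refused
    regardless of posture; an active device must meet every threshold."""
    reasons: list[str] = []
    record = inventory.get(posture.device_id)
    if record is None:
        reasons.append("device not in inventory")
    elif record["status"] != "active":
        reasons.append(f"device status is {record['status']}")
    if not posture.firewall_enabled:
        reasons.append("firewall disabled")
    age = (today - posture.av_signature_date).days
    if age > policy["max_signature_age_days"]:
        reasons.append(f"antivirus signatures {age} days old")
    if posture.patch_level < policy["min_patch_level"]:
        reasons.append(f"patch level {posture.patch_level} below required "
                       f"{policy['min_patch_level']}")
    if not posture.password_set:
        reasons.append("no device password configured")
    return not reasons, reasons


def report_lost(inventory, device_id: str) -> bool:
    """Flag a device as lost so its next connection attempt is refused,
    whatever posture it presents. Returns False for unknown ids."""
    if device_id in inventory:
        inventory[device_id]["status"] = "lost"
        return True
    return False


TODAY = date(2006, 2, 5)  # constructed reference date for the sample run
SAMPLE_POSTURES = {  # constructed posture reports
    "healthy": Posture("pda-0042", True, date(2006, 2, 1), 3, True),
    "stolen":  Posture("phone-0107", True, date(2006, 2, 1), 3, True),
    "stale":   Posture("pda-0042", False, date(2006, 1, 1), 2, False),
    "unknown": Posture("laptop-9999", True, date(2006, 2, 1), 3, True),
}

if __name__ == "__main__":
    for name, p in SAMPLE_POSTURES.items():
        admit, reasons = evaluate(p, TODAY)
        verdict = "ADMIT" if admit else "DENY"
        print(f"{name:8} {p.device_id:12} {verdict:6} {'; '.join(reasons)}")
```

The inventory check runs first and independently of posture: a device reported lost through `report_lost` is refused even if whoever holds it presents a perfectly patched, firewalled image, which is the point of the "disable remote access" measure. Every failed threshold is collected rather than stopping at the first one, so the help desk sees the full list of what the user has to fix before the device is admitted.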
Fortunately, security products that can detect malicious code exist for most mobile device operating systems. Security technologies that can protect both the organization and the various types of mobile devices should also be implemented. Native mobile device security such as light encryption, basic passwords, and physical locks may deter some hackers, but rarely stymie a determined criminal.
A multi-layered approach to security is important; securing the endpoint, gateway and network is key. Endpoint security must go with security at the edge and core of the enterprise network; they are complementary and address different threats and entry points. That said, mobile enterprises should seriously explore the following security solutions:
- Intrusion detection solutions act as a "security force" inside the perimeter to spot intruders that penetrate the outer defenses.
- Message security solutions filter spam and other undesired messages and content at the gateway and are essential to an overall e-mail security solution.
- Integrated firewall/VPN and virus protection/content filtering solutions offer protection from Internet-borne threats for the desktop and can protect data without slowing performance.
- Anti-spyware solutions can provide real-time scanning, automatic detection and removal, and integrated tools for remediating the side effects that spyware can have on a user's system.
- Policy compliance management solutions help define and enforce policies from a central location as well as probe for network vulnerabilities and suggest remedies.
- Administration solutions facilitate the management of hardware and software assets, and provide a way to plan, track, and apply system changes.
For smartphones in particular, real-time automatic and on-demand virus scan capabilities can protect files that are stored on the smartphone's file system, while the firewall should use protocol and port filtering to protect the data and applications being transmitted. To ensure that devices are protected against new threats, users should be able to download the latest virus protection updates when the device has access to a wireless connection.
Smartphones, PDAs, and laptops are increasingly being used in much the same way as desktop computers, putting these devices at risk of the onslaught of threats that has been seen in recent years on PCs. Today's enterprises are mobile enterprises, and deploying effective tools and policies to thwart the growing number of malicious attacks, which not only impair mobile devices but could also breach enterprise security, compromise proprietary data, and negatively affect regulatory compliance and legal agreements, should be a top priority.
About the author: Sarah Hicks serves as vice president of strategic opportunities at Symantec Corporation, where she leads Symantec's security strategy and solutions development in the wireless, mobile device and service provider space.
This was first published in February 2006