Mobile devices: Corporate security strategies


Lisa Phifer
02.14.2007


At the Gartner Wireless and Mobile Summit 2007, analysts painted a scary picture for companies grappling with mobile/wireless security. According to John Girard, more than two-thirds of enterprises will experience security failures resulting from mobile users improperly connecting to insecure services or downloading malicious applications. Analyst John Pescatore predicts that mobile malware will become commonplace in 2007, with attacks causing real business interruption by the first half of 2009. Fortunately, most of these exploits will take advantage of vulnerabilities that are identifiable and resolvable. In this tip, we examine business strategies for securing mobile wireless devices.

Cybercrime: Coming to a mobile near you
Wireless PDAs and smartphones have been used for years with few headline-grabbing security breaches. Pescatore argues that unsecured mobile devices have flown under the radar because mobile malware writers have been hampered by platform and operating system diversity. "There have definitely been examples of mobile malware," he said, "but most of it has been ineffective, caused very little real damage, and did not spread." For example, a recent McAfee survey of 200 mobile operators found that 83% had been hit by mobile infections, but just five of those incidents affected more than 100,000 devices.

Malware impact is likely to change, however, as the mobile workforce grows, mobile environments become more consistent, and business system connections expand. "This is the year that enterprises should begin to deploy security processes, architectures and controls to defend against mobile malware," Pescatore recommends. "Mass worms and viruses will not be the real threat .... Mobile malware will be more targeted to particular devices, applications and businesses. Enterprise protection strategies need to be developed with a new approach in mind."

Wireless interfaces used by mobiles represent another vector for attack. John Girard believes there have been few wide-area wireless exploits because carriers secure their own networks. "Digital satellite and cellular networks use two-way authentication and strong encryption to discourage attempts to eavesdrop, track communications, or decrypt data and voice streams," he said. In stark contrast, Wi-Fi and Bluetooth exploits have been frequent, caused by unpatched legacy vulnerabilities and end user misconfiguration. "Wi-Fi in smartphones is unfortunately yet another opportunity to repeat [those same] old mistakes."

Turning back the tide
Most companies are all too familiar with fighting Win32 malware and wireless leaks. An effective strategy for protecting business PDAs and smartphones will require a combination of existing best practices and new techniques and tools.

  1. Like Win32 notebooks, mobile devices with Wi-Fi and Bluetooth interfaces must be configured securely, taking advantage of robust data link security options like WPA2-Enterprise and disabling risky options like Bluetooth discovery. On-campus wireless activity can be monitored and controlled using best practices like 802.1X and WIPS, independent of client device type. New tools such as mobile VPNs will be required to impose consistent, end-to-end communication security on devices that roam from carrier 3G to corporate WLAN to public hotspot. Where 3G is viable and economical, mobile devices may prefer it to hotspots in order to reduce risk. Finally, companies should try to bake security into all new mobile business applications and client/server interfaces.

  2. Mobile devices can be equipped with client security measures that resemble those long used on Win32 notebooks, from power-on authentication, data encryption and backup/restore to personal firewall, VPN and antivirus. Mobile operating systems are still playing catch-up, so these often require add-on security software, designed to run on mobile devices. Girard estimates that the yearly cost for all of these mobile security tools will exceed the initial purchase cost of a basic smartphone through the year 2010. Companies may want to make this near-term investment for PDAs used in critical business processes, but pressure their vendors to include such capabilities with mobile devices purchased in the future. However, Pescatore cautions against depending solely on client-side mobile antivirus. "It hasn't been sufficient on a largely homogeneous Windows platform," he said. "It will never work for heterogeneous mobile devices."

  3. Instead, mobile client security should be complemented by server-side protection, including malware removal on corporate mail servers and mobile communication servers. "Enterprises should focus malicious-content protection investments on sync servers, wireless application gateways, and external wireless network service provider offerings through 2007," Pescatore suggested. Enterprises can also use server-side measures such as file activity monitors, database activity monitors, and messaging content filters to track and control mobile use of corporate data. Finally, network gateways can use NAC to grant selective access to employee-owned mobile devices or to block network access by stolen corporate devices. These diverse measures can mitigate a broad spectrum of threats, but they all benefit from being under IT control and (at least to some degree) transparent to mobile users. To offload the IT burden, some companies may opt to outsource certain mobile security tasks to wireless carriers or third parties such as iPass.

Conclusion
Most PDAs and smartphones used for business today are "bring your own" devices. Many employers could not begin to enumerate the devices touching their network, servers and data, much less take rapid action to stop a major mobile malware outbreak. That first outbreak may be coming soon -- or it may still be years off. Either way, it is simply common sense to start considering strategies for mobile security. Size the problem by inventorying the mobile devices already used by your workforce. Take near-term action to mitigate those existing vulnerabilities in accordance with business risk. Then resist the temptation to deploy mobile applications and devices without building a security strategy into those long-term plans.
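The inventory-then-mitigate approach above can be sketched as a small compliance check. This is an added example, not part of the original tip: it scores a constructed device inventory against the controls named in measures 1 and 2 and maps each device to a NAC action as in measure 3. The field names, the sample devices and the "remediate" state are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Device:  # field names are assumptions for this sketch
    name: str
    owner: str             # "corporate" or "employee"
    critical: bool         # used in a critical business process
    stolen: bool
    wifi: str              # link security the device is configured to use
    bt_discoverable: bool
    power_on_auth: bool
    encrypted: bool
    antivirus: bool

def gaps(d: Device) -> list[str]:
    """Return the baseline controls from the article that this device lacks."""
    checks = [
        (d.wifi == "WPA2-Enterprise", "Wi-Fi not WPA2-Enterprise"),
        (not d.bt_discoverable, "Bluetooth discovery enabled"),
        (d.power_on_auth, "no power-on authentication"),
        (d.encrypted, "no data encryption"),
        (d.antivirus, "no antivirus"),
    ]
    return [msg for ok, msg in checks if not ok]

def nac_decision(d: Device) -> str:
    """Map a device to a gateway action; 'remediate' is an assumed quarantine state."""
    if d.stolen:
        return "block"
    if gaps(d):
        return "remediate"
    return "selective" if d.owner == "employee" else "full"

def remediation_queue(inventory: list[Device]) -> list[str]:
    """Order non-compliant devices: critical-process devices first, then most gaps."""
    todo = [d for d in inventory if not d.stolen and gaps(d)]
    todo.sort(key=lambda d: (not d.critical, -len(gaps(d)), d.name))
    return [d.name for d in todo]

INVENTORY = [  # constructed sample inventory, not real devices
    Device("pda-sales-01", "corporate", True, False, "WPA2-Enterprise", False, True, True, True),
    Device("phone-byod-07", "employee", False, False, "WPA2-Enterprise", False, True, True, True),
    Device("phone-byod-12", "employee", False, False, "open", True, False, False, False),
    Device("pda-field-03", "corporate", True, False, "WPA2-PSK", False, True, False, True),
    Device("pda-lost-09", "corporate", False, True, "WPA2-Enterprise", False, True, True, True),
]

if __name__ == "__main__":
    print([(d.name, nac_decision(d)) for d in INVENTORY], remediation_queue(INVENTORY))
```

The queue puts the device tied to a critical business process ahead of a personal phone with more gaps, which is one way to read "in accordance with business risk".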

About the author: Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for nearly 20 years. She teaches about wireless LANs and virtual private networking at industry conferences and has written extensively about network infrastructure and security technologies for numerous publications. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.

