Learning from experience
Our decade-long fight against Win32 malware has shown that PC-resident virus/spyware scanners and spam/phishing filters are necessary but inefficient. Keeping those programs and signatures current has become an onerous, time-sensitive chore.
Of course those PC-resident scanners and filters have not gone away. But most enterprises now back them with server-based and network-edge antivirus and antispam solutions. These added measures can stop most malware before it reaches desktops and laptops, increasing IT control, improving user productivity and reducing the risk of infection.
Fortunately, PDAs and smartphones are well-positioned to leverage enterprise server and network defenses. As wireless connectivity grows faster and more ubiquitous, most mobile threats will be delivered "over the air," passing through an enterprise mail server, mobile application gateway or remote access concentrator. Those enterprise-operated platforms provide a golden opportunity to apply centrally administered mobile malware defenses.
- If your business already blocks spam and phishing messages at a Microsoft Exchange, Lotus Notes or SMTP Server, those same measures can be applied to email sent and received by mobile handheld devices. Require mobile workers to check email using this secure path, and discourage or actively block mobile access to personal POP/IMAP mailboxes that bypass these corporate defenses.
- If your company uses a Web proxy, network firewall or unified threat management platform to block high-risk Web activity (e.g., visiting phishing websites, downloading spyware), consider using mobile browser proxy rules or VPN tunnels to redirect all handheld Web traffic through that same control point. Here again, the goal is to stop mobile users from getting themselves into trouble through unprotected Web surfing (including webmail).
From a traffic engineering perspective, such solutions are suboptimal. Back-hauling all mobile email and Web traffic through your corporate network increases bandwidth consumption and latency. Furthermore, today's network and server antivirus scanners may not spot mobile-specific viruses. However, these approaches let you take advantage of existing IT-managed defenses to defeat a big chunk of mobile malware, without requiring handheld software purchase, installation or maintenance.
Looking outside the box
Enterprise server and network security platforms lie beyond the reach of many small businesses. But all users -- even individual consumers -- can tap spam and phishing filters that accompany hosted email services provided by ISPs and wireless network operators. In some cases, those external antimalware services can actually deliver broader protection.
For example, today's smartphone and cell phone users spend more time communicating via text messages than email. Enterprise servers and firewalls can filter mobile email, but only wireless network operators have the vantage point to apply spam and phishing filters to those SMS and MMS messages -- including mobile-to-mobile messages.
According to Cloudmark chief technology officer Jamie De Guerre, over 30% of all mobile email messages processed in North America are now spam. In China, over 50% of SMS messages carried on mobile networks are spam; in Japan, that scourge tops 80%. Using a technology like Cloudmark Authority to block these unwanted messages inside the operator's network (including those from spoofed addresses) can reduce traffic load, intercarrier roaming costs and billing adjustments.
Doing so is clearly in the network operator's best interest, but why should employers care about SMS spam and phishing? Whether malware arrives by email, SMS or Bluetooth, it threatens the integrity of the mobile device and the privacy of any corporate data that resides on it. Mobile attackers have started to exploit SMS as a largely unmonitored and unprotected communication path. Targeted SMS identity thefts have already been launched against consumers with considerable success. Can "smishing" attacks aimed at the corporate executives who carry smartphones 24/7 be far behind?
Filtered messaging services can stem the tide of spam and put a damper on social engineering attacks, but they can't address every mobile malware threat all by themselves.
For example, the iPhone is ushering in a new generation of handheld devices that make mobile Web not just possible but palatable. As mobile Web traffic grows, network operators will need to batten down the hatches on this vector too, using in-the-cloud content security gateways to block Web-borne malware on behalf of their subscribers.
Moreover, in-the-cloud security services cannot mitigate threats that bypass corporate and provider networks altogether. Many mobile worms and trojans to date have been propagated through Bluetooth peer-to-peer communication and removable memory cards. On-device defenses are the only reliable way to stop these "out of band" attacks.
The bottom line: Don't let handheld software budgets and mobile device management barriers stop you from addressing mobile malware threats. Take this opportunity to establish a first line of defense by reusing network and server countermeasures you already own and can easily control. Complement them with wireless network services that incorporate antimalware measures. That way, when the mobile malware tipping point finally arrives, you'll already have two out of three bases covered.
This was first published in September 2008