Smartphone Popularity: A Double Edge Sword for Security

Date:   Wednesday , November 02, 2011

Are mobile phones and other wireless devices the new weakest link in securing information outside of corporate networks? We all know that “bad” guys take notice of new tech and gadgets and create attacks based on the latest trends—-how are enterprises keeping up? With mobile usage of Facebook and Twitter rising users can affect enterprise networks easily without knowing it. What are some best practices and concerns to avoid horrible issues? What should wireless gurus know about unforeseen security issues created through wireless devices?

While malicious activities on handheld devices like smart phones have been relatively low, there are several indicators to suggest that things are about to change. Enterprises will need to start thinking seriously about a mobile threat prevention strategy to ensure that their networks are not vulnerable to the new threats that will abound with the increasing mobile activities of their users.

The growing prevalence of 3G networks is enabling broader bandwidth for mobile devices, which means more of the bad content is getting in with the good. 3G also enables network operators to offer a wider range of more advanced mobile services, such as real-time access to high-quality audio/video transmission. For example, with its application portal, Apple, which has a small percentage of the handset market, has already changed the way many people interact with their smart phones, while Microsoft and Nokia are also talking up their own similar portals. The level of personalization and customization possible with these portals will mean new uses, both good and bad, will be found. This presents a big concern for corporate network managers as users are no longer bound by factory-installed applications. With this greater usability, consumers are now adopting smart phones in greater numbers for business and for personal use.

No doubt, the smart phone is becoming much more personal and indispensable to consumers, and where consumers go, money goes, and crime will soon to follow. This adds up to increased opportunities for virus infections and attacks that will require a focused approach to secure the millions of handheld mobile devices in operation today, especially for enterprises. Smart phones pose an even greater security risk to corporations as they have become the mobile office for their ability to access corporate networks in real time, much in the way that laptops have been able to do. This presents cyber criminals with the opportunity to use smart phones as the launch pad for penetrating and accessing sensitive corporate data. Fortinet believes the increased usability of smart phones and other wireless devices and the new business models they enable will become the biggest threat to corporate security in the near future.

The mobile market presents a unique position in terms of malware as compared to the traditional PC market. The platforms available for attack on PC platforms are limited – Windows, MacIntosh and Linux – while the number of mobile platforms continues to grow: Google Android, Apple mobile OS, SymbianOS, Windows Mobile, Palm. For example, we are just seeing the tip of the iceberg with Google’s Android OS vulnerability discovered last year.

A managed client capable of detecting software installations and monitoring file access in addition to encrypting data and reporting status to a central server is the answer for network managers grappling with an active mobile work force. Network managers will want to look for solutions that provide multi-layered protection for blended threats and that protects across all device interfaces. The ideal mobile client solution would be part of an integrated, end-to-end network security platform that offers accelerated hardware and impinges minimum performance impact on user device and services. In addition, the network security platform should offer configuration management and control with reporting, and flexibly-defined profiles and policies for granular network segmentation capabilities.

For the end-user, both corporate and private, here are some tips to follow for the safe usage of their mobile device:

* Similar to patch management on PC platforms, apply any updates to mobile platforms as soon as they become available. For example, Google quickly issued a fixed when the vulnerability in its open source Android OS was discovered in late 2008. Be educated and aware of threats that bridge to the Internet.

* Phishing scams looking for bank account information or corporate credentials are very real to hit users on mobile devices, just as they are with PCs. Just like social networks, mobile networks through voice contacts are highly trusted. Attempt to verify the identity of any incoming messages that are suspicious. Reply with something simple like “What is this?” to ensure you are able to confirm that the source of the message is trusted.

* Be aware of what you install. For example, the worm SymbOS/BeSeLo used social engineering over MMS to install itself. It prompted the user to install an application which had a file extension .mp3 or .jpg; users should be aware of this and not install anything that haven’t confirmed as being from a trusted source. Many users have “jailbroken” phones, such as the iPhone, which means that uncontrolled (unsigned) code can be run. This is a very big security risk, and users should be aware of the risks they take when they unlock phone functionality.

* Disable communication channels such as Bluetooth by default, only enabling them on a per-session requirement. This removes an attack avenue. By taking simple precautionary measures, it effectively helps to harden your smart device.

The author is Regional director, India and SAARC, Fortinet