Mobile Device Security IV: Today's Top Three Vulnerabilities
While in the past most concerns revolved around leaving the device in the back of a taxi cab, today's concerns carry a much heavier threat - stolen e-mail, and attacks aimed at the device, the wireless connection, and ultimately the corporate networks attached to wireless devices.
Last month Bluefire Security Technologies completed a survey of wireless device owners to better understand uses of smartphones, security perceptions, and opinions. According to over 1,800 business executives, the number one use of smartphones, and nearly equal to voice communications, is access to corporate email, followed by web based email and web access, and access to corporate networks and databases.
Access to Public Web/E-mail: Vulnerability #1
Over 90 percent of business executives who responded to Bluefire's survey are using their device for email, either for a web-based account or for a corporate server-based account. By checking e-mail on a smartphone or wireless device, and accessing the public web, the device is highly vulnerable to an attack, virus, or "Trojan."
An attack can be anything from a hacker at Starbucks who is accessing the data on someone else's device, to someone using Bluetooth to steal personal information from another person's handheld. "Trojans" can be defined by something posing as something other than itself. For example, a "Trojan" can be an application that can open a port that should not be opened, allowing outsiders access to the device.
Mobile security features that help protect devices from attacks, viruses, and "Trojans":
Virtual Private Network (VPN)
Firewalls set rules for the device that designate which ports are allowing traffic into the device. A firewall can keep certain attacks out by blocking the ports that would allow those viruses in.
Intrusion prevention addresses more sophisticated kinds of attacks. It first detects an attack, and can then block the attack traffic from reaching the device and causing damage. Intrusion prevention mainly protects the device from signature-based attacks. A common attack involves 'spoofing,' or appearing to be a trusted site/connection when in fact the 'spoofer' is neither trusted nor safe.
Bluetooth and IR (infrared) are alternate wireless mechanisms that allow devices to share information. Using Bluetooth requires the devices to be within 30 feet of each other while IR control requires the devices to point at each other from closer than 30 feet. At a minimum, users should turn off Bluetooth and remain in "undiscoverable mode" and not use IR for communication unless it is with a known source. Some mobile security software controls can be used to keep wireless connections turned off.
VPN (virtual private network) will keep communication between a remote person and a secure network private. While most device owners are not using IPSec VPNs for personal communications, they should at least insist on secure web-based connections using SSL encrypted communications. (SSL-based secure sites are on the internet for purchasing tickets, products on EBay, etc.) The VPN is more secure when working with a firewall. If a device is attacked the hacker will be able to gain access to the network regardless of the VPN, but the firewall and VPN together serve as a more complete security solution.
Integrity Manager is an application that monitors the settings on each device and will quarantine the device if the settings change. This ensures protection from any viruses or "Trojans" that enter the device and begin to make changes to the device.
Anti-virus with automatic updates also keeps your smartphone protected by providing an up to date list of all known viruses from which the software can scrub emails and attachments, just like on your notebook or desktop. Leading security software vendors have all introduced anti-virus software for mobile devices and smartphones.
Access to Corporate Email, Networks, Databases: Vulnerability #2
Smartphones and wireless devices are often used to gain access to the enterprise server for e-mail, shared files, and shared databases. Syncing contacts and the calendar from the desktop to the device, via Microsoft Exchange or Customer Relationship Management (CRM) tools, are all necessary uses to make an employee more efficient with a smartphone. Yet as with other wireless networking options, this also leaves the device open to attacks, viruses, or "Trojans", and ultimately makes the network vulnerable as an unsecured device connecting to a secure server makes that connection unsecured.
Mobile Security Solution: Vulnerability #2
Mobile security features that will protect the corporate server are:
We discussed at length how firewall and intrusion prevention software is critical to protecting the smartphone or wireless devices from attacks and how turning off Bluetooth and not using IR for communication, unless with a known source, is vital.
Bluefire has seen an increasing number of government and enterprise customers requesting that Bluetooth and IR be temporarily or permanently blocked from use.
In the enterprise, use of an IPSec or SSL VPN is prevalent, if not policy, among many customers. Fortunately, there are sophisticated products that allow companies like Bluefire to extend secure infrastructure to smartphones and wireless devices.
Lost and Stolen Devices: Vulnerability #3
Smartphones and wireless devices are ideal for improving efficiencies when employees work remotely from home, in a cab, on an airplane, or in between meetings, right? Right. Or at least until they accidentally leave their PDA in the cab, on the airplane, or who knows where.
If a device is lost or stolen, the private information becomes open and accessible. Lost and/or stolen devices are common; according to a Pointsec Mobile Technologies 2005 survey, 160,000 portable devices are left in taxicabs every year in Chicago. This can be detrimental to a corporation or an individual.
Mobile Security Solution: Vulnerability #3
Mobile security features for protecting lost or stolen devices:
Authentication of the device means that the person who finds or steals that device has a much slimmer chance of actually gaining access to the information on the device. Most mobile security companies offer a type of authentication where the number of password attempts that are allowed before the information on the device is wiped or locked can be pre-set.
Encryption of SD cards (or removable storage) also keeps the lost and stolen devices secure. Anyone that stumbles upon a lost device will not be able to gain access to the information that resides on the card, although they would have access to other information on the device. Similarly, if the device's data is wiped and the device is set back to factory standards, the finder of the PDA may have a new device but the corporate and personal information will not be compromised.
As smartphones and wireless devices enable increasingly sophisticated wireless capabilities and as users become more and more productive, individuals and businesses are faced with greater vulnerabilities. By understanding the risks and taking reasonable steps to protect devices, valuable information is secured and protected and we can all rest a little easier at night.
A complete report on the FierceWireless-Bluefire Wireless Security Survey is available here.