Mobile devices such as smart phones, personal digital assistants (PDAs) and Blackberries are integrated into our day-to-day business life; however, the secure use of these devices is not viewed as a top priority in today’s business community. Policies and procedures often do not cover them, and in
fact in most cases the units have not been formally adopted by the business. Because these tools provide a convenient means to communicate anytime from anywhere, issues relating to security are often overlooked.
Until now, the most typical security concern has been the actual loss of the physical device. However, remote attacks against these devices are becoming more prevalent, mainly with the introduction of malicious code and users’ unprotected file-sharing. Mobile devices often contain sensitive personal and business information, user passwords and contact information. In most cases, the information is not protected by encryption, the built-in security features are not used and automated policy enforcement is not enabled. Furthermore, the contact information may be exploited in social engineering attacks.
The password information harvested from these devices may be used to attack other company network infrastructures such as Web mail, dial-up remote access, or virtual private network (VPN) connections. In some cases, the mobile devices are configured to access the corporate network directly. Depending on the network design, this could be a perfect interface for attacking a company’s infrastructure, as it bypasses the main external firewall security. A malicious user with a stolen device could easily gain access to the information stored on the device, as well as corporate intranet resources.
In the last year, there has been an increase in the number of mobile malicious code vulnerabilities. However, there has yet to be a high-profile virus attack on a mobile device. In most cases, the viruses are “”proof of concept”” and do not include high-risk content. The variety of underlying operating systems used by the various mobile devices (i.e., Palm, Windows CE, Symbian and others) has discouraged many virus writers, simply because they need to create multiple versions of the same virus for each system to cause general havoc. However, the situation may change when the virus programmers become more sophisticated and “”write once, run anywhere”” technologies such as Java become universally adopted by mobile devices.
Today, the majority of known mobile malware (malicious software) is spread through the sharing of infected files. In the near future, it is likely that more sophisticated means of distributing malware, either through Bluetooth, multimedia messaging service (MMS), short message service (SMS) or email, will increasingly be exploited by attackers. For example, there are a number of identified viruses that can disable a device by removing critical application programs. Further exploitation may allow information disclosure, theft of network services, or distributed denial of services (DDOS) attacks on mobile networks. Exploitation of these vulnerabilities, when combined with close integration of business functions, will translate to loss of private and proprietary information, loss of reputation and customer trust and system down time at the device or network level.
By adopting some basic security measures, mobile device users can better protect their data. Smart practices include:
- Using encryption techniques to scramble data in storage and data in transit (between device and corporate infrastructure, and from device to device). Encryption should be transparent if possible. For example, assign a file folder where all content is automatically encrypted. Be mindful about sensitive data in temporary folders such as temporary storage for e-mail attachments or Internet cache, and information cached by desktop search engines.
- Labeling the device in case it is lost, so that an honest finder can return it.
- If supported by the device, installing anti-virus software with the latest signatures, personal firewall and enabling screen savers and power-on passwords.
- Ensuring power on and screen saver passwords are not easily guessable (choose a minimum of eight characters and include alphanumeric characters).
- When disposing of the device, overwriting the entire media at a bit-by-bit level. Some media may require the process to be repeated multiple times.
- Establishing, publishing, communicating and obtaining user sign-off for the mobile and remote access security policy. Define acceptable-use policies. Do not allow storage of sensitive information. If absolutely required, implement appropriate security controls and/or enable built-in security features and policy enforcement. If unattended, use cable lock, screen saver with password or lock devices away (in a trunk, for example).
- Providing user awareness and education.
- Enforcing logging and monitoring of remote access.
- Adopting a vulnerability management process. Keep track of inventory. Regularly monitor for availability of vendor patches and announcements of vulnerabilities that affect the technologies used by the business.
Secure use of mobile technology will help a business, but rapid proliferation of these devices will continue and in order to effectively take advantage of mobile technologies management must take certain steps. It must enforce appropriate security policies, educate users and deploy technological protection mechanisms. It must also adhere to good security practices, monitoring for new attack trends that are on the rise on an ongoing basis, and performing regular security assessments to proactively identify vulnerabilities before any harm is done.
Nick Galletto is a partner with Deloitte Security Services.
Got a question for our experts? E-mail firstname.lastname@example.org.
Contact the editor