Locking down handhelds is moving up the CIO
priority list, but diversity in operating systems in the cell phone
environment is putting spokes in the wheel.
By Ashwani Mishra
Mobile devices such as smartphones
and PDAs have equipped enterprises to access e-mail, business
applications, customer information and critical corporate data.
With this initiative, business houses have become more productive,
streamlined their processes, and enabled better
decision-making.
However, with instant access to information comes the
responsibility of protecting the information and securing the
corporate network. The success of digital mobile communication
systems has triggered the interest of hackers and fraudsters as
other media like desktops and laptops are becoming more
secure.
“Only one out of 10 companies has a comprehensive security
solution for smartphones/PDAs. They should have a similar outlook
for such devices as they have for desktops, laptops and
servers…they need to realize that any point that connects to
the Internet needs protection,” says Vishal Dhupar, Managing
Director, Symantec, Saarc.
Security risks for mobile computing are similar to those for other
computing platforms. They can experience the same kind of attacks
that were targeted at desktops and laptops, from rootkit-like
programs that attempt to infect device operating systems to
ingenious social engineering attempts. Recently, Symantec stated
that there are still about 450 PC-oriented threats for every attack
designed to attack mobile devices, but it expects the gap to close
rapidly over the next several years.
According to Ohio-based SMobile Systems, a company specializing in
mobile security, there are now more than 400 mobile malware
threats; it expects the figure to exceed 1,000 by year-end.
“As smartphones and handhelds frequently connect wirelessly,
robust wireless security becomes essential. Enterprises have
ensured that their corporate network is secure, but they also have
to ensure that they secure their wireless modes of
connectivity,” says Sajan Paul, head, technology &
consulting, enterprise solutions, Nortel India.
According to Kaspersky Lab, neither makers of mobile devices nor
service providers are taking responsibility for blocking threats.
But in future the security model will imitate that for computers so
that hardware providers, service providers and customers will all
have specialized offerings for mobile computing.
Authenticating users and shielding against viruses and other
malicious code is just part of the solution. Because of their
mobility and compact size, smartphones and handhelds present some
additional challenges.
Challenges
The easiest way to exploit mobile
devices is by getting physical access to the device. Therefore even
if a user only accesses e-mail with the smartphone there is still a
level of risk involved. If he loses contact with his phone for a
minute, there is a threat that the device can be accessed and used
for illegitimate purposes like getting access to e-mail or
launching an attack on the network.
“Developers of mobile applications have done nothing to
secure this kind of exploitation, and neither have they done a good
job of having a second form of authentication,” says Shekhar
Kirani, VP, Verisign India.
Another way of exploiting a mobile network is intercepting a
non-encrypted Wi-Fi connection. Messages and related data could be
intercepted in transit or could be used for toll bypass for
external communication. Toll bypass can be used to launch an attack
on the corporate network and bring it down.
Enterprises have no control over their employees’ buying
habits. Employees buy devices as per their choice. These devices
will have different form factors, and also different operating
systems like Linux, Symbian and Windows. Also, these devices have
varying processor speeds and memory capacities.
“This makes it difficult for a standard antivirus solution to
be run on these various devices as the hardware resources available
on each device would vary. There should be a policy in place for
users asking them to buy mobile devices and connections from a
single provider,” says Shailendra Sahasrabudhe, country
manager, Aladdin Knowledge Systems.
According to Gartner, another area of prime concern is that
smartphones and handhelds are far more easily lost or stolen than
laptop or desktop computers. The research major advises managers to
implement remote destruct technology that allows deletion of data
from a lost mobile device.
An online survey from viruslist.com revealed that 70.7 percent of
users keep confidential information (their own or their
employer’s) on their mobile device.
This calls for an understanding of what constitutes an effective
mobile application and its architecture, and awareness of aspects
beyond the application itself (such as security, mobile middleware
and device management).
Strategy
Some vendors provide client software
installed on the PDA, allowing instant access to the network. For
getting access to an ERP network, users have to ensure that they
have a mobile client version installed on the handset. The access
from the mobile device is pre-authenticated and is encrypted by an
algorithm that encrypts data leaving the device, and establishes a
safe tunnel between the network and the device.
“We use a certification revocation list that is a unique
certificate assigned to each mobile device. If a device is lost the
user should call the administrator who will disable the
access,” says Ajay Kumar, country manager, Aventail
India.
A USB token can also act as a second factor for authentication.
Even if the user of the device has left his smartphone unattended
and carries the USB token with him, no one can get access to the
data.
In terms of wireless security standards, the industry is unanimous
in the adoption of Wi-Fi Protected Access 2 (WPA2) over Wireless
Encryption Protocol (WEP). WPA2 provides users with a high level of
assurance that only authorized users can access the network, and
offers per user authentication and encryption for traffic flow. The
encryption is based on Advanced Encryption Standard.
“There should be more security between the access controllers
and access points as they talk to each other. Also, a management
frame protection standard is necessary. Even if data is snoofed,
the hacker will get access to junk data,” says Mohammed
Hayath, business development manager, security, Cisco India &
Saarc.
An access controller involves hardware that resides on the wired
portion of the network between the access points and the protected
side of the network. Access controllers provide centralized
intelligence behind the access points to regulate traffic between
the relatively open wireless LAN and important network
resources.
“The only defense for enterprises is to develop capabilities
on the network and not on the mobile device. The WAP, GPRS and MMS
gateway levels should always be secured,” says
Sahasrabudhe.
Enterprises ought to look at rogue access points coming to the
network and use a location-tracking service. Administrators can
also track the number of devices that are connected to the network,
and pick up illegitimate activity on the network to perform
trend analysis and take decisions.
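The rogue access point check and device count tracking described above, combined with the WPA2-over-WEP policy, as an added example that is not part of the original article. The inventory, SSID names, scan record fields and verdict labels are all constructed assumptions, not output from any vendor's product.

```python
from collections import Counter

# Constructed inventory of sanctioned access points: BSSID -> SSID (assumption).
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "corp-wlan",
    "00:11:22:33:44:02": "corp-wlan",
}
REQUIRED_SECURITY = "WPA2"  # policy from the article: WPA2, not WEP

# Constructed scan records, as a wireless sensor or controller might export them.
SCAN = [
    {"bssid": "00:11:22:33:44:01", "ssid": "corp-wlan", "security": "WPA2", "clients": 14},
    {"bssid": "00:11:22:33:44:02", "ssid": "corp-wlan", "security": "WEP", "clients": 9},
    {"bssid": "de:ad:be:ef:00:10", "ssid": "corp-wlan", "security": "OPEN", "clients": 3},
    {"bssid": "aa:bb:cc:00:00:07", "ssid": "cafe-guest", "security": "WPA2", "clients": 21},
]

def classify(record, authorized=AUTHORIZED_APS, required=REQUIRED_SECURITY):
    """Return a verdict for one observed access point."""
    bssid = record["bssid"].lower()
    corporate_ssids = set(authorized.values())
    if bssid in authorized:
        if record["ssid"] != authorized[bssid]:
            return "misconfigured"      # sanctioned radio, unexpected SSID
        if record["security"].upper() != required:
            return "weak-encryption"    # sanctioned radio not enforcing WPA2
        return "ok"
    if record["ssid"] in corporate_ssids:
        return "rogue"                  # corporate SSID from an unknown radio
    return "neighbor"                   # unrelated network, outside policy scope

def audit(scan):
    """Return (findings by BSSID, connected-client totals by verdict)."""
    findings = {}
    clients = Counter()
    for rec in scan:
        verdict = classify(rec)
        clients[verdict] += rec["clients"]
        if verdict not in ("ok", "neighbor"):
            findings[rec["bssid"].lower()] = verdict
    return findings, dict(clients)

if __name__ == "__main__":
    findings, clients = audit(SCAN)
    for bssid, verdict in findings.items():
        print(f"{bssid}: {verdict}")
    print("clients by verdict:", clients)
```

The client totals per verdict show how many devices are exposed to each finding, which is the figure an administrator would trend over time.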
“Enterprises need to have wireless security as part of the
corporate policy, and use application-level authentication. Adding
SSL would be good…[one would] have an additional security
layer,” opines Nortel’s Paul.
Kirani from Verisign adds that enterprises should develop ways to
know that their network has been compromised before it gets too
late. Once they know that their network has been compromised, they
can fall back on a disaster recovery plan. This would require
products from the market that can watch every network element and
monitor information flowing in and out of the network.
“Mobiles should not have direct access to the back-end
infrastructure. Enterprises should use mobile gateways as this
additional layer secures information flow,” advises
Kirani.