Mobile Threat Predictions Give Way to Brighter Outlook

Here we go again with mobile meltdown. As long as we’ve had handheld devices we’ve been told to fear for their safety by experts who know, and have actually seen, the dark side. For corporate telecom groups it’s a regular journey to the edge of the cliff. Constant efforts are made to update, upgrade, patch and secure the myriad devices that are used to conduct business on a global scale. Where we used to worry about mere viruses, we now worry about destructive malware jumping from our phones onto our networks. Worse, we’ve now entered a sort of James Bond world where it’s possible to intercept our data and/or conversations using tools downloadable from the Web.

Currently, though, experts unanimously agree that the number one threat to mobile devices is that of the human sort—human beings doing human things, like loudly discussing a product launch on the train, downloading “cool” new apps, losing our phones and having them stolen. Michael Osterman, principal, Osterman Research, points to two different ways in which users create security issues: by sending inappropriate content out onto the Web (utilizing Twitter, Facebook, blog posts, and other forms of social networking), and by downloading and installing applications onto their devices that can precipitate leaks of sensitive information or introduce malware to the network.

Randy Abrams, director of technical education for ESET, feels that the most serious mobile threat is the loss of the device, and points to the recent Apple SNAFU. “For general users the loss of the device can allow the finder to social engineer the owner and/or their contacts. A lost device may allow the finder to access the owner’s email, IM, and social networking accounts. For business users a lost device can do all of the above, as well as compromise proprietary information.”

Serious or Not?

Today’s mobile devices, for all of their convenience, are fast usurping the laptop as the new portable workstation of choice. As our devices continue to evolve alongside our dependence on them, so too do criminals and their methods. As such, our devices require the same robust, multi-layered approach to managing attacks against them that we employ on our networks—from anti-spam, malware and virus protection, to authentication and voice and data encryption. With such a laundry list of requirements, how do we determine what to tackle first?

A 2009 Osterman Research survey found that 23 percent of organizations considered mobile devices as an entry point for malware onto the corporate network to be a serious or very serious issue. This same survey found that 11 percent of organizations have actually had malware enter their corporate network in this way.

Steve Neville, senior product manager of Entrust, notes that the general feeling his organization gets from customers is that they’re much less worried about mobile malware than they are about malware getting onto the end-users’ desktop. “I’ll give you an example: right now there is an attack out there called the ‘man in the browser’—the concept is fairly straightforward: somehow I get a piece of software onto your machine, possibly through focused phishing (ideally you’re a CFO or someone with the ability to move money in a small to medium-sized business). With that software I can transparently move money out of your account. Millions of dollars are being moved out of business accounts today using this method. The benefit for the attacker is that it’s out-of-band or out-of-channel with the traditional Web transaction. Because of this, people are talking more about how to authenticate individual transactions to prevent such abuse. They’re losing money today as opposed to worrying about whether a piece of malware is on a mobile device that can eventually lead to their being defrauded.”

According to Mikko Hyppönen, chief research officer of F-Secure, the general situation is quite good for mobile phone security (in terms of viruses or malware). “There is a diversity of mobile phone operating systems and those platforms are frequently updated for better functionality and security. Users are often prevented from running older software on newer phones because the mobile phone ecosystem encourages users to replace older, less secure phones with newer models.”

Hyppönen feels that mobile device security is a serious issue if only because of the sheer amount of data existing on today’s smartphones. While malicious viruses might not be a threat, he points to the growing number of espionage cases and attempts at stealing information from mobile sources using tools such as Flexispy or Neocall. He also points to the pesky human problem, that of the losing and breaking phone variety, which calls for the installation of backup, remote wipe, and anti-theft capabilities.

Applications can be a serious threat, especially when combined with social engineering tactics. “For example, a commercially available spyware package can be packaged as a game and some users will be easily tricked into installing the software,” explains Abrams.

Where Do We Go From Here?

Users are as users do, and as long as they have a gadget, they will undoubtedly at some level wreak havoc with it—intentional or not. Experts agree that there are several things organizations and users can do to minimize mobile threats. Abrams suggests mixing common sense with a bit of technology: set the phone to lock after a few minutes of idle time, encrypt the data on the phone, don’t leave Bluetooth in “discovery mode”, and back up contacts and other data on a regular basis. “Devices should also have the ability to be remotely wiped in case of loss. A label with a phone number or address to contact if the device is lost can result in the recovery of the device. Most people are honest and would return the device if they know how to do so.” He also suggests that users take a few minutes every few months to get educated about device-specific threats.

In addition to screen-lock and anti-theft software and features, Hyppönen says that if the phones belong to an organization and are centrally managed, such as BlackBerries, F-Secure encourages administrators to consider preventing users from installing any unapproved third-party applications on their phones.

Osterman recommends putting things into writing and advocates establishing policies related to the appropriate use of mobile devices, such as Web surfing on corporate-supplied smartphones, in conjunction with maintaining good malware defenses at every point in the network, including on smartphones themselves. Additionally, he says preventing human-related threats is of key importance, and all the experts agree that the ability to clear data in the case of loss is a non-negotiable. “It’s critical to have remote kill capabilities so that IT can disable any mobile device the next time it connects to the network. Other than that, policies are the next best defense against loss of data. Any such policy should include a requirement to immediately report any loss of a mobile device.”

Another way to minimize mobile threats is through authentication, which, as Neville explains, is all about proving you are who you say you are before being allowed to access a sensitive resource. “Much like the traditional Web browser world, through a mobile device you want to have some way of proving who it is that’s on the other end.”