Locking down handhelds is moving up the CIO priority list, but diversity in operating systems in the cell phone environment is putting spokes in the wheel.
By Ashwani Mishra
Mobile devices such as smartphones and PDAs have equipped enterprises to access e-mail, business applications, customer information and critical corporate data. With this initiative business houses have become more productive, streamlined their processes, and enabled better decision-making.
However, with instant access to information comes the responsibility of protecting the information and securing the corporate network. The success of digital mobile communication systems has triggered the interest of hackers and fraudsters as other media like desktops and laptops are becoming more secure.
“Only one out of 10 companies has a comprehensive security solution for smartphones/PDAs. They should have a similar outlook for such devices as they have for desktops, laptops and servers…they need to realize that any point that connects to the Internet needs protection,” says Vishal Dhupar, Managing Director, Symantec, Saarc.
Security risks for mobile computing are similar to those for other computing platforms. Mobile devices can experience the same kinds of attacks that were targeted at desktops and laptops, from rootkit-like programs that attempt to infect device operating systems to ingenious social engineering attempts. Recently, Symantec stated that there are still about 450 PC-oriented threats for every threat designed to attack mobile devices, but it expects the gap to close rapidly over the next several years.
According to Ohio-based SMobile Systems, a company specializing in mobile security, there are now more than 400 mobile malware threats; it expects the figure to exceed 1,000 by year-end.
“As smartphones and handhelds frequently connect wirelessly, robust wireless security becomes essential. Enterprises have ensured that their corporate network is secure, but they also have to ensure that they secure their wireless modes of connectivity,” says Sajan Paul, head, technology & consulting, enterprise solutions, Nortel India.
According to Kaspersky Lab, neither makers of mobile devices nor service providers are taking responsibility for blocking threats. But in future the security model will imitate that for computers so that hardware providers, service providers and customers will all have specialized offerings for mobile computing.
Authenticating users and shielding against viruses and other malicious code is just part of the solution. Because of their mobility and compact size, smartphones and handhelds present some additional challenges.
Challenges
The easiest way to exploit mobile devices is by getting physical access to the device. Therefore even if a user only accesses e-mail with the smartphone there is still a level of risk involved. If he loses contact with his phone for a minute, there is a threat that the device can be accessed and used for illegitimate purposes like getting access to e-mail or launching an attack on the network.
“Developers of mobile applications have done nothing to secure this kind of exploitation, and neither have they done a good job of having a second form of authentication,” says Shekhar Kirani, VP, Verisign India.
Another way of exploiting a mobile network is intercepting a non-encrypted Wi-Fi connection. Messages and related data could be intercepted in transit or could be used for toll bypass for external communication. Toll bypass can be used to launch an attack on the corporate network and bring it down.
Enterprises have no control over their employees’ buying habits. Employees buy devices as per their choice. These devices will have different form factors, and also different operating systems like Linux, Symbian and Windows. Also, these devices have varying processor speeds and memory capacities.
“This makes it difficult for a standard antivirus solution to be run on these various devices as the hardware resources available on each device would vary. There should be a policy in place for users asking them to buy mobile devices and connections from a single provider,” says Shailendra Sahasrabudhe, country manager, Aladdin Knowledge Systems.
According to Gartner, another area of prime concern is that smartphones and handhelds are far more easily lost or stolen than laptop or desktop computers. The research major advises managers to implement remote destruct technology that allows deletion of data from a lost mobile device.
An online survey from viruslist.com revealed that 70.7 percent of users keep confidential information (their own or their employer’s) on their mobile device.
This calls for an understanding of what constitutes an effective mobile application and its architecture, and awareness of aspects beyond the application itself (such as security, mobile middleware and device management).
Strategy
Some vendors provide client software installed on the PDA, allowing instant access to the network. For getting access to an ERP network, users have to ensure that they have a mobile client version installed on the handset. The access from the mobile device is pre-authenticated and is encrypted by an algorithm that encrypts data leaving the device, and establishes a safe tunnel between the network and the device.
“We use a certification revocation list that is a unique certificate assigned to each mobile device. If a device is lost the user should call the administrator who will disable the access,” says Ajay Kumar, country manager, Aventail India.
A USB token can also act as a second factor for authentication. Even if the user of the device has left his smartphone unattended and carries the USB token with him, no one can get access to the data.
In terms of wireless security standards, the industry is unanimous in the adoption of Wi-Fi Protected Access 2 (WPA2) over Wireless Encryption Protocol (WEP). WPA2 provides users with a high level of assurance that only authorized users can access the network, and offers per user authentication and encryption for traffic flow. The encryption is based on Advanced Encryption Standard.
“There should be more security between the access controllers and access points as they talk to each other. Also, a management frame protection standard is necessary. Even if data is snoofed, the hacker will get access to junk data,” says Mohammed Hayath, business development manager, security, Cisco India & Saarc.
An access controller is a hardware device that resides on the wired portion of the network between the access points and the protected side of the network. Access controllers provide centralized intelligence behind the access points to regulate traffic between the relatively open wireless LAN and important network resources.
“The only defense for enterprises is to develop capabilities on the network and not on the mobile device. The WAP, GPRS and MMS gateway levels should always be secured,” says Sahasrabudhe.
Enterprises ought to look out for rogue access points appearing on the network and use a location-tracking service. Administrators can also track the number of devices that are connected to the network, and pick up illegitimate activity on the network to perform trend analysis and take decisions.
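The rogue access point check described above, combined with the WPA2 requirement, can be sketched as an audit of a wireless survey against an approved inventory. This is an added example, not code from the article or any vendor quoted in it; the SSIDs, BSSIDs, survey rows and finding labels are all constructed for illustration.

```python
# Added example: audit a wireless survey against the authorized AP inventory.
# All SSIDs, BSSIDs and survey rows below are constructed sample data.

AUTHORIZED_APS = {  # BSSID -> SSID that access point is approved to broadcast
    "00:11:22:aa:bb:01": "CORP-WLAN",
    "00:11:22:aa:bb:02": "CORP-WLAN",
}
REQUIRED_SECURITY = "WPA2"

SURVEY = [  # (bssid, ssid, security) rows as a site survey might report them
    ("00:11:22:AA:BB:01", "CORP-WLAN", "WPA2"),   # approved and compliant
    ("00:11:22:aa:bb:02", "CORP-WLAN", "WEP"),    # approved AP, weak setting
    ("de:ad:be:ef:00:01", "CORP-WLAN", "WPA2"),   # unknown AP, corporate SSID
    ("de:ad:be:ef:00:02", "CoffeeShop", "OPEN"),  # unrelated neighbour network
]


def audit_survey(survey, authorized=AUTHORIZED_APS):
    """Return a list of (bssid, finding) tuples for every policy violation."""
    corporate_ssids = set(authorized.values())
    findings = []
    for bssid, ssid, security in survey:
        bssid = bssid.lower()  # scanners differ in MAC address casing
        approved_ssid = authorized.get(bssid)
        if approved_ssid is None:
            # Not in the inventory: highest priority if it uses our SSID.
            if ssid in corporate_ssids:
                findings.append((bssid, "rogue-corporate-ssid"))
            else:
                findings.append((bssid, "unknown-ap"))
            continue
        if ssid != approved_ssid:
            findings.append((bssid, "ssid-mismatch"))
        if security.upper() != REQUIRED_SECURITY:
            findings.append((bssid, "weak-encryption"))
    return findings


if __name__ == "__main__":
    for bssid, finding in audit_survey(SURVEY):
        print(f"{bssid}  {finding}")
```

A BSSID that matches the inventory is not proof of legitimacy, because hardware addresses can be cloned; pairing this check with the location tracking mentioned above helps spot an approved address appearing where it should not be.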
“Enterprises need to have wireless security as part of the corporate policy, and use application-level authentication. Adding SSL would be good…[one would] have an additional security layer,” opines Nortel’s Paul.
Kirani from Verisign adds that enterprises should develop ways to know that their network has been compromised before it gets too late. Once they know that their network has been compromised, they can fall back on a disaster recovery plan. This would require products from the market that can watch every network element and monitor information flowing in and out of the network.
“Mobiles should not have direct access to the back-end infrastructure. Enterprises should use mobile gateways as this additional layer secures information flow,” advises Kirani.