Formulating a security policy, encrypting data and securing
the connection from a mobile device to a network using SSL VPN are key steps
in securing the mobile enterprise.
By Megha Banduni
As mobile devices are used to access enterprise applications, security issues take
centrestage. These devices are not only being targeted by malicious users with
viruses and other kinds of malware but there's also the issue of losing
them. The best way to defend mobile platforms is to create awareness and have
a comprehensive security policy.
Most mobile users store their PINs (Personal Identification
Numbers), passwords, e-mail and other critical information, both personal and
professional in their mobile devices such as smartphones, PDAs, laptops and
USB drives. The key threats include theft, loss, malicious software
and hacking. As a result, a lost PDA or smartphone with no protection makes easy
pickings for thieves, hackers or competitors seeking corporate information.
Virus on the prowl
In 2004 the first mobile threat, the Cabir worm (SYMBOS_CABIR.A),
surfaced on the Symbian platform. The worm did not do much damage; it
was more in the nature of a proof-of-concept.
According to Vishal Dhupar, Managing Director, Symantec India,
as of April 29, 2005, there are 40 reported Symbian threats, consisting
of 20 variants of the Cabir virus, 8 variants of the Skulls Trojans and about
a dozen others. While 82 percent of businesses worldwide indicate that they see the
damage from virus attacks as the same or greater on a mobile network than on
a fixed network, only 26 percent have actually assessed security risks of smartphones,
compared to 81 percent of enterprises conducting security assessments for laptops.
Patrik Runald, Senior Security Specialist, F-Secure Corporation says, "Anti-virus
will be more commonly used on mobile devices in the future. Right now there
are 221 mobile viruses for mobile phones with 214 of them targeting the Symbian
S60-based devices. The rest target Palm and Windows mobiles and one targets
While we don't anticipate 185,000 viruses for
mobile devices (that's the current number of PC viruses), the amount of
malware will definitely increase," he adds.
"Initially malware will do things like change icons but
slowly it is moving towards causing problems by resetting handset settings frequently,
sending out SMS to premium numbers automatically, and I think it will capture
critical personal information for financial gains," explains Kartik Sahani,
Director, Sales, India and SAARC, McAfee.
Srikiran Raghavan, Regional Sales Head, RSA Security, says there are over
45 million mobile phone subscribers in India according to the Telecom Regulatory
Authority of India (TRAI). While the increasing number of mobile device users
has given rise to a market for third-party applications (such as games and other
mobile applications), it has also opened up opportunities for malicious use.
That said, only a fraction of the 45 million phones in use are sophisticated
enough to be at risk. Although many players feel that wireless malware is not
as sophisticated as its PC counterpart, the incidence of threat is bound to
A comprehensive and stringent security policy
Ensuring that the right security policy is in place is an important step towards
securing mobile devices and many organisations take care of that. Other aspects
that need to be considered include security of the device, type of information
stored on it and transmission of data when connected to a network or other device.
The policy should be formulated in such a manner that it addresses security
risks posed by mobile devices and the procedures guide users on the dos and
don'ts. One of the important steps is to create awareness among users on
the types of threats and their impact on business operations.
Sahani believes that a security policy is crucial for mobile devices and it
needs to be revised at regular intervals. "Mobile devices are not only
restricted to hand phones but also to thumb drives, micro disks and so on. This
is important as with the change in technology the mobile devices undergo changes
and the methodology of unauthorised access also alters," he adds.
Dhupar explains that despite the proliferation of mobile
devices in the enterprise, only 9 percent of companies have incorporated new
security architecture designed to include mobile device access. Of the rest,
10 percent have no measures for addressing mobile security, 39 percent are granting
mobile devices access to corporate networks on an ad hoc basis and another 39
percent are integrating mobile devices into their existing fixed network security
Anil Menon, CEO, SecureSynergy believes that the security
policy should be considered as a process and not a product. It should
be revised frequently. For example, if the organisation introduces one PC, you
need to incorporate it into an existing policy, make a few additions and revise
it. While formulating the security policy one should first define the most critical
assets of the organisation and prioritise them. Further, one should consider
whether the policy is manageable and scalable to heterogeneous platforms.
Encrypting mobile data
As mobile devices tend to be used to store critical data, it becomes imperative
to protect that data and the best way to do that is to encrypt it.
"It's not farfetched to think we'll see a virus that will send
messages to premium rate numbers when the user is not using the device, but
unlike a PC it is always connected. They could be part of a mobile botnet so
that someone can control them centrally at will. We will basically see the same
type of malware on mobile phones that we have today on PCs," adds Runald.
Apart from virus attacks, mobile devices are vulnerable to physical threats
such as theft and loss. Dhupar points out that the obvious threat to a handheld
device is perhaps the most overlooked: physical theft or loss. "Loaded
with information, and valuable in and of themselves, PDAs and smartphones
are common targets for physical theft. Small and unobtrusive, they're also
easy to lose," he adds.
Encryption is a must. The need is felt by everyone involved right from the user,
handset manufacturer and service provider. Encryption helps when the device
Menon says, Encryption is important to protect your data. You need to
first prioritise your data and then decide on various encryption open standards
such as Advanced Encryption Standard (AES) 128 and 256 and Triple DES (Data
Bluetooth: boon or bane
Today almost all mid-range and high-end mobile devices and smartphones are equipped
with Bluetooth. This increases susceptibility to virus attacks.
TrendLabs discovered in June 2004 that mobile phones are not immune to attacks
from malware. The first mobile phone malware Cabir was spread via Bluetooth-enabled
devices but this proof-of-concept worm failed to enter the mainstream.
Sahani believes that the advantages of Bluetooth are its perils too. "Bluetooth
and Infrared are two means of peer-to-peer data transfer. But Bluetooth does
not need a line of sight. It comes with a basic precautionary measure which
allows pairing and will communicate with only known devices. It is advisable
to keep the option 'Discoverable to All' off. Keep different passwords
for each of the paired devices," adds Sahani.
Runald feels that even though there have been a few vulnerabilities
in Bluetooth, generally it's safe. "All the mobile viruses we've
seen so far rely on the user installing the virus and bypassing 3 to 4 warning
messages and questions. They don't use any tricks or vulnerabilities on
either Bluetooth or the operating systems themselves," he explains.
"The other reason why phones still get infected is that
the knowledge about threats is low," feels Runald.
Niraj Kaushik, Country Manager, Trend Micro India and SAARC
says, Mobile malware is not going to fade away. Its creators are adapting
to more sophisticated technology and the threat of mobile epidemics is getting
increasingly real. Smartphone sales are rising quickly and virus writers are
coming up with novel propagation techniques as with CommWarrior, which spreads
Kaushik believes that it is only a matter of time before
a more serious virus targeted at smartphones strikes. Mobile viruses such as
Cabir and Commwarrior can spread via Bluetooth or multimedia messaging. Most
mobile phone viruses target handsets that use the Symbian operating system.
Infection can be avoided by turning off Bluetooth on smartphones, he adds.
Shende, Director (ICT) Practice, Frost and Sullivan India
The problem: The biggest hurdle enterprises
are facing is lack of best practices. Mobile device security is still
a new concept in India. People are not aware of it. Though the security
appliance is a developing market, when it comes to mobile security the
awareness and adoption levels are low.
Guidelines: Training is the first step.
Every employee in an organisation should be trained in terms of what are
the security threats associated with mobile devices, how to avoid them
and how to operate mobile devices carefully.
Managing a mobile device is the next important
step. The easiest way for a virus to attack is through Bluetooth. For
example, most of the time the Bluetooth port is kept on. This should be
avoided. The Bluetooth port should be kept off when not in use. Again
awareness is the key.
Enterprises should create policies that apply to
mobile devices. The policy makers should treat mobile security in the
same way as network security.
Encryption is not enough
Encryption is for securing data transaction. Generally
people think that encryption is required to secure highly sensitive data.
This perception is wrong. Encryption is important but not sufficient.
There are other ways too. VPNs, tokens and password protection are the
other means to protect data.
Securing the network is another area of concern. Data transmission takes place
from handheld devices over an internal or third-party Wi-Fi network. Hence the
network should also be encrypted using strong algorithms.
The security threat not only revolves around a desktop or
mobile platform; it also revolves around the network or connectivity level.
Hence there is a need for connectivity between the device and the enterprise to
be secure. It can be done by 2-factor authentication (tokens), AES encryption
and SSL VPN.
"The connections between a mobile device and a corporate network must be
secured using SSL VPN," says Runald. Organisations have to keep in
mind that mobile devices have to be treated in the same way as PCs because they
connect in the same way. They use IP connectivity to connect to the network
and just as any other computer on the Internet, the mobile devices must be protected,
Though virus attacks are unpredictable, several incidents have drawn attention
to and created greater awareness around wireless threats. The best way to have
a secure wireless work environment is by adopting a detailed set of best practices
like establishing and enforcing laptop security and creating an awareness programme,
implementing timely, automatic updates, being careful while accepting files
via Bluetooth, and if the phone gets infected, turning off Bluetooth, so that
the malware does not find new targets. As Sahani says, "Any of these measures
are meant to reduce the risk level and the best technology would be rendered
useless unless the basic precautions are not taken."