Issue of July 2006 


Mobile Enterprise

Secure mobility

Formulating a security policy, encrypting data and securing the connection from a mobile device to a network using SSL VPN are key steps in securing the mobile enterprise.

By Megha Banduni

As mobile devices are used to access enterprise applications, security issues take centre stage. These devices are not only targeted by malicious users with viruses and other kinds of malware; they can also be lost. The best way to defend mobile platforms is to create awareness and have a comprehensive security policy.

Most mobile users store their PINs (Personal Identification Numbers), passwords, e-mail and other critical information, both personal and professional, on mobile devices such as smartphones, PDAs, laptops and USB drives. The key threats are theft, loss, malicious software and hacking. As a result, a lost PDA or smartphone with no protection gives thieves, hackers or competitors easy access to corporate information.

Virus on the prowl

In 2004 the first mobile threat, the Cabir worm (SYMBOS_CABIR.A), surfaced on the Symbian platform. The worm did not do much damage; it was more in the nature of a proof of concept.

According to Vishal Dhupar, Managing Director, Symantec India, “As of April 29, 2005, there are 40 reported Symbian threats, consisting of 20 variants of the Cabir virus, 8 variants of the Skulls Trojans and about a dozen others. 82 percent of businesses worldwide indicate that they see the damage from virus attacks as the same or greater on a mobile network than on a fixed network, only 26 percent have actually assessed security risks of smartphones, compared to 81 percent of enterprises conducting security assessments for laptops.”

Patrik Runald, Senior Security Specialist, F-Secure Corporation says, “Anti-virus will be more commonly used on mobile devices in the future. Right now there are 221 mobile viruses for mobile phones with 214 of them targeting the Symbian S60-based devices. The rest target Palm and Windows mobiles and one targets J2ME.”

“While we don’t anticipate 185,000 viruses for mobile devices (that’s the current number of PC viruses), the amount of malware will definitely increase,” he adds.

“Initially malware will do things like change icons but slowly it is moving towards causing problems by resetting handset settings frequently, sending out SMS to premium numbers automatically, and I think it will capture critical personal information for financial gains,” explains Kartik Sahani, Director, Sales, India and Saarc, McAfee.

Srikiran Raghavan, Regional Sales Head, RSA Security says, “There are over 45 million mobile phone subscribers in India according to the Telecom Regulatory Authority of India (TRAI). While the increasing number of mobile device users has given rise to a market for third-party applications (such as games and other mobile applications), it has also opened up opportunities for malicious use.”

That said, only a fraction of the 45 million phones in use are sophisticated enough to be at risk. Although many players feel that wireless malware is not as sophisticated as its PC counterpart, the incidence of threat is bound to rise.

A comprehensive and stringent security policy

Ensuring that the right security policy is in place is an important step towards securing mobile devices, and many organisations take care of that. Other aspects that need to be considered include the security of the device, the type of information stored on it and the transmission of data when it is connected to a network or another device.

The policy should be formulated so that it addresses the security risks posed by mobile devices and so that its procedures guide users on the dos and don’ts. One of the important steps is to create awareness among users of the types of threats and their impact on business operations.

Sahani believes that a security policy is crucial for mobile devices and it needs to be revised at regular intervals. “Mobile devices are not only restricted to hand phones but also to thumb drives, micro disks and so on. This is important as with the change in technology the mobile devices undergo changes and the methodology of unauthorised access also alters,” he adds.

Dhupar explains that despite the proliferation of mobile devices in the enterprise, only 9 percent of companies have incorporated new security architecture designed to include mobile device access. Of the rest, 10 percent have no measures for addressing mobile security, 39 percent are granting mobile devices access to corporate networks on an ad hoc basis and another 39 percent are integrating mobile devices into their existing fixed network security architecture.

Anil Menon, CEO, SecureSynergy believes that the security policy should be considered as a process and not a product. “It should be revised frequently. For example, if the organisation introduces one PC, you need to incorporate it into an existing policy, make a few additions and revise it. While formulating the security policy one should first define the most critical assets of the organisation and prioritise them. Further, one should consider whether the policy is manageable and scalable to heterogeneous platforms.”

Encrypting mobile data

As mobile devices tend to be used to store critical data, it becomes imperative to protect that data, and the best way to do that is to encrypt it.

“It’s not farfetched to think we’ll see a virus that will send messages to premium rate numbers when the user is not using the device, but unlike a PC it is always connected. They could be part of a mobile botnet so that someone can control them centrally at will. We will basically see the same type of malware on mobile phones that we have today on PCs,” adds Runald.

Apart from virus attacks, mobile devices are vulnerable to physical threats such as theft and loss. Dhupar points out that the obvious threat to a handheld device is perhaps the most overlooked: physical theft or loss. “Loaded with information—and valuable in and of themselves—PDAs and smartphones are common targets for physical theft. Small and unobtrusive, they’re also easy to lose,” he adds.

Encryption is a must. The need is felt by everyone involved, from the user to the handset manufacturer and the service provider. Encryption helps when the device is stolen.

Menon says, “Encryption is important to protect your data. You need to first prioritise your data and then decide on various encryption open standards such as Advanced Encryption Standard (AES) 128 and 256 and Triple DES (Data Encryption Standard).”

Bluetooth: boon or bane

Today almost all mid-range and high-end mobile devices and smartphones are equipped with Bluetooth. This increases susceptibility to virus attacks.

TrendLabs discovered in June 2004 that mobile phones are not immune to attacks from malware. The first mobile phone malware, Cabir, spread via Bluetooth-enabled devices, but this proof-of-concept worm failed to enter the mainstream.

Sahani believes that the advantages of Bluetooth are its perils too. “Bluetooth and Infrared are two means of peer-to-peer data transfer. But Bluetooth does not need a line of sight. It comes with a basic precautionary measure which allows pairing and will communicate with only known devices. It is advisable to keep the option ‘Discoverable to All’ off. Keep different passwords for each of the paired devices,” adds Sahani.

Runald feels that even though there have been a few vulnerabilities in Bluetooth, generally it’s safe. “All the mobile viruses we’ve seen so far rely on the user installing the virus and bypassing 3 to 4 warning messages and questions. They don’t use any tricks or vulnerabilities on either Bluetooth or the operating systems themselves,” he explains.

“The other reason why phones still get infected is that the knowledge about threats is low,” feels Runald.

Niraj Kaushik, Country Manager, Trend Micro India and SAARC says, “Mobile malware is not going to fade away. Its creators are adapting to more sophisticated technology and the threat of mobile epidemics is getting increasingly real. Smartphone sales are rising quickly and virus writers are coming up with novel propagation techniques as with CommWarrior, which spreads using MMS.”

Kaushik believes that it is only a matter of time before a more serious virus targeted at smartphones strikes. Mobile viruses such as Cabir and CommWarrior can spread via Bluetooth or multimedia messaging. “Most mobile phone viruses target handsets that use the Symbian operating system. Infection can be avoided by turning off Bluetooth on smartphones,” he adds.

The Analyst's Point of View
Alok Shende, Director (ICT) Practice, Frost and Sullivan India

The problem: The biggest hurdle enterprises are facing is lack of best practices. Mobile device security is still a new concept in India. People are not aware of it. Though the security appliance is a developing market, when it comes to mobile security the awareness and adoption levels are low.

Guidelines: Training is the first step. Every employee in an organisation should be trained on the security threats associated with mobile devices, how to avoid them and how to operate mobile devices carefully.

Managing a mobile device is the next important step. The easiest way for a virus to attack is through Bluetooth. For example, most of the time the Bluetooth port is kept on. This should be avoided. The Bluetooth port should be kept off when not in use. Again awareness is the key.

Enterprises should create policies that apply to mobile devices. The policy makers should treat mobile security in the same way as network security.

Encryption is not enough

Encryption is for securing data transaction. Generally people think that encryption is required to secure highly sensitive data. This perception is wrong. Encryption is important but not sufficient. There are other ways too. VPNs, tokens and password protection are the other means to protect data.

Network security

Securing the network is another area of concern. Data transmission takes place from handheld devices over an internal or third-party Wi-Fi network. Hence the network should also be encrypted using strong algorithms.

The security threat revolves not only around the desktop or mobile platform but also around the network or connectivity level. Hence there is a need for the connection between the device and the enterprise to be secure. This can be done with 2-factor authentication (tokens), AES encryption and SSL VPN.

“The connections between a mobile device and a corporate network must be secured using SSL VPN,” says Runald. “Organisations have to keep in mind that mobile devices have to be treated in the same way as PCs because they connect in the same way. They use IP connectivity to connect to the network and just as any other computer on the Internet, the mobile devices must be protected,” he adds.

Taking precautions

Though virus attacks are unpredictable, several incidents have drawn attention to wireless threats and created greater awareness of them. The best way to have a secure wireless work environment is to adopt a detailed set of best practices: establishing and enforcing laptop security, creating an awareness programme, implementing timely, automatic updates, being careful while accepting files via Bluetooth and, if the phone gets infected, turning off Bluetooth so that the malware does not find new targets. As Sahani says, “Any of these measures are meant to reduce the risk level and the best technology would be rendered useless unless the basic precautions are not taken.”

Indian Express - Business Publications Division

Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.