Overcoming Mobile Insecurities
While malicious activities on handheld devices like smartphones have been relatively low, several indicators suggest that things are about to change. Enterprises will need to start thinking seriously about a mobile threat prevention strategy to ensure that their networks are not vulnerable to the new threats that will abound with the increasing mobile activities of their users.
The growing prevalence of 3G networks is enabling broader bandwidth for mobile devices, which means more of the bad content is getting in with the good. 3G also enables network operators to offer a wider range of more advanced mobile services, such as real-time access to high-quality audio/video transmission. For example, with its application portal, Apple, which has a small percentage of the handset market, has already changed the way many people interact with their smartphones, while Microsoft and Nokia are also talking up their own similar portals.
The level of personalization and customization possible with these portals will mean new uses, both good and bad, will be found. This presents a big concern for corporate network managers as users are no longer bound by factory-installed applications. With this greater usability, consumers are now adopting smartphones in greater numbers for business and for personal use. iSuppli predicted in a March 2009 report that the number of smartphone shipments is expected to grow to as high as 192.3 million units this year, up 11.1 percent from 2008.
No doubt, the smartphone is becoming much more personal and indispensable to consumers, and where consumers go, money goes, and crime soon will follow. This adds up to increased opportunities for virus infections and attacks that will require a focused approach to secure the millions of handheld mobile devices in operation today, especially for enterprises. Smartphones pose an even greater security risk to corporations as they have become the mobile office for their ability to access corporate networks in real time, much in the way that laptops have been able to do. This presents cybercriminals with the opportunity to use smartphones as the launch pad for penetrating and accessing sensitive corporate data. The increased usability of smartphones and other wireless devices and the new business models they enable could become the biggest threat to corporate security in the near future.
The mobile market presents a unique position in terms of malware as compared to the traditional PC market. The platforms available for attack on PC platforms are limited - Windows, MacIntosh and Linux - while the number of mobile platforms continues to grow: Google Android, Apple mobile OS, SymbianOS, Windows Mobile, Palm. For example, we are just seeing the tip of the iceberg with Google's Android OS vulnerability discovered late last year. And more recently, the discovery of the new SymbOS/Yxes.A!worm (AKA "Sexy View") mobile worm gives strong indication that we may be on the edge of a mobile botnet. This sophisticated SMS-propagation strategy, which hosts the worm on malicious servers, allows cybercriminals to effectively mutate the worm by adding or removing functionality.
A managed client capable of detecting software installations and monitoring file access in addition to encrypting data and reporting status to a central server is the answer for network managers grappling with an active mobile work force. Network managers will want to look for solutions that provide multi-layered protection for blended threats and that protects across all device interfaces. The ideal mobile client solution would be part of an integrated, end-to-end network security platform that offers accelerated hardware and impinges minimum performance impact on user device and services. In addition, the network security platform should offer configuration management and control with reporting, and flexibly-defined profiles and policies for granular network segmentation capabilities.
For the end-user, both corporate and private, here are some tips to follow for the safe usage of their mobile device:
1) Similar to patch management on PC platforms, apply any updates to mobile platforms as soon as they become available. For example, Google quickly issued a fix when the vulnerability in its open source Android OS was discovered in late 2008. Be educated and aware of threats that bridge to the Internet.
2) Phishing scams looking for bank account information or corporate credentials are very real to hit users on mobile devices, just as they are with PCs. Just like social networks, mobile networks through voice contacts are highly trusted. Attempt to verify the identity of any incoming messages that are suspicious. Reply with something simple like "What is this?" to ensure you are able to confirm that the source of the message is trusted.
3) Be aware of what you install. For example, the worm SymbOS/BeSeLo used social engineering over MMS to install itself. It prompted the user to install an application which had a file extension .mp3 or .jpg; users should be aware of this and not install anything they haven't confirmed as being from a trusted source. Many users have "jailbroken" phones, such as the iPhone, which means that uncontrolled (unsigned) code can be run. This is a very big security risk, and users should be aware of the risks they take when they unlock phone functionality.
4) Disable communication channels such as Bluetooth by default, only enabling them on a per-session requirement. This removes an attack avenue. By taking simple precautionary measures, it effectively helps to harden your smart device.
James is vice president of products at Fortinet.