July 2011


Blind faith

The explosion in the uptake of smartphones has fundamentally transformed the ways in which we use our mobile devices. Whereas once, mobile phones were used for pure ‘talk and text’, an increasing number of consumers are using these sophisticated devices for a broad range of activities, from social networking and gaming, to commerce and banking. In addition, the consumerisation of IT and the rise of remote working means there is a growing number of business professionals using mobile devices to access corporate data outside of the office. The result is a security nightmare. Heather McLean investigates.

Our business and personal lives are merging faster and faster as we embrace the ‘always on, always available’ culture. Arguably the two most popular mobile devices, the iPhone and the Blackberry, have both been shown to be vulnerable to attack both directly and indirectly, and according to recent research from Juniper Networks, there has been a 400% increase in malware on the Google Android operating system since last summer, indicating that mobile devices, and smartphones in particular, are becoming a key target for cyber crime.

Garry Sidaway, director of security strategy at UK-based IT security solutions provider Integralis, says: “While the vast majority of these attacks are theoretical, some have been shown to work, and some are out there and active in the wild. Yet end users blindly keep adding data onto these devices, sometimes without thought to the consequences of their own actions; they do it just because it’s easy and convenient.”

Alan Ranger, vice president, mobile marketing at Cloudmark, provider of carrier grade messaging security and infrastructure solutions for the world’s most demanding fixed, mobile and social networks, remarks: “Unlike email, where users seem to be more educated about spam and malware, mobile users have an inherent trust in their device, making them more susceptible to falling victim to attack. A general lack of awareness is also responsible for consumers not knowing what information they should share via mobile and how to protect their personal information.”

Sidaway comments: “Many users still treat these smart devices simply as phones. They leave them on the desk, in the car and often do not protect them. Yet they have huge amounts of sensitive information and often access to the corporate address book and corporate email. We are also seeing an explosion of apps that make things on a small screen far easier, but no one looks at the privileges of these apps or their full capabilities. Business and users are slowly waking up to the fact that mobility and smart devices are convenient, but require no less security than if you were behind your corporate bunker.”

An increasing number of companies permit employee-owned smartphones and tablets that, inevitably, have both business and personal data on them, raising new concerns about security as well as privacy. Ojas Rege, vice president of MobileIron, provider of solutions to solve the problems CIOs face as business data and applications move to smartphones and tablets, states: “We call this trend BYOD, Bring Your Own Device. However, regardless of who owns the phone or tablet, a key assumption is that personal and corporate information are inevitably going to end up on it. The challenge becomes, how does one protect the corporate data while preserving the privacy of the personal data?”

Recent developments in mobile computing have led to huge efficiencies and increased productivity for both business and personal tasks. However, notes Sal Viveros, mobile security specialist at McAfee, the world’s largest dedicated security technology company, increased mobility brings with it increased implications for data security. “Mobile devices are much more likely to be lost, stolen or exploited while unattended than those that remain permanently within the confines of the office space,” he says.

“The result is a threat that operates at several levels,” Viveros continues. “At its simplest, a lost smartphone poses a risk if it falls into the wrong hands and the data on it is not encrypted. Businesses risk a fine for breaking data protection laws even if the issue doesn’t go any further, but the reality is, as smartphones become more powerful and ubiquitous, criminal organisations are seeing them as a way to gain entry to a company and steal or misuse data.”

Viveros warns that while to date mobile security has not been such a major concern, with reports of malicious activity and threats increasing daily, now is the time for attention to turn to mobile before the risks get out of hand. He states: “Most users have migrated to smartphones impressed by the added functionality and ease of use, yet perhaps few people actively realise that the devices they are carrying in their pockets are in fact personal computers designed to connect to networks and transfer more data than their PCs ever did.”

Mobile = risk = security
Modern mobile phones are essentially computers in a telephone form factor, so they can be attacked at many different points, ranging from the communication protocols, to planting trojan horses in the devices’ operating software.

Bjoern Rupp, CEO at Germany-based GSMK CryptoPhone, provider of mobile voice and message security, gives a stark warning: “It’s laptops and desktop PCs all over again, and those businesses and consumers who still ignore the fact that they are working with highly vulnerable mobile computers will need to face the uncomfortable experience of their communications being intercepted, confidential data being stolen, and their mobile phones being turned into mobile bugging devices. All too often, mobile phones are the weak link in the security armour to steal confidential information.”

Ian Kilpatrick, chairman of value-added distributor Wick Hill Group, says: “Mobile phones are extremely vulnerable to targeted attacks. Spyware is easy to drop onto phones from websites, hidden in everyday apps like games. Users can be easily tricked into revealing personal and business security credentials via ‘man in the middle’ attacks, where the attacker sets up a base station purporting to be a well known hotspot provider. There is a wide range of other attacks such as ‘bluesnarfing’ for data theft, ‘bluebugging’ to listen in to calls, and the well-known Super Bluetooth hack to make calls. These are just a few of the threats,” he warns.

Ranger notes: “With the growing ubiquity and proliferation of mobile devices in users’ personal and professional lives, it is perhaps unsurprising that spammers and hackers are increasingly focusing their attention on the mobile platform. As a result, there needs to be greater vigilance over the information that is being sent and received via mobile devices, particularly when it comes from an unknown source or leads to a third party website. Consumers must adopt and exercise the same level of caution over the personal data they share via mobile as they currently do in an online environment. Businesses must also ensure that the correct security solutions have been implemented by the IT department to safeguard and protect sensitive company data.”

The IT crowd
Sidaway remarks: “This is not only about mobiles, but about mobile users and smart devices for the business. Setting a policy and making users aware is a good start. Enforcement of the policy requires careful consideration and then the expertise and knowledge to implement the policy controls. We have been working with some large organisations to review policy and also extend the risk management and penetration testing to these smart devices. End users are always part of any good security solutions; they must be educated and made aware of the risks and given simple advice on how to minimise those risks.”

According to research carried out by Computing in September 2010, sponsored by Integralis, nearly one third of organisations do not know if they have lost data, while 46% said that they had, but it wasn’t critical. Yet Sidaway comments: “This means that they have classified their data, ensured that they have the right access controls in place, and know where their critical data is at all times; really?”

Rege notes: “IT departments will need to figure out how to manage this boundary of personal versus business use through both technology and company policy. While organisations want to protect corporate data on devices, they need to respect the privacy of their employees. They therefore need to ensure that personal content such as pictures, music and video remains on an employee’s device and is kept private to that employee.

“The repercussions of not securing the devices and the data on them are that your company data is now vulnerable, a terrifying prospect for any organisation,” warns Rege.

Yet according to a recent McAfee Mobile Security Report, Mobility & Security – Dazzling Opportunities, Profound Challenges, there is an apparent unwillingness of the majority of administrators to pay for mobile security products or services. Viveros says there also appears to be a lack of internal education or training regarding company policies, which limits any approach to security management.

He adds: “Additionally, corporate IT teams can too easily lose control of the devices, while legal frameworks find it hard to demarcate between personal and corporate use and data. Until these areas can be properly provisioned, the question of who is responsible for security will continue to rage.”

Rege remarks: “Companies are paying attention to smart device security; the question is whether they are considering an effective approach. The security challenge we see companies struggling with is that IT cannot secure mobile devices the way it did laptops.

“As IT considers smart device security, it’s important to think beyond lost devices and prepare to secure the corporate network against compromised devices; those that have been jailbroken or rooted or have rogue apps running on them,” says Rege. “At this point it’s pretty simple to remotely lock or wipe a device. Now it’s about keeping the corporate network safe from insecure devices. The only way to do that is to know the security state of a device and to be able to take action.”

Kilpatrick comments that companies such as Kaspersky Lab, Check Point, MaaS360, and others have a range of channel-friendly, easily deployed solutions which provide features such as: secured access to the device; encryption of the data on the device, to ensure that it is not readily visible; device tracking, if it is stolen; device authentication, so that unsecured (or compromised) devices can’t get access to the corporate network; device data wiping, based on either multiple failed password attempts or device loss or theft; and, interestingly, a feature that enables the phone to stealthily report back, even if the SIM card is removed and changed.

“The big issue for the channel and for customers is that provisioning, reporting and management of these capabilities has now caught up with company security requirements, enabling them to fit into the standard security environment,” adds Kilpatrick.

Ultimately, the decisions on security will lie with IT departments, Kilpatrick remarks. “The opportunity for the channel is to initiate discussion with IT departments and not wait until a security-aware reseller takes the business away from them.”

Kilpatrick adds that mobile security should be sold upfront on the device at the point of sale. “You can ask, ‘Do you want the device with or without security?’ This is a value-add sale. It’s exactly the same as selling a laptop or a PC with security, such as anti-virus, anti-spam, and the rest.”

Ignore at your peril
IT departments and end users alike need to realise that they must protect their mobile devices just like their laptops and desktop PCs, states Rupp. He says: “Not enabling passwords and other protection methods provided by the phone manufacturer amounts to gross negligence in an age where information has become more valuable than ever before.

“In a corporate context, all too often, sensitive information such as PIN codes and passwords are exchanged over voice calls and text messages under a false sense of security. Drastic action needs to be taken to secure this information via phone encryption to ensure data is protected from outside threats.”

The McAfee Mobile Security Report showed that only one fifth to one third of device users said they ‘feel safe’ using their devices, and therefore it is not surprising that around two thirds of users would like more clarification around security options.

Ranger notes: “Although many organisations that allow employees to use personal devices for work purposes actually have a mobile security policy in place, few employees are actually aware of it. As such, employers need to be wary of the primary usage of these devices and the type of information being stored and transferred on them.”

However, the majority of those surveyed for the McAfee report also claimed that they would not be willing to pay for such services, suggesting that even though they may have purchased the devices, they do not feel they should be paying for additional security.

David Ting, founder and CTO at Imprivata, which helps organisations secure their networks by offering a single sign on in an appliance-based authentication and access management solution, states: “As the proliferation in the use of these devices continues to grow, it is unrealistic for businesses and IT departments to think that they can afford to ignore mobile device security.

“Businesses now have to take a proactive approach towards data security, and yet there still appears to be some apprehension around allowing employees to access sensitive data from mobile devices. However, once businesses and end users are educated around best practices, working on the move can become a real asset to any organisation.”

Warns Ting: “Businesses of all sizes in both the private and public sector are obliged to comply with regulations such as the Data Protection Act, and failure to do so will lead to severe repercussions, which can include damage to reputation and financial penalties. These regulations apply whether employees are accessing information from the office building, from their home computer, or when on the train. As such, IT departments are realising the importance of securing mobile devices.”

He adds: “Improved efficiency is an obvious by-product of flexible and remote working, and provided that security requirements are met, employees, businesses and customers can all benefit. Technology innovation is leading the constant improvement around mobile device security, and technologies such as Single Sign On (SSO) and Strong Authentication will be utilised by businesses more and more as increasing proportions of their workforce demand access to data on the go.”

How to secure
There is a sharp division between those organisations that have understood that securing and managing their mobile devices is just as important as securing their corporate or governmental IT networks, and those that have not yet done so, Rupp says.

He remarks: “In those cases where no attention is paid to mobile device security, it is usually due to the fact that these organisations either think they are not responsible for employees’ personal devices (which are however linked to the corporate intranet), or that they have not yet realised that the days in which a mobile phone was little more than a specialised radio are over.

“Yet it needs to be stressed that the changes and progress in mobile communications and mobile computing have occurred at an enormously fast pace, and that not every organisation has kept track of the security implications arising from that development,” Rupp concedes.

Mobile devices are typically difficult to monitor from a security perspective. But SSO tools can require that the end user reconfirms their identity before accessing sensitive files through the use of strong authentication, states Ting. He says: “This could include phone-based tokenless authentication, where the user is required to confirm a password by answering an automated call-back to the phone.

“While providing a level of security that would be expected inside the office, the best SSO applications are designed so that no software has to be installed on the mobile device itself, which is both simple and effective from the IT department’s standpoint, and non-intrusive for the end user,” adds Ting.

Many organisations have access privileges assigned to employees within the corporate building, and these privileges are typically set by role, ‘need to know’ and least privilege requirements, Ting continues. “When securing a mobile fleet, businesses need to decide whether these access rights remain consistent, or whether adaptations are needed to reduce these privileges and safeguard the most sensitive files.

“For those businesses that do decide to go down a strong authentication route, selecting the most appropriate method is also crucial. For example, hardware tokens can be easily carried by an employee, and using this kind of authentication means that the employee will need to enter a code before access to corporate data is granted,” Ting states. “And as mentioned earlier, phone-based tokenless authentication is growing in popularity because it can provide two-factor authentication without requiring employees to carry a token.

“Using strong authentication alongside SSO will ensure that only trusted users can access information and applications, while making sure that all existing access and authorisation policies apply,” concludes Ting.
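The two ideas Rege and Ting describe above, refusing network access to devices whose security state is compromised (jailbroken, rooted, rogue apps) and applying role-based least privilege with a step-up to strong authentication before sensitive files are released from a mobile device, can be combined in one policy evaluator. The example below is added here and is not code from the article or from any vendor it quotes; the role names, data classifications, device records and the "second factor confirmed" flag are all constructed assumptions, and a real deployment would take the posture fields from an MDM or attestation source rather than from a dataclass.

```python
"""Added example: mobile access policy combining device posture, role-based
least privilege and step-up strong authentication. Not from the article."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hypothetical classification ladder: higher number = more sensitive.
CLASSIFICATION = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Hypothetical role matrix: the highest classification a role may read from
# inside the office, and the reduced ceiling applied on a mobile device.
ROLE_CEILING = {
    "staff":   {"office": "internal",   "mobile": "internal"},
    "finance": {"office": "restricted", "mobile": "confidential"},
    "admin":   {"office": "restricted", "mobile": "restricted"},
}

# Any resource at or above this level needs a second factor when on mobile.
STEP_UP_FROM = "confidential"


@dataclass
class Device:
    """Constructed posture record, as an MDM agent might report it."""
    owner: str
    jailbroken_or_rooted: bool = False
    rogue_apps: List[str] = field(default_factory=list)
    mdm_enrolled: bool = True


@dataclass
class Request:
    user: str
    role: str
    location: str            # "office" or "mobile"
    classification: str      # classification of the resource requested
    device: Optional[Device] = None
    second_factor_ok: bool = False   # assumption: set by the SSO step-up flow


def posture_problems(device: Device) -> List[str]:
    """Return the reasons a device is untrusted; an empty list means trusted."""
    problems = []
    if not device.mdm_enrolled:
        problems.append("not enrolled in device management")
    if device.jailbroken_or_rooted:
        problems.append("jailbroken or rooted")
    if device.rogue_apps:
        problems.append("rogue apps: " + ", ".join(device.rogue_apps))
    return problems


def decide(req: Request) -> Tuple[str, str]:
    """Return ('allow' | 'deny' | 'step-up', reason).

    Order matters: a compromised device is refused before its owner's role is
    even considered, so a stolen credential on a rooted phone never reaches
    the privilege check.
    """
    if req.location == "mobile":
        if req.device is None:
            return "deny", "no device posture available"
        problems = posture_problems(req.device)
        if problems:
            return "deny", "; ".join(problems)
    ceiling = ROLE_CEILING[req.role][req.location]
    if CLASSIFICATION[req.classification] > CLASSIFICATION[ceiling]:
        return "deny", f"{req.role} may not read {req.classification} from {req.location}"
    if (req.location == "mobile"
            and CLASSIFICATION[req.classification] >= CLASSIFICATION[STEP_UP_FROM]
            and not req.second_factor_ok):
        return "step-up", "strong authentication required for sensitive data"
    return "allow", "within role privileges"


if __name__ == "__main__":
    clean = Device(owner="alice")
    rooted = Device(owner="bob", jailbroken_or_rooted=True)
    for r in (
        Request("alice", "finance", "mobile", "confidential", clean),
        Request("alice", "finance", "mobile", "confidential", clean, second_factor_ok=True),
        Request("alice", "finance", "mobile", "restricted", clean, second_factor_ok=True),
        Request("bob", "admin", "mobile", "internal", rooted),
    ):
        print(r.user, r.location, r.classification, "->", decide(r))
```

The ordering in `decide` is the point a practitioner should take from the passage: posture is checked before privilege, privilege is reduced for the mobile context rather than copied from the office profile, and the second factor is demanded only where the classification warrants it, so the step-up does not become a blanket nuisance that users learn to click through.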

There is a wide selection of mobile device management software out on the market today, notes Rupp. He says what will suit a particular organisation will depend on that organisation’s needs, and the type of mobile devices it has deployed.

“While application software can plug some of the most severe holes, what is really needed for any organisation exchanging confidential information over mobile phones is a comprehensive 360-degree solution that addresses operating system security, security of data at rest, and the security of mobile phone calls and messages. Unfortunately, so far, only a select few vendors worldwide can offer such a comprehensive protection package that addresses all aspects of mobile device security,” laments Rupp.

Yet Rupp continues: “The recent announcement by SAP that it will be offering mobile versions of its enterprise business software suggests the way the market is going. We can expect a growing range of corporate back office applications to be available in mobile variants, across multiple platforms. This introduces a new degree of risk as this creates a higher level of exposure for organisations. Technologies that balance the risk in accessing these applications versus the gains in productivity will be important here. Another area for consideration is the use of NFC (near field communication) technology for contactless payment, assigning a greater commercial value to individual handsets.”

Carrier and supplier spotlight
At the moment the responsibility for mobile security resides exclusively with the end user and IT departments. Operators and manufacturers are playing little or no role in safeguarding mobiles.

Rupp comments: “The network operator is under an obligation to secure its network and ensure that unauthorised parties do not tamper with people's calls. Unfortunately, recent developments in cryptanalysis have made operators look rather negligent when it comes to protecting the rights of their subscribers in respect to the privacy of their voice calls.”

At a minimum, network operators must upgrade their networks to the newer A5/3 GSM encryption algorithm, and pay increasing attention to network anomalies like ‘rogue base stations’. Rupp says while this still will not provide true end-to-end security, it will at least plug some of the most obvious holes that can be exploited even by amateurs these days, and which have left the privacy of any call made over legacy GSM networks a rather theoretical construct.

Yet operators’ revenue from mobile data will stagnate unless the necessary steps are taken to prevent the increase in mobile messaging abuse and fraud, claims Ranger. Therefore, it is vital for operators to regularly assess their networks and ensure they have the utmost confidence in the security measures they have implemented to protect their subscriber base. “In doing so, they will provide consumers with the confidence to take full advantage of the ever increasing number of services available via mobile,” he says.

Ranger continues: “The recently launched GSMA Spam Reporting Service (SRS), powered by Cloudmark, allows participating operators’ subscriber base to report messaging abuse. Once reported, the SRS provides information to the operators, which allows them to understand the extent of spam within their networks. The service also provides individual operators with detailed information on content, senders and reporters, as well as aggregated messaging spam data across mobile network operators. This gives enhanced visibility into high-volume and emerging threats.”
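What a reporting service of the kind Ranger describes has to do with the reports once they arrive is the interesting part: group them by sender and by reporting operator, count distinct reporters rather than raw reports (one annoyed subscriber forwarding the same message ten times is not ten victims), and flag senders whose volume is new rather than merely large. The example below is added here and is not Cloudmark's or the GSMA's code; the report records, the sixty-minute window and the thresholds are constructed assumptions.

```python
"""Added example: aggregation of subscriber spam reports by sender and
operator, with a simple 'emerging sender' flag. Not from the article."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed reports: (minutes since start, reporting operator, sender, reporter)
REPORTS: List[Tuple[int, str, str, str]] = [
    (0,  "opA", "+440000001", "subA1"),
    (5,  "opA", "+440000001", "subA2"),
    (10, "opB", "+440000001", "subB1"),
    (15, "opA", "+440000002", "subA3"),
    (70, "opA", "+440000003", "subA4"),
    (72, "opA", "+440000003", "subA5"),
    (75, "opB", "+440000003", "subB2"),
    (80, "opB", "+440000003", "subB3"),
    (85, "opB", "+440000003", "subB4"),
    (88, "opA", "+440000001", "subA1"),   # repeat reporter: counts once as a reporter
]


def summarise(reports) -> Dict[str, dict]:
    """Per-sender report total, distinct reporters and per-operator breakdown."""
    stats: Dict[str, dict] = {}
    for _ts, operator, sender, reporter in reports:
        s = stats.setdefault(sender, {"reports": 0, "reporters": set(),
                                      "by_operator": defaultdict(int)})
        s["reports"] += 1
        s["reporters"].add(reporter)
        s["by_operator"][operator] += 1
    return stats


def high_volume(stats, min_reporters=3, min_operators=2) -> List[str]:
    """Senders reported by enough distinct subscribers across enough operators.

    Requiring more than one operator is what the cross-operator aggregation buys:
    a sender spraying several networks is visible here and to no single operator.
    """
    return sorted(
        sender for sender, s in stats.items()
        if len(s["reporters"]) >= min_reporters
        and len(s["by_operator"]) >= min_operators
    )


def emerging(reports, window=60, factor=2.0, min_recent=3) -> List[str]:
    """Senders whose reports in the latest window exceed `factor` times their
    average per earlier window, and reach at least `min_recent` reports.

    A sender with no earlier history and a burst in the latest window qualifies;
    a sender with a steady trickle does not.
    """
    per_window: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    latest = 0
    for ts, _op, sender, _rep in reports:
        idx = ts // window
        per_window[sender][idx] += 1
        latest = max(latest, idx)
    flagged = []
    for sender, buckets in per_window.items():
        recent = buckets.get(latest, 0)
        earlier_total = sum(c for i, c in buckets.items() if i < latest)
        baseline = earlier_total / max(latest, 1)   # average per earlier window
        if recent >= min_recent and recent > factor * baseline:
            flagged.append(sender)
    return sorted(flagged)


if __name__ == "__main__":
    stats = summarise(REPORTS)
    for sender, s in sorted(stats.items()):
        print(sender, s["reports"], "reports,", len(s["reporters"]),
              "reporters,", dict(s["by_operator"]))
    print("high volume:", high_volume(stats))
    print("emerging:", emerging(REPORTS))
```

Run against the constructed data, `+440000001` shows up as high volume (three distinct reporters on two operators) but not emerging, because its reports sit in the first window; `+440000003` is both, since all five of its reports land in the latest window with no prior baseline. That separation is what lets an analyst look at the new campaign first rather than the long-running one everyone already blocks.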

Sidaway says his company is seeing a lot of development around extending the corporate security onto the mobile device. “This is the basis of consumerisation, being able to separate business and personal information and data on the one device that the employee wants to use. We are also seeing the device used as a security token or being able to receive a one-time password for authentication via SMS. But we haven’t really seen these functions from the providers themselves; they still rely on either a PIN or simple lock function to secure the device, so the devices are still treated as a phone and not a powerful work tool by providers.”

Rupp adds that more work to secure phones should be done by the manufacturers of these devices: “The handset manufacturers should take more time to audit their code and thoroughly debug their phones before shipment. While there will always be a conflict between the pressure to ship early and the desire to have a mature product, the fact that many phones are shipped with buggy software that openly invites attacks is not acceptable in a time when corporations and governments alike rely on mobile phones to exchange confidential information.”

Ed says:
“So, there is much to do for the mobile industry to increase security on these increasingly sophisticated devices. Not doing so will result in end users being burnt and corporates getting into trouble. The opportunity, which is great, is there for the channel; seize the day.”

Source: Comms Dealer, July 2011, Business Profile