Security policy for smartphones
The use of smartphones in the enterprise raises new security
and management issues for corporates as well as for SMBs. By Manjari Juneja
Smartphones
are increasingly prevalent and adept at handling tasks well beyond voice calls
or simple calendaring, including trading stocks, paying bills and buying
online. Lately, employees have been falling in love with the iPhone, Android,
Windows Mobile and other smartphone platforms. Increasingly, they are using
the devices for their professional work as well and have started storing corporate
information on these devices. With smartphones providing gigabytes of storage
and powerful processing functions, the volume of company data that is being
stored on the devices has also increased to a great extent. This makes them
more attractive to hackers and cyber criminals. Smartphones are also vulnerable
to the same Web-based and e-mail attacks that harm PCs.
Companies need to know what information employees are storing on these devices.
They need to conduct a mobile phone audit, so that they have a starting point
when it comes to managing these devices. With the growing use of smartphones,
it is difficult for companies to keep information within the corporate walls
and, as data is moving off-site, security checks must be put in place.
According to an IDC study, the number of worldwide mobile
workers will reach 1 billion by 2011 with the Asia-Pacific contributing the
maximum numbers. This means that an increasing number of employees will now
be working on the move and accessing not only personal but also corporate information
from their mobile phones. IDC predicts that the number of converged mobile devices
will spike from the 151.6 million last year to 334.2 million by 2013 and that
increasing reliance on business and personal data means that the loss or theft
of devices would pose an even greater threat for users and companies.
Smartphones on the corporate network need to be secured, and policies
should include items that keep them from compromising the network's integrity
or capabilities. Smartphone policies should establish and enforce passwords;
encrypt data on the device; remotely lock down and wipe a device clean of data
in case of theft or loss; control network access; allow or disallow application
use, including that of corporate-mandated programs for filing expense reports
and the like; control interaction with Bluetooth, Wi-Fi and other wireless
systems; restrict the use of the smartphone as a USB flash drive; restrict the
use of a media card on the device; and enable compliance mechanisms, such as
audit logs.
Enterprises should have a combination of policies and procedures
governing the use of smartphones, and the right tools to enable IT administrators
to monitor and maintain them. When this is done, smartphones emerge as an invaluable
business tool. Larger businesses with substantial IT budgets can and should
mandate a company-standard smartphone platform, even going so far as to supply
business handsets to workers who need mobile access.
Small businesses can adopt policies to simply forbid users
from accessing e-mail and other internal resources from their smartphones unless
their job profile requires it. The safest way for an organization is to identify
which of the employees need to access corporate data on their smartphones and
then simply give them a business handset that can be controlled tightly. In
case of any loss, organizations can wipe the data remotely and the damage done
is minimal.
Companies can also adopt solutions for over-the-air device
management, granular and consistent mobile security policy enforcement and end-to-end
visibility for troubleshooting and support with client applications for BlackBerry,
Symbian, iPhone, Android, Windows Mobile etc.
Amit Nath, Country Manager, Trend Micro India and SAARC,
said, "Smartphones are powerful tools that will continue to evolve and
integrate deeper with business processes. With mobile OS-based tablets such
as the Apple iPad, the possibilities are even greater for mobile computing and
productivity. IT administrators must address the challenge of integrating these
devices into the network infrastructure and do so in a way that can be easily
and centrally maintained."
IT administrators must address the challenge of integrating
these devices into the network infrastructure, and do so in a way that is seamless.
In fact, more than one-third of respondents to a survey by the Enterprise Strategy
Group commissioned by Symantec revealed that employees with mobile devices can
access, receive, and store company confidential data, customer data, regulated
data and intellectual property. This new-found mobility, coupled with the availability
of sensitive information on the mobile devices, makes attacks on mobile phones
a serious problem. Specifically, in India, 43% of respondents to a recent DSCI-KPMG
survey felt that mobile, remote and always-on access is a significant challenge
to information security.
- Pranking for profit: This is a
new class of attacks intended to steal money (as opposed to data) from
compromised terminals. This type of crimeware uses what is known as
RedBrowser to infect smartphones and send premium SMS messages from
the device to a Web site that withdraws money from a bank or credit
account before the user or network realizes what is happening.
- Snoopware:
This enables a hacker to remotely access a smartphone to activate the
microphone feature and listen to private conversations or confidential
corporate meetings. Such software is also capable of viewing a calendar
and list of contacts on a handheld device, making it easier for a cyber
criminal to know exactly which meetings are worth eavesdropping on.
This particular threat can be especially dangerous to users as sensitive
business and personal data may be passed along in conversation.
Source: Symantec
The situation in India
Smartphone security is becoming increasingly important, as
business and personal information moves from the PC onto a handheld device.
The number of smartphones with access to the Internet has risen significantly.
This has increased the opportunities for hackers to compromise the security
of data on these devices.
With the proliferation of mobile devices, harmful software
such as viruses and spyware is emerging to exploit their vulnerabilities. Also,
the launch of advanced services including 3G and m-commerce and the expected
advent of mobile number portability are giving rise to security concerns.
According to market research firm ABI Research, the mobile security market is
slated to exceed $4 billion by 2014, with mobile security services revenue growth
exceeding 40% in 2009, driven by enterprises looking to safeguard corporate
data and regulatory requirements to protect sensitive personal and financial
information. According to technology research firm Ascenda, the smartphone market
in India was sized at 5 million in 2008 and is expected to grow at a CAGR of 23%
in the period up to 2011.
Strong enterprise demand for data security is driving rapid
growth in mobile device management services. 73% of employees are using smartphones
in Indian enterprises according to Symantec's latest Enterprise Security Survey
2010 - Millennial Mobile Workforce & Data Loss. E-mail, instant messaging,
online banking, online shopping and Web surfing are all possible on smartphones
and, consequently, the number of threats targeting these devices is growing
at a rapid pace.
Valan. S, Systems Engineer, Fortinet, India, said, "As the Indian mobile
market marches towards maturity, sales of smartphones are also growing. With
the increasing use of smartphones, they have now become more vulnerable to data
theft and misuse. Many of these devices are unmanaged and unsecured, making them
ripe for infection by mobile malware. The user's data might even be stolen from
the device while a smartphone is in use. Moreover, these are often misplaced,
lost or stolen, which increases the risk of unauthorized access to confidential
data. It is because of these growing risks and, at the same time, due to an increase
in the use of smartphones by corporate users, that they have now become an integral
part of IT security planning for many enterprises. The corporate sector has
started deploying security solutions for smartphone users and end users have
also become aware of the criticality of having adequate security controls for
their devices."
Due to the increasing affordability of smartphones, conventional
threats such as viruses, worms, malware and spam are on the rise. Symantec has
observed various types of attacks, such as viruses that spread through Bluetooth
transfers, game downloads, updates to the phone's system, ringtones and
alerts. Other common attacks attempted on mobile devices are Bluejacking (techniques
in which nearby users try to push malicious data onto a device via Bluetooth) and
Bluesnarfing, which aims at copying the contents of your mobile device.
Historically, no mobile threat has had a high impact.
As the mobile OS landscape changes and devices ship with a huge amount
of memory and are used for storing sensitive data, devices such as the
iPhone or those running Android are becoming fatter targets for criminals.
2009 saw two distinct handset-based rudimentary
botnets: one on the Symbian platform, which propagated through SMS and
aimed to steal International Mobile Equipment Identity (IMEI) details,
and one more recently that originated in Australia, and affected only
jail-broken iPhones, but was later adapted and aimed at banking customers
in the Netherlands, stealing details and passing them to a command and
control (C&C) server in Lithuania. With this change in consumer behavior,
and the possibility, for the first time, of some sort of handset
monoculture being created, there is increased potential for more mobile-related
malicious activity, the extent of which will be dictated by consumer behavior.
Trend Micro researchers were earlier alerted to
the discovery of malware that came preinstalled on a Vodafone mobile
phone handset. Its memory card was also believed to carry malware.
Vodafone has been taking the heat for packing malware straight out of
the box on its HTC Magic Android smartphones. The recipient of one of
the malware-laden phones was an employee of the Spanish anti-virus firm,
Panda Security. Plugging the phone in via USB into any PC quickly led
to an infection by WORM_SILLY.QT. Vodafone has already released an official
statement saying that the infected phone problem was an isolated one.
Trend Micro threat researchers believe that it
is likely that a computer in Vodafone's production line was infected by
WORM_SILLY.QT. Because of the worm's capability to propagate through removable
drives, somehow SD cards in a certain batch of smartphones were infected
and there is a possibility that other smartphones coming out of the same
factory might be carrying the same malware.
Trend Micro, in its 2010 Future Threat Report, has
also predicted that mobile phones fresh from the factory could be carrying
malware.
Source: Trend Micro
Encrypting data
The bigger issue with corporate data on phones is data loss due to lost phones
or compromised removable storage in phones. These devices have large drives
and the ability to support microSD storage cards, so a corporate user can store
a lot of data on the phone. Companies making investments in smartphone security
today are looking into solving the data at rest problem first.
Data leakage can be prevented. Firstly, IT heads can frame a security policy
specifically for smartphones that aligns with other IT security processes. A
strategy for controlling devices is needed for when a device is lost or stolen,
or when a user loses the removable memory card. IT organizations should also
aim to standardize on smartphone platforms to make security easier to manage.
The second step, after policy making, is to devise a response plan for when
a mobile virus does hit.
Vishal Dhupar, Managing Director, Symantec India, commented, "Most devices
place customer data, financial data and other confidential data at risk. Left
unprotected, mobile devices like smartphones represent the weakest link in an
enterprise's IT infrastructure. Studies show that a smartphone is lost 15 times
more frequently than a laptop. Encryption is a vital component in ensuring that
data is not compromised despite there being a breach. Encryption enables organizations
to protect sensitive information in whatever state it is in, whether in motion,
at rest or in use. It is a well-known fact that mobile phones are being used
by employees to access corporate information today. Therefore, one way of reducing
the risk of data loss is by encrypting it."
There are other techniques, too, including ones that block viruses and spam.
The simplest is to set a PIN on the device. Some PIN schemes are configured to
wipe all data from a smartphone after a certain number of failed attempts.
The downside of such a scheme is when a mobile device gets into the hands of
children, whose repeated attempts to log into the smartphone result in the
loss of precious data.
Other mechanisms include paying attention to system updates from the wireless
carrier or phone manufacturer and being sure to install the required upgrades.
Backing up data such as contacts and documents and syncing regularly to keep
information current can also help.
Authentication or Encryption?
Authentication and encryption are both part of a multi-layered approach to mobile
security. More than one layer should be implemented to secure data residing
on phones. Authentication provides the sign on security during initial access
to data, whereas encryption secures information access. The emphasis should
be on strengthening encryption controls that are used to protect the information
contained in a phone.
Enterprise IT administrators rely on encryption as data is the most precious
commodity for them. They want to provide strong encryption for both data-at-rest
as well as for data-on-the-fly. However, passwords only provide limited security
when it comes to data access and are prone to being cracked easily. Then there
is also the matter of internal threats wherein employees deliberately leak data
or take it to their next employer. On the other hand, encryption ensures that
data when copied from one device to another requires a decryption key and prevents
leakage.
However, encryption of data does not mesh well with law enforcement around the
globe. Several governments (including the Indian government) are contemplating
policies that would require the deposit of the encryption keys used on
mobile devices.
Monitoring smartphones
Depending on the size of an organization, the issue of managing
and securing smartphones is a complex one. Larger businesses with substantial
IT budgets can and should mandate a standard smartphone platform going so far
as to provide business handsets to workers.
"Small businesses are more often plagued by the challenge of managing a
diverse portfolio of employee-owned smartphones. It might be a good policy for
small businesses to simply forbid users from accessing e-mail and other internal
resources from their smartphones unless their job duties specifically require
it," added Nath.
Dinesh Jotwani, India Co-Chair, Business Software Alliance,
said, "Enterprises would not only have to extend their information security
policy from their existing infrastructure that provides security to their servers
and end points, but also have to provide for additional security coverage for
their mobile devices. The fact that mobile devices are geared up to being connected
only to the service provider results in huge IT challenges for administrators.
An administrator would now have two options: to gear up security through
the service provider, wherein all the enterprise IT-compliance policies are
adapted by the service-provider infrastructure; or to have its own end-point
protection on mobile devices. There are problems with both of these options
and enterprises are struggling to mitigate risk by adapting both to varying
degrees."
Central management
Central management allows you to optimize the performance of devices, which
helps keep them running efficiently while lowering the total cost of ownership
and decreasing support costs by centralizing the help desk for device-related
issues.
Based on the level of risk that an organization is exposed to, a centralized
management capability for phones should be implemented to monitor user activity.
This mechanism would monitor devices and enforce the security policy from a
central location. The company's e-mail policy and access controls should apply
to handhelds in the same way that they apply to any e-mail client.
With a multiplicity of devices and communication means, it
is obligatory for central management to lay down policies with respect to backup,
archival, preservation, collection and production of information from all connected
devices. In short, the law now mandates that an organization needs to have a
complete gamut of information management solutions covering all end-points.
Added Jotwani, "With a multiplicity of end points now connected to the
enterprise, the central management has to play a crucial role in enforcing compliance.
Qualcomm vs. Broadcom (2008) saw the courts in the U.S. taking a broader view
of what constitutes central management. Before this judgment, the central management
meant an organization's IT department. The judgment saw sanctions against the
in-house legal department and even the law firm for non-compliance in producing
evidentiary information. It is now obligatory for an organization's general counsel
to be aware of where the organization's data is stored and to produce the same
in case of litigation or investigation."
The dynamic nature of threats from a multitude of sources means that organizations
have to effectively reduce risk and ensure that data is protected at all times,
no matter where it is used or stored. An integrated approach that combines management,
security and recovery provides organizations with visibility into and control
of the endpoint environment and can help eliminate exposure to risk. Enterprises
need to protect their infrastructure and, should a breach happen, rapidly respond
to threats. Enterprises need to take a proactive, information-centric approach
to protect both information and interactions. They need to develop and enforce
IT policies and automate their compliance processes. Finally, enterprises need
to manage security efficiently to make things easier for customers through standardization,
workflow and automation.
Remote data wiping
With employees relying heavily on their smartphones for their everyday work,
companies must provide adequate security measures to ensure the safety of corporate
data. Cyber criminals have increasingly targeted corporate smartphones to steal
valuable private data. To combat these attacks, many businesses have invested
in new technology that offers them greater central management options, such
as remote data wiping and phone locking, in case a device is lost or stolen.
This feature helps the organization minimize the risk of data loss in case of
phones being lost. Remote wiping ensures that sensitive data on a device cannot
be retrieved by an outsider.
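The PIN-with-wipe mechanism described under "Encrypting data", the argument in "Authentication or Encryption?" that copied data still needs a decryption key, and the remote wipe just described all rest on one design, sketched here as an added example (not code from the article or from any vendor it quotes): a random data key encrypts the storage, a key derived from the PIN wraps that data key, and a wipe destroys only the wrapped key. The iteration count, failure limit, PINs and data are constructed values; because Python's standard library has no AES, bulk encryption uses an HMAC-SHA256 counter-mode keystream as a stand-in, and the escalating retry delay addresses the children-at-the-keypad downside the article notes.

```python
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000  # constructed policy value for PIN stretching
MAX_FAILED_PINS = 10      # constructed policy value: wipe on the tenth wrong PIN


def kdf(pin, salt):
    # PBKDF2-HMAC-SHA256 stretches a short PIN into a 32-byte key-encryption key (KEK).
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS)


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode stands in for AES, which the stdlib lacks.
    blocks = (hmac.digest(key, nonce + i.to_bytes(4, "big"), "sha256") for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]


def encrypt(key, plaintext):
    """Return nonce || ciphertext || tag; the tag is what lets decrypt reject a wrong key."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.digest(key, b"tag" + nonce + ct, "sha256")


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.digest(key, b"tag" + nonce + ct, "sha256")):
        raise ValueError("wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Device:
    def __init__(self, pin, data):
        dek = os.urandom(32)  # random data-encryption key; never stored in the clear
        self.salt = os.urandom(16)
        self.wrapped_dek = encrypt(kdf(pin, self.salt), dek)
        self.storage = encrypt(dek, data)  # the bulk ciphertext a thief copies off the SD card
        self.failed = 0

    def wipe(self):
        """Remote wipe and wipe-after-failures alike: destroy only the wrapped DEK."""
        self.wrapped_dek = b""

    def retry_delay(self):
        """Back-off seconds, escalating from the third failure so a child mashing keys gives up first."""
        return 0 if self.failed < 3 else 60 * 2 ** (self.failed - 3)

    def unlock(self, pin):
        """Return the data for the right PIN; every wrong PIN (or a wiped device) counts as a failure."""
        try:
            dek = decrypt(kdf(pin, self.salt), self.wrapped_dek)
        except ValueError:
            self.failed += 1
            if self.failed >= MAX_FAILED_PINS:
                self.wipe()
            raise PermissionError("wrong PIN or device wiped")
        self.failed = 0
        return decrypt(dek, self.storage)
```

After a wipe the storage blob is intact but nothing on or off the device can decrypt it, which is why crypto-erase completes in milliseconds where overwriting gigabytes of flash would not.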
Although this is a powerful tool when it comes to preventing the leakage of
confidential information, it has its repercussions. Many tools that wipe
data are available and can be controlled by mobile service providers or IT
administrators, or even satellite-controlled through GPS. However, the legality
of such actions is still being debated, as a wipe also destroys evidence in
investigation, litigation-hold and e-discovery scenarios.
manjari.juneja@expressindia.com