A Call For Industry Players to Address Mobile Handheld Security Concerns NOW
Bluefire Security's Mark Komisky offers advice for how the wireless industry can begin to make mobile devices more secure.
Identity theft. Privacy concerns. Computer viruses that sweep around the world like electronic tidal waves. The number and frequency of threats to mobile devices just keep growing. As the "office" is defined less by a physical space and more by the location of a user at any given time, add one more concern: the protection, integrity and security of data stored on PDAs, cell phones and mobile devices.
Evidence of the growing threat surfaced late last year, when InformationWeek reported that virus writers posted a virus called "Skulls" on shareware Web sites. Disguised as a theme manager providing cell phone interface features, Skulls treated those who downloaded it to an interface composed entirely of skulls and crossbones and rendered all applications (email, contacts, calendar, messaging) on the devices useless.
And so it goes, with research firm Gartner predicting that "sometime around 2006, a worm like a Slammer or a Blaster is likely to hit cell phones."
Bottom line: PDAs and cell phones are an increasingly vital part of the enterprise network, and IT managers must treat the protection of mobile handheld devices with the same level of concern afforded desktop and notebook computers. If you are an IT director -- or a wireless carrier or device manufacturer for that matter -- and you or your users/customers haven't yet demanded action on mobile device security, be prepared; those demands are right around the corner. Better yet, be proactive and take the necessary steps to address threats to wireless data and network security now, before disaster strikes.
1. Define a handheld security policy. Organizations of all sizes should work with device manufacturers and carriers to conduct a thorough vulnerability assessment to identify assets and risks. Results will help to define an acceptable use policy for handhelds that coincides with policies regarding desktop and server use.
2. Centrally enforce/monitor handheld security. Security parameters should be configured according to an organization's security policy, with handheld security logs archived to enable centralized surveillance and reporting.
3. Enforce power-on passwords. Perhaps the biggest risk associated with handhelds is that no power-on password is required by default. At minimum, the use of a built-in PIN, standard on most handhelds, should be centrally enforced.
4. Block unauthorized handheld network activity. Mobile firewall software, configured specifically for handhelds and designed to minimize the amount of memory required, will defend wireless devices from both common network attacks and attacks specific to handhelds. PDA and smartphone manufacturers can help their enterprise customers determine what firewall software is compatible with their devices.
5. Detect handheld intrusions. Intrusion prevention software also can detect and stop registry/attribute tampering, execution of malicious code, and software failure -- all of which can disable virus scanning, change firewall rules, or ride VPN (virtual private network) tunnels into the corporate network.
6. Protect handheld integrity. Anti-tamper products can detect unauthorized changes to sensitive data and alert users or block access to secure resources.
7. Encrypt sensitive data. Users should be prohibited from storing certain types of data on the device (e.g., credit card, bank account, or social security numbers, health records, and proprietary business information). When sensitive information must be stored, a data encryption product can be used to reduce risk if the handheld is lost, stolen, or hacked.
8. Protect traffic sent and received by handhelds. Encrypted, authenticated VPN tunnels can be created to ensure privacy and integrity of communication between handhelds and connected networks.
9. Detect and eradicate viruses. Anti-virus solutions should be used to detect viruses, worms, and Trojans, particularly if WiFi or wireless carrier networks are being used to update email, contacts, and calendars, or to access the web.
10. Back up data regularly. As with any computer, frequent backups can reduce loss of data and downtime if a handheld is lost, stolen, wiped clean, or damaged.
The emergence of mobile and wireless applications represents a new and exciting chapter in any business or organization's IT development. However, threats to the security and integrity of data held on PDAs and smartphones are both real and present.
Addressing those threats head on -- now -- is not an option, but a requirement, for all players in wireless today: enterprises, wireless carriers, device manufacturers, and security software providers.
Mark Komisky is CEO of Bluefire Security Technologies.