|David Ginsburg, product manager Innopath|
The PC and the mobile phone are still a long way apart in technology, capability and use – but they’re getting closer by the minute. If mobiles look and work like computers, it seems logical to assume that they’ll start suffering the same problems as computers. And that could be Real Soon Now … But there’s a widespread perception that talk of mobile phone viruses, bluejacking, text spam and phishing is engineered to sell unnecessary add-ons such as anti-virus software and remote handset management. The truth probably lies somewhere in the middle – but where should we strike the balance? And what are the implications for resellers in the mobile space?
First things first: everyone agrees that up to now there have been very few outright attacks on mobile devices. But the consensus is that things are
Todd Thiemann, Director of Device Security Marketing at Trend Micro says the threat of mobile malware has been at the ‘proof of concept’ stage to date, meaning that cyber criminals are testing the waters to see what is possible. But the dangers will “probably” grow as the number of smartphones increases.
“It is currently much easier to make an illicit profit with PC malware, but this is likely to change in the future as unit volume shipments of mobile phones are now growing at a faster rate than PCs.” In short – “it will soon be the case that mobiles offer a much larger target than PCs”.
Dr Guy Bunker of another anti-malware developer, Symantec, agrees. He says criminals only spend their time attacking the most ‘popular’ systems – . “why bother to spend time and effort writing an exploit for something that only has a small percentage of target systems?”
But the opportunities are there, and growing. “Mobile phones now hold information on individuals’ bank accounts, credit cards, usernames, passwords and all sorts of other interesting information - not just people and their telephone numbers.
“Internet access (and for many it is always on) means people do their banking and shopping on their phones.”
And of course there’s a real business dimension too. Jason Langridge, UK Mobility Business Manager at Microsoft’s Mobile arm, points out that “mobile devices are fast becoming the de facto way of doing business”. As a result, “confidential data and company Intellectual Property are often stored on a mobile”.
So the sensitive information is going to be there on the device. But additionally, the mobile web provides an obvious attack vector for criminals – an always-on connection, especially via WiFi or the web, provides a ready route into the handset.
As Andrew Bradshaw, VP of Sophos UK, puts it: “The network as we know it is changing ... We are also seeing a shift in malware. Data theft is big business, and we are seeing even PCI-compliant companies losing data to clever fraudsters.”
And criminal malware isn’t the only issue. Gareth Maclachlan, COO at AdaptiveMobile, notes the statistical reality that more than 80% of phone users worldwide have received spam on their mobile phone; “the average tier-one mobile operator cleanses approximately 90,000 viruses each day, and some users are unwittingly sending up to 200 MMS [spam messages] per day.
“While some of these attacks are commercially focused, the others are threatening or offensive. Either way, they are unwelcome and intrusive and need dealing with.”
He also makes the point that by their nature businesses are vulnerable to mobile security threats. “Procurement will tend to buy large numbers of similar phone models— which makes it easier for viruses to spread. Shared contact lists are an obvious step for an organisation that wants to save its employees time, but it also makes people more likely to open potentially infected MMS or trust SMS from people in their address book.“
And here’s a telling one: “most business users never see their phone bill, so will never query the additional charges that may be the result of a security breach, giving fraudsters the opportunity to make more money undetected over a longer period of time.”
Trend Micro’s Todd Thiemann says the major threats to business users today come in two forms: malware and physical loss. “The most widespread of these attacks are the loss or theft of devices that may contain sensitive information such as trade secrets of intellectual property. An In-Stat analyst recently estimated that 700,000 Smartphones were lost or stolen in 2007.”
Guy Bunker of Symantec adds: “Companies lose around 5% of their laptops per year—and you are 22 times more likely to lose a mobile device than a laptop!”
But the mobile malware threat is growing, and it’s getting pretty clever. “One example we have seen recently is greyware, a type of mobile malware that can be used for spying on unsuspecting users. Although this may be for legitimate purposes in some regions, it can also be used for the illicit monitoring or spying on SMS traffic.”
Gareth Maclachlan and AdaptiveMobile take a broader view. “Mobile telephony is a very private medium of communication, and therein lies the danger. At the individual user level, the threats lie in unwanted and inappropriate content including SMS and MMS spam, pornography, illicit or even illegal content.”
And organisations have a broad responsibility here. “Threats such as cyber-bulling that are becoming a growing social problem are also prominent in the corporate world, especially as the proportion of company communications conducted through mobile devices continues to increase. According to the Dignity at Work Partnership, 6.2% of UK employees have been bullied via a text message and almost 9% believe that cyber-bullying is a problem in their current organisation.“
Spam is going through the roof, too. Recent YouGov research for Cloudmark has shown that 66% of UK mobile phone users have been victims of spam, with the number of 18 to 24 year olds targeted as high as 75%.
The survey which explored experiences and attitudes towards mobile spam found that the service providers are going to be the ultimate victims as 28% of consumers blame their operator for unwanted communications and 44% would consider changing network because of mobile spam. This figure rises to 65% as soon as the frequency of unwanted messages hits one or more a month.
In addition, there are data protection issues and industry-specific regulations that need to be borne in mind. “For example, the FSA is proposing that both MiFID (Markets in Financial Instruments Directive, a regulatory regime to increase competition and consumer protection in investment services) and non- MiFID compliance companies should record certain telephone conversations for regulatory purposes, as a measure to assist in preventing fraud. Undoubtedly, business conducted via mobile phones will also be affected.
“Further, PCI compliance will come into play for organisations, especially retailers, as mobile payments become more widespread.”
So how should malware and similar threats be countered? Well, it all depends on where you stand – or rather, where you make your money.
AdaptiveMobile sells an operator-oriented solution, so it’s no surprise that Gareth Maclachlan sees the solution at the operator’s end. “For mobile security to be truly effective, personal and corporate mobile users alike are therefore dependent on their mobile network operator to manage these unwanted communications, at the network level.”
He makes the point that mobile needs a specific type of response. “Unfortunately, traditional PC network security cannot be transferred to the mobile world, where the challenges are very different and more complex.
“For instance, spam filters don’t work for SMS and MMS as they do on emails. Also, the threats in the mobile space are not usually traditional viruses, which are designed to be highly virulent and so easily detected. Instead, rogue applications and even incorrectly written applications can cause significant havoc, but do not meet the PC vendors’ definition of viruses, and so are excluded from their AV clients.“
Sophos sells into business and so sees the significant role as being the end-user’s: “While it is true that only a smart proportion of data is being stolen from non-computer devices, it would be wise to ensure that a companywide policy as to their use is in place.
“Data theft can be as easy as stealing someone’s USB stick or username and password. Think of Single Sign-On, for instance, which will give access to all your applications in one go. The wrong person getting a hold of that has access to all the data you are allowed access to, without any further barriers.”
His solution: restrict the type of mobile device given to users. “Only allow devices you can prove give you an added business benefit. Then make sure the users are educated as to what can go wrong and make sure the information the device can access is as secure as possible. And consider having application control. Certain applications have a business use and are appropriate; others are not - disallowing these will lower the security risks while increasing productivity.”
More specifically, there’s a real need for user awareness and education. Andrew Bradshaw, VP of Sophos UK, reckons the user is actually the biggest single risk here. “The ignorant user—that is, one that has not been educated on acceptable behaviour in terms of password use, appropriate application use, the important of security, etc—is at much greater risk than someone who understand the risk and the actions they should take should something go wrong.
Jason Langridge of Microsoft agrees: “First and foremost, end user education is key. Employees need to understand that a mobile phone can potentially be a gateway to a company’s confidential information, whether it be leaving a mobile phone in a taxi or failing to implement a secure password, employees need to be aware of the potential consequences if a device falls in to the wrong hands or is compromised in some way.
“For businesses it is key to ensure employee mobile phones are managed securely, in particular phones that are being in brought in through the back door, owned by staff but used for work purposes.” This is where one of his products—Microsoft’s System Center Mobile Device Manager—comes in. This is a management platform that is compatible with the recently announced Windows Mobile 6.1; it should enable the IT department to protect sensitive information by encrypting the device, remotely wipe devices and also provide secure remote access to applications inside the corporate network.
What to sell
|Dr Guy Bunker, Symantec|
finding the tool that can implement your policies, effectively, on devices that are rarely in the hands of corporate IT.
“You employ your mobile workers for a variety of skills - they’re nurses, engineers, inspectors etc. They’re rarely IT-savvy and certainly not security experts. Yet more than 75% of enterprises leave the responsibility of securing mobile data in the hands of these users.
“For mobile solutions to deliver on their promise both security and management are necessary requirements. There are many common factors between them, so much so that security and management need to be symbiotic in order to be successful.
Guy Bunker of Symantec thinks that “from a business perspective, management of the mobile estate is an increasing problem. Central management is essential, and that includes the ability to rapidly provision new and replacement devices (people are lost without their phones - and business will stop for a sales individual if they don’t have one - with all their contacts on).
“So part of management also needs to include backup of contact details. Quite a few mobile email solutions do this automatically - providing you put the details into the email / contact solution, rather than on to the SIM in the phone (there is an education need here)
RDM is going to be a major sales and support opportunity in the future, because it’s a no-brainer. Organisations can impose security and usage policies on remote users, ensure that everyone has the most up-todate software on the phone, provide tiered access to company addressbooks and other information, and kill the handset if it gets stolen. A must-have for any business.
The killer argument here is probably the sheer number of handsets that get lost or stolen. If the user does not have confidential information on their mobile, the direct threat is minimal – but there’s still the danger that a thief will use the device illegally and run up a huge bill, or maybe make the kind of prank calls or send texts to customers and suppliers that can warp a relationship. So ‘remote kill’ functionality should be an easy sell. Says Guy Bunker: “The final piece of management is to enable central control - remote locking, wiping, and even being able to reduce functionality on the phone—switch off the camera, not allow data to be put on to removable media, and so on”.
But even at the level of the individual user, there are simple and obvious options. “Mobile devices must be protected by a password,” says Guy Bunker, “and ideally they should be encrypted—both the phone and any removable memory cards.
“After this, there is a need to look at mobile protection suites, anti-virus, firewall, antimalware etc. These should be kept up to date.”
How to sell
|Todd Thiemann, Director of Device Security Marketing, Trend Micro|
or field service automation,” says Todd Thiemann of Trend Micro. “Resellers should also point out and address the issues involved in ensuring that these devices are secured properly.”
In short, “the issue of mobile security is a relatively new one for customers and the reseller can act as an advisor as enterprises grapple with how to leverage smartphone technology, whilst ensuring the information kept on their devices is kept safe.
David Ginsburg, product manager for InnoPath, thinks the smartphone user should mandate the same protection as on a PC, especially if they are using the device for email and browsing. “At present, this is post-sale in the operator, where the user is expected to find and install the solution. It is not heavily marketed. This should change with the operator considering it a network deployment. On the enterprise side, I think they understand the problem, and where they are asking operators for EDM services, they are mandating this protection.
Bradshaw reckons resellers should also be educating themselves on the Network Access Control market. “This is a big growth area and one which has many strengths in helping secure the network from potential risks. Its policy implementations can help administrators stay on top of their network and stay informed on what is trying to access the network but is posing a risk. Not only does it prevent access to non-compliant systems, it also reports any findings to administrators.
“Resellers can also talk to anti-virus for mobile devices, especially when speaking to businesses. As many phone can synchronise with the network, it is vital that they do not introduce any risk.”