- Category: July - August 2008
Mobile device use in the business world is definitely on the rise. However, as mobile access to sensitive corporate information becomes more popular and the number and type of mobile devices used to access such information increases, security is an important concern. Mobility has its own characteristics and, hence, security issues. Below are some security threats to mobile devices and the measures that enterprises should adopt to manage these threats.
Some key mobile security concerns
Exposure of critical information
Even small amounts of WLAN signal can travel a significant distance, and it's possible to eavesdrop on these signals using a wireless sniffer. A wireless intruder could expose critical information if sufficient security isn't implemented.
Lost or stolen devices
Even if sufficient security is implemented in wireless virtual private networks (VPNs), a lost or stolen device could threaten the entire corporate intranet if it isn't protected by a password and other user-level security measures.
Mobile viruses can be a major threat, particularly with devices that have significant computational capabilities. Mobile devices, in general, are susceptible to viruses in several ways: viruses can take advantage of security holes in applications or in the underlying operating system and cause damage; applications or applets downloaded to a mobile device can be as virus-prone as desktop applications; and, in some mobile operating systems, malformed SMS messages can crash the device. The 911 virus caused 13 million i-mode users to automatically place a call to Japan’s emergency phone number.
E-mail viruses affect PDAs in much the same way regular e-mail viruses affect PCs (i.e., causing the PDA e-mail program to send multiple e-mails). These viruses are costly to enterprises and interrupt normal business too. PalmOS/LibertyCrack is an example of a PDA e-mail virus. It's a known Trojan horse that can delete all applications on a Palm PDA.
Spam causes disruption and drives up costs when it's targeted toward wireless devices.
Measures businesses should take when it comes to mobile devices
- Use advanced encryption and key management techniques to minimize WLAN-related security vulnerabilities. High-level security is available for WLANs using features such as Internet Protocol Security (IPSec) and 802.11 security standards such as EAP and WEP.
- Put strict access privileges on mobile users to protect sensitive information.
- Create security policies specific to mobile device usage. Minimize the impact of a lost device: password-protect all devices, encrypt sensitive documents on the device, and don't use automatic scripts for VPN login. Mobile device security policies should also use firewalls to restrict access to a limited set of sources.
- Regularly back up PDA data to a PC to prevent damage from PDA-specific viruses and worms.
- Use antivirus software for PDAs. Network-level scans are the most effective, centralized way of preventing viruses and other disruptions associated with mobile devices.
- Access control should include both hardware/device-based authorization and application-based authorization.
- Provide specialized training to mobile device users and administrators, including simple guidelines for the physical security of devices and a reporting mechanism in case of loss or theft.
- For virus/spam protection, customer premises solutions (or behind-firewall solutions, as they are called) are more effective than similar solutions hosted by the mobile carrier. Firewall solutions are much easier to control and manage, and more effective.
It is important to note that the key issue in mobile security is that no single security solution will work, given the nature of the mobile environment. Simply extending the existing security infrastructure to mobile devices isn't practical. Enterprises must treat mobile security as an independent task, and mobile-usage-specific security policies must be created and implemented. A comprehensive risk analysis of the potential security hazards associated with the use of mobile devices should be the first step along the path of mobile device security policy creation.