Tackling mobile threats

Security fears are preventing organisations from fully embracing mobile technology despite the manifold benefits of a connected mobile workforce

By Diana Milne. Published April 30, 2006

Mobile technology is proving to be something of a mixed blessing for companies. It can bring great benefits, such as enabling mobile workers to stay connected at all times, but equally it can also bring great risks. For instance, while having all your data readily to hand on your laptop can be beneficial, what happens if you lose it? When a laptop or other device is taken out of the office and into the big wide world, confidential company data and a gateway to the corporate network go with it. Such mobile devices are rich pickings for thieves and hackers who can attack them easily through unprotected wireless networks.

Such nightmare scenarios are not uncommon. One study, conducted for mobile security firm PointSec, found that over a six-month period in London 63,000 smart phones, nearly 6,000 personal digital assistants (PDAs) and nearly 5,000 laptops were left behind by passengers in taxi cabs. This despite the fact that the firm found that as much as 40% of a company’s data may be saved on laptops — and that 60% of managers said their business would be damaged or extremely damaged if their mobile devices were to be lost or stolen.

According to research by security firm Symantec, security concerns are the biggest barrier to us all becoming wireless workers: over 60% of companies worldwide are holding back on deploying mobile technology because of fears over cyber crime. The same research found, however, that despite their cautious approach to wireless and remote computing, of these same companies 10% had no measures for addressing mobile security and 39% granted mobile devices access to the corporate network on a dangerously ad hoc basis.
So it seems that while companies are very aware of the risks associated with today’s increasingly mobile computing environment, they lack understanding of how to protect themselves against those risks. “In today’s enterprise, there are multiple end points to account for — and proper protection cannot be tackled as one size fits all,” says Paul Miller, director of mobile and wireless solutions at security giant Symantec. “While most enterprises are aware of the risks introduced with mobility they continue to lack the appropriate security measures and policies required to protect themselves from potential threats,” he adds. “A coherent strategy for mobile security would work towards alleviating the concerns of many enterprises,” says Miller. “Companies can begin leveraging mobile technology as a competitive advantage by adding mobile protection to five to 10% of their mobile workforce and heeding best practices,” he goes on to suggest.

The most obvious — and one of the most frequent — threat is the physical one associated with notebook PCs or handheld devices such as PDAs and mobile phones being lost or stolen. In part, this is down to the simple fact that there are just more of these devices around today. Research firm IDC claims that the number of remote or mobile computer users will have increased from 110 million employees worldwide in 2005 to 162 million this year. Yet despite the value of these mobile devices, many are left in airport lounges, restaurants or trains every year.

On its website Microsoft has published a comprehensive list of guidelines for mobile workers on how to prevent such mishaps occurring — and, if they do occur, how to limit the damage. One of its tips is to ensure that all data on a laptop is encrypted. Encryption provides an additional layer of protection should someone gain access to that user’s files.
It is possible to encrypt files and folders using Windows XP, which makes it virtually impossible for anyone to gain access to confidential company data. Microsoft also advises mobile workers to purchase one of the laptop security devices that are available on the market. These can range from devices as simple as a security cable which attaches a laptop securely to a heavy chair or table, to programs that are able to report the location of a stolen laptop. They work when the laptop connects to the internet and can report its exact physical location. Such tracing programs include zTrace, CyberAngel and Computertrace Plus.

Laptops now available on the market also feature increasingly sophisticated authentication capabilities, including biometric fingerprint sensors and biometric smart cards that can be inserted into the laptops then activated with a password before they can be switched on. Other Microsoft tips include the obvious, such as not leaving access numbers or passwords in your carrying case, not setting your laptop down on the floor and carrying your laptop with you on a plane rather than checking it in with your luggage. While theft or human error does indeed present a significant risk to company data held on mobile devices, this at least can be prevented by following some common sense precautions.

Infected devices

Far more complex and ever-increasing threats are viruses and malicious code, which can easily infect mobile devices while they are connected to wireless or home networks. Wireless networks are becoming commonplace in many hotels, airports and restaurants, with WiFi hotspots now having reached around 100,000 worldwide according to a report by the research firm Informa Telecoms and Media. While this presents major benefits to companies, allowing mobile workers to access the corporate networks from their mobile devices while on the move, it also brings with it great risks.
Entering a wireless network is entering unknown territory where you don’t know the level of security protecting that network and you don’t know who else is also connected to it and looking over your shoulder. According to Kevin Isaac, Symantec Middle East regional director, “Wireless networks are intrinsically unsafe because of the community you are entering into.” He describes having a WiFi connection on your laptop as tantamount to “having a big gaping back door which people can use to enter your network.”

The proliferation of mobile devices that are now available has also increased the number of channels through which hackers are able to attack company networks. As well as laptops, other mobile devices — particularly smart phones — are also becoming increasingly vulnerable, increasing the channels through which hackers can access company data. Symantec’s Internet Security Threat Report Volume IX, which was published in March, claimed that malicious code that targets mobile devices continued to rise through the second half of 2005. The report also highlighted several new examples of malicious code for smart phones including cardtrp, the first cross-platform threat with the ability to affect both Symbian and Windows operating systems.

There are several ways in which companies can add protection to their mobile devices as well as protecting their corporate networks from any viruses carried on these devices. There are numerous products available which provide anti-virus and firewall protection for mobile devices — including laptops and handheld products. Symantec offers solutions to address wireless devices running on the Symbian, Palm OS, Microsoft Windows Mobile and Pocket PC platforms.
Its Anti Virus for Handhelds Corporate Edition 3.5 product is a virus protection solution designed to secure corporate data held on such devices and protect against the spread of malicious code, which has been downloaded from the web, e-mail or a WiFi connection or via Bluetooth. Similarly, Trend Micro offers the Anti Virus for Mobile Devices product as well as a corporate anti virus solution that covers both laptop and desktop PCs.

As well as protecting the devices themselves from attack, organisations must put systems in place to protect their corporate network from potentially infected mobile devices that are plugged into it. McAfee has launched TOPS (Total Protection Solution), which offers network protection that extends to the laptop and includes anti virus protection for all tiers of the network, anti spyware, anti-spam, desktop firewall, host intrusion prevention and a complete network access control system — all managed by a single console. If an employee takes their laptop out of the office then plugs it back into the corporate network, the product is able to check to see whether it has been infected by viruses, and if so alert the IT manager.

Patrick Hayati, regional director, McAfee Middle East, says: “I think laptops are becoming a must but organisations are worried about the additional security risk they pose in terms of theft and outside intervention.” “There was a survey done that showed over 40% of people will take their laptops home and let their kids play with them at weekends. This in itself is dangerous, because children tend to download stuff, including games, that are not secure,” he adds. “Because of this I think that products like TOPS will become the norm,” Hayati explains.

Similarly, the Blue Coat Remote Access End Point product protects the corporate network and alerts the IT manager if any mobile device infected with a virus is connected to it.
It also prevents information theft and leakage on unmanaged end points, ensures compliance with security policies for data protection and provides an “in office work environment” to help the mobile workforce operate securely. This product was added to the Blue Coat portfolio through its acquisition of Permeo Technology and has been integrated with the Blue Coat ProxySG family of proxy appliances. These products sit at the internet gateway and protect company networks from spyware, phishing attacks and inappropriate web usage and are able to stop potentially harmful traffic from entering the network via remote users.

The product is also able to prevent the use of mobile devices for peer-to-peer applications — the sharing of files such as music or games online. “Our corporate clients want to control that because they don’t want their employees going out and using the internet for purposes other than business,” says Ray Kaffity, regional manager for Blue Coat Systems, MENA. “It’s a real waste of their resources and can be a security threat,” he adds.

Trend Micro, in conjunction with Cisco, offers a product which checks to see if notebook PCs are equipped with up-to-date antivirus technology before they can connect to the corporate network. Whichever technology they choose to deploy, Symantec advises all companies to adopt a multi-layered approach to security. “Just having antivirus protection is not enough,” says Symantec’s Isaac. “You need to protect against every possible vector of attack — firewall, intrusion protection and anti spyware are all different layers in your arsenal of defence,” he advises.

In an age where wireless and home networks provide hackers with multiple entry points to a company’s corporate network, the need for organisations to secure mobile devices and stop them from contaminating the corporate network is stronger than ever. With more ways for hackers to attack your network being created, secure access for the mobile worker is essential.
Virtual private networks (VPNs) are considered by many enterprises as the best way to protect their corporate networks. A VPN is a private network that uses a public network to connect remote sites or users together. It uses virtual connections routed through the internet from the company’s private network to a remote site or employee. “Companies should make sure that anybody accessing the network is connected using a VPN because whenever they do that the network will be protected,” says Isaac.

A remote access VPN is designed specifically for companies with employees that need to connect to the private network from remote locations — such as a large firm with many sales people working outside the office. A VPN provides a secure way to connect mobile employees with the network by using security procedures and tunneling protocols. These protocols encrypt data at the sending end and decrypt it at the receiving end via a “tunnel” that cannot be “entered” by data that is not properly encrypted. An additional level of security involves encrypting not only the data, but also the originating and receiving network addresses. The Symantec Clientless VPN Gateway is a stand-alone security appliance that connects large numbers of remote users to corporate networks without requiring the installation of client VPN software.

However, companies must not stop at just deploying security devices. They must also educate their employees on how to protect their company’s network at home, on the move and in the office. Many security experts believe that workers are the weakest link when it comes to protecting corporate networks from virus and hacking attacks. The simple act of a user taking his laptop home, downloading virus-infected games and music files, then taking it back to the office and connecting it to the corporate network can be catastrophic for an organisation.
Samir Kirouani, a pre-sales engineer for Trend Micro in the Middle East, says: “Sooner or later all applications will be accessible from mobile devices. So I would say that, for companies, educating their employees is one of the most important things they can do.” “It’s definitely not intentional, and probably because a lot of people would not know that their actions could harm the company, but employees can expose a corporate network to dangers,” Kirouani explains. It is vital therefore that companies rigorously enforce their IT security policies and ensure that staff are properly trained in how to use mobile devices safely — before ignorant employees become the biggest vulnerability on their corporate network.
