Mobility
August 7, 2006
Better secure than sorry
Runa Mukherjee
- Security is about reducing risk, not eliminating it;
- As networks have grown in complexity, so has the need for comprehensive security products and solutions;
- Executives are exposed to security threats like viruses & Trojans, which can compromise an enterprise’s or user’s data;
- End-to-end encryption of data makes it secure;
- Analog communications are easier to decipher than digital communications;
- F-Secure provides anti-virus and firewall solutions for mobile devices;
- The Cisco ‘Self-Defending Network’ security solution addresses the complex security threats faced by today’s global enterprises.
NEW DELHI -- As technology gets better by the day, the chances of its being misused increase as well. In a scenario like that, one must take measures that are intelligent and secure.
With the number of mobile subscriptions crossing the hundred million mark, mobile data security tops the list of security concerns. Mobile data, however, applies to a large number of devices that are mobile, like PDAs, laptops and the like.
When thinking about mobile security, there is no perfect solution. Security is about reducing risk, not eliminating it. Thus the security options available today are important not only to remember but also to follow.
“With the increase in mobility the network perimeter has extended beyond the confines of the four walls of an enterprise's office. It is, therefore, necessary to ensure that there are sufficient safeguards such that the network, the data on it and the end devices are secured in a fashion that does not compromise the network and jeopardise the business. This ability to offer consistent, reliable, and secure solutions on a mobile device is termed as mobile data security,” said Hayath Mohammed, business development manager, security, Cisco Systems India and SAARC.
Security threats for enterprises over the years have grown in prominence. Initially hackers used to target individual computers in the ’80s, then individual networks in the ’90s and today they are targeting the global infrastructure. The advent of globalisation and the rise of mobility have extended individual enterprise networks into a larger global network offering seamless connectivity/mobility. This threat and impact on business has increased the importance of security among enterprises and increased the complexity of security solutions as well.
As networks have grown in complexity, so has the need for comprehensive security products/solutions. As per a Q4-05 report by Frost & Sullivan, the India network security market is pegged at US $24.9 million with Cisco commanding a lion's share of 44.6 percent.
Mobile devices such as laptops and PDAs make it possible for workers to access information anywhere. Improved mobility means that the data can travel outside the boundaries of LAN firewalls. Now, more and more workers are using mobile devices to access important data outside the organisation and so, strategies need to be made that address ways of managing and securing the mobile devices that keep and store your data.
Security means to minimise risk, to identify the weakest link and to protect it. There is a huge potential for confidential information to be exploited on mobile devices. Due to this, executives and corporate honchos run a huge risk of leaving their important data at the mercy of feeble security.
Identifying who is accessing the information is very difficult in a public network. Also, mobile computing necessitates the exchange of confidential data over public networks, rather than over wired networks inside the organisation. This makes the data susceptible to interception over wireless networks.
So, why has this issue assumed such a great significance recently?
“Security is a big concern not only in India but the world over. With business users utilising smartphones and other mobile devices not only for company business, but for e-mail, instant messaging, browsing the Web, downloading and sharing files over the Internet, they are being exposed to security threats like viruses & Trojans, which can compromise an enterprise's / user's data,” said Hayath Mohammed.
Smartphones, PDAs, and laptops are increasingly being used in India much the same way as desktop computers, putting these devices at risk of the onslaught of threats that has been seen in recent years on PCs. It is a challenge for mobile enterprises to ensure that security and administration policies are extended to all endpoints including laptops, smartphones and PDAs.
“Mobile devices are becoming miniature computers with as much computing power as the PCs had five years ago. Therefore, users of such devices can use them for so much more than just phone calls – e-mail, browse the Internet, take photos and send them etc. Therefore they have to be considered for what they are, computers and they have to be protected as such,” said Patrik Runald, senior security specialist for F-Secure Corporation.
India has been witnessing a huge growth in its IT sector for the past few years. Mobile viruses have hit India, just as they have 30 other countries in the world, but the problem is still quite new here. It will become a bigger problem in the future though, with the cyber criminals looking into this market as a means of making more money.
Problems
According to a whitepaper by iAnywhere Solutions, a subsidiary of Sybase, Inc, four common problems encountered with mobile data are interception of data transmissions, authentication of users, rogue access to data and lost devices.
Protecting data transmissions
The data being transmitted must be secure from end to end. The various places where the data can be intercepted are: in thin-client, browser-based applications, e-mail, voice, data-synchronisation, client/server communications, or messages and alerts.
Data transmission that is secure has the following features:
- Confidentiality: Communications should remain private;
- Integrity: The data should not be modifiable, whether anybody is able to see it or not;
- Non-repeatability: A recording of the stream should not be useful if it is sent repeatedly to the server;
- Authentication: You should be sure that you know who you are communicating with on the other end and avoid a man-in-the-middle attack. Clients connecting to the enterprise system need to know that they are communicating with the correct server. Only authorised clients should be able to communicate with the server.
In order to protect your data, you should ensure that there is end-to-end encryption of your data, from the remote device to behind the corporate firewall.
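The integrity, non-repeatability and authentication properties listed above can be seen in a small receiver that checks each incoming frame. This is an added example, not code from the whitepaper or from any vendor named in this article; the frame layout, the names `seal` and `Receiver`, the client IDs and the key are assumptions constructed for illustration. It authenticates only the client to the server, and confidentiality would come from encrypting the channel (for example with TLS).

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 tag size in bytes


def seal(key, client_id, counter, payload):
    """Sender: frame = id_len | client_id | 8-byte counter | payload | tag."""
    cid = client_id.encode()
    body = struct.pack("!B", len(cid)) + cid + struct.pack("!Q", counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Server side: one key and one highest-seen counter per authorised client."""

    def __init__(self, client_keys):
        self.client_keys = dict(client_keys)
        self.last_counter = {}

    def accept(self, frame):
        id_len = frame[0] if frame else 0
        if len(frame) < 1 + id_len + 8 + TAG_LEN:
            raise ValueError("truncated frame")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        client_id = body[1:1 + id_len].decode("utf-8", "replace")
        key = self.client_keys.get(client_id)
        if key is None:
            raise PermissionError("unknown client")      # authentication
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):       # constant-time compare
            raise PermissionError("tag mismatch")        # integrity
        (counter,) = struct.unpack("!Q", body[1 + id_len:9 + id_len])
        if counter <= self.last_counter.get(client_id, -1):
            raise PermissionError("replayed frame")      # non-repeatability
        self.last_counter[client_id] = counter           # only after all checks pass
        return body[9 + id_len:]


def demo():
    """Constructed sample traffic: genuine, replayed, tampered, unknown sender."""
    key = bytes(range(32))  # constructed demo key; real keys come from a CSPRNG
    server = Receiver({"pda-17": key})
    good = seal(key, "pda-17", 1, b"sync:contacts")
    tampered = bytearray(seal(key, "pda-17", 2, b"sync:calendar"))
    tampered[-TAG_LEN - 1] ^= 0x01  # flip one payload bit "in transit"
    frames = [good, good, bytes(tampered), seal(key, "laptop-9", 1, b"sync:mail")]
    results = []
    for frame in frames:
        try:
            results.append(server.accept(frame).decode())
        except (PermissionError, ValueError) as exc:
            results.append(str(exc))
    return results
```

The counter is advanced only after the tag verifies, so a forged frame cannot push the replay window forward and lock out the genuine client.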
Protecting against unauthorised users
You want to be certain that only authorised clients can connect to your server and that clients are connecting to the correct server. Verifying that the correct entities are involved in data transmission is even more difficult in message systems because hand-shaking protocols cannot be used. Defining clients is also important because, depending on the application, specific rights and permissions are configured on a per-user basis.
Protecting against rogue access to data
In a few cases, services on a mobile device may respond to requests for data. These services can be exploited to gain access to the device's contents. Trojans can lurk on devices, and if a device has been exposed, then the Trojan can make connections and pass out data: in effect, the Trojan becomes a service. Currently, there are not many Trojans around for handheld devices, but this is a significant concern for laptops that are connected to the Internet. Devices can also be attacked through interfaces such as database servers, FTP servers or Internet servers, etc. The Code Red virus was spread via an infected Web server. It is also important to monitor for unauthorised software, ensure that a device has the correct system configuration, or push out operating system security updates.
Devices that are used on WLANs should be considered outside the firewall and treated accordingly. WLANs should be set up outside your firewall using a VPN to gain access to the corporate LAN.
On laptop computers, you can use a personal firewall, for instance, BlackICE or ZoneAlarm, to help prevent rogue access to your data. Device management software can also help address the problem of rogue access to data by allowing you to enforce your security policies from a central position.
Protecting data on lost devices
Another security consideration for mobile devices is how to protect data on lost or stolen devices. There are two areas that your solution needs to address: data that is persistently stored on the device, and always-running applications.
“Information theft and viruses are the most common of all threats. As these devices get more and more data storage capabilities they typically contain more confidential information than just phone numbers. By losing the device, a company risks losing confidential information,” said Runald.
Protecting data stored persistently on a device
There are two precautions that you should take to prevent disclosure of the data stored on a mobile device: encrypting sensitive data, and encrypting the entire file system. Data that is stored on hard disks, in persistent memory, or on removable flash cards should be protected.
Protecting applications that are always on
Applications that are always running can also be at risk. Even if the data store is protected, if the application has cached data, you may risk exposing the data to unauthorised users. Data stored in an application's memory is more difficult to access, but may also be exposed.
If your application sends updates that appear on-screen, the data contained in them may be available to anyone who turns on the device. In order to protect applications that are always on, you should include a password-protected timeout in your applications and it is important that the password is not stored on the device; otherwise, anyone who has access to the device may be able to access your data. Your application should also include code to verify that users have not defeated your password protection features.
Additional data transmission security issues
Mostly, third parties control security: the phone carriers, browser providers, and e-mail providers. For example, a potential security problem that can only be addressed by carriers is the WAP Gap. WAP is a form of thin-client Web browsing that is available on PDAs and mobile phones. At the WAP gateway, data is decrypted and re-encrypted because the WAP/WML and Internet/HTTP security standards are different. This results in a period of time where your data is available in a decrypted form. There is also a risk of data being intercepted over wireline phone communications. Analog communications are easier to decipher than digital communications, but the data may still not be secure, even after encrypting.
“Viruses are also a growing problem for the mobile devices. Right now there are over 230 mobile viruses targeting mobile devices. The most wide-spread viruses (Cabir and Commwarrior) do not do anything damaging to the phone. Commwarrior can cause an increase in the mobile phone bill as it, in addition to using Bluetooth, uses MMS to spread,” he said.
Mohammed has similar beliefs: “Most users carry critical data on their devices such as e-mails, address books, meeting notes, and calendar appointments. Loss or theft of these devices can result in misuse of critical and confidential data. In addition to loss or theft, security experts are finding a growing number of viruses, worms, and Trojan horses that target mobile devices.”
These could further unknowingly infect the organisation's network with a worm or virus. For instance, consider the scenario of an authorised user with a smartphone or PDA and a secure VPN connection to the network. If the smartphone or PDA is contaminated by a virus before the user establishes a VPN link, the virus could bypass the corporate firewall and enter the network.
Solution
Company policies and procedures should aim to minimise the risk of theft or compromise of the data on employees' mobile devices; developing them should be the foremost precaution taken by administrators of IT and IS.
The safety measures given below could reduce the risk that confidential information will be accessed from lost or stolen mobile devices:
- Provide training to professionals using mobile devices. One cannot be held accountable to secure their information if they haven't been told how;
- Remove data from devices that are not in use. Several incidents have involved people obtaining "hand-me-down" mobile devices that still had confidential company data;
- Centralise management of mobile devices. An inventory must be maintained so that one knows who's using what kinds of devices;
- Patch management for software on mobile devices should be initiated. This can often be simplified by integrating patching with syncing;
- Establish procedures to disable remote access for any mobile devices that are lost or stolen. Devices store user names and passwords for Web site portals, which may allow a thief to access even more information than on the device itself.
What are the vendors doing?
The Self-Defending Network is Cisco's long-term strategy to protect an organisation's business processes by identifying, preventing, and adapting to threats from both internal and external sources. With a multi-layered approach to security - endpoint, gateway and network, Cisco helps organisations take better advantage of the intelligence in their network resources, thus improving business processes and cutting costs.
The Cisco ‘Self-Defending Network’ security solution addresses the complex security threats faced by today’s global enterprises and is designed to dramatically improve the ability of the enterprise networks to autonomously identify, prevent and adapt to a range of security threats. The three principal characteristics of the Cisco Self-Defending Networks are:
- The integration of security throughout all aspects of the network;
- Collaborative processes between the various security and network elements;
- The ability of the network to adapt to new threats as they arise.
“The Cisco network-based strategy allows enterprises to use their existing investment to solve the most pressing security concerns today, while providing an architectural platform that can evolve to proactive, automated, real-time management of threats,” said Hayath Mohammed.
Cisco leads the enterprise network security space with a 44.6 percent market share in India.
iAnywhere Solutions also offers a wide range of mobile data solutions that help protect your data. SQL Anywhere Studio uses TLS/SSL to protect data synchronisation and client/server communications. Server authentication is achieved through the use of digital certificates. Manage Anywhere Studio encrypts all the packages sent between the server and the remote client. Client/server communications in Mail Anywhere Studio are also encrypted.
F-Secure provides anti-virus and firewall solutions for mobile devices. It shipped its first anti-virus product back in 2001, three years before the first mobile virus was found. So it has been looking at this area for a very long time.
“Our product is very competitive and we recently won an anti-virus test for mobile phones (the first test of its kind) conducted by a magazine in Germany. F-Secure provides security for all levels of the network, from the gateways down to laptops and mobile devices (phones and PDAs). These solutions are all easy to use, updated automatically and our dedicated anti-virus research team works 24/7 to continuously update the products to protect the users against all the latest threats,” said Runald.
For the laptops, F-Secure Anti-Virus Client Security offers protection against new breeds of threats. It is a centrally-managed solution consisting of tightly-integrated virus protection, spyware protection, desktop firewall, and intrusion prevention and application control software for desktop and laptop computers.
For the mobile devices, F-Secure mobile security enables secure mobile computing by combining an integrated antivirus and firewall. Device-resident protection safeguards the mobile device from any type of attack, from intrusion attempts to malware. The solution delivers invisible and automated safety through real-time, on-device protection with customisable firewall rule sets and automatic over-the-air antivirus updates.
Standardisation of mobile data security
Standardisation of mobile security is very relevant as it offers a set of norms and standards for organisations to look into and build upon. Enterprises offering mobile data services through WiFi can look into standards such as WPA and WPA2, apart from backend security, for which a sound architecture should be implemented.
Mobile IP and GPRS Tunneling Protocol (GTP) are some of the standards available for service providers providing GPRS data services. Cisco security products support inspection of such protocols.
Mobile data security remains a primary concern for us. Success depends on the measures taken by individuals and organisations alike. Care should be taken that, when a breach takes place, privileged information is not compromised. However, making sure that no breach occurs in the first place is the best way to go about it. Securing your mobile data with the help of experts and the advanced security solutions available in the market is and can be an achievable dream in the long run.
General Statistics
- The theft of a laptop results in an average financial loss of US $89,000; only a small percentage of the sum actually relates to the hardware cost.
(Source: 2002 Computer Security Institute/FBI Computer Crime & Security Survey)
- The average financial loss resulting from a laptop theft grew by 44 percent from 2000 to 2001 (US $62,000 to US $89,000)
(Source: 2001 and 2002 Computer Security Institute/FBI Computer Crime & Security Survey)
- Nearly 40 percent of victims do not report computer intrusions.
(Source: CSI/FBI Computer Crime and Security Survey 2005)
- According to a report by Computerworld, the burglary of a password-protected file server at New York-based AIG resulted in the compromise of personal data belonging to approximately 970,000 people. The theft took place on 31 March 2006, but it has taken the company till now to determine exactly what information the server contained.
- According to another report by Computerworld, multiple servers were recently hacked at WIU, in Macomb, Ill., resulting in the compromise of the names, credit card numbers and social security numbers of up to 240,000 people.