February 23, 2007
Mobile Security: Top Tips to Ensure Best Practise

Mike Oliver

     
 

As mobile technology drives the next wave of enterprise computing, security requirements cross new boundaries and invoke a whole new set of challenges to be addressed. Traditional management solutions are converging, and iAnywhere addresses these requirements through Afaria, a complete mobility management and security solution that covers the three critical areas discussed below. While enterprises may be tempted to think that mobile solutions aren’t worth the extra effort, the truth is that carefully planned mobile deployments have, time and again, proven themselves to deliver real breakthroughs in productivity, competitiveness and profitability.

 

UNITED STATES -- When it comes to mobile solutions, you can’t simply “shrink” down a LAN-tailored solution. The mobility needs of enterprises vary greatly from those of consumers and users of other technology solutions. Mobile enterprise solutions must scale easily to address the number of users, while also supporting the broadest possible range of device platforms. In addition, mobile solutions should be architected to maximise user productivity, including optimisation for intermittent and slower bandwidth connections.

While a central point of management is also a critical element of any mobile solution, having too many management consoles can become unwieldy. Recognising this, companies are seeking ways to minimise the number of management consoles by implementing management solutions that address all of their mobile device, management and security requirements. This article outlines three areas of best practice enterprises need to consider when developing a comprehensive mobile security solution.

Need for mobile security

The deployment of mobile devices across business has rapidly increased over the past few years. The flexibility of being able to work with business information on a portable device, regardless of location, is appealing to many. This next wave of enterprise computing is already resulting in greater productivity and efficiency for many people and processes.

Unfortunately, instances of security breaches are all too often accompanying this steady rise in the number of deployed mobile and handheld devices. Consider the following:

  • In its 2002 “Computer Crime and Security Survey”, the Computer Security Institute (CSI) found that 134 of 503 security professionals reported instances of laptop theft, resulting in an overall estimated dollar loss of $11,766,500, with the bulk of the damage resulting from the loss of proprietary information.
  • In early 2005, a laptop computer containing the names and Social Security numbers of 16,500 current and former MCI Inc. employees was stolen from the car of a Colorado-based MCI financial analyst.
  • In Japan, a handheld device containing personal information for 665 families was stolen from a Japanese power company employee.
  • According to the FBI and CSI, people are more likely to be a victim of laptop theft than any other computer crime, except malicious software infection.
  • A nine-nation survey of leading taxi companies indicated that tens of thousands of digital devices are inadvertently left behind in taxis. Leading the pack was a Chicago-based cab company reporting an average per-cab device loss of 3.42 for mobile phones and 0.86 for PDAs and PocketPCs.
  • Even celebrities aren’t immune to mobile security incidents: in early 2005 someone hacked into Paris Hilton’s smartphone and posted her private information on the Internet, including phone numbers, e-mail addresses, notes and photos.

Obviously, from the few examples cited above, mobile and handheld devices raise their own significant security challenges. It is now a well-known fact that these devices need to be protected against a number of vulnerabilities, including:

  • Small size and portability, which makes devices easier to lose or steal
  • Operation outside of the company firewall, which increases risk due to the unprotected and unsecured environment
  • Viruses and other malicious code, which can find an easy route into the enterprise via unprotected devices
  • Software and data not authorized by the company, the presence of which increases overall security risk

Gone are the days when handheld devices were used solely as electronic diaries. Core business process data has followed PIM (e-mail, calendar, contacts, tasks, etc.) onto devices as advances in mobile technology have enabled storage of increasing amounts of critical business information. This highly sensitive data needs to be protected across large numbers of applications, devices and networks.

Protecting access to central networks

Enterprises need to protect the LAN from unwanted outside sources. Mobile workers present a unique challenge to this requirement, due to their frequent need to connect over public wide area wireless networks. Luckily, there are many existing, well-understood techniques and capabilities for dealing with these threats, including:

  • Secure user log on and network authentication
  • Secure remote access services
  • Firewalls
  • VPNs for secure connections over public networks
  • Protection against hacking, worms, viruses and other malicious attacks via patching, and software that detects/prevents malicious activity
  • Logging, reporting and auditing of access activity, including protection from an inside job.

Protecting data travelling across a network

Data must be protected from interception when travelling across a network. In a secure private network, access controls such as those listed in the previous section may be enough protection. Where data is travelling across a public network open to other traffic, such as wireless GSM/GPRS or the Internet, additional steps are necessary to prevent its interception and unauthorised access. These may include the use of software to provide protection for data travelling across public networks, such as data encryption or the use of a VPN, which lets remote users access internal resources without risking public accessibility.

Protecting data and applications stored on the device

The power of many mobile computing devices lies in their ability to provide multiple applications along with local processing and data storage. Despite the inherent advantages, data stored locally on a device is vulnerable to incorrect usage, unauthorised access, and even deliberate misuse. These vulnerabilities exist even when there is no connection back to the company network. The small size and portability of mobile devices, and their removable memory sources, also make them more vulnerable to loss or theft. When this happens, it is critical that strong access controls and data protection measures are already firmly in place on the device in order to protect against unauthorised data and network access.

Locally stored data can be protected in several ways:

  • Power-on password protection mechanisms
  • Data encryption, both locally on the device and on removable media
  • Access logging and auditing
  • Over-the-air data wipe (for when devices are reported as lost or stolen)
  • Data backup and restore (for data recovery in the event of loss)
  • Virus and spyware protection
  • Patch management to close security loopholes found in OS and application software.

(The author is marketing manager, Sybase iAnywhere)







