When it comes to losing things, London’s taxi users excel. The treasure trove of items recovered from the back seats of the city’s black cabs includes a harp, a throne, diamonds worth £100,000 and a dog. Unsurprisingly, as the popularity of mobile devices – phones, PDAs, laptops and the like – has grown, so too have the numbers being left in cabs. But the actual numbers are astonishing, and they represent a very tangible threat to corporate security.
A recent survey by the Licensed Taxi Drivers Association and mobile security vendor Pointsec identified 63,135 mobile phones left behind in a six-month period; 5,838 PDAs and 4,073 laptops were also recovered.
This tale of feckless users is repeated at busy transport hubs across the UK. Every year, managers at London’s Heathrow Airport auction off 700 laptops and 1,500 mobile phones that have been left behind but never reclaimed.
And with each device left behind, the threat to the corporate network grows. Mobile devices have long since evolved from simply storing calendars and important contact details – they have become an extension of today’s office environment, providing a portal into the heart of the corporate IT system.
Companies underestimate the importance of securing mobile devices and remain oblivious to the security risks that these small devices can pose to IT environments, says Mark Boggia, European lead systems engineer at management software vendor Altiris. And the risk is likely to increase, because the mobile device market is being driven by employees who are increasingly “working on the road or at home”, he says.
Research from analysts IDC suggests that the global mobile worker population is likely to increase from 650 million in 2004, to more than 850 million in 2009, representing over one-quarter of the total workforce.
Yet this figure contrasts starkly with the attitude of many organisations that still have prohibitive restrictions – and deep reservations – about the use of mobile devices away from the office. Their first reaction is to “keep it out”, says Vince Re, chief architect at software management vendor CA. That works for a time, but it gets to a point where everybody wants to use whatever the latest hot device is, he says.
This is highlighted by a recent survey from Avanade, a Microsoft technology integrator, that shows many UK workers are resorting to buying their own devices, a practice that poses serious challenges for organisations.
Large businesses are struggling to centralise mobile solution deployments and only 38% of enterprise mobile workers are under an IT umbrella, says Jason Corsello, programme manager for business and IT services at consultants Yankee Group.
“A gap exists between individually owned mobile devices and companies’ IT infrastructure,” he adds.
THE RULEBOOK
CA’s Vince Re believes that overcoming these challenges “starts with security and it branches out from there”. The IT department should have had enough of a lead time by now to have adopted at least a number of basic practices, he adds.
Chief among these is establishing a clear and enforceable mobile security policy. “Mobility brings security headaches, but the answer starts with policy,” says Lisa Hammond, CEO of technology consultants Centrix. If a device is reported lost, can it be remotely locked down? How should those devices connect to the corporate network?
One organisation heavily reliant on mobile equipment is UK supermarket giant Tesco. It has over 40,000 devices under its management, including 12,000 PDAs for its wireless warehouse and in-store stock management and ordering systems. The challenges Tesco faces are enormous: ensuring devices send an alert to management if they leave the store; making sure shelf devices can communicate with each other when a store is re-configured; and encrypting key management information are just some examples. Tesco uses a central platform management tool to control its policies, something that “is pivotal to our plans to manage our entire estate”, explains Joe Galloway, group infrastructure director at Tesco.
But as wireless devices become ubiquitous, an important factor is how each device connects to the corporate network, and how unauthorised devices are kept off it.
One popular method is a virtual private network (VPN), in which tunnelling, data encryption and user authentication give users secure access over the Internet, whether they connect from a mobile phone, PDA, laptop or home computer. In essence, a VPN is a private network carried over a public one: it gives organisations the flexibility and scalability to let users connect to their systems remotely without having to build or manage the network themselves.
A VPN has a further advantage: because the user works directly with applications on the corporate server, data need not be stored on the client device. That holds only if the applications are actually used that way; a VPN does not by itself stop a user from saving files locally, so device encryption and remote wipe still matter.
“Firms now see SSL [secure sockets layer] VPNs as a mature option for securing increasingly mobile workforces,” says Robert Whiteley, senior analyst at Forrester Research. And features like clientless access, better support for devices like PDAs and a secure connection suitable for high-latency mobile networks will make SSL the de facto remote access technology by 2008, he says.
UNDER ATTACK
But VPNs are not the only solution to managing mobile devices, although they go a long way to solving the issue of security and privacy, says CA’s Re. The ability to scan for viruses on the mobile device itself, assessing what content has been downloaded, and knowing what networks the device has been connected to, are all equally important considerations, he adds.
Viruses and other malicious code are emerging as a serious problem for mobile users. But although the first mobile phone malware, the Symbian worm Cabir, was reported in 2004, and security vendor F-Secure has more recently recorded a worm that can move between a Symbian phone and a PC, hackers’ main priority remains Windows-based applications.
“We’ve seen little PDA and mobile phone specific malware for things like the Symbian,” says Graham Cluley, senior technology consultant at anti-virus software maker Sophos. And the handful of viruses that do exist have tended to be written by hackers wanting to show off their skills, as opposed to the financially motivated, organised gangs who are writing regular Windows malware, he says.
There are over 185,000 viruses and Trojans targeting the Windows operating system alone, and even though the threat of viruses crippling mobile devices remains small – for now – the devices can become a vector by which Windows viruses are carried to other machines or systems, for example when a user forwards an infected attachment to a colleague. Says Cluley: “Most people looking to protect their PDAs, BlackBerrys and other devices are looking to scan for the malware which doesn’t affect the actual device, but more prevents it from coming into the organisation via the device.”
“Don’t give users the right to install software on mobile devices, thereby making it harder for a piece of malicious code to install itself too.” – Graham Cluley, Sophos
But even though the small number of viruses that do exist have not caused widespread damage, “they have established a beachhead for the next generation of attackers”, says Thomas Raschke, senior analyst at Forrester. These attacks will increasingly focus on disrupting local mobile phone networks using worms and on stealing information from PDAs. Already, hackers have claimed to have found ways to exploit the trust relationship between the BlackBerry mobile email device and the organisation’s server to hijack information.
One such researcher is Jesse D’Aguanno, director of research and professional services at IT risk management firm Praetorian Global, who released a proof-of-concept Trojan called BBProxy. Once installed on a handset, it lets an attacker tunnel through the BlackBerry’s trusted connection to the corporate server and attack machines on the internal network. His aim: to demonstrate how, even though these devices are “regarded as inherently secure, most administrators deploy the [BlackBerry] solution without a full understanding of the technology or risks involved.”
Part of mitigating the risk of attacks from viruses and Trojans, is the sensible setting up of the device, says Cluley: “In terms of administrator rights, for instance, you may not want to give the users the right to install software, thereby making it harder for a piece of malicious code to install itself too.”
BACK TO SCHOOL
Putting policies in place is one matter; ensuring that users adhere to them is another. And when employees are on the road and away from the controlled environment of the office, the potential for things to go wrong is greater. To address this problem, many organisations that have introduced mobile technology are educating their users on how to use the devices, and instilling mobile security best practices that help them protect both their own data and the organisation’s information from loss or outside attack.
High street retailer Marks & Spencer has such a programme in place. Executives at M&S use mobile devices running Microsoft’s Windows Smartphone operating system to access both their email and a number of core information systems for monitoring business performance. “From a policy perspective they have to attend a training course,” says Jason Langbridge, UK mobility business manager at Microsoft, responsible for implementing the solution. “They have to understand how to use the device and what to do if they lose it.” The results have been dramatic: in over a year, only three mobile-related calls have been logged with the helpdesk.
It is a lesson for the IT executive: users can be encouraged to use mobile devices sensibly. But until such ground rules become commonplace and user awareness improves, management controls will form a necessary part of any mobile strategy.
Securing mobile devices
There is no single technology for fully addressing all issues related to mobile security. However, a number of technologies can work together to ensure a more comprehensive approach is taken in protecting valuable corporate information.
Password authentication
Passwords are the easiest way to secure a device, but used poorly they leave an open door for attackers. Two-factor authentication, in which a second factor is required alongside the standard password, is more robust. Hardware tokens that generate a new one-time password every 30 to 60 seconds, synchronised with the organisation’s authentication server, provide a secure method of logging in from mobile devices, VPNs, laptops and desktop machines.
Management tools
Management tools give organisations the ability to centrally control the configuration, deployment and ongoing management of mobile devices. Many include basic functionality such as: remote locking and erasing of data on lost devices; device tracking; asset management; configuration enforcement; and backup and recovery services.
File Deletion
If a PDA or laptop is lost, its contents can be deleted, either on the device itself, triggered for example the next time it is switched on, or remotely, using a range of management tools (see above). Remote deletion only works while the device can still reach the network, so it should complement, not replace, encryption of the data on the device.
Device and data encryption
A multitude of encryption technologies exist, and data can be encrypted at file, folder, partition or whole-disk level. Sensitive or confidential data transmitted over external networks should likewise be protected by encryption. In either case the protection is only as strong as the password or key that unlocks it, so encryption must be paired with a strong authentication policy.
Backup and recovery
Mobile devices should be subject to the same backup policies and procedures that govern devices inside the corporate firewall. Many vendors offer automatic, real-time data backup for PDAs, mobiles and laptops.
Further reading in Information Age
Sybase’s mobile pursuit, August 2006
Crosstown traffic: Three technologies for metropolitan wireless broadband services, July 2006
Dual-mode handsets boom: Converged voice and data mobile devices, June 2006