
Wireless security: IT pros warily watching mobile phone threats

By Bill Brenner, Senior News Writer
28 Feb 2007 | SearchSecurity.com


When McAfee Inc. released a report claiming 83% of more than 200 mobile operators surveyed had experienced mobile phone infections, some IT professionals were skeptical. After all, they haven't seen any phone infections in their environments.

Robert Shullich, senior security technology advisor in the corporate information security office at New York-based Bowne & Co. Inc., said he hasn't seen any malware attacks against phones and PDAs in his company, and wonders if McAfee is "over-hyping this since they sell antivirus."

But he and other IT professionals admit they'll probably see mobile phone attacks sooner rather than later, and they're starting to look at ways to minimize the threat.

"We have many security concerns about mobile devices, including the loss of sensitive data via loss of the device, and someone using the authorized channel between the phone and the corporate server to gain unauthorized access to the network," Shullich said in an email exchange. Phone spam is also a concern, he said.

Eighty-three percent of mobile operators surveyed by Informa Telecoms & Media on behalf of McAfee Inc. between December and January acknowledged they've been hit by mobile device infections. Respondents, who answered questions on a variety of mobile security issues in an anonymous online survey, also acknowledged that:

  • The number of mobile security incidents in 2006 was more than five times as high as in 2005.
  • The number of mobile operators in Europe and APAC reporting incidents affecting more than 1,000 devices more than doubled in 2006.
  • All operators spent $200,000 or more on mobile security in 2006 compared to 2005.
  • The number of mobile operators estimating that the cost of dealing with mobile threats is more than 1,000 hours increased by 700%.

An underestimated risk
Nils Puhlmann, senior manager for enterprise information security at a Fortune 100 company in California, said he hasn't read the McAfee report. But whether the numbers are hyped or not, he does believe people are underestimating the risk to mobile phones -- and the larger threat to company networks.

"We haven't seen any big breaches in this area, so nobody is really paying attention," he said. "Security is reactive, and no one takes notice until something happens."

Sooner or later, something will happen, he said. And the damage won't be limited to the phone itself.

"There's no such thing as just a mobile phone anymore," Puhlmann said. "Some devices have Bluetooth, which means there's some sort of network connection, and we're seeing a lot more email and Web functionality. Anything stored on that device is business property and needs protection."

Several thousand employees in his company use Blackberries, which he said are more secure than some other phones on the market because they were designed with IT management in mind. But employees are eager to try out other phones that may be a lot tougher to manage from a security standpoint, such as the newly unveiled Apple iPhone.

"When Apple announced the iPhone, a lot of people in the company started inquiring about getting one," he said.

Like losing a laptop
In the future, he said, losing a phone may become as problematic for a company as losing a laptop is today. "You can lose a phone that easily has 30 email messages on it, many of which can include sensitive information," he said. "We have a policy that if any of these devices get lost it has to be reported right away. You have to treat it as if you lost your laptop."

Steven Dietz, information security principal for North Carolina-based healthcare services provider Quintiles Transnational Corp., agrees. He also worries that as phones grow more sophisticated, they could become vulnerable to older, PC-based software flaws.

"The smart phone is getting more and more like a PC all the time," he said. "When people can read .pdf or PowerPoint files or even make changes to the document over a phone, the phones could potentially be vulnerable to older flaws that were fixed long ago on the PC side. Embedded firmware makes patching all the more joyous."

Like Puhlmann's, Dietz's environment is primarily Blackberry-based. He too likes the added manageability of the Blackberry and said the device has a future in his company. One of the features he likes is the ability to enforce security policies.

"After a certain amount of attack attempts, it locks up and becomes useless," he said. "It transmits data in an encrypted tunnel so it is secure in transit, and we have control of the data, whereas a mobile operator with a smart phone has to manually add on security on their own. Blackberries have more initial security capabilities built in."

But he has tested other phones and believes that in general, mobile phone security is better than it was a few years ago.

"In 2003 I could crack a smart phone with public or private forensic tools," he said. For example, he said, a lot of progress has been made in the security of Windows smart phones.

Advice for users
To ensure the best possible mobile phone security, Dietz suggests IT professionals test as many devices and add-on security offerings as possible to find the technology that's the best fit for their environment. Puhlmann suggests companies address the proper use of mobile phones in their security policies.

"It's a mobile computing device, not just a phone, and you should treat it as such in your security policy," he said.
