
Smartphones opening up enterprise risks

By Marcia Savage, Features Editor, Information Security magazine
24 Jul 2008 | searchSecurity.com


A recent survey of consumers revealed an unsettling trend: the use of smartphones to access sensitive corporate information away from the office is creating huge security gaps for enterprises.

In a survey of 200 consumers conducted by market research firm Decipher Inc. and sponsored by endpoint security supplier GuardianEdge Technologies Inc., 70% said they access what they consider sensitive data on their smartphone in order to do work outside the office. Eighty-nine percent of the respondents said they can access email and other corporate information using their personal or corporate-issued smartphone when not in the workplace.

Smartphone users appear to be aware of the risks involved in accessing corporate data from devices like BlackBerrys. Eighty-two percent said they were open to their company deploying security technology on either their personal or company-supplied smartphone. Another 75% said they'd feel more comfortable traveling for work if their smartphone was protected with encryption.

Sheryl Harkleroad, CISSP and information technology manager at a Bay Area-based insurance brokerage, said she found it interesting and encouraging that the survey showed consumers are aware of the security implications of having corporate data on a smartphone. "If users are aware of the risks to begin with, you are ahead of the game," she said. "Many risks can be addressed with technology, but the human factor is usually the wild card. Awareness and education are paramount to strengthening the overall security posture of an organization."
Smartphone security:

Security Wire Weekly: iPhone Mania and Enterprise Security:
Tom Cross, mobile security expert with IBM's X-Force security research team, discusses smartphone security on the heels of Apple's release of iPhone 3G. As more end users bring their smartphones into the workplace, companies need sound mobile security policies and technologies in place for data protection. Cross gives some tips for controlling smartphone use in the enterprise.


In addition, 52% of consumers surveyed believe companies should allow employees to store and access company information on personal smartphones if corporate-issued devices aren't provided.

Harkleroad said her firm doesn't provide access to corporate data on non-corporate-owned devices, and employees who are issued smartphones are provided with specific policy training on acceptable use of the device.

The company isn't currently using encryption technology on its BlackBerry devices, but is utilizing BlackBerry Enterprise Server, which provides centralized control of devices, including forced password protection and the ability to remotely wipe a device if it's stolen or lost. Harkleroad plans to evaluate encryption technology for smartphones in the next 12 months to follow up the full-disk encryption the company deployed on its notebooks.

The University of Louisville in Kentucky is also taking steps to reduce the risks associated with smartphones. The university is in the process of deploying GuardianEdge Smartphone Protection to its faculty members and staff. The deployment will eventually reach 2,500 devices.


"More and more of our workforce is becoming mobile and the majority is using smart phones," said Brenda Gombosky, director of enterprise security at the University of Louisville. "They're using them not just for email, but to store important records and files. That leads to concern about potential data loss, but you also lose control from a centralized technology standpoint."

A large health science community at the university deals with data that could potentially fall under HIPAA requirements, while faculty members have student information that must be kept secure.

The University of Louisville had already worked with GuardianEdge Technologies Inc. to deploy its full-disk encryption to laptops and desktops, and saw the company's smartphone protection as a natural choice, Gombosky said. The product provides centralized control linked to Microsoft Active Directory for Windows Mobile, Palm OS and Pocket PC-based devices. The university counts many Palm Treo users.

The university takes a layered approach to security, Gombosky said, adding, "This is another tool we can add to our tool box."

In Information Security magazine's Priorities 2008 survey, 69% of 619 respondents ranked protecting mobile devices like BlackBerrys and PDAs as important or very important.

In a recent interview with SearchSecurity.com, Tom Cross, X-Force researcher at IBM, offered advice for businesses dealing with the proliferation of mobile devices like BlackBerrys and Apple iPhones. He recommended that companies set up a process employees can follow if they lose a device, including a point of contact to get the device wiped remotely.

Cross also suggested deploying firewalls and intrusion detection systems (IDS) at VPN endpoints. The firewall should limit the Internet sites a smartphone can access, while the IDS can inspect traffic coming from the device to detect attacks.


