
Smartphone security lacking at many businesses

By Eric Ogren
19 Feb 2009 | SearchSecurity.com



Smartphones are ubiquitous in corporate life, supplying email and browser access to data whenever and wherever information junkies need a fix. But so far IT has been slow to address the security issues arising as a result of the smartphone phenomenon.

The necessity to remain connected with the business is driving explosive demand for smartphones across all organizations. In their last reporting quarter, Apple announced that it had sold 4.3 million iPhones (almost doubling the unit volume of 2.5 million Macintosh computers sold in the same quarter) and Research in Motion reported selling 6.7 million BlackBerry devices. The use of smartphones for accessing business applications and confidential data is a trend that is here for good.

Latest mobile attack:
Sophisticated SMS worm attacks Symbian phones: A new worm attacking Symbian-based phones is spreading via SMS messages and smartphone Internet access, according to security vendor Fortinet's research team.

It is surprising that IT is not giving more attention to securing these devices. There must be a huge number of smartphones containing business data that are lost in airplanes, hotel rooms and taxi cabs. Smartphones are, after all, computers with voice communications capability and low-power considerations to extend battery life. Beyond that, smartphones possess gigabytes of perpetual flash memory, installed browsers and applications, and real operating systems in the form of Symbian, mobile Linux, and Microsoft Windows. When it comes to the security issues of protecting data and ensuring secure connectivity to applications, a smartphone should be treated the same as a laptop running Skype or Voice over IP.

IT should be putting smartphone security policies in place to protect sensitive data, access to corporate applications, and software configurations:

  • Disclosure laws, such as CA 1386, apply to private information that is stored as "computerized data." Smartphones are not exempt from disclosure laws if they are lost with consumer data residing in memory. The easiest ways to avoid this are to never allow consumer data to be delivered to a smartphone, to clear caches and temporary buffers after a VPN session, or to encrypt all data that the smartphone receives.

  • All connectivity to business applications and networks should require a password and SSL VPN for secure communications. Every smartphone that is used for business should require a password to be entered before launching a browser, mail agent, or other business application. The last thing IT wants is for a total stranger to turn on a lost smartphone and be given complete network access at the click of an icon. The other great feature of smartphones is the presence of a "kill switch": a smartphone reported as lost can be disabled as soon as it is turned on.

  • Configuration management will become a greater issue for smartphones as business software becomes more prevalent and malicious code starts targeting these devices. Virtualized approaches, for example keeping the application and data in the data center and using the smartphone for display only, may help here.

Security vendors are moving forward to embrace protection of smartphones. There are lots of vendors offering smartphone encryption, including Credant, PGP, and Mocana, which has an interesting collection of security toolkits for developers of smartphone applications. I also believe there is great potential from VMware's acquisition of Trango to be able to dynamically deliver secure applications through the air upon user request. While security vendors embrace smartphone security, IT should focus on keeping secure data off smartphones to avoid the most serious security incidents.

Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to eric@ogrengroup.com.
