When McAfee Inc. released a report claiming 83% of more than 200
mobile operators surveyed had
experienced mobile phone infections, some IT professionals were
skeptical. After all, they haven't seen any phone infections in
their environments.
Robert Shullich, senior security technology advisor in the
corporate information security office at New York-based Bowne &
Co. Inc., said he hasn't seen any malware attacks against phones
and PDAs in his company, and wonders if McAfee is "over-hyping this
since they sell antivirus."
But he and other IT professionals admit they'll probably see
mobile phone attacks sooner rather than later, and they're starting
to look at ways to minimize the threat.
"We have many security concerns about mobile devices, including
the loss of sensitive data via loss of the device, and someone
using the authorized channel between the phone and the corporate
server to gain unauthorized access to the network," Shullich said
in an email exchange. Phone spam is also a concern, he said.
Eighty-three percent of mobile operators surveyed by Informa
Telecoms & Media on behalf of McAfee Inc. between December and
January acknowledged they've been hit by mobile device infections.
Respondents, who answered questions on a variety of mobile security
issues in an anonymous online survey, also acknowledged that:
- The number of mobile security incidents in 2006 was more than
five times as high as in 2005.
- The number of mobile operators in Europe and APAC reporting
incidents affecting more than 1,000 devices more than doubled in
2006.
- All operators spent $200,000 or more on mobile security in 2006
compared to 2005.
- The number of mobile operators estimating that the cost of
dealing with mobile threats is more than 1,000 hours increased by
700%.
An underestimated risk
Nils Puhlmann, senior manager for enterprise information security
at a Fortune 100 company in California, said he hasn't read the
McAfee report. But whether the numbers are hyped or not, he does
believe people are underestimating the risk to mobile phones -- and
the larger threat to company networks.
"We haven't seen any big breaches in this area, so nobody is
really paying attention," he said. "Security is reactive, and no
one takes notice until something happens."
Sooner or later, something will happen, he said. And the damage
won't be limited to the phone itself.
"There's no such thing as just a mobile phone anymore," Puhlmann
said. "Some devices have Bluetooth, which means there's some sort
of network connection, and we're seeing a lot more email and Web
functionality. Anything stored on that device is business property
and needs protection."
Several thousand employees in his company use
Blackberries, which he said are more secure than some other
phones on the market because they were designed with IT management
in mind. But employees are eager to try out other phones that may
be a lot tougher to manage from a security standpoint, such as the
newly unveiled Apple iPhone.
"When Apple announced the iPhone, a lot of people in the company
started inquiring about getting one," he said.
Like losing a laptop
In the future, he said, losing a phone may become as problematic
for a company as
losing a laptop is today. "You can lose a phone that easily has
30 email messages on it, many of which can include sensitive
information," he said. "We have a policy that if any of these
devices get lost it has to be reported right away. You have to
treat it as if you lost your laptop."
Steven Dietz, information security principal for North
Carolina-based healthcare services provider Quintiles Transnational
Corp., agrees. He also worries that as phones grow more
sophisticated, they could become vulnerable to older, PC-based
software flaws.
"The smart phone is getting more and more like a PC all the
time," he said. "When people can read .pdf or PowerPoint files or
even make changes to the document over a phone, the phones could
potentially be vulnerable to older flaws that were fixed long ago
on the PC side. Embedded firmware makes patching all the more
joyous."
Like Puhlmann's, Dietz's environment is primarily Blackberry
based. He too likes the added manageability of the Blackberry and
said the device has a future in his company. One of the features he
likes is the ability to enforce security policies.
"After a certain number of attack attempts, it locks up and
becomes useless," he said. "It transmits data in an encrypted
tunnel so it is secure in transit, and we have control of the data,
whereas a mobile operator with a smart phone has to manually add on
security on their own. Blackberries have more initial security
capabilities built in."
But he has tested other phones and believes that in general,
mobile phone security is better than it was a few years ago.
"In 2003 I could crack a smart phone with public or private
forensic tools," he said. For example, he said, a lot of progress
has been made in the security of Windows
smart phones.
Advice for users
To ensure the best possible mobile phone security, Dietz suggests
IT professionals test as many devices and add-on security offerings
as possible to find the technology that's the best fit for their
environment. Puhlmann suggests companies address the proper use of
mobile phones in their security policies.
"It's a mobile computing device, not just a phone, and you
should treat it as such in your security policy," he said.