Mobile malware has already been predicted, and it is fair to say that it is now here. There are already numerous exploits and scams in the wild that have been used to exploit users and mobile devices alike.
Nokia Symbian platform was the most targeted for 2010 but exploits exist for Android devices as well. It is suggested that exploits for other mobile devices are expected this year and attackers are gaining experience.
Despite this, the prevalent opinion appears to be that the risk from mobile devices is low and unlikely. It seems that we all are waiting for a "big event" such as the Chernobyl computer (CIH) virus in 1998 that returned in 2001 as Love Letter, a worm with a CIH dropper program. Recent research, however, has shown a 250% increase in Mobile Malware between 2009 and 2010.
It could be that there might not be a "big event", but rather a steady infection of mobile devices specifically designed to stay under the radar, as is the case with current PC malware, Like rising damp, you only see it after it has been there for a long time. SMS exploits, for example, have been disguised in movie players or system updates for mobile devices, which, without any user interaction send messages to premium rate numbers at around $5 a message. The exploit is only launched a few times a month so that they aren't noticed and exploit the fact that most business users don't see their mobile bill. Zeus Trojan with a mobile component is estimated to have caused $9.5m losses in the UK and US, by stealing personal and business banking details.
My response is a "D4" mobile security model, based on the classic information security CIA triad, covering device security, device data protection and device user education:
It must be acknowledged that the "consumerisation" of IT, with increasing numbers of people connecting their own devices to business networks, often without approval, means the scope of device management has changed drastically.
The security of mobile devices, must now, for example, account for the wide variety of mobile device operating systems. Some of these have open architectures and others are "walled" by the controls implemented by the manufacturer. Given this, device traffic security using IPSEC tunnels should be a given, in addition to the firewalls, antivirus and encryption that should also be considered.
Device data protection in recent times has evolved out of the requirement for information management. The evolution of user technologies from RIM, Apple, Google and other software and hardware manufacturers have created a user base that expects to be able to easily access and create content from any location 24x7. Just like with PCs, this data should be protected and restorable.
Perhaps the most crucial element of the mobile security strategy, user education begins with an understanding of what information users need, and what additional information becomes accessible by having email enabled on their mobile device. A simple brainstorming can ensure exposures are understood.
Understanding where data is stored, transferred and created is the first stop to tackling this topic.
Lannon Rowan is a managing security consultant within global services at Orange Business Services