Facing up to the mobile revolution
Whether companies are actively encouraging their employees to work on the move, or staff are simply using personal mobile devices of their own accord, security professionals face a major new headache in protecting their organisations from threats, writes Rob Buckley.
Thanks to smartphones and tablets, not to mention the trusty old laptop and the practice of hotdesking, more workers than ever are doing their jobs from multiple locations.
There are, of course, advantages to this. “Many senior decision makers are now embracing mobile a lot more than in previous generations of the technology,” says Dimitri Yates, a security consultant at KPMG. “The iPhone looks cool and workers want it for that reason, but it also gives them the ability to work outside of the office. Sure, if you have an idea in the middle of the night you could get out your laptop and fire up the VPN, but reaching for the iPhone removes one more barrier to working.”
Using a personal device at work, however, puts corporate data and applications at risk of running outside the enterprise on unsecured devices – a potential security nightmare. So how are information security professionals dealing with these problems, and what are the latest technologies available for securing mobile devices? In some cases, the problems are not being dealt with at all. Last November, Check Point surveyed 130 IT managers and senior staff on the use of personal smartphones for work purposes. The results showed that employees use personal devices for work in 55 per cent of the organisations surveyed, yet 39 per cent of respondents said they had no formal process for deploying security to these devices. Only 37 per cent of the organisations prohibited use of personal laptops or smartphones for professional purposes, although 61 per cent did restrict access to their network or data resources. Such an apparently lackadaisical approach to the issue is worrying: in independent research carried out by Damovo last year, 92 per cent of IT directors stated that employee use of mobile devices had led to an increase in security threats to their organisation.
“In the modern organisation, end-users are dictating IT priorities by bringing technology to the enterprise, rather than the other way around,” says Robert Ayoub, global program director, network security, at analyst Frost & Sullivan. “This is creating a new challenge of balancing openness with security, where the ultimate responsibility for the security of an organisation falls on the shoulders of end-users – because they can more easily than ever put all the systems and data of the organisation at risk.” He adds that mobile devices could pose the single most dangerous security threat to organisations in the years to come.
Laptops, to a certain extent, are a known quantity and organisations will have developed ways to secure them. Most companies will have corporate laptops that have been given a standard build and locked down to prevent new software from being installed. They will have the standard anti-malware tools installed to prevent infections as much as possible. For securely connecting to the corporate network, meanwhile, there will be a VPN. Support may be more difficult to deploy, but remote desktop and patch management tools can help.
Things get harder when people want to use their personal laptops, which could have anything installed on them or run an operating system, such as Linux, that the organisation does not support. Smartphones and tablets take these concerns to new levels, with unfamiliar operating systems that have few of the standard tools and capabilities familiar to IT staff.
The best policy
So what, then, is the best response to consumerisation? The first step, as always, is policy. “Most organisations have security policies, but not for mobile devices,” says Yates. “It's best to start from a risk-analysis perspective and focus on the data.”
Since data loss is the main concern with mobile devices, any existing data loss prevention programme will already have done much of the hard work in establishing what can and cannot be stored on employees' personal kit. If no such programme has been implemented, then an inventory should be taken of the organisation's data, establishing where it resides, its importance and the likely impact if it is lost or stolen. Decisions can then be taken about which resources employees can access when using their own devices or working remotely.
Various technologies can restrict what remote users can access. JanusGate Mobile monitors all traffic passing through Microsoft Exchange ActiveSync. It can filter messages, contacts and calendar information so that emails from or to certain senders or recipients, or those containing particular words and phrases, are blocked from being sent to mobile devices.
Organisations can then look at how they provide remote access for their employees. Partly because of consumerisation, and because many consumer devices are incompatible with standard VPN technology (or its interface is harder to use on smaller screens), many organisations are looking at more lightweight technologies, typically the SSL capabilities of browsers, to provide portals for access to corporate resources. “The focus is more on using mobile devices as entry points into the cloud. You can use Citrix and VNC to control computers at work, for example, and vendors are coming up with more brilliant ways of accessing data in a controlled way,” says Yates.
Authentication is an area that needs to be looked at. Eric Maiwald, research vice president at Gartner, says this provides the first line of defence against an unauthorised person picking up a handheld device and accessing the information on it. A suitable authentication mechanism will mirror the mechanisms found on client computer systems, with authentication required at power-on, an inactivity timer so that re-authentication is required after a period of non-use, and protection from too many failed login attempts, such as an additional locking mechanism or a wipe of the device. Many devices have these features built in, although Google's Android does not have built-in support for strong passwords.
“Handheld devices are different from client computer systems, and therefore some allowances must be made for how the devices will be used,” warns Maiwald. “For example, it's not appropriate to force authentication on a mobile device before a user can answer a call or make an emergency call.” Inactivity time-outs may also require adjustment, depending on how the device is being used. “If the handheld device is being used for driving directions with a GPS application, an inactivity time-out that forces the driver of a vehicle to re-authenticate is inadvisable,” adds Maiwald.
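The lock policy described above (authentication at power-on, an inactivity timer, escalating lock-out and finally a wipe after too many failures) together with Maiwald's two allowances (emergency calls and a foreground navigation app) can be written down as a small state machine. This is an added illustration, not code from the article or from any vendor named in it; the threshold values, the emergency number list and the rule that a foreground GPS app suspends the idle timer are assumptions chosen for the example.

```python
import hmac
from dataclasses import dataclass

EMERGENCY_NUMBERS = {"999", "112", "911"}  # assumption: numbers that must always be dialable


@dataclass
class LockPolicy:
    """Thresholds an administrator would push to the handset (the values are assumptions)."""
    inactivity_timeout_s: int = 300   # re-authenticate after this much idle time
    lock_after_failures: int = 5      # a temporary lock-out starts here ...
    lockout_s: int = 60
    wipe_after_failures: int = 10     # ... and the device wipes itself here


@dataclass
class Handset:
    policy: LockPolicy
    passcode: str
    unlocked: bool = False
    last_activity: float = 0.0
    failures: int = 0
    locked_until: float = 0.0
    wiped: bool = False
    navigation_active: bool = False   # assumption: a foreground GPS app suspends the idle timer

    def power_on(self, now: float) -> None:
        """Authentication is always required at power-on."""
        self.unlocked = False
        self.last_activity = now

    def touch(self, now: float) -> None:
        """Any user interaction resets the inactivity timer."""
        self.last_activity = now

    def requires_auth(self, now: float) -> bool:
        if self.wiped or not self.unlocked:
            return True
        if self.navigation_active:
            return False  # Maiwald's allowance: do not lock the driver out mid-journey
        return now - self.last_activity >= self.policy.inactivity_timeout_s

    def can_answer_call(self) -> bool:
        """Answering an incoming call never waits for the passcode."""
        return True

    def can_place_call(self, number: str, now: float) -> bool:
        """Emergency calls bypass authentication; other outgoing calls do not."""
        if number in EMERGENCY_NUMBERS:
            return True
        return not self.requires_auth(now)

    def authenticate(self, attempt: str, now: float) -> str:
        """Returns 'ok', 'denied', 'locked_out' or 'wiped'."""
        if self.wiped:
            return "wiped"
        if now < self.locked_until:
            return "locked_out"          # attempts during a lock-out are ignored, not counted
        if hmac.compare_digest(attempt, self.passcode):
            self.failures = 0
            self.unlocked = True
            self.last_activity = now
            return "ok"
        self.failures += 1
        if self.failures >= self.policy.wipe_after_failures:
            self.wiped = True             # last resort: destroy the data rather than let guessing continue
            self.unlocked = False
            return "wiped"
        if self.failures >= self.policy.lock_after_failures:
            self.locked_until = now + self.policy.lockout_s
            return "locked_out"
        return "denied"
```

The ordering of the two thresholds is the point: a lock-out slows a guesser down at five failures, and the wipe at ten is what guarantees that a stolen handset cannot be brute-forced offline at leisure, while emergency calls remain possible even after the wipe.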
Swivel's PINsafe offers an alternative to standard authentication. The user chooses a four-digit PIN, and whenever they wish to access an application, PINsafe delivers a one-time security string of randomly generated numbers to their mobile phone or browser. The user enters the numbers from the security string that correspond with the numbers in the PIN – if the user's PIN is 1234, they will enter the first, second, third and fourth numbers of the string.
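The positional scheme just described is easy to get wrong in the details, so here is a worked implementation of the idea as the article explains it. This is an added example, not Swivel's code and not a description of the commercial product beyond what the paragraph says; it assumes a ten-digit security string, that PIN digit 1 selects the first position and digit 0 the tenth, and that each string is used exactly once.

```python
import hmac
import secrets

STRING_LENGTH = 10  # assumption: one digit per PIN-selectable position 1..9 and 0


def generate_security_string(length: int = STRING_LENGTH) -> str:
    """Fresh random digit string for a single login attempt, drawn from the CSPRNG."""
    return "".join(str(secrets.randbelow(10)) for _ in range(length))


def expected_one_time_code(pin: str, security_string: str) -> str:
    """The digits of the security string at the positions named by the PIN.

    PIN digit 1 selects the first character, 2 the second ... and 0 the tenth
    (assumption for this example). With PIN 1234 the answer is simply the first
    four digits of the string, as in the article's description.
    """
    code = []
    for d in pin:
        pos = STRING_LENGTH - 1 if d == "0" else int(d) - 1
        code.append(security_string[pos])
    return "".join(code)


class PinSafeVerifier:
    """Server side: issues one challenge at a time and accepts each answer at most once."""

    def __init__(self, pin: str):
        if not (pin.isdigit() and 4 <= len(pin) <= STRING_LENGTH):
            raise ValueError("PIN must be 4 to 10 digits")
        self._pin = pin
        self._issued = None  # the outstanding security string, if any

    def challenge(self) -> str:
        """Generate and remember the string that would be shown to the user."""
        self._issued = generate_security_string()
        return self._issued

    def verify(self, response: str) -> bool:
        if self._issued is None:
            return False                      # nothing outstanding: reject
        expected = expected_one_time_code(self._pin, self._issued)
        self._issued = None                   # single use: replaying a code must fail
        return hmac.compare_digest(expected, response)
```

Two properties matter for the scheme's security and are enforced here: the security string must come from a cryptographic random source (a predictable string leaks the PIN after one observation), and it must be discarded after one answer, since an observed code is valid only against the string it was derived from.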
Authenticating for access to corporate resources is also a concern. Few mobile devices offer USB ports for biometric readers and similar two-factor hardware. But applications from companies such as RSA and Signify are available for most smart devices that generate software tokens for authentication, avoiding the need for a separate key fob. If the device is a phone, it can itself serve as the second factor: an authentication code can be sent by SMS to the phone number associated with the device, ensuring that only specific devices can be used to access corporate resources (though a code delivered by SMS to the same handset that is running the session is exposed to the kind of SMS-intercepting malware described later in this article). Importantly, according to David Emm, senior regional researcher UK at Kaspersky Lab, “two-factor authentication is great because it's not enough for Trojans such as Zeus to get hold of”.
However, Jim Tiller, vice president, security professional services, North America, at BT Global Services, has concerns. “When you take away the separate fob, that's really only pseudo two-factor authentication,” he says.
Network access control or mobile device management systems, such as Bradford Networks' Network Sentry and Sophos Mobile Control, can determine what kind of device is accessing the network and assign rights according to policy, as well as configure the devices.
“There are a number of tools in the arsenal we can use,” says Arabella Hallawell, Sophos's vice president of corporate strategy; she explains that these include whitelisting and locking down of phone functions. “But it's a balancing act. You can use more restrictive technology, but it will take a lot longer for you to get the advantages of consumerisation,” she adds.
Terms and conditions
Before employees can access corporate resources, they should agree to policies regarding acceptable usage. This can include terms requiring security software, such as BullGuard's Mobile Security anti-malware and management software, to be installed where necessary; device encryption to be turned on – a default for most, but not all; and for some configuration to be undertaken by administration software such as Sophos Mobile Control.
Some terms may cause problems. Employees using their own devices will generally accept a minimum password length or a requirement that data on the device be encrypted, but they may balk at allowing the organisation to wipe the phone remotely if it is lost or stolen. Although employees do need to accept some degree of personal responsibility if they are to be given the benefits of remote working and use of their own devices, data can be segregated on the phone so that only the corporate part need be wiped in the event of loss rather than the whole device, which should cushion the impact. RIM's BlackBerry Balance, so called because it aims to enhance users' work-life balance, allows its phones to be partitioned in this way, while BlackBerry Protect provides back-up, location and remote wipe facilities. McAfee's WaveSecure and Kaspersky Mobile Security offer similar remote wipe facilities, among other functions.
Equally, by ensuring that little or no data is on the device, employees can be spared this dilemma. Browser-based access to resources keeps little on the device, since the data lives in the server-side session, although cached pages and downloaded attachments can still persist unless the browser is configured not to keep them. Meanwhile, desktop virtualisation technology, such as Windows Terminal Services or Citrix and VMware's various products, allows corporate desktops to be run from a server.
“This way, the device becomes a presentation mechanism and the app is just a window into the organisation through which you see things,” says Mark Carter, head of security at Deloitte. This can make it far easier to support different devices: rather than having to develop corporate applications that run on any number of platforms, including iOS, Android, Symbian and Windows Mobile, the organisation can simply tell employees to install the relevant virtual desktop client on their phone and run all the applications on the server.
However, virtualisation can be expensive, not just because of the server hardware and software required, but also because of licensing, resulting in high initial costs. “It's a decision that hits CIOs more and more as you start to invest in supporting mobile. However, although it's expensive at first, the economies of scale kick in and the cost diminishes per unit. With use of mobile devices increasing in the future, it's an issue in front of CIOs,” says Carter.
BT's Tiller says he is aware of only two companies discussing virtualisation as a means of becoming more flexible in relation to consumerisation, rather than for other business reasons.
As a result, many organisations instead decide to deploy applications onto mobile devices. To do this, they need to consider the same things as they would when deploying apps to more conventional devices. Proper security checking of apps, both those written by the organisation and those bought in, is a must. To avoid the inevitable problems of supporting multiple platforms, mobile enterprise application platforms such as AT&T's Workbench or Antenna's Volt, which can be hosted or run on site, can be used to create, publish and manage web applications securely.
“It's essentially a native container for HTML 5 web apps,” says Martin Jones, senior product manager at Antenna Software. “It enables the enterprise to have much more control of these apps by having a ring-fenced area. You can wipe individually or the whole thing – or, since the keys will expire, the need to wipe is removed.”
Consumerisation will only increase alongside mobile working, which will affect not just corporations but society, too. “We're facing a big chunk of the population being always on, 24/7,” says Kaspersky's Emm. “The negative side of this is that people's devices will need to be protected inside and outside the office. It's a perfect storm.”
Even if an organisation doesn't feel it needs a mobile security policy now, it will do soon.
Security at the network operators
Mobile security is as much an issue for network operators as it is for their users, which is why so many of them are taking it seriously. At the simplest level, if customers have problems with their phones, they're more likely to call their network operator and expect it to fix the problem, even if the operator is not responsible for it. But as Gareth Maclachlan, COO of AdaptiveMobile, points out, malware infections and other security problems can cost operators dearly.
“One operator lost £2m over a four-day period because SMS messages were coming through as missed call alerts. When the customers hit reply, they dialled an international number at $4 a minute that was a recording of a dial tone. The operators transferred money to the satellite phone operator, and only 30 days later, when people started getting their bills, did the complaints come in,” he says.
AdaptiveMobile now provides a security platform to 35 tier-one mobile phone operators around the world, including some in the UK, that can monitor every SMS, MMS, email, IMS and voice message in real time to observe customer behaviour and spot changes. “The platform can monitor a huge range of behaviours and build profiles of the subscribers. These cues help us to identify threats and actions to take,” Maclachlan explains.
Largely, network operators are unwilling to discuss the security measures they take for their consumers, although Vodafone admits to content filtering and automatic malware protection in its data network. However, for business customers, they do offer more services.
“We do a number of things,” says Scott Petty of Vodafone's business products and services. “We look at device security, including encrypting data – we've launched some tools ourselves for that. We also offer remote lock, VPNs and help organisations set up app distribution whitelists and blacklists.” Vodafone also offers a managed mobility service.
Orange works with SMEs and larger enterprises to enhance their security. “We've had in our portfolio for some time the Orange Link Voice and Data VPN, which provides secure, easy connectivity,” says Orange UK's head of corporate propositions, Michael Lawrence. “That can not only identify the user by mobile telephone IMEI but also tell when the SIM has been taken out of the device and put in something else.” It's a service available for a monthly charge, and requires users to have Orange SIMs. The company also provides a higher level of security at CESG impact level five through measures such as a Becrypt partnership, and has consultants who can discuss mobile security policies.
Both Orange and Vodafone are evolving their security portfolio as mobile threats change. “Device management for end-users is an evolving ecosystem, because of things like the bring-your-own-device trend,” says Lawrence. “We want to make sure our portfolio responds to needs and enables IT managers to deliver benefits. So we are developing device management capabilities and moving into partnerships to enrich our offer around AV, for example.”
Vodafone's Petty says a lot of effort is going into ensuring mobile internet connections are as secure as possible. “That will continue to be the focus. We're also leveraging SIMs as a second factor in authentication. We have large teams dedicated to products and technologies.”
Ten of the best business apps
1 Cisco WebEx (iPhone, Android, BlackBerry)
Connect to a Cisco WebEx meeting wherever you are, on 3G or WiFi. You can also schedule and start meetings, as well as view documents and applications and access screen-sharing with live annotations.
2 Dropbox (iPhone, Android, BlackBerry)
Dropbox allows users to synchronise files in a folder on their computer with the cloud, other computers and smartphones. The Dropbox mobile application lets users upload files and sync them to Dropbox, as well as share links to files in their Dropbox with other people, so they can download them to their own computers or mobile devices.
3 LinkedIn (iPhone, Android [beta], BlackBerry)
LinkedIn, the social media site for business professionals, now offers dedicated mobile applications for keeping up to date with colleagues, arranging meetings with them, messaging them or finding out what the latest ‘buzz' is.
4 iShare (iPhone)
Connect to SharePoint Server securely to access company and team collaboration information, including documents, lists, announcements, tasks and meetings.
5 Citicus MoCA (iPhone)
MoCA provides a simple way for decision makers to identify the business impact of their organisation's assets and processes being disrupted. Worst-case loss scenarios are used to identify the types of harm that could ensue and the severity of each type. As soon as an assessment is complete, graphical results are presented, highlighting the asset's calculated critical rating, maximum credible loss, and required protection.
6 RSA SecurID Software Token (iPhone, Android, BlackBerry)
Now there is no need to carry a separate RSA fob for secure two-factor authentication. Instead, you can install the app on your mobile device and get the authentication token sent to that, where it can be copied and pasted if necessary.
7 Cisco SIO (iPhone)
This provides real-time access to Cisco Security Intelligence Operations. The app provides actionable security information and enables users to personalise alerts to show only those security threats that could affect their network, and provides added assurance that they are being protected by their chosen Cisco security solution.
8 Documents to Go Premium (iPhone, Android, BlackBerry)
Create, open and edit Microsoft Office and PDF documents on your mobile device then sync them back to your computer without disrupting the formatting. Also includes support for Google Docs so that you can work through the cloud.
9 TravelTracker Pro (iPhone, Android, BlackBerry)
Keep track of all your travel information using the TripIt service. TravelTracker Pro can record expenses in multiple currencies, synchronise with TripIt, get updates of changes to flights, get maps to destinations and more.
10 Salesforce Mobile (iPhone, Android, BlackBerry)
Users can access their Salesforce CRM data wherever they are, as well as log calls and respond to leads. The iPhone version is unstable, but other versions work better.
Near field communications
Will it or won't it? Rumours have been circulating that the next version of Apple's iPhone will join a few other select handsets in having Near Field Communications (NFC) incorporated into its chipset, thus giving the nascent mobile payment technology an instant headstart that will no doubt take the technology into the mainstream. Much like contactless payment cards provided by suppliers such as Barclaycard, NFC allows a user to tap a phone against a reader to make a payment.
Using a phone provides an added benefit – the keyboard or touchscreen, which provides the ability to enter a code like a PIN. This means that the contactless payment can be extended beyond the current £15 limit for cards. “Clearly, this introduces a security headache. What if the phone is stolen? What if mobile malware can capture the code? What if the payment data can be captured?” asks Richard Allen of Consult Hyperion, which has worked on technologies such as Oyster Card.
NFC includes measures to counter these problems. It is secured using a mechanism known as GlobalPlatform, which allows card issuers to issue the payment card application securely over the mobile network. “American Express, MasterCard and Visa are working with the mobile phone industry on securing payments,” says Allen. “This has been challenging if only due to the number of new relationships required. The mobile network operators, handset vendors and so-called trusted service manager are all involved.”
The payment application is secured in the mobile phone in a ‘card' known as the Secure Element. It holds the user's code, stored with the same protection as a card PIN. Other software applications running on the mobile device are authenticated to stop rogue apps capturing and using the code, and the communications between components on the mobile device are also secured. The electronics are protected against physical tampering to prevent eavesdropping, and any code entered by the user is invalidated after a minute or so. As with a contactless card, there will be some losses from lost and stolen mobile devices, but these are limited to £40. The phone can also be used to accept contactless payments.
“This involves the tricky subject of trust. How many of us will happily use our contactless cards to buy something from a roaming merchant with a mobile phone? Education and trust may be more of an issue than technology here,” says Allen.
However, John Arnold, chief security architect at Capgemini UK, says NFC is vulnerable to network attacks such as eavesdropping, jamming and man-in-the-middle attacks. “The protection offered by the Bluetooth pairing system is not included in the NFC standards. There is no reason why an NFC app for an iPhone cannot be made secure, but developers may be tempted to take shortcuts. From the end-user's point of view, there is a big difference in the risk posed by losing a £10 Oyster Card and an NFC iPhone app that may have access to an enormous amount of personal data.”
The rise of mobile malware
Mobile malware finally came of age in March when Google removed 50 free apps from its marketplace after they were discovered to be carrying malicious code. An estimated 20,000 to 500,000 users could have downloaded the infected apps, most of which were pirated versions of legitimate Android apps and contained a piece of malware called DroidDream.
DroidDream wasn't the first piece of mobile malware, but it was the first serious infection. The creators of the Zeus Trojan have also begun targeting mobiles, with Zitmo (Zeus in the mobile) able to intercept SMS messages from banks to BlackBerrys. KPMG's Dimitri Yates argues that until recently, there has been little incentive for criminals to target handsets. “They didn't contain much data, they weren't very powerful and there were such a variety of platforms, so it was hard to target them,” he says. Consolidation in the industry, as well as more powerful handsets, however, might cause criminals to reconsider.
Malware is likely to be a different beast on mobile because, unlike the attention-seeking PC virus of old, it is in the criminals' interest to stay unnoticed. A malicious app that sends texts and makes calls to premium-rate numbers at 2am every Thursday can raise a lot more in the long term than a Trojan that makes its presence known instantly. Corporate-issued handsets may be a bigger problem than consumer devices, since employees rarely get to see their bills and so never spot texts and calls they didn't make.
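Both the callback scam Maclachlan describes in the network-operator section (short calls to an expensive international destination that appear across many subscribers) and the quiet premium-rate SMS pattern above leave the same kind of trace in call-detail records, and a fleet administrator who never sees the bills can still look for them. The following is an added example of that detection logic, not code from the article or from any operator or vendor named in it. The records are constructed for the example, and the premium-rate and satellite prefix lists are assumptions chosen for illustration rather than an authoritative numbering table.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Constructed call-detail records for the example (not real data).
# corp-0042 texts a premium number at 02:00 every Thursday; corp-0017 and
# corp-0023 each place short calls to the same satellite number; corp-0099 is clean.
SAMPLE_CDR = """device,timestamp,type,destination,duration_s
corp-0042,2011-06-02T02:00:11,sms,+4490012345,0
corp-0042,2011-06-09T02:00:08,sms,+4490012345,0
corp-0042,2011-06-16T02:00:14,sms,+4490012345,0
corp-0042,2011-06-10T10:15:00,call,+442079460001,420
corp-0017,2011-06-03T18:22:41,call,+88216999999,37
corp-0017,2011-06-03T18:23:30,call,+88216999999,41
corp-0017,2011-06-03T18:25:02,call,+88216999999,39
corp-0023,2011-06-03T18:40:12,call,+88216999999,44
corp-0099,2011-06-08T09:30:00,call,+442079460002,180
"""

# Assumed prefix lists for illustration only.
PREMIUM_PREFIXES = ("+449",)                     # UK 09xx premium-rate numbers in international form
SATELLITE_PREFIXES = ("+870", "+8816", "+8817", "+88216")  # satellite-phone ranges
NIGHT_HOURS = range(0, 6)                        # 00:00-05:59 counts as off-hours
SHORT_CALL_S = 60                                # a "dial tone recording" call is hung up quickly


def classify_destination(number: str) -> Optional[str]:
    """Label a destination as expensive, or None if it is ordinary."""
    if number.startswith(PREMIUM_PREFIXES):
        return "premium-rate"
    if number.startswith(SATELLITE_PREFIXES):
        return "satellite"
    return None


def parse_cdr(text: str) -> List[dict]:
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["timestamp"] = datetime.fromisoformat(r["timestamp"])
        r["duration_s"] = int(r["duration_s"])
        rows.append(r)
    return rows


def analyse(cdr_text: str) -> Dict[str, List[str]]:
    """Return per-device findings; devices with nothing suspicious are absent."""
    findings = defaultdict(set)
    by_dest = defaultdict(list)  # (device, destination) -> records, expensive destinations only

    for r in parse_cdr(cdr_text):
        kind = classify_destination(r["destination"])
        if kind is None:
            continue
        dev = r["device"]
        findings[dev].add(f"{kind} {r['type']} to {r['destination']}")
        by_dest[(dev, r["destination"])].append(r)
        if r["timestamp"].hour in NIGHT_HOURS:
            findings[dev].add("off-hours activity to expensive destination")

    for (dev, dest), recs in by_dest.items():
        # Same weekday and hour every time: the scheduled 2am-Thursday pattern.
        slots = {(x["timestamp"].weekday(), x["timestamp"].hour) for x in recs}
        if len(recs) >= 3 and len(slots) == 1:
            findings[dev].add(f"periodic pattern to {dest}: {len(recs)} events in the same weekday/hour slot")
        # Several brief calls to one expensive number: the missed-call callback scam.
        calls = [x for x in recs if x["type"] == "call"]
        if len(calls) >= 3 and max(c["duration_s"] for c in calls) < SHORT_CALL_S:
            findings[dev].add(f"repeated short calls to {dest}: likely callback scam")

    # Fleet-wide view: one expensive destination reached from several handsets.
    fleet = defaultdict(set)
    for (dev, dest) in by_dest:
        fleet[dest].add(dev)
    for dest, devices in fleet.items():
        if len(devices) >= 2:
            for dev in devices:
                findings[dev].add(f"{dest} reached from {len(devices)} devices in the fleet")

    return {dev: sorted(f) for dev, f in findings.items()}


if __name__ == "__main__":
    for device, notes in analyse(SAMPLE_CDR).items():
        print(device)
        for note in notes:
            print("  -", note)
```

The individual rules are deliberately simple; what makes them useful is the fleet-wide aggregation at the end, which is the view an operator or a corporate mobile administrator has and an individual subscriber does not, and which would have surfaced the four-day callback fraud long before the bills went out.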
Until the Google outbreak, mobile malware was largely nothing more than ‘proofs of concepts', particularly on the iPhone – Apple's insistence that all apps have to be downloaded from its App Store, as well as built-in security measures, mean that outside of ‘jailbroken' iPhones (whose owners have circumvented their security measures), malware has been non-existent.
“There has been mobile malware for almost as long as it's been talked about, and some of the fairly recent attacks have had botnet capabilities. However, the difference is that individual threats tend not to have the same impact of a fast-spreading worm or PC virus,” says David Harley, senior research fellow at anti-virus software provider ESET. “It seems that attacks such as phishing and smishing on smartphones are more widespread and more consistently successful, and they attract the most attention from cyber criminals,” he adds. “Smartphone operating systems that implement tight controls such as application whitelisting and restricting the user's ability to compromise his own device are far less vulnerable to direct malware attacks.”