Smart Phones – Convenience or Threat?

The use of smart phones to access sensitive corporate information away from the office is creating huge security gaps for enterprises. Smart phones are being used to access company mail and applications. At least one major breach involving theft of application code has been attributed to malware from smart phones. So how do we benefit from the technology while addressing the risks?

Quite a few high-profile security incidents were reported in the last few weeks. Topping the charts, Google reported being hacked by Chinese hackers, and around the time of the Google disclosure other US companies reported the loss of application code to hackers. The NSA of the Indian Government reported that its network had been targeted by hackers. The Suffolk County National Bank in Riverhead, NY announced the breach of a server that hosts its online banking system. These incidents happened despite the fact that many of these organizations and government departments probably have some of the best security products and information protection mechanisms. So it brings forth the eternal question: what is going wrong, and where?

Smart phones are seen as one of the main culprits in breaching IT security. The use of smart phones to access sensitive corporate information away from the office is creating huge security gaps for enterprises. Smart phones are being used to access company mail and applications. At least one major breach involving theft of application code has been attributed to malware from smart phones. The following are the reasons why smart phones are proving to be big threats to an organization's security, along with some ideas on how organizations can overcome these issues.

Smart phone OS stability is still not proven. Users must be encouraged to keep a backup or replica of the data on their mobile phones.

Mobile communications are not adequately encrypted, and it is possible today to sniff and decrypt mobile traffic. The GPRS and EDGE data protocols used in mobiles are based on GSM, and GSM ciphers such as A5 have been broken. Some security options exist, but many carriers choose not to implement all of the available security controls because of performance and handset compatibility. When smart phones connect to enterprise servers, they must therefore always do so over a VPN connection.

Unencrypted data is stored on smart phones. Not many realize it, but smart phones may be configured to store a lot of data and configuration settings relating to the enterprise servers and IT set-up. Data can be stolen from mobiles even before they can be deactivated. When employees leave the organization, there must be a mechanism for removing all such data and settings. In any case, the possibility of mobile theft and the resulting data loss has to be addressed by enforcing password protection on mobiles. Smart phones can be protected by setting the device to require a pass code. Some smart phones have the option that if the wrong pass code is entered 'x' times, local data is erased; it can then be restored after a remote password reset from the administrator console.

Smartphone data is not erased when it is deleted. Most devices have relatively small storage capacities and use variants of the FAT file system. When a file is deleted, the markers for the beginning and end of the data on the storage media are removed, so that it is no longer retrievable by normal means. However, the actual data remains until it is overwritten; in fact, the whole practice of cell phone forensics rests on the availability of such data and logs. Currently there is no secure delete option on any Smartphone device. It is up to the organization's system administrators to devise some way of removing data from smart phones, such as overwriting the complete memory with junk data.
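As an added illustration (not part of the original article), the following toy model of a FAT-style volume shows why an ordinary delete of the kind described above leaves the bytes on the media, and how overwriting the clusters before deleting changes that. The cluster size, the `ToyFatImage` class and the sample configuration string are constructed for this example and do not reproduce the real on-disk FAT layout.

```python
import os

CLUSTER = 16  # bytes per cluster in this toy image (real FAT: 512 B to 32 KiB)

class ToyFatImage:
    """Constructed FAT-like volume: only the effect the text describes is
    modelled (deleting clears bookkeeping, not data), not the real layout."""

    def __init__(self, clusters=8):
        self.data = bytearray(CLUSTER * clusters)  # the "flash" contents
        self.free = list(range(clusters))           # unallocated clusters
        self.directory = {}                         # name -> cluster list (the "markers")

    def write(self, name, payload):
        needed = -(-len(payload) // CLUSTER)        # ceiling division
        if needed > len(self.free):
            raise OSError("volume full")
        chain, self.free = self.free[:needed], self.free[needed:]
        for n, idx in enumerate(chain):
            chunk = payload[n * CLUSTER:(n + 1) * CLUSTER]
            self.data[idx * CLUSTER:idx * CLUSTER + len(chunk)] = chunk
        self.directory[name] = chain

    def delete(self, name, wipe=False):
        """Plain delete drops the entry and frees its clusters, leaving the
        bytes in place; wipe=True overwrites each cluster with random bytes first."""
        chain = self.directory.pop(name)
        if wipe:
            for idx in chain:
                self.data[idx * CLUSTER:(idx + 1) * CLUSTER] = os.urandom(CLUSTER)
        self.free = sorted(self.free + chain)

    def raw_contains(self, payload):
        """What a forensic carver does: search the media, not the directory."""
        return payload in bytes(self.data)


def demo():
    """Returns (found after plain delete, found after overwrite-and-delete)."""
    secret = b"vpn.corp.example shared-secret=hunter2"  # constructed sample value
    plain, wiped = ToyFatImage(), ToyFatImage()
    for img in (plain, wiped):
        img.write("vpn.cfg", secret)
    plain.delete("vpn.cfg")
    wiped.delete("vpn.cfg", wipe=True)
    return plain.raw_contains(secret), wiped.raw_contains(secret)
```

`demo()` returns `(True, False)`: the plainly deleted configuration is still recoverable from the raw image, while the overwritten copy is not.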

Smart phones are operated in admin mode. This means that while desktop users can be restricted from administrator access, Smartphone users are given administrator access by default. They can install applications and software in a way that is not possible on restricted desktops, and these may contain malware. There is very little anti-virus/anti-malware software for smart phones, and its effectiveness is still being tested. When smart phones connect to the network, it must be ensured that they access network resources only from behind a firewall. The risk of malware propagating when mobiles are connected to desktops over USB remains, and can be addressed only by keeping the organization's anti-virus mechanisms up to date.

In sum, smart phones are as much a security threat as they are a user convenience. Organizations must evaluate the risks from such devices before permitting them to access IT resources.