Mobile security can no longer be ignored

Reporter Paul Roberts
Modified 2013-04-24T21:32:39


By Paul F. Roberts, The 451 Group

Starting this week at the annual CanSecWest conference in Vancouver, British Columbia, some of the world’s best hackers will crack their knuckles and get to work on a different kind of problem: hacking mobile devices including Apple’s über popular iPhone. The annual Pwn2Own contest is likely to be a wake-up call to companies about the dangers posed by BlackBerrys, iPhones and other mobile devices. Despite that, many security firms are still playing catch up on mobile device management and security. Their enterprise customers may pay the price.

Pwn2Own gained notoriety last year for exposing vulnerabilities in Apple’s sexy Macbook Air and is sponsored by 3COM’s TippingPoint division. The contest promises participants $5,000 for each bug in the IE8, Firefox, Apple Safari and Chrome Web browsers, and double that amount for exploitable holes in fully patched RIM BlackBerry, Google Android, Apple iPhone, Symbian and Windows Mobile phones.

Why mobile devices? And why now? As with the Apple hack last year, Pwn2Own’s organizers are smelling change in the air. Consider the iPhone: Apple sold 4.4 million handsets in the December quarter (Q1 of Apple’s fiscal year), and 13.7 million of them in 2008. Revenue generated from iPhone and accessory sales totaled $1.25 billion that quarter, compared to $241 million in the same quarter a year ago. Though early iPhones were sketchy on features that make them useful to most workers, a lot has changed since 2007, when the phones were first introduced. By one account, iPhones accounted for 66 percent of mobile traffic browsing the Web in February, ten times that of its nearest competitors (Windows Mobile and Google’s Android).

For business users, iPhones now sport integrations with Microsoft Exchange Server and Cisco Systems virtual private networks (VPNs). Even more important is the iPhone SDK, which can be used to develop third party applications to run on the iPhone. The company’s AppStore currently provides access to more than 15,000 applications – both free and premium. Between July and the end of December, there were more than 500 million AppStore downloads.

But market pull doesn’t necessarily translate into enterprise mindshare. I attended a hands-on session last week for an enterprise mobile device management tool from a large, U.S.-based security software firm. In its latest incarnation, the product in question, which can be used to block mobile device spam and scan for virus infections, didn’t support the iPhone, or the BlackBerry, for that matter. Those facts didn’t surprise me as much as the instructor’s answer when asked about the prospect of iPhone support in future releases: “We’re waiting to see if the iPhone gets picked up in the enterprise before we add support.”

It was an answer that was met with silence and more than a few quizzical looks from an audience of IT administrators. The attendee who asked it turned to me and whispered, “From what I can tell, all the executives are already using it!” Of course, reliable statistics about iPhone use in the enterprise are hard to come by. But if the number of e-mails in my inbox with the phrase “sent from my iPhone” is any indication, iPhones have arrived.

So what’s going on? At the most basic level, the disconnect over “enterprise adoption” of the iPhone underscores the continuing growing pains caused by the influx into the workplace of devices and applications that were designed for personal, not office, use. This is what some have called the “consumerization of IT,” and it’s hitting IT departments and the companies that sell to them big time. Workers are bringing their non-company-issue BlackBerrys and iPhones to the office, syncing them to work PCs and using them for official business, just as they’re using Web-based e-mail and IM as well as social networking platforms like Facebook and LinkedIn for business and personal use at the same time.

The days of a corporate “gold image” – a standard, company-approved hardware, OS and suite of applications that’s tightly controlled by the IT department – have long since passed. Covetous employees and desirable consumer products like the iPhone shattered it. But that doesn’t mean that software firms – security focused and otherwise – aren’t still marketing and selling products as if IT still ran the show. They are.

The other issue at play here is the long and checkered history of mobile malware protection, a market into which security companies rushed headlong in years past. Worms and viruses, we were told, would soon be crawling across mobile phone screens just as they did across Windows desktops, using SMS and other vectors to spread, causing massive blackouts and pushing mobile spam through the ether. It never happened, for two reasons. First, the mobile device market wasn’t an operating system monoculture like the PC market. Second, mobile devices generally didn’t hold the kinds of data that professional criminal groups were interested in going after.

Today, most anti-malware companies make, market and sell security software for detecting and preventing mobile malware, spam and a host of other ills. Much of it is directed at the telcos and other carriers who run mobile communications networks. On the enterprise side, it’s still early days for mobile device management – but that may not be the case for long.

What do enterprises want? I think it’s a safe bet that the market for mobile device security will proceed in the opposite direction of the enterprise anti-malware market, which started with threat protection before making its way to data encryption, anti-data leakage and configuration management. While they aren’t too concerned about SMS worms spreading over mobile networks (which they don’t own or control anyway), enterprise IT shops are deeply concerned about the sensitive information that’s stored on their CEOs’ iPhone or BlackBerry, and anxious about what it would mean for their company if that device goes missing.

First, companies want to be able to manage and provision mobile devices alongside their other IT assets such as servers, desktops and laptops. Knowing what kind of mobile device an employee uses and making sure they have secured it with a password would seem like low-hanging fruit, but it’s still rare within enterprises, and downright impossible in an environment where employees use a half dozen or more different mobile platforms. As my experience at last week’s user conference suggests, mobile device management is still the forgotten child of systems and security management. Expect that to change.

Next, enterprises want to be able to monitor and enforce policies to protect sensitive data. One example would be mobile device encryption tools that protect data at rest on mobile devices. Security vendors like McAfee, Check Point and Sophos have found their way to this market in recent years. As for handset makers, RIM is at the front of the pack when it comes to mobile device data encryption with its BlackBerry Enterprise Server. But others, including Apple, are still too focused on satiating consumer demand to spend much time on the security features that enterprises want. That may be understandable, but in the long run, both consumers and enterprise users will be clamoring for more platform security.

Last but not least, mobile device makers, carriers and even enterprises will need to invest more in mobile threat protection software, even if the prospect of Blaster-style worms racing across the mobile landscape is still slim. As mobile use patterns change, carriers and enterprises alike will need to extend the same umbrella of protection against threats like e-mail and Web-borne malware to the mobile devices their employees carry. At the same time, more traditional mobile threats such as SMS text-based attacks and even Bluetooth-borne attacks will continue to be a concern.

* Paul F. Roberts is a senior security analyst for enterprise security at The 451 Group. He has reported on security for The IDG News Service, eWEEK and InfoWorld.