Smartphone Security
Today's smartphones come with advanced features
such as the ability to connect to the Internet,
download applications, store pictures and videos,
use wireless connectivity, etc. While smartphones
increase productivity, they also come with risks.
Smartphones can be used to access corporate
information systems. By exploiting smartphone and
browser vulnerabilities, hackers can gain access to your
applications and data.
Application-based attacks are a big threat and
can target your logon credentials, memorized
passwords, financial data, etc. The malicious software
is typically installed by the phone user
when visiting an infected web site, downloading and
installing applications, or clicking on links in
messages. However, it can also be installed by
someone else who has physical access to your phone.
All it takes is a few minutes to install the
software and then it runs behind the scenes
without your knowledge.
Spyware is not restricted to PCs. There is
phone spyware that can:
- Listen in on your phone calls
- Record your text and e-mail messages
- View your photographs
- Access your files
When your phone is not in use, spyware can turn
on the microphone and listen in on conversations in
your vicinity. Spyware can even track your location
through the Global Positioning System (GPS) feature
on your phone. Some spyware can automatically
forward text messages to a designated phone number.
Smartphone security tips
According to industry statistics, two thirds of
fresh and critical business data is not stored on
corporate servers. Smartphones and other
intelligent devices frequently hold the most current
customer contacts, communications with vendors
and suppliers, etc.
Many phone users adopt new technology before they
are fully aware of the risks involved. Securing
smartphones is the responsibility of both the phone
user and the organization. Successful firms
use a multi-layered approach to protecting
smartphones and related "information assets".
The IT Department should establish standards for
smartphones, phone protection software, etc. This
reduces IT administration costs and offers better
protection for the enterprise. IT must
identify controls that address how infrequently
smartphone software patches arrive compared with the
daily or weekly updates provided for servers and desktops. IT
should have a firm policy that identifies devices
that are allowed to connect to the network. Where
possible, smartphone operating systems should
support encryption.
Where possible, smartphone users should minimize
their attack surface by disabling:
- Global Positioning System (GPS) - announces
your location.
- Bluetooth - default configurations may allow
pairing with unauthorized devices.
- Wi-Fi - smartphones using Wi-Fi are
vulnerable to the same risks faced by laptops.
Access using a provider's 3G or 4G service tends
to be more secure.
The phone should have a very strong password and
a short screen timeout. This helps prevent an
unauthorized person from accessing sensitive data or
downloading and installing unwanted applications.
Take advantage of smartphones that allow stronger
passwords:
- Passwords longer than four digits
- Create a security code by tracing a pattern
with a finger
- Biometric security features
Employee security education and awareness
training should be provided on a regular basis.
Employees should only download and install
applications from trusted sources. In addition,
employees should not click on message links from
unknown senders or visit unknown web sites.
Like a traditional computer, smartphones have the
ability to remember website logon usernames and
passwords. This can present a security risk if the
phone is lost or stolen. Configure smartphones
to disable the browser's auto-fill feature.
Security can be cumbersome when
users must remember a different password for each
application or website. Applications such as
PasswordWallet, 1Password, LastPass, and SplashID
help users manage multiple logon credentials.
User activities can download malware to a
smartphone. Once installed, the malware can launch
attacks against your internal network. Phone
protection software should be installed on all
devices that access the Internet and especially
phones that access corporate information systems.
Smartphone security and device management software typically provides the
following services:
- Access - notifies user when applications
attempt to access sensitive data
- Alerts - when user visits a suspicious
website
- Backup - contacts, calendars, text messages,
etc.; browser access to the service to restore files
- Blocking - block spam, unwanted text
messages, phone calls
- Locate - helps you find a missing phone by
locating the phone on a map, sounds an audible
alarm
- Malware - scans applications for viruses and
other forms of malicious software
- Parental control - view messaging and photo
activity
- Remote - remotely lock phone, remove
contents on device if lost or stolen (wipe)
- Device management - mobile device management
(MDM) software helps IT departments manage data
boundaries so IT can wipe organization
information from the device without erasing the
user's personal data
Not all smartphone security software products
include the features listed above. In
addition, some features such as backing up call log
files, photos, etc. may carry an additional charge or
may only protect the information on the phone and
not on SD cards. Popular security software
includes:
- BullGuard Mobile Security
- F-Secure Mobile Security
- Lookout Mobile Security
- McAfee WaveSecure
- Norton Mobile Security
- Trend Micro Mobile Security
Risk
assessments help organizations identify, manage,
and reduce their risks.