Smartphone risks
Today's smartphones come with advanced features
such as the ability to connect to the Internet,
download applications, store pictures and
videos, use wireless connectivity, and perform
on-line banking. While smartphones increase
productivity, they also come with risks.
Smartphones can be used to access corporate
information systems. By exploiting smartphone
and browser vulnerabilities, attackers can gain
access to your applications and data.
Application-based attacks are a major threat
and can target your logon credentials, memorized
passwords, financial data, etc. The software is
typically installed by the phone user when
visiting an infected web site, downloading and
installing applications, or clicking on links in
messages. However, it can also be installed by
someone else who has physical access to your
phone. All it takes is a few minutes to install
the software and then it runs behind the scenes
without your knowledge.
Spyware is no longer restricted to PCs; phone
spyware can:
- Listen in on your phone calls
- Record your text and e-mail messages
- View your photographs
- Access your files
When your phone is not in use, spyware can
turn on the microphone and listen in on
conversations in your vicinity. Spyware can even
track your location through the Global
Positioning System (GPS) feature on your phone.
Some spyware can automatically forward text
messages to a designated phone number.
Establish standards
According to industry statistics, two thirds of
fresh and critical business data is not stored
on corporate servers. Smartphones and other
intelligent devices frequently hold the most
current customer contacts, communications with
suppliers, vendors, and other service providers.
Many phone users adopt new technology before
they are fully aware of the risks involved.
Securing smartphones is the responsibility of
both the phone user and the organization.
Successful firms use a multi-layered approach to
protecting smartphones and related "information
assets".
The IT Department should establish standards
for smartphones, phone protection software, etc.
This reduces IT administration costs and offers
better protection for the enterprise. IT must
identify controls that compensate for the
infrequent patch updates of smartphone software,
compared with the daily or weekly updates
provided for servers and desktops. IT should
have a firm policy that
identifies devices that are allowed to connect
to the network.
Encryption
Where possible, smartphone operating systems
should support encryption. Many smartphones
include a system encryption feature that
encrypts all data, applications, and files. When
a user powers on the phone they enter a password
or PIN to gain access to the information on the
device. The smartphone then uses the password or
PIN to decrypt the data and make it readable.
Phone security configuration
Where possible, smartphone users should minimize
their attack surface by disabling:
- Global Positioning System (GPS) -
announces your location.
- Bluetooth - default configurations may
leave the phone open to pairing with
unauthorized devices.
- Wi-Fi - smartphones using Wi-Fi are
vulnerable to the same risks faced by
laptops. Access using a provider's 3G or 4G
service tends to be more secure.
The phone should have a very strong password
and a short screen timeout. This helps prevent
an unauthorized person from accessing sensitive
data or downloading and installing unwanted
applications. Take advantage of smartphones that
allow stronger passwords:
- Passwords longer than four digits
- Create a security code by tracing a
pattern with a finger
- Biometric security features
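As an added example (not code from the original article), the following Python model ties together the unlock path described under Encryption and the password advice above: the PIN or password is stretched into a data-encryption key, a stored verifier checks it without the key itself being stored, failed attempts count toward a wipe, and guesses_needed shows why a four-digit PIN gives an attacker so little to search. The iteration count, the ten-attempt wipe threshold and the verifier label are assumptions, not values from any real handset.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example; real devices use hardware-backed
# key derivation with their own iteration counts and lockout policies.
ITERATIONS = 100_000
MAX_ATTEMPTS = 10   # assumed policy: wipe after ten failed unlock attempts


def derive_key(secret: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a PIN or password into a 256-bit data-encryption key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations, dklen=32)


def enroll(secret: str) -> dict:
    """Set up a device: a random salt plus a verifier derived from the key, never the key itself."""
    salt = os.urandom(16)
    key = derive_key(secret, salt)
    verifier = hmac.new(key, b"unlock-verifier", "sha256").digest()
    return {"salt": salt, "verifier": verifier, "failed": 0, "wiped": False}


def unlock(device: dict, attempt: str):
    """Return the data key for a correct PIN, None otherwise; wipe after MAX_ATTEMPTS failures."""
    if device["wiped"]:
        return None
    key = derive_key(attempt, device["salt"])
    candidate = hmac.new(key, b"unlock-verifier", "sha256").digest()
    if hmac.compare_digest(candidate, device["verifier"]):
        device["failed"] = 0          # a good unlock resets the counter
        return key
    device["failed"] += 1
    if device["failed"] >= MAX_ATTEMPTS:
        device["wiped"] = True        # wipe: verifier destroyed, encrypted data unrecoverable
        device["verifier"] = b""
    return None


def guesses_needed(length: int, alphabet_size: int) -> int:
    """Worst-case number of guesses for a secret of the given length and alphabet."""
    return alphabet_size ** length
```

With the derived key feeding a cipher such as AES, a four-digit PIN leaves only 10,000 keys to try, which is why the attempt limit and a longer secret matter together.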
Like a traditional computer, smartphones have
the ability to remember website logon usernames
and passwords. This can present a security risk
if the phone is lost or stolen. Configure the
smartphones to disable the browser's auto-fill
feature.
Security can be cumbersome when users must
remember a different password for each
application or website. Applications such as
PasswordWallet, 1Password, LastPass, and
SplashID help users manage multiple logon
credentials.
Protection software
Phone protection software should be installed on
all devices that access the Internet and
especially phones that access corporate
information systems. Smartphone security and
device management software typically provides
the following services:
- Access - notifies user when applications
attempt to access sensitive data
- Alerts - when user visits a suspicious
website
- Backup - contacts, calendars, text
messages, etc., with browser access to the
service to restore files
- Blocking - block spam, unwanted text
messages, phone calls
- Locate - helps you find a missing phone
by showing it on a map or sounding an
audible alarm
- Malware - scans applications for viruses
and other forms of malicious software
- Parental control - view messaging and
photo activity
- Remote - remotely trace and lock phone,
remove contents on device if lost or stolen
(wipe)
- Device management - mobile device
management (MDM) software helps IT
departments manage data boundaries so IT can
wipe organization information from the
device without erasing the user's personal
data
Not all smartphone security software products
include the features listed above. In addition,
some features such as backing up call log files,
photos, etc. may be an additional charge or may
only protect the information on the phone and
not on SD cards. Popular security software
includes:
- BullGuard Mobile Security
- F-Secure Mobile Security
- Lookout Mobile Security
- McAfee WaveSecure
- Norton Mobile Security
- Trend Micro Mobile Security
Security education
Staff security education and awareness training
should be provided on a regular basis.
Smartphones are portable and easily misplaced
or stolen. Ensure staff follow physical security
best practices that include locking the device
when it is not in use.
Staff should only download and install
applications from trusted sources. Before
installing software, staff should read the
application reviews, and they should read and
understand the permissions the application
requests.
Staff should not click on message links from
unknown senders or visit unknown web sites that
can download and install malware to a smartphone.
Once installed, the malware can launch attacks
against your internal network.
When using the phone for personal activities
such as banking, shopping, etc., the user should
use a dedicated application provided by the
retailer instead of using the smartphone's
browser. Staff should periodically clear the
browser history to prevent someone from
retracing the user's activities.
Staff should be made aware that text messages
are sent in unencrypted, clear text that can be
read by others. In addition, most messaging
applications do not offer security protection.
Summary
With immediate access to corporate systems,
data, e-mail, and the Internet, smartphones
offer enhanced productivity. Smartphones also
present a variety of risks that must be managed
using a proactive approach to security.
Network security audits and mobile security
audits help organizations identify, manage, and
reduce their risks related to smartphones. Formal
and documented policies ensure a top-down
approach to managing smartphone-related risks.