Securing the Operating System
Most operating systems for PDAs and smartphones have been designed from scratch within the last decade, and security has been one of several important criteria. The early driving factors in the design phase were low memory usage, small OS footprint, always-on operation and the support of special hardware, such as low-power chipsets and small screens. Because the IT industry now recognizes the need for more secure computing models, additional security features such as VPN, SSL, crypto modules, login passwords, and code signing have been introduced. Microsoft and Symbian, in particular, have made significant improvements to their mobile operating systems. Symbian 9, for example, has sophisticated security models, trusted computing concepts, data caging, application rights, etc.
At the same time, other features continue to be added to these operating systems. The market and user expectations have largely driven OS providers and device manufacturers to add more and more features, which introduce additional software complexity. And since each line of code can be the reason for an additional security exploit, the risk of additional security issues grows with each added feature. Additionally, mobile devices can be connected in many more ways than via a carrier’s network (e.g., Bluetooth, WiFi, infrared, corporate networks); mobile devices no longer operate in a closed environment.
Know your options
Despite the high numbers of mobile devices that go missing, companies are apparently not doing enough employee education to help secure their mobile assets. The problem is not unique to the United States – a recent survey in the United Kingdom revealed that nearly two-thirds of UK business users do not use a password when they log on to their laptops, and of the users who do use passwords, 15 percent use their name and 10 percent give password details to colleagues. A third of the respondents have not changed their passwords in the past year.
The ideal solution would be to prohibit all confidential data from being stored on mobile devices, but that is neither realistic nor practical. Of course, developing company policies and procedures to minimize the risk of theft or compromised data on employees’ mobile devices should be the foremost precaution taken by IT or IS administrators. The following safety measures could reduce the risk that confidential information will be accessed from lost or stolen mobile devices:
Provide training to personnel using mobile devices. People cannot be held accountable for securing their information if they haven’t been told how.
Remove data from devices that aren’t in use. Several incidents have involved people obtaining “hand-me-down” mobile devices that still held confidential company data.
Establish procedures to disable remote access for any mobile devices that are lost or stolen. Many devices store user names and passwords for Web site portals, which could allow a thief to access even more information than is on the device itself.
Centralize management of your mobile devices. Maintain an inventory so that you know who’s using what kinds of devices.
Patch management for software on mobile devices should not be overlooked. This can often be simplified by integrating patching with syncing, or patch management with the centralized inventory database.
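As an added illustration (not part of the original article), the measures above can be checked mechanically against a centralized inventory. The record fields, status values, finding names, the 30-day patch threshold and the sample inventory below are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date

MAX_PATCH_AGE_DAYS = 30        # assumed policy threshold, not from the article
AUDIT_DATE = date(2024, 6, 1)  # fixed date so the result is reproducible

@dataclass
class Device:                  # hypothetical inventory record
    device_id: str
    owner: str                 # "" when the device is not assigned
    status: str                # "active", "unused", "lost" or "stolen"
    wiped: bool                # company data removed from the device
    remote_access: bool        # VPN/portal credentials still valid
    owner_trained: bool
    last_patched: date

def audit(devices, today=AUDIT_DATE):
    """Return (device_id, finding) pairs for every measure a device fails."""
    findings = []
    for d in devices:
        if d.status in ("lost", "stolen") and d.remote_access:
            findings.append((d.device_id, "REMOTE_ACCESS_NOT_DISABLED"))
        if d.status == "unused" and not d.wiped:
            findings.append((d.device_id, "DATA_NOT_REMOVED"))
        if d.status == "active":
            if not d.owner_trained:
                findings.append((d.device_id, "OWNER_NOT_TRAINED"))
            if (today - d.last_patched).days > MAX_PATCH_AGE_DAYS:
                findings.append((d.device_id, "PATCH_OVERDUE"))
    return findings

# Constructed sample inventory (not real data).
INVENTORY = [
    Device("PDA-001", "alice", "active", False, True, True, date(2024, 5, 20)),
    Device("PHN-002", "bob", "active", False, True, False, date(2024, 3, 1)),
    Device("PHN-003", "", "unused", False, False, True, date(2024, 1, 15)),
    Device("LAP-004", "carol", "lost", False, True, True, date(2024, 5, 28)),
    Device("PDA-005", "", "unused", True, False, True, date(2024, 2, 10)),
]

if __name__ == "__main__":
    for device_id, finding in audit(INVENTORY):
        print(f"{device_id}: {finding}")
```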
Fortunately, security products that can detect malicious code exist for most mobile device operating systems. Security technologies that can protect both the organization and the various types of mobile devices should also be implemented. Native mobile device security such as light encryption, basic passwords, and physical locks may deter some hackers, but rarely stymies a determined criminal.
A multi-layered approach to security is important; securing the end point, gateway and network is key. Endpoint security must go with security at the edge and core of the enterprise network; they are complementary and address different threats and entry points. That said, mobile enterprises should seriously explore the following security solutions:
(1) Intrusion detection solutions act as a “security force” inside the perimeter to spot intruders that penetrate the outer defenses
(2) Message security solutions filter spam and other undesired messages and content at the gateway and are essential to an overall email security solution
(3) Integrated firewall/VPN and virus protection/content filtering solutions offer protection from Internet-borne threats for the desktop and can protect data without slowing performance
(4) Anti-spyware solutions can provide real-time scanning, automatic detection and removal, and integrated tools for remediating the side effects that spyware can have on a user’s system
(5) Policy compliance management solutions help define and enforce policies from a central location as well as probe for network vulnerabilities and suggest remedies
(6) Administration solutions facilitate the management of hardware and software assets, and provide a way to plan, track, and apply system changes
For smartphones in particular, real-time automatic and on-demand virus scan capabilities can protect files that are stored on the smartphone’s file system, while the firewall should use protocol and port filtering to protect the data and applications being transmitted.
To ensure that devices are protected against new threats, users should be able to download the latest virus protection updates when the device has access to a wireless connection.
Smartphones, PDAs, and laptops are increasingly being used in much the same way as desktop computers, putting these devices at risk of the onslaught of threats that has been seen in recent years on PCs. Today’s enterprises are mobile enterprises. Deploying effective tools and policies to thwart the growing number of malicious attacks, which can not only impair mobile devices but could potentially breach enterprise security, compromise proprietary data, and negatively impact regulatory compliance and legal agreements, should be a top priority.