IT managers battle mobile viruses
Your fixed clients are secured. Now, what about the mobile computers?
By Bob Francis, InfoWorld | Published: 13:00, 14 March 2005
Worms and viruses are increasingly sprouting wings, taking to the air, and nesting in wireless phones, PDAs, and other devices. If none of these assailants have found their way into your users' devices and data, then it's likely no more than a matter of time until they do. But there are steps IT can take now to help protect against this new breed of airborne virus.
Earlier this week antivirus vendors spotted what they consider to be the first virus that propagates via the Mobile Messaging Service. CommWarrior.A, in fact, is striking mobile phones with Symbian Series 60 software.
And the industry has seen the airborne virus Cabir spread throughout Singapore, the United Arab Emirates, China, India, and other countries since it first showed itself in August 2004 in the Philippines. Users in France and Japan earlier this month found their cell phones contaminated with Cabir.
But mobile viruses, to date, have not caused considerable damage to enterprises. There is reason for concern, however. A recent survey conducted by security specialist netSurity for RSA Security found that in London the number of wireless local area networks (WLANs) increased by 62 percent in 2004, with access points growing to 1,751 from 1,078. At the same time, security on the wireless networks got worse, leaving 36 percent of the firms open to potential attack, up from 25 percent in 2003.
The report warns that this increase in unsecured wireless networks - which is also occurring in other cities around the globe - leaves businesses vulnerable to corporate information theft, sabotage, and compromised networks. And it is not just sophisticated criminal activity that is leading to this vulnerability. The report says that basic security precautions have not been taken. Forty-three percent of companies failed to switch on the default Wired Equivalent Privacy (WEP) encryption standards found in most wireless products.
Jim Stickley, co-founder and CTO of TraceSecurity, a security consulting and software firm, is not too surprised by the report's findings. "Two years ago, plenty of people were still saying this wasn't going to be a problem," said Stickley. "Now we're getting plenty of calls about it. People are concerned, and they should be."
But there are measures that IT can put into practice to help lessen the damage if a strike does occur, or at the very least steps that can be taken to educate users about the dangers.
Prepare for the worst
Stickley has some advice for IT managers who are now being asked to deal with the issue: Prepare yourself, prioritize, and encrypt.
"First off, be concerned. Prepare for the worst-case scenario. Ask yourself what you are giving people access to when you set up a wireless system," he said.
Stickley also advises IT managers to prioritize their risk factors. For example, he notes that laptops carry a lot more risk than a cell phone, and that laptops with wireless capabilities carry even more risk. "When people switch off their default wireless security, they often don't switch it back on again, so it helps to build in some reminders," he said.
Stickley also said perimeter security is not the only place to look when dealing with wireless systems. "If you think your database is possibly vulnerable, think about encrypting the data. That's probably good advice anyway, but if your salespeople have mobile devices and they are connecting to your database, you want to protect it," he said.
Mark Komisky, founder and CEO of Bluefire, a security company that provides security software for wireless and mobile devices, offered advice for IT administrators looking seriously at wireless technologies.
"If you are an IT administrator looking at smart phones, you need to think about what will happen if these devices are lost or stolen. Use the password capability, and if you have an encryption product, you should use it at least for some of the data," Komisky said.
He also suggested using the data wipe capability of the phones if someone is logging into the device too often. "We're starting to see tools that allow for remote data wipes, and I think these can be very useful to keep someone off your network," he said.
Komisky also has some practical information for users of wireless devices and smart phones. "A lot of people keep credit card numbers on their devices and that's not very smart. Any sensitive personal or business information should at least be protected by some passwords or encryption."
What to expect from vendors
Security vendors have not been ignoring the problem of wireless security. They continue to add features to their products designed for wireless computing. StillSecure, for instance, recently updated its StillSecure Safe Access endpoint policy compliance product with agentless and agent-based options for testing endpoint devices, including internal, remote, foreign, and wireless endpoints.
Offering agentless and agent-based options gives network administrators more options, said Mitchell Ashley, CTO and vice president of customer experience at StillSecure.
“Because networks are configured differently, there’s no one-size-fits-all approach to securing endpoint devices. We give users the option to choose the method that works best for them based on preference, network infrastructure, type of devices, and a cost-benefit analysis,” he said.
Networks themselves will become more secure from wireless threats when wireless security features begin to be built into the infrastructure. For instance, Cisco Systems Inc. and other network vendors are expected to include 802.1X features in routers later this year. The 802.1X standard secures the credentials exchange between a wireless device and a network, offering a unique network encryption key and providing the option to regularly change that key without user involvement beyond the initial log-in.
And while vendors such as T-Mobile have taken it on the chin for recent security glitches involving Paris Hilton, those same mobile vendors are working to provide IT managers with secure solutions for wireless devices. Recently, for instance, Newsweek signed a deal with JP Mobile and Sprint Corp. to provide the newsweekly with SureWave Mobile Office, a secure wireless e-mail and personal information management (PIM) system. The system integrates a variety of Sprint PCS Vision Smart Devices and gives users secure wireless access to corporate e-mail, personal information managers, and other Notes-based productivity applications.
"The mobile vendors are very aware of the problem and they are partnering to provide secure solutions," Bluefire's Komisky said.
To be sure, there is no rock-solid way to prevent airborne viruses from attacking and, in so doing, wreaking havoc. Even the most prepared, educated and encrypted IT shops will find the same challenge on mobile devices that plagues hard-wired PCs and networks: Virus writers are very adept at staying one step ahead of the vendors and enterprises.
In addition to putting mobile virus-specific practices into operation, perhaps the most significant change IT managers should begin is to transform the way they approach the use of mobile devices. Cell phones, PDAs, and multifunction wireless devices are no longer isolated from the corporate network. As the devices themselves are permitted to access deeper crannies of the network, such as data residing in enterprise applications, they are becoming another target for attackers.
In short: IT had better be sure that it is managing users' cell phones and handheld devices, because more and more employees are going to be using them.
"I was listening to Ed Zander of Motorola showing off their new phone and he said, 'This is really just a small computer on a giant worldwide network,' and I think he's right," Komisky said. "That's how IT managers need to think about these devices."