Security policies needed for mobile access

 

Summary

Proliferation of mobile devices only adds to IT managers' plates, and more can be done by companies and developers to ensure safe apps, security experts note.

The proliferation of mobile devices means IT managers now have more to handle, and both organizations and developers can do more to get a better grip on mobile threats, according to security experts.

Ronnie Ng, Symantec Singapore's systems engineering senior manager, said in an e-mail interview with ZDNet Asia that the proliferation of advanced, connected devices in enterprises will lead to a corresponding rise in security risks.

In general, Ng said, the number of attacks targeting an OS is directly related to its market share, so the popularity of smartphones will entice more attackers to devote time to creating mobile malware.

He pointed to a botnet called Sexy Space, which targeted the Symbian OS last year. Other attacks have employed a combination of phone infections to send premium SMS messages from the device, prompting money to be deducted from the user's bank or credit account, he said.

One way companies can increase mobile security could be through data loss prevention software, which monitors devices and servers that hold sensitive data and flags warning signals when confidential information is about to leave the network. Ng added that such dashboards also allow IT managers to enforce policies by blocking transmissions of such sensitive data.

Kill by remote
Chia Wing Fei, senior response manager of F-Secure, said confidentiality leaks are proving to be another headache for IT administrators.

Organizations must ensure there is a way to securely and remotely erase all data in a mobile device in the event of a loss, said Chia in an e-mail interview.

He said organizations should also establish a list of mandatory requirements that mobile phones must meet before they are allowed to access the network.

Victor Dronov, product manager of mobile solutions at Kaspersky, said the "inevitable headache" for IT managers, due to the growing number of mobile devices, stems from the organization's demand for employees to continue being productive on the go while having to balance that with managing new entry points to the corporate network.

Dronov said via e-mail that corporations could assess which functions are crucial in order for work to be done and lock others that are not necessary.

He added that the variety of devices in the market also helps mask cybercriminals so that they can get "lost in the crowd", making it harder for the ordinary user to distinguish between safe and malicious apps.

And while typical office workers are more aware and careful regarding PC threats, they tend to let their guard down when it comes to mobiles due to a lack of awareness of mobile risks, he noted.

Due user, developer diligence needed
Chia said users should employ the same best practices on their mobile devices as they do with their PCs. They should check for valid certificates before downloading apps and ensure the app is from a reliable vendor and proper download location, he said.

"By all means avoid using pirated versions or downloading them via peer-to-peer, warez sites and such," he said.

Ng said companies should also educate employees on such best practices and help by identifying sites that scrutinize published apps and those that do not.

"Acknowledge that employees are going to want to download personal, as well as business applications, and deploy the appropriate protection and controls," he noted.

Mobile app developers should also put in due diligence to ensure users are protected.

Tyler Shields, senior security researcher at Veracode, said developers need to maintain the same security development lifecycle with their mobile apps as they do with PC-based software.

Shields said in an e-mail: "Developers need to examine the security of the application from all angles, conduct threat modeling exercises, and analyze both the code and the compiled binary for security deficiencies."

In addition, mobile developers should minimize the attack surface on their apps by limiting input functionality to only the components of the app required for input, he noted.

Developers should also keep access permissions to an app's base code to the minimum, in order to keep flaws from being exploited by hackers, he said.

Shields added that there should be a minimum standard of safety recognized in IT, similar to the auto industry. Meeting those standards could see mobile vendors engaging third parties to have apps tested for security, he said.

Mobile platform providers could also maintain a whitelist--identifying safe apps--on their stores that will prevent apps not on the list from installing or running, he said, noting that Apple, for instance, has a whitelist of sorts in place.

One expert: Mobile risks limited
According to Panda Security, however, mobile devices do not introduce as many security vulnerabilities as the industry thinks.

Luis Corrons, technical director at the company's research facility, said most enterprises do not need to practise additional security measures to account for mobile devices because the limited reach of viruses on mobiles, as well as security screening done by app store providers, is sufficient to keep mobiles in check.

"Talking about phones is not like talking about computers," Corrons said in an e-mail, adding that with the vast majority of PCs running Windows on Intel architecture, most threats to companies will come via the PC on Microsoft's OS.

Contrary to what Symantec's Ng said, Corrons noted that the heterogeneity of mobile hardware and software OS combinations makes it difficult for malware to get far.

Furthermore, while users are capable of running administrator-level tasks on their PCs, they often do not have access to all the functions on their phones, he said.

"Mobile users can install different apps but these are approved by [mobile OS makers]--it doesn't guarantee a 100 percent safety, but compare that to a standard PC, where users will install almost anything.

"Mobile phones shouldn't cause a big headache for IT administrators," Corrons said.
