- Category: September - October 2009
Working with mobile devices is on the rise in almost all companies. Besides the already established laptop, employees resort more and more often to the PDA or smartphone to access important data or to interact quickly with colleagues when outside the office. Companies generally hope to achieve higher productivity through the use of handhelds; to date, however, the specific vulnerabilities of these handy communication devices are still largely ignored.
Basically, there are two sources of security risk when using PDAs and smartphones in the enterprise: the user and the device itself. When integrating such devices into the corporate network, IT too seldom relies on the "usual suspects": authentication, mobile VPN clients, firewalls, encryption and malware scanners. Only with these in place can security settings be applied on the handheld in accordance with company policy.
Although IT managers and administrators should be aware of these risks, user rights and security settings on mobile devices are not defined in most companies. The majority of businesses handle applications and settings quite carelessly and thereby expose sensitive corporate data. Confidential e-mails and documents, network access credentials, customer contacts and supplier data are thus stored unprotected on most company PDAs and smartphones. The IT department effectively transfers responsibility for data security to the staff and expects employees to look after the data themselves in accordance with the company's security policy. In many cases this assumption fails because of the naivety, carelessness or lack of technical understanding of the individual. Taking adequate measures is often the weak point.
Human Interface as security guard
The "human interface", i.e. the human factor, remains the biggest security risk even if the PDA or smartphone has been configured according to the appropriate IT security policy. Keep in mind that on smartphones and PDAs every user is always an administrator. With the right technical knowledge, users can therefore modify the device configuration any way they want and disable security software. The configuration database of the operating system, the registry, is easily accessible to the user on PDAs and smartphones. With a remote registry editor or a third-party registry editor, any experienced user can, for example, disable encryption software and firewalls.
To protect the security-critical settings in the registry, it must be guarded against write access. This can be achieved by deploying a security solution such as ubiControl, which runs as a kernel-level application on the handheld and is designed so that it cannot be terminated or bypassed by buffer overflow attacks. It prevents the execution of registry editors and blocks the import of registry changes.
Attack on the company network via hotspots
If a sales representative, for instance, logs onto the corporate network over an unsecured connection such as an airport hotspot to download an important chart for his presentation, uncontrolled access to the corporate network by third parties becomes possible. IT managers can counter such risks by installing a firewall or enforcing a permanent VPN-protected connection to the corporate network. The connection must, however, be fixed permanently, because the experienced user also has administrative rights over the dial-up settings: he could, for instance, remove the security settings of the dial-up connections for the various networks (GSM, GPRS, UMTS, Bluetooth and Wi-Fi) and set up his own POP3 accounts for private e-mail communication.
Sensitive data on a silver platter
Mobile workers around the world have their PDA or smartphone always at their fingertips, so it is no surprise that the handy devices are frequently left behind in restaurants, on trains, at the airport or in a taxi. It is then easy for a skilful and malicious finder to get at all the data stored on the handheld. The built-in power-on password is not an obstacle.
If the device is, for example, started up in the boot ROM mode of its network card, the power-on password prompt can be bypassed completely. All memory contents can then be read out on a connected computer: the entire e-mail traffic, addresses and customer data, all stored documents and the access credentials for the corporate network. The power-on password alone therefore provides no protection for data at rest; IT managers can prevent this kind of data theft only with secure VPN or encryption systems, used in conjunction with a registry blocker so that the user cannot simply switch the protection off.
Policy enforcement module takes users’ admin rights
The risks arising from missing data security on smartphones and PDAs, and the resulting opportunities for attacks on the company, can be eliminated by IT security officers only if the company's user rights and security settings are stored permanently on the device. By installing a policy enforcement module on the employees' handhelds, the company-specific user rights and device configurations can be controlled and the invocation of critical functions and applications specifically prevented. Users then have no administrative rights on their company handheld, which means they cannot override the security settings of the device, not even inadvertently. In addition, companies reduce their support costs in this way, since incidents in corporate communications and the time required for administering the mobile devices are both reduced.
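The following is an added example, not code from the article or from ubiControl, showing the core logic such a policy enforcement module has to implement for the scenarios above: auditing the device configuration against a policy baseline (encryption, firewall and permanent VPN switched on), detecting and removing mail accounts the user has added for private POP3 mail, restoring the required values, and refusing to launch registry editors or import registry change files. The registry is modelled as a flat dictionary and all key names, executable names and the sample configuration are hypothetical and constructed for the example; real Windows Mobile paths differ per device.

```python
"""Policy enforcement check for a handheld configuration (constructed example).

The registry is modelled as a flat dict mapping key paths to values.
All key paths, executable names and sample values below are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Settings the policy requires to be present with exactly these values.
REQUIRED_SETTINGS: Dict[str, int] = {
    "HKLM\\Security\\Encryption\\Enabled": 1,
    "HKLM\\Security\\Firewall\\Enabled": 1,
    "HKLM\\Security\\VPN\\AlwaysOn": 1,
    "HKLM\\Security\\PowerOnPassword\\Enabled": 1,
}
# Any mail account under this prefix that is not allow-listed is removed.
ACCOUNT_PREFIX = "HKCU\\Mail\\Accounts\\"
ALLOWED_ACCOUNTS = {"corp-exchange"}
# Registry editors the module refuses to launch, and file types it refuses to import.
BLOCKED_EXECUTABLES = {"regedit.exe", "remoteregedit.exe"}
BLOCKED_IMPORT_EXTENSIONS = (".reg",)

REMOVE = "<remove>"  # sentinel: the key must not exist at all


@dataclass(frozen=True)
class Violation:
    key: str
    expected: object  # required value, or REMOVE
    actual: object


def audit(registry: Dict[str, object]) -> List[Violation]:
    """Return every deviation of the current configuration from the policy."""
    found: List[Violation] = []
    for key, wanted in REQUIRED_SETTINGS.items():
        actual = registry.get(key)
        if actual != wanted:
            found.append(Violation(key, wanted, actual))
    for key, value in registry.items():
        if key.startswith(ACCOUNT_PREFIX):
            account = key[len(ACCOUNT_PREFIX):].split("\\", 1)[0]
            if account not in ALLOWED_ACCOUNTS:
                found.append(Violation(key, REMOVE, value))
    return found


def enforce(registry: Dict[str, object]) -> Tuple[Dict[str, object], List[Violation]]:
    """Return a corrected copy of the configuration plus the violations that were fixed."""
    fixed = dict(registry)
    violations = audit(registry)
    for v in violations:
        if v.expected == REMOVE:
            fixed.pop(v.key, None)      # drop the unauthorised account key
        else:
            fixed[v.key] = v.expected   # restore the policy value
    return fixed, violations


def launch_allowed(exe_name: str) -> bool:
    """Block registry editors regardless of the user's 'admin' rights."""
    return exe_name.lower() not in BLOCKED_EXECUTABLES


def import_allowed(filename: str) -> bool:
    """Block import of registry change files."""
    return not filename.lower().endswith(BLOCKED_IMPORT_EXTENSIONS)


# Constructed sample: the user switched encryption and the permanent VPN off
# and added a private POP3 account next to the corporate one.
SAMPLE_REGISTRY: Dict[str, object] = {
    "HKLM\\Security\\Encryption\\Enabled": 0,
    "HKLM\\Security\\Firewall\\Enabled": 1,
    "HKLM\\Security\\VPN\\AlwaysOn": 0,
    "HKLM\\Security\\PowerOnPassword\\Enabled": 1,
    "HKCU\\Mail\\Accounts\\corp-exchange\\Server": "mail.example.com",
    "HKCU\\Mail\\Accounts\\gmail-private\\Server": "pop.example.net",
    "HKCU\\Mail\\Accounts\\gmail-private\\Protocol": "POP3",
}

if __name__ == "__main__":
    corrected, fixed_violations = enforce(SAMPLE_REGISTRY)
    for v in fixed_violations:
        print(f"fixed {v.key}: {v.actual!r} -> {v.expected!r}")
    print("remaining violations:", audit(corrected))
    print("regedit allowed:", launch_allowed("regedit.exe"))
    print("import of settings.reg allowed:", import_allowed("settings.reg"))
```

On the sample configuration the audit reports four deviations (encryption off, permanent VPN off, and the two keys of the private POP3 account); after enforcement the audit is empty. A real module would run this check in a privileged kernel-level service on every write to the protected keys rather than periodically, so that a user-level change never takes effect in the first place.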