- Category: March 2011
Working with smartphones to access important data or to interact quickly with colleagues is already common business practice, as it raises productivity. Unfortunately, the specific vulnerabilities of these handy communication tools still seem to be underestimated by many companies.
Basically, there are two sources of security weakness when smartphones are used in the enterprise: the user and the device itself. When such devices are integrated into the corporate network, the "usual suspects" of IT security (authentication, mobile VPN clients, firewalls, encryption and a malware scanner) are too seldom on IT's list, even though security settings can be made on the handheld in accordance with company policies.
While IT managers and administrators should be aware of these risks, user rights and security settings on mobile devices are not defined in most companies. The majority of businesses deal with applications and settings quite carelessly and thereby compromise sensitive corporate data: confidential emails and documents, network access credentials, customer contacts and supplier data are stored unprotected on most company smartphones. The IT department shifts responsibility for data security onto fellow staff and expects them to look after their own data in line with the company's security policy. That assumption regularly fails because of user ignorance, carelessness or lack of technical understanding. The failure to take adequate technical measures, instead of relying on the user, is often the key weak point.
Human Interface as security guard
The "human interface", the human factor, remains the biggest security risk even when the smartphone has been configured according to the applicable IT security policy. Keep in mind that on these devices every user is effectively an administrator: with enough technical knowledge they can change the device configuration as they please, which may well include disabling the security software. The operating system's configuration database, the registry, is easily accessible to most users on smartphones. With a remote registry editor or a third-party editor, any experienced user can, for example, disable encryption software and firewalls.
To safeguard the security-critical settings in the registry, it must be protected against write access. This can be achieved by deploying a security solution such as ubiControl, which runs as a kernel-level application on the handheld and is designed not to be terminated or bypassed by buffer overflow attacks. It prevents the registry editors from running and blocks the import of registry changes.
Attack on the company network via hotspots
If a sales representative, for instance, logs onto the corporate network over an unsecured connection such as an airport hotspot, say to download an important chart for a presentation, uncontrolled access to the corporate network by third parties becomes possible. IT managers can stop such risks by installing a firewall or a permanent VPN-protected connection to the corporate network. The connection has to be fixed permanently, however: even with dial-up connections the experienced user has administrator rights, so they could override the dial-up security for the various networks (GSM, GPRS, UMTS, Bluetooth and Wi-Fi) and set up their own POP3 accounts for private e-mail.
Sensitive data on a silver platter
As mobile workers always have their smartphone at their fingertips, it is no wonder that these handy devices are frequently left behind in restaurants, trains, airports or taxis. That makes it easy for a skilled and malicious finder to get at all the data on the handheld. The built-in power-on password is not an obstacle.
If the device is started, for example, in the boot ROM mode of its network card, entry of the power-on password can be bypassed completely. The entire memory can then be read out on the connected computer: all email traffic, addresses and customer data, every stored document and the access credentials for the corporate network. IT managers can prevent this data espionage with secure VPN or encryption systems used in conjunction with a registry blocker, so that the encryption cannot simply be switched off beforehand.
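The following is an added example, not code from the original article or from any product it mentions. It models a stolen handheld whose storage is read out over a bootloader connection, so the PIN prompt is never consulted, and shows which of three storage designs survives that: plaintext mail store, mail encrypted under a key derived from a passphrase the user types, and the same encryption with the derived key cached on the device. The cipher (PBKDF2-derived key, HMAC-SHA256 counter keystream, encrypt-then-MAC) is an illustration built from the standard library only and is an assumption of this example; a real deployment would use the platform's encryption product with AES. The email text and the PIN are constructed data.

```python
"""Why a power-on password does not protect data at rest (added example)."""
import hashlib
import hmac
import os

EMAIL = b"Subject: Q3 pricing\nCustomer X pays 12% below list."  # constructed
PIN = b"1234"                                                      # constructed


def derive_key(passphrase: bytes, salt: bytes) -> bytes:
    """Derive 64 key bytes from a passphrase that never touches the device."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 100_000, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream; illustrative, not AES.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = key[:32], key[32:]
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = key[:32], key[32:]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def build_image(passphrase: bytes, encrypt_storage: bool, cache_key_on_device: bool) -> dict:
    """Simulate flash contents: PIN check data plus the mail store."""
    salt = os.urandom(16)
    image = {"pin_hash": hashlib.sha256(PIN).digest(), "salt": salt}
    if encrypt_storage:
        key = derive_key(passphrase, salt)
        image["mail"] = encrypt(key, EMAIL)
        if cache_key_on_device:
            image["cached_key"] = key  # the mistake: key sits in registry/flash
    else:
        image["mail"] = EMAIL
    return image


def dump_over_bootloader(image: dict) -> bytes:
    """What the finder sees: raw mail store, PIN never checked."""
    blob = image["mail"]
    if "cached_key" in image:          # key is in the dump too, so decrypt
        return decrypt(image["cached_key"], blob)
    return blob


def attacker_recovers_email(image: dict) -> bool:
    return EMAIL in dump_over_bootloader(image)


def owner_reads_email(image: dict, passphrase: bytes) -> bytes:
    """Legitimate path: passphrase typed by the user, key re-derived, not stored."""
    return decrypt(derive_key(passphrase, image["salt"]), image["mail"])


if __name__ == "__main__":
    for name, img in [
        ("plaintext store", build_image(b"correct horse", False, False)),
        ("encrypted, key not on device", build_image(b"correct horse", True, False)),
        ("encrypted, key cached on device", build_image(b"correct horse", True, True)),
    ]:
        print(f"{name:32s} attacker gets email: {attacker_recovers_email(img)}")
```

The PIN hash is present in every image but irrelevant to the outcome; only the location of the encryption key decides whether the dump is useful. This is the point of pairing encryption with a registry blocker: if the user, or malware running as the user, can disable the encryption layer or make it cache its key, the device is back in the first or third case.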
Policy enforcement module takes users’ admin rights
Risks from missing data security on smartphones, and the resulting opportunities for attacks on company IT systems, can only be eliminated if user rights and company security settings are stored permanently on the device. Installing a policy enforcement module on employee handhelds allows the company-specific user rights and device configurations to be controlled and the invocation of critical functions and applications to be specifically prevented. Users should therefore have no administrative rights on their company handheld, so that they cannot override the device's security settings even unintentionally. In addition, companies reduce support costs, since both security incidents in corporate communication and the time needed to administer mobile devices are reduced.
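As an added example (not code from the original article or from ubiControl), here is the audit half of what the registry-protection and policy-enforcement passages above describe: parse a registry export of the kind a remote registry editor produces, compare it with the company policy, and report every setting an experienced user has changed or deleted. The registry key paths, value names and the policy itself are hypothetical, and the export is constructed to show a user who has switched encryption off, opened the firewall's default action and removed the VPN requirement. A real policy enforcement module would additionally block the write in the first place; this code only detects the drift.

```python
"""Audit a .reg-style registry export against a security policy (added example)."""
import re

# Constructed sample export; key paths and value names are illustrative only.
SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Comm\Security\Encryption]
"Enabled"=dword:00000000
"Algorithm"="AES256"

[HKEY_LOCAL_MACHINE\Comm\Security\Firewall]
"Enabled"=dword:00000001
"DefaultAction"="allow"

[HKEY_LOCAL_MACHINE\Comm\ConnMgr\Providers\{WLAN}]
"RequireVPN"=dword:00000000
"""

# Hypothetical company policy: required value per (key, value name).
POLICY = {
    (r"HKEY_LOCAL_MACHINE\Comm\Security\Encryption", "Enabled"): 1,
    (r"HKEY_LOCAL_MACHINE\Comm\Security\Encryption", "Algorithm"): "AES256",
    (r"HKEY_LOCAL_MACHINE\Comm\Security\Firewall", "Enabled"): 1,
    (r"HKEY_LOCAL_MACHINE\Comm\Security\Firewall", "DefaultAction"): "deny",
    (r"HKEY_LOCAL_MACHINE\Comm\ConnMgr\Providers\{WLAN}", "RequireVPN"): 1,
    # Required by policy but absent from the export entirely (deleted value).
    (r"HKEY_LOCAL_MACHINE\Comm\Security\Registry", "BlockEditors"): 1,
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
# Handles the two value types used here: dword:XXXXXXXX and "string".
_VAL_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_reg_export(text: str) -> dict:
    """Return {(key_path, value_name): value} from the subset of .reg syntax above."""
    values = {}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("REGEDIT") or line.startswith("Windows Registry"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = _VAL_RE.match(line)
        if m and current_key is not None:
            name, dword, string = m.groups()
            values[(current_key, name)] = int(dword, 16) if dword is not None else string
    return values


def check_policy(values: dict, policy: dict) -> list:
    """List (key, name, expected, actual) for every policy violation.

    A value missing from the export is reported with actual=None: deleting a
    value disables a control just as effectively as changing it.
    """
    violations = []
    for (key, name), expected in policy.items():
        actual = values.get((key, name))
        if actual != expected:
            violations.append((key, name, expected, actual))
    return violations


def audit(text: str, policy: dict = POLICY) -> list:
    return check_policy(parse_reg_export(text), policy)


if __name__ == "__main__":
    for key, name, expected, actual in audit(SAMPLE_REG_EXPORT):
        print(f"VIOLATION {key}\\{name}: expected {expected!r}, found {actual!r}")
```

Run on the sample, the audit flags four deviations: encryption disabled, firewall default action opened, the VPN requirement for WLAN switched off, and the editor-blocking value missing altogether. The last case is why the check iterates over the policy rather than over the export: a user who deletes a value leaves nothing to compare against unless the policy is the reference.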