Companies should be worried about the very real threat of security breaches in the mobile device space and ensure that effective counter measures are put in place. Alan Duerden explains.

In August last year, security software company Trust Digital undertook a piece of research involving the acquisition of 10 smart phones and personal digital assistants (PDAs) from eBay, the online shopping and auction website. Trust Digital engineers recovered nearly 27,000 pages of personal, corporate and device data from nine of the 10 mobile devices purchased, including a smart phone sold by an employee of a major corporation.

The salvaged data included personal banking and tax information, corporate sales activity notes, corporate client records, product roadmaps, contact address books, phone and web logs, calendar records, personal and business correspondence, computer passwords, user medication information and other private, competitive or potentially damaging material.

Now if you are reading this as the chief information officer or chief technology officer of an organisation and these figures do not send an icy chill running down your spine then you need to re-assess your risk mitigation objectives. The figures are mind-blowing, but not surprising, apparently.

“With nearly two billion smart phones currently on the market, the potential for having this information fall into the wrong hands is staggering,” says Nick Magliato, CEO of Trust Digital. “Whether you’re talking about pilfering an individual’s private files or stealing corporate secrets, this adds up to a very real data theft epidemic.”

Service expansion

There has been rapid growth in the smart phone and PDA market in recent years with technological innovation allowing faster and more reliable network connections through mobile telecoms providers and greater functionality on the mobile devices themselves. The financial business space is saturated with mobile devices to the point at which you are almost ‘out of the club’ if you do not have one.

Shane Hughes, president and CEO of Pixys Mobile, the wireless software provider, believes that one of the drivers for growth in the use of handheld devices within financial services has been the exposure that end users have had to the devices. “The BlackBerry in particular is one of the few technologies that was introduced into the financial services enterprise through the boardroom rather than through the technologists. It was the senior executives that had these devices first and there has been a huge knock-on effect,” he says.

One only has to look at the growth rate of subscribers to the BlackBerry service, growing from 534,000 in 2003 to nine million in June 2007, to see how quickly the uptake has been in the mobile device market.

As the desire for mobile devices increases, there will be a continued growth in the use of wireless applications designed for these machines. People increasingly want to be able to access their information from anywhere at anytime and mobile devices are perfect for staying in touch all the time, and with this comes the constant need for access, particularly to time-critical applications.

Working on the move

“As working patterns change and nine-to-five becomes a thing of the past, people are looking to work while on the go and away from the office, leading to a dramatic rise in the use of mobile devices,” says Jason Langridge, UK and EMEA mobility business manager for Microsoft’s Mobile Communications Business. “According to the Future Laboratory, by 2012 there will be more than 5.5 million workers working away from their desks, which suggests that mobile technology is the way forward.”

It is a widely held opinion that the trend in using mobile devices will grow, and with it the number of wireless applications for the financial services industry. “Access to fast, accurate information is the life blood of the financial services industry, and the ability to make timely decisions and take appropriate action is a key element of success,” agrees Andrew Moloney, director of financial services at RSA, the security solutions provider. “It follows that those individuals able to maximise the time they are ‘connected’ will inevitably have the upper hand over those who are not.”

While having everyone ‘connected’ and able to work remotely is seen to make perfect business sense, there are a number of security issues behind smart phone and PDA use. Internet-based applications pose similar issues on a mobile device to those of any browser-based application used over the public internet: data can potentially be intercepted, and users can fall prey to Trojans and phishing attacks.

Trojans are programs that install malicious, security-breaking software while under the guise of something benign, while phishers attempt to fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as established, legitimate enterprises.

“There is quite a broad range of threats here, and what we are seeing out in the world is attacks that can be targeted not just at corporations but at individual users in those corporations,” explains Chris Mayers, principal security architect at Citrix, the enterprise software company.

“Usually the most senior people in those organisations are the types of people that are likely to have mobile devices and these can be very accurately targeted and also at application level as well.”

If we look at today’s drivers for attacks, these are very different to what they used to be in the PC world in 2003/04 and the tales of ‘geeky’ Harvard technology wizards writing viruses just for the sake of it are long gone. Now the motivation behind attacks is financial. There is so much potential to make money from cyber-crime and the mobile device is just one of the attack sectors waiting to be explored. As attackers gain more and more expertise the attack levels will increase significantly.

“Once an attacker has access to a BlackBerry or a smart phone, they can then link it to their laptop and get into everything that the executive has access to, whether that’s e-mail, databases or other information resources, so that is really a big potential problem,” says Katie Gotzen, industry analyst for security group Frost & Sullivan. “They can be commissioned by competitors to obtain intellectual property which can then be used to extort the company otherwise the information will be exposed.” There are even auctions on the internet where hackers or cyber-criminals have obtained information and are selling it to the highest bidder, explains Ms Gotzen.

Fighting back

The story is not completely bleak, however. There is a range of technical solutions based on encryption, authentication and firewalls, and companies such as McAfee, Symantec and Sun Microsystems are producing products to tackle the security problem.

One of the major technology concerns is ensuring that the entire data transport path is secure: retrieving data from behind the corporate firewall, transmitting it securely, and then securing it once it is stored on the device. Depending on what type of mobile device is used, there are many ways to do this. BlackBerry has the BlackBerry Enterprise Server, whose traffic is encrypted to NSA (National Security Agency) level security with high levels of encryption, while other devices, such as Microsoft Windows PDAs, typically use a secure VPN (virtual private network) connection that carries private data communications over public telecommunications networks.

“You need to have strongly encrypted communication and that is pretty much a standard feature available for these devices now,” says Mr Mayers of Citrix. “Then strong authentication – you need to be certain that the user is who they claim they are when they are accessing a corporate application, and again that can be built into the handheld device.”

Remote deletion

Security measures can also be placed around the applications on the mobile devices themselves. Citrix uses one such security measure with its applications, called DataGuard, which gives the ability to remotely delete the application from the device, or to configure it so that if a user does not log into the application within a certain timeframe then it deletes itself. While this seems like a drastic measure, the deleted application can be installed onto the device again remotely.
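A sketch of the two deletion triggers described above, added here as a hypothetical illustration and not Citrix DataGuard's own code: a device-side inactivity rule, a server-initiated delete, and a clean remote reinstall. The class, field and method names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed model of an enterprise application deployed to a handheld.
# Hypothetical code illustrating the article's description; not a vendor implementation.

@dataclass
class ManagedApp:
    max_idle: timedelta                       # policy: delete after this long without a login
    last_login: datetime                      # time of the last successful authentication
    installed: bool = True
    data: dict = field(default_factory=dict)  # corporate data cached on the device
    events: list = field(default_factory=list)

    def login(self, now: datetime, authenticated: bool) -> bool:
        """A successful login resets the inactivity clock; a failed one does not."""
        if not self.installed:
            return False
        if authenticated:
            self.last_login = now
        return authenticated

    def enforce_inactivity_policy(self, now: datetime) -> bool:
        """Device-side check run at startup or by a timer; wipes the app if idle too long.
        Returns True if this call deleted the app."""
        if self.installed and now - self.last_login > self.max_idle:
            self._delete(now, "inactivity")
            return True
        return False

    def remote_delete(self, now: datetime) -> bool:
        """Server-initiated deletion, e.g. after the device is reported lost."""
        if not self.installed:
            return False
        self._delete(now, "remote")
        return True

    def _delete(self, now: datetime, reason: str) -> None:
        self.data.clear()          # the cached corporate data leaves with the app
        self.installed = False
        self.events.append((now, reason))

    def reinstall(self, now: datetime) -> None:
        """Remote reinstall: a clean app with no data; the user must log in again."""
        self.installed = True
        self.data = {}
        self.last_login = now
```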

In the past few months, the media has had a field day with stories about company data being stolen by syndicates of criminals and one of the simplest security approaches that can be adopted is to minimise the amount of data that is stored on the device.

It is down to individual organisations to determine how much data they want kept on their mobile devices and responsibility needs to lie with the CIO as to how the devices are set up. All mobile devices, BlackBerry in particular, have different ways in which they can be configured to limit what the device can download and this is the most security-conscious way of setting up the device without degrading the user experience.

The hardest risk to mitigate, however, is the dependence a company has on the responsibility of its employees. For many users, mobile devices are still considered a personal gadget, yet corporate information inevitably finds its way onto them and is used day-in and day-out outside the perimeter of control for the business.

Many of these handheld devices get lost and if there is any data left lying around on the device then that can be extremely damaging. “This risk should not be underestimated,” says Mr Langridge of Microsoft’s Mobile Communications Business. “In the past six months of 2006 in London alone, a staggering 55,000 mobile phones and 5838 pocket PCs were left in licensed taxi cabs. While travelling, people may also use their devices on insecure WiFi networks that could allow anyone else to browse the files.”

The size and portability of mobile devices, coupled with their many leisure applications, means they are far more susceptible to accidental loss or theft, making them a vulnerable source of data leakage. There is currently little or no auditing at a corporate level of what such devices may contain, and no legislation that specifically covers handheld devices. Due care when using these devices needs to be the focus of change: all users know that such devices are likely to be lost or stolen, and it is the responsibility of the organisation to put security measures in place to limit the damage that might result.

There have been some prominent examples in the financial services community over the past two years where organisations have been fined because they did not take such measures. Given the amount of publicity in this space, effective counter measures need to be put in place and CIOs should be worried about the very real threat of security breaches in the mobile device space.
