To ensure wireless safety, all mobile devices must include some type of wireless security technology. The first wireless network security standard — Wired Equivalent Privacy (WEP) — was a relatively weak technology. But more recent specifications, such as Wi-Fi Protected Access (WPA), WPA2 and IEEE 802.11i, can be powerful security tools, reckons Nick Magliato, CEO of Trust Digital, a mobile security software company.
Rapidly proliferating Bluetooth technology, which allows connectivity between mobile phones, PDAs, laptops and other gadgets at short distances, is another prime wireless weak spot. As with Wi-Fi, attackers may take advantage of Bluetooth connections to access or download information onto a device.
“Technically, Bluetooth is one of the most insecure wireless technologies,” says Bill Nagel, a security, risk and identity management analyst for technology research firm Forrester. “There has been anecdotal evidence of data being stolen via Bluetooth.” To keep snoops at bay, Nagel recommends that users be required to turn off Bluetooth technology whenever it’s not being used.
Wireless VoIP, which allows users to make phone calls from laptops, PDAs and other portable gadgets over a Wi-Fi link, also worries IT security experts. Because VoIP is data-based, it’s vulnerable to many of the malware threats that plague desktop computer users, including viruses, worms, spam and phishing. Wireless VoIP mobile devices can be protected with the same technologies that are used to safeguard wireless data.
Down the road, new wireless technologies like WiMAX, which will blanket entire cities with wireless internet access, will arrive to challenge enterprise management with new security issues. That’s why it’s important to stay on top of emerging trends. Nagel suggests that companies focus on data security as well as device security. “That means knowing what data is most dangerous to lose and where it is stored.”
While BlackBerrys, PDAs and laptops are the devices most closely associated with mobile security lapses, a variety of other “stealth gadgets” are also potential security traps. MP3 players, for example, can be linked to PCs to store items beyond songs and podcasts — such as confidential reports and top-secret customer lists.
Magliato notes that portable USB drives and memory sticks pose a similar menace. “You never know what’s going to be loaded on or downloaded from these things,” he says. “They’re also very portable, very easy to lose.” Memory sticks can be particularly difficult to control. “People send them in the mail with advertising,” he says.
Even more sinister is the emergence of new pocket-sized gadgets that are designed solely to extract data files from mobile devices. One such product is the Cellular Seizure Investigation Stick (CSI Stick). The size of a cigarette lighter, the unit plugs directly into most Motorola and Samsung mobile phones to grab the data they contain. “When new storage cards, etcetera, are inserted in the handset, the user should be prompted to enter a PIN,” advises James Moran.
Getting a handle on mobile device security requires building a strategy that will protect enterprise data while giving employees the flexibility to use emerging technologies in new and productive ways. Sybase’s Morgan recommends developing a formal policy that’s based on balancing business needs and understanding the challenges mobile security poses. “The enterprise needs to define a security policy for mobile devices and then ensure that policy is centrally enforceable through a comprehensive management tool,” he says.
Winthrop notes that security planning needs to keep pace with evolving technologies and threats. “Changes in business, legal and regulatory environments, or the results of audit and risk assessments, may each necessitate a policy update,” he says. He adds that CFOs can’t work in a vacuum. “You need to have business and technical people involved and you have to make the case why the enterprise needs a mobile security plan,” he says.
Morgan observes that mobile security’s ultimate price is never-ending vigilance. “Security in general, and mobile security in particular, is a task that’s never finished,” he states. “Enterprises should accept that mobility, and the challenges that go along with it, are here to stay.”