By Jeff Porn
With every new generation of cell phone or personal digital assistant (PDA), the technologies allowing these devices to connect to various networks become more commonplace. Along with these technologies, whether Bluetooth, WiFi or even IR, come new ways of exploiting mobile devices – potentially opening your institution to attack.
These devices can easily connect to your infrastructure to access e-mail, share files or even print documents, making them easy targets for potential attackers. These days, almost every cell phone, regardless of price, comes standard with all or some of these methods for communicating and, in most cases, they are active by default. An attacker can easily gain access to your mobile device using tools that are freely accessible on the Internet. Once connected, a number of functions can be performed without the device owner’s knowledge. E-mails, contact lists and files can be retrieved remotely and the attacker can even turn a cell phone into a listening device by sending it commands to place an outbound call. With the proper equipment, Bluetooth can be accessed from up to a mile away and WiFi from even greater distances. An attacker doesn’t need to be close by to pose a major threat to the integrity of your personal and confidential information.
The security threats to mobile devices continue to rise as each new generation becomes “smarter” and more PC-like. The first viruses targeting cell phones were discovered in 2004; their objectives ranged from disabling devices to opening backdoors into private information. Experts predict that viruses will be the fastest growing and most pervasive threat to the enterprise when dealing with mobile devices. McAfee Inc., an industry leader in desktop and mobile security software, recently commissioned a worldwide study of 200 mobile operators in which 83 percent of respondents reported having been infected by threats that directly affected the mobile devices that connect to their networks.
So, what can be done? Every organization, regardless of size and complexity, must weigh the pros and cons of allowing mobile devices to connect to its infrastructure. Will productivity greatly increase? Will the overall effectiveness of the current security measures within the institution be hindered? The Gramm-Leach-Bliley Act does not specifically refer to the control of mobile devices; however, it clearly addresses the control of personal, financial and corporate data wherever it resides – and that most definitely includes mobile devices.
If the use of mobile devices is allowed within your institution, policies for the appropriate use and protection of PDAs, cell phones or other mobile devices must be developed and documented. For example, employees should store these devices in a secure place when not in use. Consider what types of connections are allowed; who is allowed to connect to the network; what security settings should be applied; how virus protection is handled; and what factors must be considered in the case of theft or loss of a device. While these factors do not comprise an all-encompassing list of considerations, they provide a starting point for the planning process that must be applied when establishing and enforcing these policies.
In a recent report, Gartner Research Group predicted that “by 2010 there will be over 450 million smartphones shipped globally compared to 168 million laptops.” Judging by this pending reality, it is not so much a matter of if but of when your institution will need to address these concerns. A smart institution considers all aspects, concerns, benefits and risks before allowing mobile devices within the infrastructure. Be sure to conduct thorough research on the devices and mobile operating systems being considered, enlist outside subject matter experts and, most importantly, determine that a valid business need exists for the use of mobile devices within your institution. The more planning conducted beforehand, the better prepared you will be if, or when, a security breach or similar incident occurs.
Jeff Porn is an information technology consultant for the risk and compliance group at Orange County, Calif.-based Compushare Inc. (www.compushare.com), a financial technology management company.