It's no secret that mobile devices -- from smartphones to Apple iPads to Android tablets -- are appearing in the enterprise in record numbers. Some
reports already indicate that more smartphones than PCs were shipped in 2011, and that trend will undoubtedly continue. The PC isn't going away, but
it's being joined by a large assortment of new mobile devices in a variety of form factors.
Although all these new and powerful devices are boosting worker productivity to even higher levels, they're also introducing some thorny security
problems for IT managers and security professionals. Your VP of human resources might be more effective on the road with her smartphone, but what if
she leaves her unlocked BlackBerry -- along with a Microsoft Excel spreadsheet listing executive salaries -- in the lunch room at an HR conference? Or
what about the engineer who has the detailed specs for your new product on his iPad, which he inadvertently left on the subway on the way to work? Then
there are the programming interns who regularly download apps for their Android devices outside the Android market -- including apps that are infected
with malware and viruses.
These scenarios are all security issues, and I haven't even touched on the compliance and auditing demands that are placed on businesses and
organizations that must abide by such regulations. "All of these factors are putting more pressure than ever on IT professionals, who are being
pressured into allowing the use of social media tools like Facebook, who are dealing with the consumerization of IT, and who now have additional mobile
devices to secure and keep track of," says Don DeBolt, director of threat research for Total Defense, which was spun off from CA earlier this year and
which serves as an independent business focusing on mobile security.
The State of Mobile Security
Judging by the mobile-security headlines of 2011, malware authors are being attracted to mobile devices in record numbers -- and to the Android
platform in particular. Android has emerged as the dominant smartphone OS, and with that distinction comes the attention of malware authors. There have
been plenty of news reports about Android malware, ranging from infected apps in the official Android Market ("Up to 120,000 users download infected apps from Android Market," ) to key-logger applications masquerading as legitimate apps ("Bogus Netflix Android App Attempts to Steal User Information," October 2011, InstantDoc ID 140886).
"Android has been a victim of its own success partly by becoming the most popular smartphone OS," says Kevin Mahaffey, CTO of mobile-security software
provider Lookout. "That one argument [is] why Android is afflicted with more malware than other mobile OSs. It's also a much more
popular OS in countries like China and Russia, where most malware seems to be written." Mahaffey also suggests that the ubiquity of the Java
programming language makes it widely available to programmers who might consider creating malware to attack the Android OS.
Both Mahaffey and Eric Sites, chief scientist for GFI Software, draw parallels between the dominant market shares of Windows and Android as significant
reasons for malware authors to target those platforms. Today's cybercriminals are just as concerned about return on investment (ROI) as any business
manager would be. Why shouldn't they direct their efforts toward the mobile OS that has the most users and, logically, the best possibility of a return
on their malware-coding investment?
"A lot of the trends we're following for mobile malware mirror that of the PC market," Sites says. "Ten years ago hackers were doing things for fame or
the thrill of it, but now there are organized networks of criminals out there who are attempting to control devices for more nefarious reasons, like
obtaining credit card numbers, stealing corporate information, and gaining access to other sensitive data."
Sites points out that cyberattacks from groups that are funded by nation-states are on the rise. He uses an aerospace-component manufacturer as a
hypothetical example: If a nation that's hostile to the United States wants to find out the specifics of a component that is used on a B-2 bomber, it
can make a targeted attack -- involving phishing, malware, and vulnerability exploits -- to try to access that information. (This type of maintained
attack is sometimes referred to as an advanced persistent threat [APT].) Sites contends that mobile devices open up even more avenues for attacker
exploits, ranging from obtaining misplaced devices and using malware to redirecting email and text messages or recording and forwarding spoken
conversations.
The Social Engineering Threat
Despite spending billions on endpoint security -- firewalls, antivirus software, blacklisting and whitelisting solutions, and so on -- cybercriminals
are still able to gain access to the most sensitive information. The culprit is social engineering, which criminals use to fool people into thinking
they're replying to an email message or clicking a link from a trusted source. Social engineering is too broad a topic to go into here (see "Protecting Yourself Against Social Engineering," for an excellent treatise on the subject), but many experts believe that
social engineering tactics are being used with greater frequency than ever before. The highly publicized attack on RSA ("RSA Reveals Details of Phishing Attack," ) was caused directly by an RSA employee clicking on a file attachment in an email message
that the employee believed was from a legitimate source.