Mobile Security

Be alert, be safe

Nikita Upadhyay on how securing mobile devices like laptops and smartphones has become a perplexing issue for both consumers and corporates

It seems the war between technology and safety is never-ending. Technology has brought in a revolution, not only with regard to features of devices like mobile phones and laptops, but also in terms of their size. For example, desktops have started giving way to laptops and smartphones in many situations.

The security and privacy of smartphones or other handheld converged devices is still in a nascent stage in India. The percentage of people using smartphones and laptops is growing every year. These devices are susceptible to various vulnerabilities like malware, spyware, spam, virus, ad wares, worms, etc. With humongous amount of data being stored in these small devices, securing them has become crucial for users.

Mobile threats and safety solutions

Most of us would like to acquire or already possess a feature-rich smartphone. The market for securing these devices has grown at a good clip. Its attributes have made it at par with a laptop for basic tasks such as checking e-mail or even conducting transactions. Substantial data can be stored on a smartphone. The flip side is that these phones are prone to infection attack at anytime.

“Malware hits the cell phones mostly while users are browsing. It enters the mobile and scans every transaction that happens through the device. It may enter while you are checking your mail, SMS, using infrared, Bluetooth or while downloading or uploading files when connected to a PC,” said Kartik Shahani, Regional Director, McAfee.

Introduction of financial transactions via smartphones has led to spurring innovation in electronic funds transfer, Internet marketing, online transaction processing, electronic data interchange (EDI), automated data collection systems and so on. This has led to the concern of how to go about securing these devices.

While using the credit card facility available on a handset, one has to be careful. This has emerged as a vital issue as the PIN and TIN numbers are stored on the handset. It should be safeguarded from key-loggers which transfer this critical information to a malevolent remote user.

Experts believe that there is no risk to wireless connectivity if one has normal security plugged into a device. Whereas, some believe that risk to Internet crime increases with the use of wireless connectivity.

We are all aware of Bluetooth technology. Few are aware of its potential for mischief. Improperly configured Bluetooth can result in a device being wide open to attack. A device with Bluetooth enabled must be kept hidden at all times and automatic connections should not be allowed. It is also recommended that you change the default synchronization password as all phone brands carry specific default passwords, which anyone can use to access the device’s contents. If not in use then Bluetooth should be turned off—this not only conserves power but also keeps a device safe.

“Wireless networking works by sending information over radio waves. That, in itself, makes it more vulnerable to outsiders. Cellular or cordless phones and signals from the wireless network can be intercepted. Since you can’t physically stop someone from connecting to your wireless network, we need to take additional precautions in order to maintain security on a wireless network,” explained Anand Naik, Director, System Engineering, Symantec India.

These innovations in the mobile phone have drawn attention towards their safety. Wi-Fi hotspots are coming up all over the world at an alarming pace. “These access points pose an inherent risk to information security as there is usually no encryption, for instance WPA (Wi-Fi Protected Access), WEP (Wired Equivalent Privacy) or authentication mechanisms in place since these zones are meant for free public access,” suggested Anand Nair, Technical Consultant, SecureSynergy.

Jagannath Patnaik, VP, Sales and Marketing, Quick Heal Technologies had a “fierce encounter” with the Bluetooth technology while he was in Malaysia as he noticed unrestricted access into his device.

“When you use Wi-Fi hotspots in public places, be extra careful. Reportedly, one popular ruse includes criminals who can ‘sniff’ Internet traffic and set up a fake hot spot that you might innocently log into. This “evil twin” is ready to steal passwords, financial info, or whatever else is transmitted,” suggested Naik.

Losing a mobile phone has become a menace in today’s scenario. “There are certain third party proximity alarm solutions that ring if the device exceeds a specific distance from the base module, which would be with the owner of the device. They are basically ‘stick it on’ devices with a base station which would be with the owner of the device,” said Nair.

In most cases of cell phones theft, the data in these devices is far more important than the hardware. It would be pragmatic to find out ways to prevent the sensitive data in these devices from being compromised even if a phone is lost or stolen. There are commercially available technologies which can do just that.

Elaborating on this concept, Ramkumar Balina, Director-Global IT, Information Security & Risk Management, Virtusa Corporation, said, “It is not practical to manage alarm systems against theft. However, precautions should be taken to ensure that the data is encrypted and cannot be accessed by third parties. Further, Internet based backup services shall be used to ensure that data is stored on the fly, even while someone is mobile. In this manner, the data is safe, even when an asset gets stolen.”

Venu Palakirti, Sales Director, India and SAARC region, F-Secure, said, “With the help of GPS (Global Positioning System) it may be possible to help locate stolen mobiles.”

There are numerous software applications available which secure mobile devices against a host of problems. Symantec provides Symantec Mobile Security Suite 5.0 for Windows and 4.x for Symbian offers comprehensive protection against threats on mobile devices. Its features cater to security requirements, provides data loss prevention and a Management Console for managing the mobile endpoint.

Smartphones permit e-mail access from outside the office and these systems are configured to disable services, once a handset is reported as stolen. The contents of a handset are erased as soon as a theft is reported. “There may be systems available to crack, but the tools in combination with policies make the system more fault-tolerant and dependable,” said Balina.

Palakirti informed that F-secure Mobile Security solution that comes with features like an integrated firewall, automatic scanning of memory cards and auto-updates of anti-virus patches. It also supports automatic detection of data connections such as GPRS/UMTS/Wi-Fi/WLAN, etc.; whenever a data connection is used the solution checks for software and the anti-virus database updates in the background.

Laptop threats and security

Almost everyone working in today’s corporate environment uses computers as an essential business tool. A company’s IT department is responsible for managing and maintaining these computers. Increased security to assets, compliance with security regulations, protecting company data and IP has posed a challenging question to the corporate world.

Data protection is a critical issue in many organizations as an increasing amount of valuable information travels across various environments and is stored on an ever-growing array of endpoint devices including PCs, laptops, and removable storage devices such as portable hard drives and USB memory sticks.

Laptops play host to loads of data, some of it sensitive. A wide spectrum of holistic solutions are provided by laptop manufactures to secure these devices. Some preventative measures include securing login with a strong password. Laptops facilitated with biometric authentication like fingerprint access nullify the threat of someone hacking into the device.

However, it is quite possible for a thief to unhook the hard drive and access data to bypass Biometric Fingerprint Readers and password authentication security. “One of the best laptop security measures is file encryption. A private unlock key is provided to the user, and as long as your private key is kept safely, no one but you and your intended recipients will be able to view your data,” said Raghu Raman, CEO, Mahindra Special Services Group.

There is no doubt that wireless computing is part of the new wave of advances, changing the way we use our computers at home or wherever we take our laptops. As more and more venues and public areas such as city parks, restaurants, and libraries—provide wireless access, business can be conducted almost anywhere. “Ideally it would be advisable to refrain from using Wi-Fi access from a non-reliable public zone, but as that is not always possible, it is advisable to always keep anti-virus software updated with the latest definitions and a firewall with tight policies. It is also prudent to stick to browsing generic Web sites or news sites and not access your corporate e-mail or Internet banking account on a public hotspot which attracts eavesdropping,” stated Nair.

Many methods to protect data and prevent theft have been developed, including alarms, laptop locks and visual deterrents such as stickers or labels. The analysis of a computer theft reveals that laptops connect to the Internet soon after they have been stolen. It could be because the thieves are reinstalling software, connecting through a wireless card or just using a stolen device for surfing. Once the computer connects to the Internet, there are several trace applications which report the location of a stolen laptop enabling the recovery of a stolen device in conjunction with local law enforcement authorities. HP Business Notebooks comes with a Kensington cable lock slot. Users can buy a Kensington cable lock which comes with an alarm system, so that anyone trying to break or fiddle with the cable lock sets off the alarm.

Endpoint encryption for data stored in mobiles or laptops is the need of the hour. This avoids data falling in the hands of the thief, hacker or even envious competitors. Encrypted data is hard to hack and decode. “Seclore File-Secure provides solutions for document security on laptops. It puts usage control policies and enables changing usage rights dynamically, which helps align them with the dynamic business relations with customers, vendors and employees,” said Vishal Gupta, CEO, Seclore Technology. There are several alarms that can be downloaded; in addition there are programs that will trace a laptop if it is stolen.

About a million laptops are reported stolen every year worldwide with a retrieval rate of less than 2%. Users are concerned more about the data in the laptop rather than the device itself. “HP PC Tracing and Data Security Service (TDSS) service for notebooks is a data protection and laptop tracking service that protects data and helps organizations comply with data protection regulations,” informed Anurag Arora, Country Manager-Business Notebooks, Personal Systems Group, India, HP.

Most laptops have an in-built feature that not only helps locate the stolen device but also lets you permanently destroy sensitive data remotely. “HP business notebooks come with drive encryption which allows you to utilize full-volume encryption to automatically protect the sensitive information stored on your disk volumes. This module helps ensure your data cannot be accessed if the notebook or hard drive is lost or stolen,” added Arora.

The basic security controls implemented and configured properly on the device would greatly mitigate the risk of any type of attacks. Keeping the operating system, applications and drivers up to date is crucial, and having a personal firewall with the rules configured correctly to deny all untrustworthy traffic is essential.

The implementation of a ‘tolerated’ security zone is a concept wherein access by devices that are not owned by a business are controlled so that they cannot compromise security.

If the use of a wireless network is required because of business need, it is recommended that you have a segregated network that is monitored and controlled by using various other security devices. “This network should not have any access to sensitive information. If access to sensitive information is required, it is good to have a VPN (Virtual Private Network) tunnel established over a wireless link,” suggested Nair.

“It is also good to have periodic wireless audits to identify the signal reach and the information that is being exposed via a ‘borderless network’,” Nair added. Any susceptible devices, if present, can also be identified during these audits and can be removed before sensitive information is lost.

Companies can secure information by adopting a proper information security initiative within an organization. Some of the ways they could do that would be by developing an IT Governance Framework or an Information Security Initiative, which would drive policies to protect information and information systems of the company. From a technological standpoint, companies can look at data encryption software and endpoint control to mitigate data theft. Employees must undergo basic information security training to make them more vigilant and alert.

It is important that both users and organizations be aware and equip themselves against the threats faced by handheld devices. These are becoming ubiquitous and are largely unattended with respect to security. As more services such as e-banking, m-commerce, etc., become accessible from smartphones, we can expect to see sophisticated worm and bot attacks on these platforms as well. So a proactive defense in-depth strategy is needed and businesses should wake up to this fact immediately.

Traditional security solutions are proving inadequate against the latest threats. Securing endpoints is essential to protect assets and maintain a solid business reputation. We must always bear in mind that while this new technology brings us convenience and flexibility, we need to be extra vigilant about how we transmit valuable information.

nikita.upadhyay@expressindia.com