Symantec: Heavy price for smartphone security inaction
- 25 May, 2007 07:48
It may have taken enterprise customers years to get proper security tools in place to defend their PCs, but if large businesses drag their feet in aligning the applications necessary to protect their smartphones, they will pay a heavy price, says Symantec.
As part of a media tour to call attention to the planned launch of its Symantec Mobile Security Suite 5.0 package on June 4 -- touted as its most comprehensive product to date for protecting handheld devices against loss or attack -- experts with the company said hackers and electronic scammers are already creating a mobile environment that will soon rival the dangers of today's PC security landscape.
All of the attack profiles that have become standard fare for desktops and laptops, from root kit-like programs that attempt to infect device operating systems, to ingenious social engineering attempts that play on the multimedia footprint of smartphones, have already arrived, said Khoi Nguyen, group product manager for mobile security at Symantec.
How quickly the attacks multiply and proliferate will be determined only by the pace with which people adopt more powerful handhelds and how aggressive they are in defending the devices, he said.
Unlike in previous years where much of the buzz around wireless security could be attributed to forward thinking, Symantec believes that handheld platforms are about to be deluged by a storm of different types of attacks.
"Since the first mobile threats started arriving several years ago things have evolved dramatically, these attacks are real and people are being impacted by them today, particularly in other regions of the world where smartphone use is higher than in the U.S.," Nguyen said. "We are still in the early stages here, but things are evolving much more rapidly than they did on the PC side; as more enterprises adopt smartphones and they are being used more frequently to carry out financial transactions, the attackers will be there waiting."
While Symantec estimates that there are still about 450 PC-oriented threats for every attack designed to assail mobile devices, the company expects the gap to close rapidly over the next several years.
As new devices and applications that are expected to drive adoption of smartphones hit the market, such as those built to run on Microsoft's Windows Mobile platform, more enterprises will buy the memory-heavy handhelds and hackers will follow, the security expert said.
In the last month alone, Symantec has uncovered root-kit style threats attacking Symbian smartphones which attempt to modify the devices' operating system files to bypass onboard security features.
The company has also observed so-called snoopware programs, which add voice-driven schemes into the malware mix. One snoopware attack, which had the ability to remotely activate a smartphone's microphone to secretly eavesdrop on calls, take control of its camera to surreptitiously take pictures, and forward all of a user's text messages to another account, was aimed at users of Windows Mobile.
With an estimated 60-70 percent of the world's smartphones running on Symbian software today, most previously identified mobile device attacks have targeted the company's OS. In moving to target Windows Mobile users in such a way, hackers illustrate how they are already preparing to cash in on the projected growth of Microsoft's platform, according to Nguyen.
"Basically the threats have gone from proof-of-concept to full-blown spyware in a span of three years, whereas it took over a decade for the same type of evolution to occur on the desktop side," said Nguyen. "On the enterprise side, companies are finding that the smartphone is just another endpoint that is going to need to be protected in the same way that desktops and laptops are protected today."
As a result of the need for PC-like protection for their handhelds, Symantec is pitching a range of applications in Mobile Security Suite 5.0 that mimic its products for larger computers.
Included in the package will be what the company is touting as the first network access control (NAC) system for smartphones; NAC applications are themselves still a fairly new security development in the PC space.
Much like a PC-oriented NAC system, the smartphone tools -- which must be used in concert with Symantec's standalone mobile VPN product line -- promise to perform a series of security health checks on devices before the handhelds are allowed to access corporate networks.
Another capability unique to the company's latest enterprise smartphone defense package is a tamper-protection feature that monitors devices' operating systems to detect any attempts to modify the code, such as in root kit attacks.
As with its Norton consumer smartphone offerings, the Mobile Security Suite 5.0 package will also include more traditional anti-virus and firewall tools.
Other industry watchers agree that enterprises must have their smartphone security plans firmly in place as they hand out more of the devices to employees.
And according to executives at Nokia, the world's top producer of mobile devices, more customers than ever are asking about security implications upfront as they consider wider smartphone distribution.
One of the most significant concerns among customers remains the use of unsanctioned devices in the enterprise, typically occurring when workers who have not yet been offered smartphones by their employers instead begin using their own handhelds to carry out business tasks.
"A lot of people are still asking us about dealing with unsanctioned devices, the administrators realize that there are often a lot of people using their smartphones in the enterprise without authorization, and they need to find a way to protect themselves," said Kara Hayes, senior product marketing manager for Nokia's Security & Mobility Connectivity group.
"People are also very concerned about device loss and theft, they want the ability to wipe the data on the device and kill service," she said. "They want mobile e-mail protection and they're concerned about preventing against data loss; security really has become a big part of the conversation with customers looking to adopt smartphones across more of their organization."
Sam Bhavnani, an analyst with Current Analysis, said that organizations should take the best practices they have developed for laptops and port them directly into their smartphone adoption plans.
"This all goes back to the migration from desktops to laptops. There are a lot of common sense implications, and people need to be sensible about creating realistic policies that both protect the data on the device and allow users to tap into the potential of the smart phones," Bhavnani said.
"Some people are still scared to go there, they know that adopting these devices will open another can of worms, but creating smart policies ahead of time and building on their laptop experience will be the best ways to foster strong mobile security."