• Typing errors: Because of the limited real estate on the keyboard, users are prone to errors while typing URLs and therefore could be landing on spyware-infested websites that could launch phishing attacks.
• Small-screen display: The small screen size demands that the browser rendering of pages be optimized, and important information might be abbreviated or missing.
• Lack of security alerts and warnings: On a small screen, detailed security alerts and warnings may never be rendered. Check your smartphone right now and try to verify the appearance of a website and its content.
• Lack of e-mail source headers: E-mail clients often obfuscate the source headers of the e-mails for better rendering of the message. This kind of interface is ripe for phishing attacks because the headers are usually a dead giveaway for forged e-mails, and if this key indicator is missing, your users will be easily fooled.
• Lack of complete URLs: See Figures 9-5 and 9-6 for the URL obfuscation that happens in portrait mode in an iPhone versus landscape mode, which happens to display the entire URL in this case. Even your most alert users are easy prey to a phishing attack when they browse in portrait mode because the URL isn’t fully visible.
With this level of exposure to potential phishing attacks, it’s critical that you have an antiphishing solution available. Antiphishing solutions for mobile devices can have a similar approach as the antivirus solution: All of it can be localized on the device itself, or you could take a hybrid approach by leveraging the hosted server in addition to installing a lightweight agent on the device.
Figure 9-5: An iPhone in landscape mode with no URL obfuscation.
Figure 9-6: An iPhone in portrait mode with URL obfuscation.
A variant of the hybrid approach is the cloud-based approach, where the antiphishing arsenal (e-mail, messaging, and URL filtering) is entirely cloud-based. While this approach has a lot of appeal, without a smart agent running on the smartphone or device, an exclusively cloud-based approach falls short of the mark because of all the different device interfaces it must cover, each of which is a separate attack vector.
For instance, even if the 3G interface is well cleaned by the cloud approach, an open local Wi-Fi or Bluetooth connection can be used to compromise your users and lure them into a phishing attack. Therefore, a good on-device agent is key to providing that first line of defense against phishing attacks. (See Chapter 3 for more on cloud-based computing.)
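As an added illustration of the portrait-mode truncation problem (not code from the book), here is the kind of check an on-device agent could run: it compares the characters a narrow address bar can show with the domain the browser will actually connect to, and warns when that domain has been pushed out of view. The 28-character width, the naive last-two-labels domain rule, and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed assumption: a portrait-mode address bar that shows this many characters.
PORTRAIT_WIDTH = 28


def visible_prefix(url: str, width: int = PORTRAIT_WIDTH) -> str:
    """What a truncated address bar displays: the first `width` characters, the
    last one replaced by an ellipsis when the URL does not fit."""
    return url if len(url) <= width else url[: width - 1] + "\u2026"


def real_host(url: str) -> str:
    """The host the browser will actually connect to (no scheme, userinfo or port)."""
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels. A production agent would
    consult the public suffix list instead (simplifying assumption)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def truncation_warning(url: str, width: int = PORTRAIT_WIDTH):
    """Return None when the domain the browser connects to is visible in the
    truncated display; otherwise a warning describing what the user sees versus
    where the request really goes."""
    shown = visible_prefix(url, width)
    domain = registrable_domain(real_host(url))
    if domain and domain in shown:
        return None
    # The host fragment the user can see: text after "://" up to "/" or the ellipsis.
    after_scheme = shown.split("://", 1)[-1]
    seen = after_scheme.split("/", 1)[0].rstrip("\u2026")
    return (f"display shows '{seen}' but the connection goes to '{domain}'; "
            f"the full URL is hidden in portrait mode")


if __name__ == "__main__":
    # Constructed sample URLs: a corporate login page, and a look-alike whose real
    # domain is pushed past the visible width by a long, familiar-looking prefix.
    for url in ("https://mail.example.com/login",
                "https://mail.example.com.login-verify.example.net/session/reset"):
        print(visible_prefix(url), "->", truncation_warning(url) or "OK")
```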
Antispam
Antispam is the ability to identify and stop spam — typically in the form of e-mail — to the device, but note that for today’s mobile devices, the spam vectors increasingly include SMS as well. From your users’ perspective, the one distinct difference between e-mail–based spam and text-messaging–based spam is that the latter sometimes costs your users money (especially those in certain geographies; more on that in a moment) because some cellphone plans impose charges for messages received over a specified limit. E-mail spam, by contrast, is a major irritant (and a potential phishing mechanism), but at least it doesn’t cost the user money.
In response to this, carriers have been pretty active. In the United States, for instance, AT&T advertises a service called AT&T Smart Limits, which allows the user to block or allow text messages from certain users. Yes, it’s an opt-in, paid service that users have to subscribe to. But according to research conducted by Ferris Research, in the United States users typically receive a couple of SMS spam messages per year, in Europe the frequency jumps to a couple per week, and in India it’s a couple a day, while in China users are bombarded with 5 to 10 spam messages a day! So it’s coming to a location near you. The geographical disparities in SMS spam are a direct reflection of SMS usage. In Asia and Europe, where SMS usage is rampant, the spam frequency is also high, whereas in the United States, where SMS usage is relatively muted, the spam frequency lags as well.
The other point is that there is a global uniformity component that needs to be factored in with any sort of solution you roll out. On the standards front, the GSMA (GSM Association), a consortium of nearly 800 members, has kick-started an initiative called GSM spam reporting service whereby users who receive spam can forward those messages to a standardized number. (It’s currently proposed as #7726, which spells SPAM on the handset.) This is a neat way to build a database of blacklists for the spam operators and eventually use this information to build an in-network spam-blocking solution! Information about spammers will also be shared among participating members who will receive correlated reports with data on misuse and threat to their networks.
Antispam solutions — for e-mail or messaging — have more value if they’re handled by the server rather than the client. This enables you to centralize the antispam solutions and apply remediation at the e-mail servers that you host — or apply it at your outsourced arm. For SMS-based spamming, the service is typically provided by the carrier, so you should actively work with your user’s carrier, or educate your users about their carriers’ services, to arrive at a solution that satisfies your needs.
A new variant of mobile spam uses applications on the mobile device as a new threat vector. For example, the Facebook app on your users’ devices is one of the most popular applications in use. A clever spammer recently discovered a vulnerability that autoreplicates links: an unsuspecting user clicking any of the application spam links shown in Figure 9-7 is enough to “share” (publicly post) the application on the user’s Wall, and it spreads virally from there. Even though this isn’t a mobile-specific spam vector, it’s one that’s growing in popularity, using social network applications to post spam and phishing attempts.
Figure 9-7: Facebook spam.
These kinds of social engineering–based spam are the hardest to mitigate and prevent, as these are predominantly tied to user behavior and tap into the psychology that the spammers become expert in exploiting.
You can fight Web 2.0–based spam more effectively by using the following:
• Constant vigilance
• Security posture adaptation
• Relentless education of your users
Using Backup and Restore Capabilities
Many smartphone OS vendors already offer some version of backup and restore. For instance, iPhone already comes with backup and restore capabilities whenever the device syncs with iTunes. But this is ultimately designed for end users, and the backup destination is anywhere the user chooses it to be. It also relies on diligent users who turn on this functionality in the first place. So this isn’t something you can rely on. You need an enterprise-grade backup and restore capability that you can control.
A top-grade enterprise solution that RIM (Research In Motion) offers as part of their BlackBerry Enterprise Server automates backup and restore, as the BlackBerry Enterprise Server automatically syncs over the air with the BlackBerry devices and provides you with the ability to back up the BlackBerry Enterprise Server. (Typically, it’s on secure premises.) In fact, RIM is even extending this traditional enterprise server–based backup to the actual individual users so the users can take the matter into their own hands. Figure 9-8 shows one of the backup and restore management screens in the BlackBerry Protect user interface.
Figure 9-8: My BlackBerry Protect.
The basic components of any backup and restore capability should
• Be able to do backups of smartphone data at a predefined frequency using over-the-air technology (as well as local backups when possible).
• Be able to do restores of smartphone data on demand using both over-the-air technology and a local connection.
There are a variety of ways you can provide this support, depicted in Figure 9-9 and explained as follows:
Figure 9-9: Backup and restore solutions.
Vendor supported: The BlackBerry fits nicely into this category, and very little mental exercise is required from you when you adopt this option. However, other smartphones and most devices don’t support this option.
Provider supported: Increasingly, carriers are starting to provide this as a service offering, and you may be able to capitalize on this by entering into agreements with operators and getting it provided as a managed service offering.
End-user supported: This relies on end users regularly using the supported options to back up their smartphones. However, as noted earlier, the backup is typically local to their desktops and laptops only, so this solution in turn relies on your (hopefully) existing enterprise backup of their local machines to enterprise backup servers thereby backing up their smartphone backups. Wow! That sounds convoluted, and it is.
You should not adopt an end-user–supported option as your primary backup solution because it relies on end-user best practices, and while the workforce education is getting better all the time, relying on an informed workforce to guarantee backups is simply not recommended. Ultimately, you are responsible for protecting your company asset — the intellectual property — and need to exercise controls to do so. Therefore, you need to have backup solutions that can be scheduled, archived, and audited by you (and your stakeholders).
Adding Loss and Theft Protection
Your users are wedded to their mobile devices, perhaps more than they realize. A brief divorce from their beloved smartdevice is enough to cause heart palpitations and sweaty palms. These devices have become an extension of the owners themselves, so protecting them becomes a necessity — not a luxury!
The most fundamental defense against loss or theft of mobile devices is over-the-air (OTA) disabling. With enterprise-friendly devices like the BlackBerry, this is a breeze, but with most mobile devices, including the iPhone, iPod, iPad, Android-based devices, and others, this is a trickier proposition.
Thankfully, loss and theft protection is a rapidly evolving area, and all the leading device security vendors are rolling out various OTA device-disabling solutions to cater to this security need. Their antitheft solutions can be classified into these three broad categories:
• Encryption and authentication techniques
• Immobilizing techniques, including active data obfuscation following the loss of the smartphone
• Recovery techniques to locate the smartphone
The following sections cover each of these categories in greater detail.
Encryption and authentication techniques
As the name suggests, this technique obfuscates critical data on the device itself using encryption technologies. As you see in earlier chapters, extensible memory on the devices, including removable storage, makes the loss of the device quite dangerous. One mechanism that can mitigate this is encrypting the data on these memory cards so that in the event of a loss, the perpetrator can’t access the memory card data using a card reader. Likewise, strong authentication techniques should be mandatory for access to onboard memory.
Your users will likely balk at the convoluted multilevel authentication techniques when you try to impose this on them and, worse, will always try to subvert this. You can never completely prevent this, so your best form of defense is education, education, education. In fact, you could use some provocative videos and scenarios where real users lose their devices and focus on the muted impact of someone who has followed the best practices versus a more damaging situation for a user who has grossly violated the encryption policies.
Immobilizing techniques
Here are the two most common immobilizing techniques:
Remote lockdown: This technique involves an over-the-air kill message that is issued by the enterprise to the smartphone, which will essentially render the smartphone lifeless.
Remote wipe down: This technique involves wiping out the critical smartphone data — contacts, local files, e-mails, SMS, and memory card.
Recovery techniques
These are the most common recovery techniques:
Smartphone locator: Most of the modern day smartphones have a GPS chip built in. Using location software, the ability to track down the smartphone is becoming increasingly practical.
SIM snooping: One of the first things done to a stolen smartphone is swapping out the SIM. This provides an insertion point for a technique called SIM snooping, which surreptitiously sends the new SIM’s telephone number to the original user; with the carrier’s assistance, this key piece of data can be used to locate the smartphone.
Carriers are getting into the act as well to provide protection against loss and theft. For instance, Verizon Wireless now offers to its customers the Mobile Recovery app shown in Figure 9-10.
Figure 9-10: Verizon Wireless’s Mobile Device recovery app.
If it’s possible to strike up agreements with the key operators that service your locations, you may be able to provide carrier-managed recovery services.
Controlling and Monitoring Applications
Applications, or apps, are fast becoming the de facto user interface for mobile devices. Therefore, you need to be in sync with this trend and be able to provide adequate monitoring of these applications using various approaches (which we discuss in this section), identifying harmful applications in a timely manner and intervening when necessary.
Let’s get real: Your users will download content (willfully or involuntarily) that is in violation of your enterprise policies. It’s in your best interests — and your users’ best interests, even though they may not embrace this notion right away — that you have good visibility into their application usage behavior and intervene where appropriate.
Be aware of any local regulatory matter that might forbid these intrusive policies, as in some regions they could be a violation of citizens’ rights.
Methods to control and monitor applications
Now that you understand the importance of monitoring and controlling applications on your users’ devices, you need to determine what type of solution you want to deploy.
There are two approaches to application control and monitoring:
Client-only: In a client-only approach, you have a monitoring application running on every mobile device that you need to configure in the enterprise. While daunting, it provides you with an unparalleled degree of individual control, and you can set up policies that are unique to every user in the enterprise. More impressive is that you can take into account the real-time characteristics of the device — such as location, battery life, and other applications running — to make a much more customized strategy.
Server-based: At the other end of the spectrum is a server-based approach that employs a centralized gateway to which all device traffic is backhauled and generic policies are applied. While user and device identification are still possible in this approach, and policies can be tailored to cater to the individual smartphone, the specific characteristics that an agent could supply in the previous approach are no longer available here. However, the economies of scale are evident, as you can have a centralized console for configuration, monitoring, and enforcement without having to worry about connecting to every individual device.
A more common hybrid approach is to tie in a lightweight agent with a server back end that can benefit from the agent providing the instrumentation and lightweight policy enforcement, with the server doing more complex application usage analysis and determination of policy changes that can then be relayed to the agent when appropriate.
Identifying harmful applications
You have to be on the lookout for seemingly harmless applications that your users download to solve a business issue. The application might seem innocent, but it could have an underlying security loophole that when exploited can cause all kinds of issues.
For example, an increasing number of new laws are mushrooming that ban automobile drivers from using their cellphones while driving. This has given rise to a number of text-to-voice applications that convert your text messages and e-mail into voice and play it back to you while you’re driving. Seems like a very useful function. Bad idea! A number of these applications also use the “hybrid approach,” whereby their app is actually a lightweight agent and the bulk of the transcription happens in the cloud. So your users may actually be compromising valuable corporate data in the quest to be more productive while they’re driving.
If you have an application-monitoring function in place, you can identify a harmful application by using the agent on the device, which would flag an unapproved application at install time. Alternatively, in a server-based environment, you can use tools to look for specific traffic patterns to identify corporate e-mail and texts that are going to unknown destinations and take appropriate action.
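The server-side traffic-pattern check just described, as an added example rather than the book’s own code: it parses constructed gateway flow records, reports mail and text content leaving for hosts outside an approved set, and suggests an action per device. Log format, field names, hosts, app names and thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed assumptions: hosts that may legitimately receive corporate mail/text
# content, and the content labels the gateway's classifier attaches to each flow.
APPROVED_MESSAGE_HOSTS = {"mail.corp.example", "mdm.corp.example"}
MESSAGE_CONTENT = {"message/rfc822", "text/sms"}

# Constructed gateway flow log: one backhauled flow per line, key=value fields.
SAMPLE_LOG = """\
2011-03-01T08:02:11Z dev=DEV-0141 app=com.example.mail dst=mail.corp.example ct=message/rfc822 bytes=18231
2011-03-01T08:02:40Z dev=DEV-0141 app=com.example.readaloud dst=api.readaloud-cloud.example ct=message/rfc822 bytes=17940
2011-03-01T08:03:02Z dev=DEV-0141 app=com.example.readaloud dst=api.readaloud-cloud.example ct=text/sms bytes=212
2011-03-01T08:05:13Z dev=DEV-0207 app=com.example.browser dst=news.example.org ct=text/html bytes=50211
2011-03-01T08:06:44Z dev=DEV-0207 app=com.example.mail dst=mail.corp.example ct=message/rfc822 bytes=9021
"""


def parse_flow(line: str) -> dict:
    """Split one 'timestamp key=value ...' record into a dict (bytes as int)."""
    ts, *pairs = line.split()
    flow = dict(p.split("=", 1) for p in pairs)
    flow["ts"] = ts
    flow["bytes"] = int(flow["bytes"])
    return flow


def message_leaks(log_text: str, approved=APPROVED_MESSAGE_HOSTS) -> dict:
    """Return {device: {(app, dst): (flow_count, total_bytes)}} for every flow
    that carries mail or text content to a host outside the approved set."""
    hits = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["ct"] in MESSAGE_CONTENT and flow["dst"] not in approved:
            tally = hits[flow["dev"]][(flow["app"], flow["dst"])]
            tally[0] += 1
            tally[1] += flow["bytes"]
    return {dev: {k: tuple(v) for k, v in apps.items()} for dev, apps in hits.items()}


def recommended_actions(leaks: dict, quarantine_bytes: int = 10_000) -> dict:
    """Map each offending device to an action: quarantine the app once a large
    volume has already left, otherwise flag it for review (threshold constructed)."""
    actions = {}
    for dev, apps in leaks.items():
        worst = max(total for _, total in apps.values())
        actions[dev] = "quarantine-app" if worst >= quarantine_bytes else "flag-for-review"
    return actions


if __name__ == "__main__":
    leaks = message_leaks(SAMPLE_LOG)
    for dev, apps in leaks.items():
        for (app, dst), (n, total) in apps.items():
            print(f"{dev}: {app} sent {n} message flow(s), {total} bytes, to {dst}")
    print(recommended_actions(leaks))
```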
Enterprise Management of Mobile Devices
A mobile device in the enterprise needs to follow a lifecycle that gives you a predictable process for bringing enterprise-ready mobile devices into, and out of, the workplace.
Enterprise management of mobile devices can be broken down into the following activities:
• Device deployment
• Device discovery
• Device provisioning
• Device monitoring
• Compliance enforcement
The following sections give you a complete overview of enterprise mobile device lifecycle management, delving into detail on each of these important phases of the mobile lifecycle.
Device deployment
Device deployment is relevant only if you intend to issue enterprise devices to your employees. If on the other hand (as is becoming the norm), the devices in your enterprise are predominantly owned by the employees themselves, this activity can be easily skipped.
Mobile Device Security For Dummies Page 22