From the iPhone to T-Mobile's G1, smartphones have become pervasive in today's enterprises.
What are not always pervasive are sound security practices for controlling them. While malware for mobile devices is not especially widespread, hundreds of unique pieces of smartphone malware such as 'Sexy View' have been identified. Then there are the hacks.
In a demonstration, Trust Digital showed how it was possible to use an SMS control message to silently change the phone's configuration, for example, turning off security settings for e-mail transmission such as SSL. With all this in mind, here are a few things enterprises should consider when it comes to smartphone security.
1. Take a Business-Centric Approach to Planning
Philippe Winthrop, an analyst with Strategy Analytics, said businesses need to know how many smartphones they have and what they are being used for. "Go through and use cross-functionality teams ... within your organization to understand what the line of business is going to want to do with these solutions, but make sure of course that it's going to play nicely with what the IT department needs to do."
2. Develop a Configuration Plan
In a report titled "Q&A: 10 Smartphone Security Failures You Want to Avoid," Gartner analyst John Girard noted that any system that lacks a known, trackable and updatable configuration is impossible to properly manage, secure and support. The result is users handling troubleshooting and modifications on their own, which can in turn open up its own can of worms if their changes make the device less secure, he wrote. When it comes to planning operational requirements, smartphones should be treated like PCs, the report continues.
"When companies move to personal liability phones, or tell people to use their personal phones at work, serious vulnerabilities arise if the company does not at least have a plan for managing diversity and controlling exposures," Girard told eWEEK. "Ideally, companies would still invest in centralized management consoles for phones and take policy control of personal phones whenever possible."
3. Set Sound Default Browser Permission Rules
One of the main doors malware walks through to get on a system is the browser. "Today's smartphones increasingly include more fully functional browsers that are quickly moving toward a level of functionality rivaling that of desktop versions," said Scott Crawford, an analyst with Enterprise Management Associates. "Considering that attackers increasingly focus on both Web applications and the vulnerabilities not only of browsers but of their many multifunctional add-ons, this increases concerns that mobile devices may add to the Web and browser attack surface already highly targeted."
Gartner recommends setting conservative companywide security policies, disallowing Java applets and scripts and regularly cleaning up the browser cache.
Doing all this, however, depends not only on how much control enterprises want over the devices, but how much they can actually have, Crawford said.
"In the iPhone's case, for example, on-device control [a management agent, for example] is limited by what Apple is willing to make available via the App Store," he said. "Otherwise, the customer must either consider 'jailbreaking' the phone, not an option in the typical enterprise, or consider an off-device alternative. ... Other than that, organizations may want to deploy solutions that enable a secure 'wipe' of information from a lost or stolen device, whenever it connects to the network, for example."