Smartphones collect and compile an increasing amount of sensitive information to which access must be controlled to protect the privacy of the user and the intellectual property of the company.
Mobile security or mobile phone security has become increasingly important in mobile computing. It is of particular concern as it relates to the security of personal and business information now stored on smartphones.
More and more users and businesses employ smartphones as communication tools and also as a means of planning and organizing their work and private life. Within companies, these technologies are causing profound changes in the organization of information systems and therefore they have become the source of new risks. Indeed, smartphones collect and compile an increasing amount of sensitive information to which access must be controlled to protect the privacy of the user and the intellectual property of the company. According to research, the Mobile Security Services market will total around $1.88 billion by the end of 2013.
All smartphones, as computers, are preferred targets of attacks. These attacks exploit weaknesses related to smartphones that can come from means of communication like Short Message Service (SMS, aka text messaging), Multimedia Messaging Service (MMS), Wi-Fi networks, Bluetooth and GSM, the de facto global standard for mobile communications. There are also attacks that exploit software vulnerabilities from both the web browser and operating system. Finally, there are forms of malicious software that rely on the weak knowledge of average users.
Emerging Solutions
In the wake of frequent security breaches and data theft, enterprises globally are under tremendous pressure to provide an end-to-end secure framework. The BYOD (Bring Your Own Device) trend is adding to the woes of the modern day CIOs. Devices nowadays are extremely powerful and a small incident like misplacing or losing a mobile device can translate into a major security breach. For optimal security, organizations should seek out solutions that are capable of meeting corporate network requirements while concurrently providing three layers of security at the device, server and network level. With the right mobile container solution, organizations don’t have to compromise their security requirements to allow employees to carry the devices they choose. But the challenge becomes preventing the secure mobile computing environment from encroaching on the user experience.
Manoj Khilnani, Country Marketing Head – Enterprise, BlackBerry India, suggested some points for setting up a secure solution. They are as follows:
Encryption of Data: A key element of security is encryption technology, which is critical to protecting the confidentiality and integrity of a digital transaction between two endpoints, such as a mobile device and a corporate server located behind a firewall. Providing an integrated approach to mobile security, in which data is encrypted while at rest (stored on a digital device) or in transit, is the best protection against the loss of data or a security breach that could impact the profitability, competitiveness or reputation of an organization. Strong encryption guards against data integrity compromises in these environments, which are typically treated by network engineers or mobile security experts as hostile and untrustworthy. It is important to note that encryption technologies differ significantly in the degrees of protection they offer.
Containerization: For employees, the ultimate value in BYOD is the ability to have both work and personal functionality on a single device that is capable of keeping their data separate and secure. With the right BYOD solution, organizations will be able to strike the right balance between security, user experience and total cost of ownership. This concept is known as containerization. The concept of containerization refers to a solution that creates an encrypted zone or container on a device within which corporate apps and data can reside. Policy controls apply only to what is included in the container, instead of the entire device. It simply means separating the corporate mobile apps and data from the personal. Access to data in the container requires secure authentication independent of any other device settings or restriction.
“Mobile security is an extremely fast growing area and focusing on how these changes and trends impact the way BlackBerry delivers products and services is a huge part of our business. BlackBerry is the only Enterprise Mobility Management provider that can secure a multi-platform environment based on varying levels of risk and compliance, from meeting the strictest requirements with BlackBerry 10 to providing the most flexibility with support for third-party devices,” said Khilnani of BlackBerry India.
“BlackBerry has delivered that solution for the past 15 years and we will continue to deliver that solution to our valued customers for years to come. Our focus is on building the most resilient platform in the industry that enables our customers to better protect their key assets. We engage with governments and enterprises around the world to understand the corporate needs as they relate to security and we actively work with the independent security research community to get insight into the state-of-the-art thinking around both attacking and protecting platforms. We support responsible disclosure to ensure that security vulnerabilities are patched in a timely manner,” he added further.
“eScan range of security solutions for Android comprises two editions: eScan Mobile Security for Android and eScan Tablet Security for Android. These security solutions are tailor-made to fulfill the security needs of IT users and ensure advanced protection from viruses, malware, Trojans and other such cyber threats,” said Govind Rammurthy, CEO & MD, eScan.
According to Pankaj Jain, Director at ESET India, as per ESET’s 2014 Annual Threat Trends Predictions, the three main areas of trends for 2014 are: loss of privacy and mechanisms to improve protection on the Internet – the trend of going to the cloud and how it affects privacy; the NSA and the privacy debate and how the user can protect his information on the Internet (e.g. data encryption). Computer threats for Android OS – already in its 2013 report, ESET has predicted a major increase of Android malware. Comparing the detections that occurred in 2012 and 2013, the threats have increased by more than 60%. This significant increase continued in 2014. Other trends are a new spread of malicious code in the form of ransomware (e.g. filecoders like Cryptolocker); vulnerabilities in Java, ever-present and more complex botnets.
“Nowadays, people are using several devices in their households, PCs, smartphones and tablets, that all have access to the Internet. All of them are susceptible to a growing list of increasingly complex online threats. However, all these devices need equal protection and hence the multi-device protection concept is gaining popularity. We have Kaspersky Internet Security – Multi-Device, an easy-to-use, one-license, multi-platform security solution that protects virtually any combination of PCs, Macs, Android smartphones and Android tablets,” pointed out Altaf Halde, MD, Kaspersky Lab–South Asia.
“Trend Micro is an industry leader in mobile security solutions. With more than 25 years of online security expertise and cloud infrastructure development, we deliver trailblazing apps and services that protect and enhance your mobile experience. Trend Micro Mobile Security Personal Edition stops threats before they reach you. This cloud-based security helps keep you safe from online threats, data theft and the loss of your smart phone or tablet. Mobile Security offers multi-platform available on iOS in addition to Android and Kindle. Mobile Security has antivirus, antispyware, web filtering, backup, social networking privacy protection and anti-theft features. It’s powered by Mobile App Reputation technology, which is fast, light and effective. Additionally, it identifies bad apps and fake websites that try to steal your information, as well as sneaky apps that automatically sign you up for expensive services. Mobile Security also helps you select the right privacy settings on Facebook. If your smartphone or tablet is ever lost or stolen, Mobile Security can even help you find it via the web and protect your information from the prying eyes. And with the data backup feature, you can restore your data if your device is lost, upgraded or erased,” said Dhanya Thakkar, MD, India & SEA, Trend Micro.
“We offer Trend Micro Mobile Security, which is a 4-in-1 solution that gives you full visibility and control of mobile devices, apps and data through a single built-in console. It strikes the right balance between user productivity and IT risks. Mobile Security combines Mobile Device Management (MDM), Mobile Application Management, Application Reputation Services and Device Antivirus (Android). A key part of an overall complete user protection strategy, Trend Micro Mobile Security reduces complexity and costs compared to standalone mobile security and MDM solutions that require new management structures,” Thakkar added further.
Best practice for data safety
Altaf Halde, MD, Kaspersky Lab–South Asia suggested some points regarding data safety. He said, “Enable automatic updates in all applications you use daily. First of all, take care of your operating system, Web browser, mail clients and instant messengers. Also keep in mind PDF readers, Flash player and Java. All should be done on a single occasion. It takes just three minutes, but it strengthens your PC’s protection against viruses and malware multifold. You wouldn’t start eating a meal without washing your hands – so why wouldn’t you apply the same habits to your PC? Don’t use a ‘dirty computer.’ If it is your own machine, it has to have an up-to-date and reliable antivirus software installed. The more the better here – consider an end-to-end solution like Internet Security. Run a five-minute scan before typing-in your passwords to your corporate email, online banking tool or social network sites. Checking your firewall sounds complicated, but it really isn’t. If you own a Windows-based system, just go to your control panel and type ‘firewall’ in the search box. If your firewall is ‘on’ or ‘connected,’ then you’re good to go. If you own a Mac, click the Apple icon on your toolbar, go to ‘system preferences,’ then ‘security,’ then ‘firewall.’ Making sure you have a firewall in place can go a long way toward keeping criminals out. Backing up your data protects you in the event of a computer crash or electrical outage or surge, like a lightning storm might produce. It also helps if you fall prey to the newer type of ransomware, which encrypts your sensitive data.”
“Spotting a rogue website can be difficult, but there are a few things you can do to hone your skills. Look for a green lock in the address bar and the code prefix “https://” at the beginning of the URL while visiting banking sites, entering your credit card data or accessing your web mail. Be careful when shopping at a website that ships items from overseas, and don’t click on links sent to you in email messages, go directly to the website itself instead. No matter what website you’re on, be careful of the sensitive information you reveal. Although it’s pretty much common knowledge not to give out your social security number or credit card information unless you trust a website completely, you should be just as careful with your social media profiles as well. Never open an email from an unknown or suspicious source, and definitely never open any attachments contained in them. You have to be careful of emails coming from people on your contact list as well, especially if the sender’s account has been hacked. If an email from someone you regularly communicate with has a suspicious link and unusual content, delete it and immediately alert this person that his or her account may have been compromised,” added Halde.
“The following tips can help users to keep their personal information safe and secure. Secure your device with a strong password: As the first step to protection, it is essential for users to set a password on their smartphones. The BlackBerry Password Keeper allows users to securely store passwords or banking PINs on their BlackBerry smartphone. User information is encrypted and protected by a single user-determined password. Install tracking/protection apps: There are various apps that allow users to track and remotely wipe data in case of device theft or loss. BlackBerry Protect app allows users to remotely lock, locate, and if necessary, wipe the data from their BlackBerry smartphone remotely (provided a network connection is still available). The free application also allows users to take advantage of several features such as automatic backups of their contacts, calendar entries and more. Use File Encryption for your Media Card: Enabling file encryption ensures that user files stay unread should their media card fall into the wrong hands. Keep smartphone software updated: It is a good rule of thumb to keep apps updated to their latest versions,” said Khilnani of BlackBerry India.
“With technology becoming a big part of how employees work, it makes no sense to segment mobile devices away from everything else. Instead, IT organizations should be adapting, integrating new technologies and operating the core company systems via control of these devices that employees bring in. Mobile devices left unchecked within a company can mean multiple security holes and chances for breaches or data leaks, but if there is a good system in place, businesses should be able to see cost savings and improvements in efficiency,” said Thakkar of Trend Micro.
Ritesh Chopra, Country Manager, India, Norton by Symantec, suggested some best practices that consumers can keep in mind for their mobile devices: be careful when clicking on advertisements for free software. Many times these ads may direct you to a fake Android Market that hosts malicious versions of known applications. Avoid opening unsolicited text messages; attackers can use text messages to spread malware, phishing scams and other threats among mobile devices. Don’t click on links sent from unknown sources; this includes email, messaging, Facebook, Twitter and other social websites. Be suspicious of applications that ask for root privileges. Make sure you have the latest mobile OS version, and all software is up-to-date. Vendors are always releasing new versions or updates of their software to protect from known vulnerabilities and flaws in their programs. Use caution when enabling Bluetooth connections. The Bluetooth setting is typically on by default, and should be disabled or paired with a device. If not, the phone will look for other Bluetooth-enabled devices to connect to, and could result in malware being loaded onto the device.
“If possible, use security software on your smartphone. For the Android OS, use applications like Norton Mobile Security or Norton Mobile Security Lite to protect your device, and the Norton Snap QR Code Reader to protect you from dangerous QR codes. For iOS, use the Norton Snap QR Code Reader to protect you from dangerous QR codes. Use caution when scanning QR codes, only scan codes from a reputable source. Encrypt the data on your mobile device. If you use your device for business or just want to protect your personal data, encrypting data is a must. If you lose your device and the SIM card is stolen, the bandit cannot access the data if the latest encryption technology is loaded on the device. Users should password protect their devices, this can help protect your sensitive data when your device is lost, stolen or hacked,” Chopra added further.
“We strongly advise to secure your mobile devices physically as well as digitally. Physical protection will include: password protection, data backup, use of tracking software, not keeping your phone unattended, encryption of sensitive data, etc. Digital protection will include the use of mobile antivirus software, using two factor authentication, reading the permission screen while installing apps, being careful while paying for something with your phone, etc,” said Jain of ESET India.
“Some of the best practices that eScan suggests for the security of personal data stored on your Android device are always use reliable antivirus software for Android that can efficiently provide protection against evolving malware. Before installing any application, do thorough research about the reputability of the company that is selling the program or software. Check the reviews of the application posted by other users. Always install applications (apps) from trusted sources. Never download apps from unauthorized or illegitimate app stores. Never download untrusted third-party apps. Backup the data stored in your device wirelessly, so that you can quickly restore the information on your device, in case the data is lost or accidentally deleted. Never save usernames and passwords in your mobile browser or apps as it can be dangerous if your device falls into the wrong hands. Never open an email attachment sent from an unknown sender on your mobile. Open it only if you are positive about the source,” concluded Rammurthy of eScan.
At Last
Mobile phones have become a point of danger for cyber crime, either by hacking mobile devices or simply accessing confidential information by stealing phones. Attacks can exploit weaknesses in text and data messaging services, Wi-Fi, Bluetooth and other mobile communications. There are also ways to exploit software vulnerabilities in web browsers and operating systems, sometimes caused by downloaded apps from third party sites that contain so-called ‘malware’ or ‘spyware.’
Many companies increasingly use ‘bring your own device’ and ‘corporately owned personally-enabled’ strategies, according to BT, with 95% of UK organizations allowing employees to use their own phones for work purposes. This has heightened the risk of attack on mobile devices, which are often used for both work and personal purposes. Executives at more than four-fifths of companies said there were insufficient resources in place to prevent a mobile security breach.
Data safe in cloud storage
Today, the world is more connected than ever before but in a decade wearable technology will be the norm – whether a smart glass or a smart watch you wear at the gym hooked up to your heart rate and connected to the cloud. “As the cyber threat environment evolves, threat protection must evolve as well. With the emergence of targeted attacks and advanced persistent threats, it is clear that a new approach to cyber security is required in cloud. Traditional techniques are simply no longer adequate to secure data against cyber attacks. Advanced persistent threats (APTs) and targeted attacks have proven their ability to penetrate standard security defenses and remain undetected for months while siphoning out valuable data or carrying out destructive actions. And the companies you rely on most are some of the most likely targets – financial institutions, healthcare organizations, major retailers and others. The ideal solution would weave your entire security infrastructure into a custom and adaptable defense tuned to your particular environment and particular attackers. It would enable you to not only detect and analyze these attacks, but fight back against your attackers. Businesses today are intrigued by the promise of cloud computing – the agility, flexibility and cost savings. Invariably, questions such as ‘How secured is the cloud?’ arise. In addition to Trend Micro’s portfolio of security solutions for cloud computing, Trend Micro is proud to announce a new, cloud-based, productivity tool for enterprises as well as SMEs to secure their journey to cloud,” said Mr. Dhanya Thakkar, MD, India & SEA, Trend Micro.
Prime Targets for Attackers
Data: Smartphones are devices for data management, therefore, they may contain sensitive data like credit card numbers, authentication information, private information, activity logs (calendar, call logs).
Identity: Smartphones are highly customizable, so the device or its contents are associated with a specific person. For example, every mobile device can transmit information related to the owner of the mobile phone contract, and an attacker may want to steal the identity of the owner of a smartphone to commit other offenses.
Availability: By attacking a smartphone one can limit access to it and deprive the owner of the service.
Who are the attackers?
Professionals: Whether commercial or military, they focus on the three targets mentioned above. They steal sensitive data from the general public, as well as undertake industrial espionage. They will also use the identity of those attacked to carry out other attacks.
Thieves: They want to gain income through data or identities they have stolen. The thieves will attack many people to increase their potential income.
Black hat hackers: They specifically attack availability. Their goal is to develop viruses, and cause damage to the device. In some cases, hackers have an interest in stealing data on devices.
Grey hat hackers: They reveal vulnerabilities. Their goal is to expose vulnerabilities of the device. Grey hat hackers do not intend to damage the device or steal data.
What happens when a smartphone is infected by an attacker?
# The attacker can manipulate the way the smartphone communicates and send it commands, which will be used to send unsolicited messages (spam) via SMS or email.
# The attacker can easily force the smartphone to make phone calls.
# A compromised smartphone can record conversations between the user and others and send them to a third party.
# An attacker can also steal a user’s identity and thus impersonate the owner. This raises security concerns as smartphones can be used to place orders, view bank accounts or serve as an identity card.
# The attacker can reduce the utility of the smartphone by discharging the battery. For example, they can launch an application that runs continuously on the smartphone processor, requiring a lot of energy and draining the battery.
# The attacker can remove or misuse the personal (photos, music, videos, etc) or professional data (contacts, calendars, notes, etc) of the user.