Posts Tagged ‘mobile’

Your employees increasingly use their own mobile devices for business, a trend known as the consumerization of IT. Symantec recently conducted a short survey to learn more about end users’ experiences and perspectives on this trend. What it found is that the consumerization of IT has already become a reality for many organizations.

The vast majority of respondents said their company allows employees to use the smartphones of their choice for work-related activities. And nearly identical percentages of respondents said their employer provided them with their smartphone (44 percent) as those who said they purchased their own (43 percent).

The survey also found that while end users realize the productivity and satisfaction benefits of allowing employees to use the smartphones of their choice for work, they don’t fully comprehend the extent of the security challenges this creates. In fact, 78 percent think that allowing employees to use the smartphones of their choice either has no impact on or only somewhat decreases the overall security of their company’s networks and information.

So what can small businesses really learn from this survey? Small businesses need to educate employees on the potential security risks these devices create and how to best keep them and the data on and accessible through them protected. Below are tips for small businesses to share with employees to help keep your information safe:

  • Encrypt the data on mobile devices – The business-related and even personal information stored on mobile devices is often sensitive. Encrypting this data is a must. If a device is lost and the SIM card stolen, the thief will not be able to access the data if the proper encryption technology is loaded on the device.
  • Make sure all software is up-to-date – Mobile devices must be treated just like PCs in that all software on the devices needs to be kept up-to-date, especially the security software. This will protect the device from new variants of malware and viruses that threaten a company’s critical information.
  • Develop and enforce strong security policies for using mobile devices – In addition to encryption and security updates, it is important to enforce password management and application download policies for managers and employees. Maintaining strong passwords will help protect the data stored in the phone if a device is lost or hacked.
  • Avoid opening unexpected text messages from unknown senders – Just like emails, attackers can use text messages to spread malware, phishing scams and other threats among mobile device users. Users should apply the same caution to unsolicited text messages that they have become accustomed to applying to email.
  • Click with caution – Just like on stationary PCs, social networking on mobile devices and laptops needs to be conducted with care and caution. Users shouldn’t open unidentified links, chat with unknown people or visit unfamiliar sites. It doesn’t take much for a user to be tricked into compromising a device and the information on it.
  • Users should be aware of their surroundings when accessing sensitive information – Whether entering passwords or viewing sensitive or confidential data, users should be cautious of who might be looking over their shoulder.
  • Know what to do if a device is lost or stolen – In the case of a loss or theft, employees and management should all know what to do next. Processes to deactivate the device and protect its information from intrusion should all be in place. Products are also available for the automation of such processes, allowing small businesses to breathe easier after such incidents.

Android OS has shaken up the mobile market in many ways. Google’s ‘open source’ platform has already overtaken Apple in terms of both mobile market share and the number of apps in its app store. However, all is not well with Android. With growing popularity, Android is also becoming a target for malware writers and cyber criminals. According to Juniper Networks’ latest released report, samples of malware strains targeting devices running the Android operating system increased 400% between June of 2010 and January of 2011.

“These findings reflect a perfect storm of users who are either uneducated on or disinterested in security, downloading readily available applications from unknown and unvetted sources in the complete absence of mobile device security solutions,” said Dan Hoffman, chief mobile security evangelist at Juniper Networks.

“Mobile malware attacks and other exploits are no longer just theoretical occurrences discussed by security researchers and vendors keen on cashing in on a projected market. The threats to mobile devices are real — and reach far beyond simple viruses to include malware, loss and theft, data communication interception, exploitation and misconduct, and direct attacks. This report details specific attack vectors on mobile devices over the past year, defines new and emerging mobile threats expected in 2011, and gives mobile users practical advice to protect themselves from malicious attacks,” the report abstract states.

The report notes that there needs to be an increase in diligence by those who approve applications for distribution in the marketplace, as well as more proactive security efforts on the part of consumers.

Other key findings in the Juniper report include:

App store anxiety: The single greatest distribution point for mobile malware is application download, yet the vast majority of smartphone users are not employing an antivirus solution on their mobile device to scan for malware.

Wi-Fi worries: Mobile devices are increasingly susceptible to Wi-Fi attacks, including applications that enable an attacker to easily log into victim email and social networking applications.

The text threat: 17 percent of all reported infections were due to SMS trojans that sent SMS messages to premium rate numbers, often at irretrievable cost to the user or enterprise.

Device loss and theft: 1 in 20 Juniper customer devices were lost or stolen, requiring locate, lock or wipe commands to be issued.

Risky teen behavior: 20 percent of all teens admit sending inappropriate or explicit material from a mobile device.

“Droid Distress”: The number of Android malware attacks increased 400 percent since Summer 2010.

“App store processes of reactively removing applications identified as malicious after they have been installed by thousands of users is insufficient as a means to control malware proliferation. There are specific steps users must take to mitigate mobile attacks. Both enterprises and consumers alike need to be aware of the growing risks associated with the convenience of having the Internet in the palm of your hand,” Hoffman added.

Kaspersky Lab, the Russia-based anti-virus provider, has announced a ‘privacy guard’ cum anti-virus software for smartphones. The software will not only protect phones from viruses, but also enable users to create white lists and black lists of contacts. No call records or contact details will be visible if persons are added to the ‘black list’, allowing users to ‘hide’ such contacts. They can, of course, retrieve such contacts by entering their secret codes or upon time out.

The software, ‘Mobile Security’, will also allow users to block unwanted calls and SMSes by creating similar ‘black lists.’

It also helps users locate missing devices by activating the GPS system remotely and can also help wipe all data, including messages and contacts, by sending an SMS to the phone, if lost.

If the thief puts in a new SIM, you also get an SMS with the details of the new SIM, including the phone number.

While the use of personal mobile devices improves productivity in the workplace, there is a growing concern among IT administrators about the security risks associated with their use, Wang argues in her report “Managing the Security and Risk Challenges of Personal Devices in the Workplace”.

“The number one security risk that everyone always talks about is data protection”, Wang said. “If employees are accessing sensitive data from mobile devices, especially from personal devices, there is a question about how much control you should have on those devices for data protection”, she added.

In the report, Wang identified four major data security risks from the use of personal mobile devices in the workplace. First, there is a risk of device theft or loss. “From the corporate perspective, device loss could lead to data compromises if sensitive data lives on the device”, the report said.

Second, the mobility and portability of the devices increase the threats to data protection. “To defend against casual data access, you can implement PIN-based entry and device lock. To protect against active attacks, you will need measures like full disk or file encryption”, the report argued.

Third, employees could use personal mobile devices to carry out malicious insider attacks. “If you are concerned with employee misuse or malicious insider threats, encryption alone does not do the job. You need to actively restrict data manipulation operations like cut-and-paste and control which mobile apps can handle the corporate data”, Wang argued in the report.

Fourth, data-stealing malware is increasingly attacking mobile devices. “These malware attacks have the ability to root the device and therefore bypass all local security measures. Personal devices that have the freedom to download any apps are a ripe source for infection”, the report warned.

“When employees bring in personal devices, they may not conform to the company’s security standards. When that happens, the IT department is left with two choices. They can either demand that the employees’ devices conform to those standards, or they take the risk of having nonconforming devices in the environment. Those risks are often unknown”, she told Infosecurity.

Wang recommends that enterprises take a number of steps to reduce the risks posed by mobile devices in the workplace. “The first thing you need to do is have a policy governing the use and operation of these personal devices in your enterprise network. This policy should demand that the owner of the device take on certain responsibilities in safeguarding the corporate information on the devices, as well as keeping the device in a reasonable state regarding security”, she said.

In addition, enterprises should perform a risk/benefit analysis. “Are the risks posed by these mobile devices reasonable enough for you to tolerate? And what sorts of enterprise applications and resources will you allow the device to access?”, she added.

Finally, enterprises need to decide whether deployment of additional technologies is needed to secure these devices “in order to meet your security goals and policies”, she concluded.

About 97% of all research data is ambiguous. I’m sure you notice the oxymoron in the statement. But that’s truly what security vendors are as well. On one hand they’ll bombard you with research reports on how mobile phones can be hacked and why you need to empty your pocket to secure your smartphone and on the other hand their own statistics would speak against their claims.

Let’s talk statistics. There are about 400 odd known viruses on the mobile platform. Also, there are about as many known Linux viruses. However, for Windows there were over 280 million unique malware detected in the year 2010 alone. So as far as probability is concerned, you’re less likely to get infected with a mobile virus than to get killed in a terrorist attack (which in fact is so minuscule that you never have to worry about it).

That said, mobile security tools do offer certain benefits, which however, you can manage to do without emptying your pockets.

  1. Mobile backup tools: Some of the mobile security tools come with a mobile backup utility which takes a backup of all the important data on your phone. So, in case you end up losing your phone or in case you drop it in the toilet, your data (pictures, contact, messages, notes etc) remains intact. But why pay for something that is free! Every smartphone today comes with a PC suite software that helps you take regular backups on your PC. Apart from being free, this helps you avoid the heavy application on your phone that makes it slow down significantly and if you’re not using a high-end smartphone, it can also crash your phone on a regular basis.
  2. Mobile anti-theft tools: This is definitely what you think might be worth investing in. These tools, which are also often a part of the mobile security bundle, help you track down your phone by sending you your phone’s location. The good news is, if you’re using an Android phone, this utility comes for free from the Android marketplace (I’m personally using Where’s My Droid for my Samsung Galaxy). Moreover, many handsets come with device tracking software built into them, so that you don’t have to invest in them. So, if you look at your phone’s manual or google for some mobile tracking tools for your handset, there’s a high probability that you may not have to spend a single penny on any security tools.

As far as the entire risk landscape portrayed by various security vendors is concerned, they are right. There are certainly possibilities of virus infections on your mobile, but I don’t think you would want to spend your money to prevent some event whose probability of happening is less than 0.001%. In case you would still love to install such a tool on your phone to impress your friends, try AVG mobile antivirus, which is available free of cost.

P.S. If you think you’ll pirate a paid anti-virus for your mobile to save money, then you should know that there is a higher probability of you getting infected with the pirated anti-virus itself rather than any other virus or malware.

According to a PandaLabs Quarterly Report of 2011, the first three months of 2011 witnessed some particularly intense virus activity and there have been three serious incidents during this period: the largest single attack against Android cell phones, intensive use of Facebook to distribute malware, and an attack by the Anonymous hacktivist group against the HBGary Federal security firm.

At the beginning of March, the report noted, came the largest ever attack on Android to date. This assault was launched from malicious applications on Android Market, the official app store for the operating system. In just four days these applications, which installed a Trojan, had racked up over 50,000 downloads. The Trojan in this case was highly sophisticated, not only stealing personal information from cell phones, but also downloading and installing other apps without the user’s knowledge. Google managed to rid its store of all malicious apps, and some days later removed them from users’ phones.

Turning to Facebook, George S. Bronk, a 23-year-old from California, pleaded guilty to hacking email accounts and blackmail, and now faces up to six years in prison. Using information available on Facebook, he managed to gain access to victims’ email accounts. Having hijacked the account, he would search for personal information he could then use to blackmail the victim. It would seem that anyone could become a victim of these types of attacks, as even Mark Zuckerberg, creator of Facebook, had his Facebook fan page hacked, displaying a message that began “Let the hacking begin”.

Meanwhile, the Anonymous cyber-activist group responsible for launching an attack in 2010 against SGAE (the Spanish copyright protection agency), among other targets, is still making the headlines. The latest incident was triggered when the CEO of US security firm HBGary Federal, Aaron Barr, claimed to have details of the Anonymous ringleaders. The group took umbrage and decided to hack the company’s Web page and Twitter account, stealing thousands of emails which were then distributed on The Pirate Bay.
As if that were not enough, the content of some of these mails has been highly embarrassing for the company, bringing to light certain unethical practices (such as the proposal to develop a rootkit) and forcing Aaron Barr to stand down as CEO.

So far in 2011, there has been a new surge in the number of IT threats in circulation: in the first three months of the year, there was a daily average of 73,000 new samples of malware, the majority of which were Trojans. This means that hackers have created 26 percent more new threats in the first months of 2011 than in the corresponding period of the previous year.

Once again, over this quarter Trojans have accounted for most new threats, some 70 percent of all new malware created. Yet there is a logic to this, as these types of threats are favoured by organized criminals for stealing bank details with which to perpetrate fraud or steal directly from victims’ accounts.

In the ranking of the countries with most infections, drawn up from data generated by the Panda ActiveScan online antivirus, China, Thailand and Taiwan continue to occupy the first three places, with infection ratios of almost 70 percent. The last three places in the Top 20 ranking are occupied by Ireland, Peru and Ecuador.