Mobile Device Security—The Eight Areas of Risk
It’s common knowledge that adding mobile devices to your network increases security risks. There are multiple facets to mobile security, all of which deserve close attention. To give you a more in-depth look at the key areas of securing your wireless devices, we’ve compiled some of the best articles from SearchMobileComputing.com and included them for you in this Executive Guide.
Sponsored By:
Table of Contents:
Controlling risks and costs for better security
Mobile security: Top oversights
Understanding wireless security
Resources from Nokia
Controlling risks and costs for better security
By Simon Forge
Learn the eight areas of risk associated with mobile devices and how better mobile device management can save money and guard against threats to enterprise data security.
Moving mobile devices and PDA devices into the workforce really means a new sort of computer is being given away—perhaps with very little supervision—as that computer is not in a central location for most of its working life. These are early days for mobile network management and security. Many organizations still have no central team to manage mobile devices; they react to their current situation using existing network management teams. Consequently, many companies do not have adequate control over either the security of new mobile devices or the threats to company operations that mobile networking may present.
What seems to be a simple approval for a low-cost item may turn into a series of big headaches when cell phones are lost—and at least 10% of them will be lost in an average year. It is notable that most large cities in the U.S. and Europe now have 10,000 to 15,000 mobile phones left in taxis every month.
Employees with mobile devices are actually carrying around eight areas of risk:
1. Loss of general company data and files from these increasingly memory-laden devices.
2. Key sales contacts could go to a competitor—or be lost altogether.
3. Physical loss of the device.
4. The employee's time to recover from the loss—which can be a few hours or a few days—is usually worth far more than the replacement costs of the device and software.
5. The time the network administration team needs to replace the device and handle the loss.
6. Introduction of viruses and malware into the company's installed computer base, usually when synchronising PC and handset in the office and on a home PC.
7. Phone fraud of various types—e.g., employees making unauthorized long-distance personal calls; this is less of a problem now because many companies accept that personal calling is going to happen, and corporate rate plans for bulk long-distance can cut the cost significantly. The co-operation of the mobile operator is required to control this.
8. The use of such devices as means of stealing company information. The "inside job" on data theft can be pulled off using a wide variety of mobile devices, from PDAs to lowly MP3 players.
Thus, the corporate mobile management task is unlike a fixed network for voice or LAN-connected servers and PCs—it is much harder. Mobile management support costs are up to 15 times as much as those for fixed data or voice networks, as the types of support required are so much more varied. These costs range from initial device configuration to negotiating company-wide mobile carrier contracts. Devices next have to be updated, accounted for and replaced, with new applications being added whenever ready and tested, possibly requiring further handset activation, end-user instruction, and so on.
So what should you do?
Several ways to improve security through mobile device management can be quickly outlined. A first step is to divide the databases into authorized segments by user, "rather like an orange," as one manager remarked. Each user may see only the selected partitions for which he or she is authorized. This requires structuring data access by permissions with a policy engine rather than by subject.
The next step is protection for a lost device. Now coming onto the market are management systems that to some extent take the responsibility for data protection from the employee and return it to the network manager. A number of systems can now destroy any data on a smartphone or PDA and also allow only authorized devices to attach to the network for both mobile and PC synchronizing activities. An increasing number of suppliers have taken up the challenge; their products either look at mobile networking as an extension of existing management systems or as a new field in itself (e.g., Securewave, Synchronica).
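The two steps above, as an added example that is not taken from the article or from any vendor's product: a sync-time policy check that grants only the data partitions a user is authorized for, admits only enrolled devices, and answers a device reported lost with a wipe instruction. The user names, device IDs, partition names and the decide_sync function are all hypothetical.

```python
from dataclasses import dataclass

# Constructed sample policy data; all names and IDs are hypothetical.
USER_PARTITIONS = {            # user -> data segments they may see
    "alice": {"sales-emea", "price-list"},
    "bob": {"price-list"},
}

@dataclass
class Device:
    owner: str
    reported_lost: bool = False

ENROLLED = {                   # only these devices may attach and sync
    "dev-001": Device("alice"),
    "dev-002": Device("bob", reported_lost=True),
}

@dataclass(frozen=True)
class SyncDecision:
    action: str                # "allow", "deny" or "wipe"
    partitions: frozenset = frozenset()
    reason: str = ""

def decide_sync(user, device_id, requested):
    """Default-deny decision for one synchronization request."""
    device = ENROLLED.get(device_id)
    if device is None:
        return SyncDecision("deny", reason="device not enrolled")
    # A lost device is wiped no matter whose credentials it presents.
    if device.reported_lost:
        return SyncDecision("wipe", reason="device reported lost")
    if device.owner != user:
        return SyncDecision("deny", reason="device not assigned to user")
    # Grant the intersection of what was asked for and what policy allows.
    granted = USER_PARTITIONS.get(user, set()) & set(requested)
    if not granted:
        return SyncDecision("deny", reason="no authorized partition requested")
    return SyncDecision("allow", frozenset(granted), "ok")

if __name__ == "__main__":
    for args in [("alice", "dev-001", ["sales-emea", "hr-records"]),
                 ("bob", "dev-002", ["price-list"]),
                 ("alice", "dev-999", ["price-list"])]:
        print(args, "->", decide_sync(*args))
```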
The final word
You can have the last say when devices are lost or stolen. Some of the latest models of mobile handsets can be switched to "scream mode" until their batteries run down.
An Introduction to Mobile Management
Mobile security: Top oversights
By Kevin Beaver
Most people are aware that mobile systems create business risks. Knowing this, some network managers take every measure to ban mobile computing. No laptops, no wireless networks, no handhelds, nothing. On the other hand, many allow mobility openly, with very limited controls, to the extent where it becomes an employee "right." Both are extremes in the classic struggle of trying to balance security with usability, but I see both frequently. Whether you support mobility in one of these fashions or fall somewhere in between, it's almost guaranteed that mobile security problems still exist.
Here's what I'm seeing as critical mobile security mistakes—things to look out for and gain control of going forward.
1. Not knowing what is really at risk. Most employees and managers haven't really thought about what there is to lose—especially when it comes to the lack of physical security controls with mobile devices. Simply put, people aren't valuing business assets and treating the threats and vulnerabilities seriously enough. Making matters worse, many in business don't know what information they have, where it is located, or even what it is worth. In most cases, this stems from management's failure to instill a culture of privacy and security—often leading to security oversights and unfortunate breaches that create business-level problems.
2. Not taking the complexities involved seriously enough. It is easy to assume that mobile security is simply achieved. You just encrypt wireless traffic and laptop hard drives and all's well, right? Not really. For starters, it's all in how encryption is used and when it's used. Time and time again, I see and hear of network managers implementing these types of controls in all the wrong ways -- often in the name of getting it done quickly to make users happy. There is also this problem of islands of unstructured files scattered about laptops and handhelds. It's everywhere, and that means a literally unlimited attack surface against sensitive information.
With the lack of physical controls, unauthorized usage is very difficult to prevent or trace back. Finally, I strongly believe that the whole problem of policies and people is underestimated—that is, the security policies, processes and user buy-in required to keep mobile systems secure. The software side of mobile security is a complex beast, and it cannot be taken lightly.
3. Being too trusting of people. Speaking of people, many in IT and upper management are too trusting of employees and even outside contractors and other visitors. They are often given a lot of privileges with mobile devices, both on and off the network, but no one really knows how they're using them. Quite often, we're depending on these users to do the right thing and help limit mobile security weaknesses, but that is not likely to happen, considering that this is the last thing on the minds of people who have a hundred other things to worry about during their workday.
4. Not using technology for help. There is a great over-reliance on policies to keep information safe—especially at the management level. The assumption is that a policy is in place, so everything is safe and sound.
There are lots of security controls that come free with most computers, handhelds and wireless LAN systems. From power-on passwords to BitLocker drive encryption in Windows Vista, from WPA encryption to the Microsoft PPTP VPN (among other freebies), many solutions exist. The key is making the choice to use them. If the controls you need are not there by default, there are solutions available (at reasonable prices relative to the consequences) to keep mobile systems secure from the elements.
5. Not understanding how the bad guys work. One of my biggest pet peeves—it is near and dear to my heart—is the fact that a lot of mobile systems (wireless LANs included) aren't being properly tested for security exploits. In fact, mobile systems are often outside the scope of security assessments. We look at firewalls, operating systems, Web apps and databases but tend to ignore mobile systems because some basic controls are in place. Of the testing that is being done, it is often a checklist audit with no in-depth testing or ethical hacking to find out just what controls can be bypassed and exploited. Looking at mobile systems with a malicious attitude and good tools is absolutely necessary to find the real problems.
Mobile security problems aren't going away. Whether or not mobility is supported by management, it is probably still present in some form. Most mobile weaknesses are out of sight and out of mind. But don't be fooled—they're still there.
In the end, there are two options:
1. Action to prevent mobile security breaches
2. Reaction after a breach
Based on what we're seeing, the former is a lot easier and cheaper than the latter. Make mobile security a top priority and start seeking out these vulnerabilities. Eventually, you can gain the control you need.
Understanding wireless security
By Craig J. Mathias
Suppose I were to say to you that there's really no such thing as wireless security. That would sound pretty silly, especially since (a) data is clearly flying through the air, in range of anyone nearby with the right equipment, and (b) wireless security has historically been the number one concern of IT managers and often a roadblock to the deployment of mobile and wireless computing solutions. Silly, indeed.
And yet, when we look at wireless security as part of the overall value chain between client and server, the wireless part suddenly seems small and insignificant. This is because wireless deals only with that portion of the chain known as the airlink – the connection between a wireless client and (typically, in the case of wide-area mobility) a cellular base station. But consider all of the other connections between the cellular base station and your server—a collection of equipment within the cellular network and the Internet or other wide-area connectivity—and you'll see many points of vulnerability that far outweigh those of the airlink.
I am a big believer in end-to-end security. This means that, subject to a given enterprise's security policy, sensitive data is always stored securely and appears in the clear only to authorized users. And this doesn't just mean end-to-end over the airlink but rather end-to-end-to-end-to-end between the client device and the server that stores the data.
This further implies two key requirements:
• Encryption: This means that all sensitive data is encoded while stored and during transmission, so it cannot be read by unauthorized users, legitimate or not.
• Authentication: This means that users must identify themselves to their devices and the network before any access is allowed. Ideally, authentication is mutual, so a user cannot be fooled into sending sensitive data to a spoofed server.
If we put this together, the core requirements are that all sensitive data must be stored encrypted on the server and the mobile client device (notebook computer, smartphone, memory key, etc.). It also means that authorized users must authenticate with the server before any data can be obtained. I recommend "two-factor authentication" using (typically) a hardware key and a password. That way, if one is lost or stolen, the data is still secure.
Now comes the hard part.
I also recommend that authorized users authenticate with their mobile device. This means at a minimum having to log in to one's notebook and use a PIN or similar mechanism on smartphones. Lots of users just hate this, but they need to understand enterprise security policies and also develop what we call a "culture of security"—just as those "loose lips sink ships" posters used to remind everyone of the need for security during World War II.
As it turns out, modern digital cellular networks include basic data security, and user traffic is by default encrypted over the air. I recommend, however, that enterprises use their own virtual private network (VPN) techniques on all wireless links; security really should be under the control of the enterprise, not the carrier.
Basic security really isn't all that hard to plan, implement and manage. But again, it's not a matter of wireless security alone. Rather, it's end-to-end security across the entire network. Secure the whole value chain, and wireless security almost comes for free.
Maybe there really is no such thing as wireless security after all.
Resources from Nokia
Mobile solutions by Nokia Intellisync
www.nokiaforbusiness.com/intellisync
About Nokia
Nokia is the world leader in mobility, driving the transformation and growth of the converging Internet and communications industries. Nokia makes a wide range of mobile devices and provides people with experiences in music, navigation, video, television, imaging, games and business mobility through these devices. Nokia also provides equipment, solutions and services for communications networks.