
    Staying Secure


    Exclusive Mobile Security Round Table

    The roundtable, organised by Cisco exclusively for Mobile Europe, was an opportunity for several pivotal players within the industry to discuss key issues in mobile security. Companies involved included Cisco Systems, GSMA Security Group, Orange Business Services, Symbian and Trend Micro. The session was chaired by Mobile Europe editor Keith Dyer, and the discussion focuses on three areas: the mobile threat landscape; security and services (monitor and manage); and corporate mobile device and service management.

    Now that mobile networks have moved from closed, secure networks, and handsets with proprietary OS, to IP networks and access to IP services from open OS-based devices, does that put mobile on a footing with the threat we have seen to PCs? What is the current threat to mobiles from IP networks and the use of services over them?

    Jon Hindle:
    I don’t want to paint a picture of doom and gloom but there is a picture to be painted there. Clearly as we have gone from circuit-switched to IP-based networks so devices are accessing a much more open set of apps, and there’s clearly a set of issues that are going to become increasingly prevalent through the network. We’ve seen some initial threats and attacks to devices and to the networks themselves, and have also seen operators react fairly sensibly to that. I guess the ongoing thing is that you can never ‘solve’ security; you can only keep the risks at bay as much as possible.

    Keith Dyer:
    So where are the threats coming from?
    JH:
    There’s a whole host. As devices get more open in terms of OS there’s the potential for hackers to attack the device. But I think also there are some different ways of looking at threats – for example, if you’ve got access to the internet people can access things maybe you don’t want them to access – for example children accessing inappropriate content.

    KD:
    And on the device side how are those threats manifested?

    Laurent Gondicart:
    If we try to make a parallel between the PC world and the mobile world we are light-years away from the situation that we have in PCs. First we don’t have the same dominance of MS on mobile platforms. We do have the dominance of Symbian, and we have seen that recent attacks have targeted Symbian, because virus writers tend to go for the most prevalent platform on the market. That said, what we’ve seen so far is proof of concept so I don’t want to scare the public. However, if we look at the shift in the malware industry, nowadays we see that all malware is related to making profit. We see spam, spyware, greyware really targeted at making profit. We think that when we see a clear market on the mobile, virus and malware writers will shift to that platform because it’s really easy to make money on a mobile platform. With Premium SMS, everything’s there.

    KD:
    So Craig, it is likely to be Symbian under attack.

    Craig Heath:
    That’s true. We do have the biggest installed base of all open OS of mobile phones and I have to agree that, especially with the introduction of IP networks, phones do face the same type of threats as PC desktops. Fortunately, though, because desktop PCs have experienced it we have an opportunity to learn from that. We at Symbian have done that and designed-in security with the aim of staying ahead. Just this year Symbian has introduced a new platform security architecture which we believe is a strong foundation and, touch wood, we have not seen any malware on this platform yet.

    KD:
    And Juliet, within the scope of the operators, is there a similar level of recognition?

    Juliet Walker:
    I think we see it as here but emerging. We don’t want to panic customers because we have to be realistic – it’s not a big threat at the moment. But there are really basic things they can do to protect themselves against it, such as not talking about sensitive company information on a train. So what we’re trying to do is provide good guidelines for our business customers about their own usage and that goes from mobile etiquette through to what are the steps you should take to protect against viruses and things like that. We have AV solutions available that customers can download – so we are really trying to address that whole spectrum. But basically I feel that fundamental things aren’t in place. Less than 40% of companies have a mobile security policy that’s enforced within their company. So it’s about trying to extend what’s fairly common in the desktop world into the market place.

    KD:
    Charles, have you perceived a change in operators’ approaches in order to tackle any of these particular problems?

    Charles Brookson:
    Certainly, they’ve got to begin to behave a lot more like ISPs, they’ve got to educate their customers as to what they can do. We’re just putting together all the good practice we’ve seen around the world for the GSMA website, for example, so people know what to do. I’d like to reinforce the point of view that it’s another way of people getting into telco fraud – that’s been a big business for many years – people are starting to get content and use that as a way to launch viruses and Trojans. And as well as talking about the mobiles themselves we’re also concerned about the infrastructure, because when you’re talking about an IP infrastructure, that’s far more well known by the hackers, whereas the old circuit-switched infrastructure was much easier to secure. So clearly operators as well have to be reinforcing all the things they’re doing in looking at their IP systems.

    EDUCATION AND TECHNOLOGY

    KD:
    Is there more that the industry can do to combat this threat, given we’re not, as Laurent said, already there yet in the same way the desktop PC market is?

    CB:
    Well it’s going to be exactly the same messages such as not opening an attachment if you don’t know you can trust the source, not opening MMS if you don’t know where they’ve come from, looking for phishing attacks, education on people answering yes/no on security-based questions, on whether someone’s going to open a Java applet on their phone. So yes, it’s a very strong way of trying to educate people and I think that’s a complete change from just receiving voice calls and receiving text messages.

    KD:
    So it’s about user behaviour there, but Craig, you’re taking a view that there is something you can do at a technical level as well.

    CH:
    In the desktop world you have Windows Vista coming in that will have a lot of the security features built in, and I think again here we need to stay ahead of the PC world and build those things into the phones and the entire service package. So the operating platform is an essential part but it has to work with other parts of the value chain.

    KD:
    Juliet, do I need a mobile security policy or do I need to integrate it into my existing security policy?

    JW:
    I think it’s integrating it into your total business, so you need to understand what the risks are – considering laptops, PCs, mobiles and PDAs within that; having a view on what the appropriate devices are; recognising what people have already got; having amnesties around technology; recommending devices people can use within some level of choice. Guidelines need to be clear and well written, and then make it clear those things are going to be enforced. Also it’s about recognising that the risks are different for someone out and about on their voice device and the CEO on his BlackBerry in the airport lounge.

    CB:
    These devices will also have considerably more storage on them, and will have a lot of sensitive information on there, so you’ve really got to have policies as you do with any other device.

    JH:
    You can try and educate users but it’s a very dynamic area and most users are not educated, so there’s an opportunity for IT departments to take away the complexity. Otherwise it’s too dynamic for the user concerned.

    LG:
    User education is important but it’s just one piece of the policy. We’ve seen reports in the PC world in Germany of a phishing attack on a German bank and, even though users were aware of the threat, nonetheless 70% of this bank’s users keyed in their login, password and even transaction codes. So education is one way to deal with security but you still need the proper tools on the devices to make sure that if education fails you have a fall back. We’re seeing great interest in mobile security solutions in enterprises, primarily because enterprises aren’t talking about threats, they’re talking about risks. I’m not sure that the mainstream public is really ready for smartphones so we’re focusing on the enterprise and the operators themselves.

    MANAGEMENT OF SECURITY … and security of management

    CH:
    One of the things that mobile manufacturers are working on right now is management of security, being able to configure the security policies of devices that are in the field, and that’s clearly a very valuable thing: you can adjust your security policy based on the threats that you can see. That is, you don’t maintain an extreme threat level all the time because there are times when that is inconvenient to people. So we’re very keen on enabling that kind of approach, but there is in my view a missing piece to that, which is that if you turn it around, you need security of management, and right now phones are quite trusting. If they get a request to upload a security policy then generally they’ll do it and you risk having a situation where an attacker may tell a security guard to go off shift now, as it were. We’re working with phone manufacturers, device creation partners, ISVs such as Trend Micro, network operators who are obviously a crucial part and also enterprise organisations to make sure we’re able to support the kinds of policy settings they are able to do.

    FREEDOM AND CONTROL

    JH:
    I think we are seeing users getting cleverer and cleverer and there’s an onus on the industry to protect users because often they don’t know what they’re getting into. So we’re seeing a lot in the States and the UK about protecting minors. There’s a strong obligation to give everybody the freedom to do what they want within sensible boundaries.

    JW:
    I think it’s the same for business customers. We have customers saying they’d be comfortable to pay a nominal amount for us to put security in place to help them manage that and to help them control what happens to their information. Companies recognise the value of mobility and have seen that it makes a real difference to their business – you can close it down but that doesn’t solve the problem so you need to find a balanced view to allow people to exploit the benefits of the technology.

    CB:
    Which in the end comes down to risk management – taking a practical point of view as to whether it’s good enough to your business.

    LG:
    It’s very important that the user isn’t burdened by security tools. So if you take the burden of different security tools, just for firewall, encryption etc., it becomes about the management of security solutions on those devices.

    CH:
    And it’s very important for those security solutions to work together. If you look at the range of security solutions, including hardware security technologies, in newer chipsets, also the OS security model and the layered security solutions such as malware detection, and try and put those together in a way that the security policy is proportionate to the threat you end up with a much better user experience.

    JH:
    Users are desperate for somebody to package that together.

    KD:
    So are we going to see on our mobile bills a check box saying ‘yes, give me security’?

    JW:
    I suspect that’s where we’re going. I’m not sure any of us have got there yet, but certainly things like backup are already starting to appear. It varies whether it’s included in the application or not, so for email it would be included in the solution. So, for a small business just simple things like backing up contacts is so easy – but I spoke to one customer in a small business who said she’d move to Orange just for that simple solution to that problem. Because we’re in the industry we tend to know and worry about the future big stuff, but we’re not letting people become aware of the basics, as well as helping the big guys.

    PROTECTION, SPYING AND SIGNING ON

    JH:
    Protecting users from inappropriate content – is that spying on users? Is it intrusion or protection? It’s about freedom of choice and some of that is about having the freedom of choice to be able to select not to receive that, or protect my children from that.

    CH:
    Standards differ so we have to be careful not to be drawn in to make moral judgements. For example when an application is included in the Symbian Signed programme, it’s available globally. Some devices by default will not allow applications to install if they are unsigned, and some will. This is all dependent on the configurations by the device manufacturer and, going forward, this will also be manageable in the field.

    LG:
    I have a slightly controversial view on signed applications. We as an AV vendor have the view that as long as you authorise third party applications on any OS, as secure as it might be, you have the risk of having malware on it. With Microsoft Vista, which is the most secure platform that Microsoft has produced, we already have indications that the Vista platform can be breached by malware using the signed drivers from MS, and that’s something really scary. If the malware writers really want something to happen on a platform, it will, because now it’s really an industry. The FBI says malware in 2005 amounted to $62 billion, that’s more than twice the revenue of the AV industry alone. So we really have to be aware of this and careful about this.

    CH:
    I completely agree. I mean no signed system is completely secure. That’s why it’s important not just to focus on prevention but to detect things as they happen and respond to them. Signing is no guarantee but even so you’re better off with it.

    LG:
    I certainly agree with that!