Guest Column | April 29, 2009

Securing Mobile Devices from Malware: Paradise Not Lost

Written by: Hongwen Zhang, President and CEO, Wedge Networks

Mobile devices are coming at you from every angle – your C-level executive is in love with his iPhone; your sales rep has purchased a new netbook on Verizon’s $99/month plan; it goes on and on. What is common is that they want to take these devices to work and expect you to develop ways to support these and other new soon-to-be-released mobile devices. That is not surprising. With mobile devices providing quick and easy access to wireless networks, and sporting business productivity tools and applications, using these devices for access to corporate data and applications is the next logical step.

Regardless of your approach to the level of support you should provide for these devices — getting the device to be used for communication, PIM, email, telephony and browsing applications (so-called concierge services), or getting the device to be further integrated with your enterprise’s business productivity systems — securing devices from malware should be in your plan.

At first glance, the number of reported malicious programs for mobile devices might make the issue seem irrelevant; however, malicious programs inevitably move from innocent tools for amusement into the hands of professional criminals and hackers, who create them expressly for financial gain. The new breakthroughs in mobile devices are making them a potential target, to the extent that most security response managers are pegging the probability of malware targeting these devices, including the iPhone, at 80% to 90%.

Why is it hard to secure a mobile device against malware?
Mobile devices, despite their increased business productivity functionality, remain limited in processing power and battery life since they are constrained by physical dimensions. The fact that they are mobile and use metered access (e.g., wide-area cellular networks where end-users pay per kilobyte) further adds to the complexity.

First, securing these devices using typical endpoint security solutions proves to be impractical: they are difficult to install, slow down performance, shorten battery life, and are expensive to update on metered networks, where signature updates can eat up to 2MB each time (sometimes as frequently as once every hour).

Second, mobile users demand better quality of information, such as zero-spam messages and ad-free web access. Plus, the fact that a mobile device can be misplaced is concerning, given that its information can be easily stolen and, more importantly, the device could be compromised to launch a concerted attack.

How to secure these devices?
Mobile device management (MDM) suites, intended to provide Over-the-Air (OTA) management for these devices such as provisioning, version management and remote wipe-out, are readily available, as is best-practice layered security (e.g., virtual private networks and network access control) to ensure clientless and secure access; however, neither provides malware protection for these devices.

Network-based content security appliances, with the ability to intercept network traffic to and from these devices, scan it for malware, spam, and content that does not meet use-based policies, and stop it before it hits the endpoints, are proving to be invaluable for three reasons:
  • First, with mobile devices where it is not possible to install endpoint anti-malware/content filtering applications, this is a must to prevent mobile malware from compromising such devices, and worse, to protect the enterprise network if these devices were lost and are used to launch malware attacks on enterprise resources.
  • Second, with these devices using metered networks, substantial savings are possible on three fronts: accurate spam and advert-filtering provide a double-benefit of not using bandwidth to deliver unwanted messages and adverts and not occupying the end-users’ time sifting through this content; and end-point signature updates that could be expensive are not required.
  • And third, use-based policies can be deployed at a network level to provide finer-control over enterprise content and resources (e.g., prevent access to customer credit card information while mobile).
The premise of network-based content security is promising to the extent that it is easy to build a business case around a very short return on investment. However, being in control beyond managing “access” to managing what “content” is delivered to these devices is priceless.


SIDE BAR: Questions to ask when considering network content security for mobile devices:
  1. Do you have to re-image mobile devices (even though they might have an end-point security solution)?
  2. Are your mobile users complaining of downloading ‘spam’ on their device?
  3. Are you paying ‘excess’ data usage charges for these devices?
  4. Are you concerned as to the content your users are accessing with their corporate mobile devices?
  5. Are you worried that a mobile user’s end device could be infected and using your network resources to launch malware attacks (send out email messages/serve web-exploits) to your employees, customers, partners, suppliers, etc.?
  6. Would you like to enforce ‘mobile’ specific use policies to your enterprise data?
Hongwen Zhang is the President and CEO of Wedge Networks Inc., which provides network-based Web security solutions and specializes in malicious-code detection and filtering at the network layer.