
Mobile Security: Not Your Father’s Oldsmobile

Challenges in securing mobile computing equipment (the article is in English)

Mobile devices require a totally different approach than the typical PC for protection against malware (e.g., viruses, trojans, phishing, etc.). They require an embedded component to act as a defense within the device that may be too “stupid” to be able to download and run an external security application.

Unlike a PC, which has an accessible high-level OS that can run applications, many dumb devices have an RTOS (real-time operating system) that provides only the functionality written by the manufacturer into its firmware. That’s not to say it can’t be attacked and/or damaged (most firmware is written into alterable ROM these days, which can be damaged by the right type of attack). It simply means there is generally no way to write an adequate security application which can be loaded and run on the device. Smarter devices that run J2ME or BREW may offer some ability to download application-layer security SW, but these applications are generally too high up the SW stack of the device to do much good (i.e., they can’t really protect at the network layer, such as protecting Bluetooth access). Security must run in the base-level OS, not the top application layer, whether in a mobile device or PC.

Of course, the best way to defend these devices against attack is to completely secure the network from all malware of any kind. This is easier said than done. Most carriers do a good job of attempting to achieve such security levels within their server infrastructure, but for added insurance, it is always better to run a client-side security app as well (just as virtually all organizations do for PCs: both server and client run a security package). Embedded systems represent a real challenge to security companies (e.g., McAfee, Symantec, F-Secure, Trend) since they have to custom-tailor device-specific security apps for each unique device to achieve maximum protection. And these apps must be loaded into the embedded OS. This requires a cooperative partnership between the device manufacturers and the security vendor.

In an ideal world, an industry-wide body (like OMA) would come up with a structured approach that would allow all vendors to put a “connector” into their devices, making them ready for standardized security apps (much like SyncML did for syncing services). Then security vendors could write security suites for a broad array of devices. Standards may not solve all the issues (there will still be device-unique protection issues), but they would go a long way toward helping the industry achieve higher levels of security by making it much simpler for security vendors to create and maintain their products. Further, they would allow users to buy aftermarket products, something impossible to do today.

Bottom Line:  As mobile devices become smarter, with more data, and more data connections, they will become attractive targets for malware writers. Malware for mobile devices is a minimal threat today. In the near future, smart devices containing customer lists, order information, and company mission critical data which can be lost, altered, or stolen, will be aggressively targeted. We expect this unfortunate scenario to happen in the next 2-3 years, and these types of attacks will prove costly. Companies need to implement strategies to protect these devices, and mobile vendors need to get better at producing “protectable” devices. Organizations should work with their current security vendors (e.g., McAfee, Symantec) to determine how to extend the Security Umbrella (i.e., antivirus, firewalls) to these emerging devices, and require disclosure by these security vendors of future plans and roadmaps, so a true assessment can be made of whether current vendors can solve the companies’ future needs.

  The author of this article is:

 Jack Gold

 jack.gold@jgoldassociates.com

 

 
