By Stacey McDaniel
Most IT managers at today's financial institutions are accustomed to having some percentage of their user base working outside the main corporate network. However, in recent years, that percentage has grown dramatically and in sometimes unexpected ways. For example, notebook computers are becoming more popular as standard business equipment because they can make it easier for IT staff to relocate employees within the corporate building or campus. And once an employee has a portable system, it almost invariably gets carried offsite and used remotely. The rise in telecommuting has also spurred deployment of portable systems.
This increased mobility is a bonanza to potential attackers. After all, the corporate perimeter defense has dissolved into hundreds or thousands of individually and uniquely vulnerable client endpoints. In contrast to the overlapping perimeter defenses that generally offer a single point of entry, attackers now have a wider field to search for weaknesses.
This article looks at how criminals are changing their tactics to focus more closely on mobile devices. It then shows that, as corporate networks grow more complex, protecting individual endpoints will become more and more crucial.
Spam and phishing go mobile
SMS (short messaging service) and MMS (multimedia messaging service) are emerging as new vectors for spam and phishing activity. SMS is a service that is used for sending short text messages to mobile phones and other mobile text devices such as pagers. MMS is a service that allows mobile devices to send phone messages as well as multimedia files, such as images, audio and video.
There is a logical evolution from email to SMS and MMS as transport mechanisms for spam and phishing attacks. This is due in part to the fact that the technological and procedural defenses for devices deploying these services may not be as well developed or as widely deployed as those for other platforms. Additionally, users of mobile devices typically perceive messages received by SMS and MMS as being more personal than those received by email on a desktop computer. Furthermore, threats against these surfaces have been rare thus far. As a result, users are more likely to trust those messages and to act on them.
The term "SmiShing" was even coined by the industry to describe such threats.
Targeting SMS and MMS may also offer attackers a significant benefit over targeting a specific mobile operating system. SMS and MMS are sufficiently well established and are deployed widely enough that they are available on almost all handsets on all networks.
Mobile security researchers speculate that SMS- and MMS-based phishing and spam will continue to increase. There are a number of different Internet-based SMS gateways that could allow users to supply their own originating number or name, which could be spoofed and used to send spam. As the cost of SMS services goes down, the likelihood that these gateways will be used for spam activities will increase.
The increase in threats to mobile devices is in keeping with the fundamental shift in Internet security activity that researchers have observed recently. The current threat environment is characterized by an increase in data theft and data leakage, and the creation of malicious code that targets specific organizations for information that can be used for financial gain. It's no surprise, then, that worms or Trojans exist on every major mobile operating system, from Windows to Symbian to Palm.
The challenge of endpoint protection
It's also the case that mobile PCs connect to the main corporate network sporadically and unpredictably. Inconsistent connections make it more difficult for IT staff to keep those machines updated with the latest security software, operating system and application updates. Needless to say, systems running outdated software are significantly more vulnerable to attack.
As a result, many companies have started to build an endpoint protection strategy that's based on far more than antivirus and firewall protection, encompassing technologies that relate directly to securing and managing the whole enterprise environment. For example, network access control technologies provide pervasive endpoint coverage for managed and unmanaged devices, both on and off the corporate network. Increasingly, these technologies are enabling CIOs to move toward a three-part strategy that depends on the network's ability to protect network traffic coming in and out of the endpoint itself. Such a strategy:
1. Uses network technology to prevent threats from getting onto a machine,
2. Uses file system filtering to prevent threats from being written onto disk,
3. Prevents any unknown or zero-day threats that get through #1 and #2 from doing any damage.
Ultimately, this strategy helps to ensure that all connected devices are in compliance, and blocks or remediates non-compliant devices with automatic software and patch updates before granting any network access. A compromised or infected mobile device is effectively brought into compliance, insulating company information and IT systems from disruption.
Conclusion
The ubiquity of mobile devices within financial services institutions requires that they be viewed strategically as a completely new endpoint, just like desktops and laptops. At the same time, the sophistication of today's online attacks demands that mobile security encompass more than just antivirus and firewall protection. Real mobile security relates directly to securing and managing the whole enterprise IT environment.
Stacey McDaniel has been writing about high-tech issues for more than six years.