Security

=**Introduction**=

The vast majority of people utilize technology without thinking of the implications of using that technology. Just as every government policy has unintended consequences, so does every piece of technology. It is not uncommon for IT security professionals to be the only ones who see the unintended consequences before they happen. The IT Security site is a collection of IT security experts who blog on security topics.

No IT security expert knows everything about IT security because within IT there are dozens of specialties. For instance, you could be a database security expert and not know anything about how to secure servers, networks, PCs or applications. I see this all the time in the IT industry. One of the most frustrating things is when I hear from a business owner that their office manager's or secretary's spouse works in IT and told them that something like CA Antivirus is what the business should be using. I have one word for that. Asinine.

Put yourself in that business owner's shoes. Unless you are an IT consultant by trade, you probably don't know that there are all these different specialties within IT. You think if someone works in IT, they must know about antivirus, networks, servers, PCs, etc. That isn't the case at all. One of my friends, Shane, works in IT. He manages a network of about 8 servers and 120 PCs. He knows about antivirus and taking care of PCs and servers. Even network security experts tend not to know too much about PCs and servers. Yet that is the bulk of what you have to know about to support small businesses. Better yet is a consultant who services many businesses and sees many environments. A consultant will know which antivirus is the most effective, easiest to upgrade and maintain, and thus has the lowest total cost of ownership. My point is that you should be very careful about who you get your advice from.

=**Security issues related to smartphones**=

So who am I? I have worked in several major Fortune 500 companies. For four years, I was one of 8 top engineers who managed an environment of 10,000 computers and 500 servers in 67 countries. I've been in the IT industry since 1993 and was programming in BASIC in 3rd grade. But more importantly, I support smartphones for businesses utilizing Exchange and secure communications requirements. I have been using Windows Mobile devices since 2004.

So my personal exposure, as well as long-term experience supporting large enterprise networks that have strict security requirements, has given me a unique perspective on security-related issues regarding cell phones and smartphones. I covered many of these issues in a blog post dated June 16, 2010 (Blog post on phone security issues). Before you continue with reading this wiki page, I highly recommend that you read the blog post on phone security so that you can really get an understanding of the issues that businesses must consider when using this technology, and what steps they must take in order to mitigate the risks.

I am by no means the only IT security person who has thought of these issues. In fact, many others have touched on other related aspects of the security issues of smartphones and cell phones in general.

In April of 2009, CSO online published an excellent article with video clips of how to hack a smartphone in three simple steps (How to hack a smartphone). It basically involved the use of easily-obtainable software and text messaging. It proved that if you disable text messaging on smartphones, you are removing the largest attack vector on those devices.

WTHR in Indianapolis did an investigative reporting piece on a disturbing trend in cell phone hacking: the cell phones were being used to stalk their owners (Tapping cell phones). Their piece was originally dated November 2008, so these hacking techniques have been around a long time.

David Bach wrote an article in April 2007 regarding the police and authority notification side of cell phone security. I consider his list to be severely limited. It is a good article, but keep in mind it only covers 10 of ~35 things you need to do to have cell phone security. CSO published another excellent article in November 2008 regarding the top 5 stupid things people do with cell phones (Top five stupid things people do with mobile phones). I wish they had gone with the top six and included the stupidity of having texting enabled.

=**What can businesses do to be secure in their use of mobile phones?**=

Disable texting
Videos: Hacking a smartphone with texting; Second part of hacking your phone
 * //Whether smartphones or cell phones, texting should not be enabled.// Just take a look at the videos of Meir Machlin of Trust Digital hacking a phone using SMS. He's using freely available software to do this. How many times have you handed out your business card? Anyone who has it has your phone number. They can send you a maliciously-crafted text message and then they own and control your phone.

Your phone can be used as an attack vector against everyone in your contacts list and global address list. The typical Fortune 500 company has 10,000 employees. Even if you figure only 1% of them have cell phones, that means you still have 100 hacked phones to deal with in your environment. They can be used as corporate espionage devices. They can remotely deliver sound and video to the hacker. Is texting really worth that when you have email on the phones?

Lock the phone

 * //Put at least a 4-digit PIN on the phone.// The timeout to lock the screen should be **one minute or less**. CSO's article on the top five stupid things that people do with their phones also covers this. They talk about leaving the device open to access. This is part of having a PIN on the phone that will lock it, AND having an appropriate timeout setting.

Encrypt the smartphone
You would need to buy PhoneCrypt, and yes, I know it's expensive. But what other option do you have? Is that one-time purchase worth it for your executives' smartphones? I think so. When you encrypt the entire phone, not just the microSD card, you remove the risk that sensitive data stored on the phone is readable by whoever ends up holding the device. Many people put passwords in the Notes feature in Outlook, which then synchronizes with their phone. This is also stupid. Use a program like Password Safe to store your passwords.

 * //Full phone encryption is also your only way to ensure that if the phone is stolen or lost, the data is not compromised.//

Internet and WiFi
Don't browse the Internet from your phone unless you have to. You have no antivirus software on that phone. So what security exists to protect the phone from being compromised by malicious content? I address this issue in greater detail in the blog on smartphones.

I'm sure you've heard of WiFi hotspots. These are a treasure trove for hackers. I won't even hook up my laptop to a WiFi hotspot, and my laptop has very good security on it. So why would I put an unprotected device like a smartphone on a WiFi hotspot? I wouldn't. I know some people who do, because they don't think you should have to have a data plan on your phone to send and receive email. From a business usability perspective, the data plan makes sure that a reliable connection is always (or nearly always) there. This is much more supportable for business people than a strategy where they are expected to magically find a WiFi hotspot and then configure the wireless in the phone. My clients would tell me to go pound sand if I told them to find wireless and configure it whenever they wanted to send or receive email from their phone. This is the same reason that most of them buy broadband aircards for their laptops instead of relying upon hotspots. The hotspots in hotels often block RPC over HTTPS, which blows up their ability to send and receive email anyhow.
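For phones that sync against Exchange, the PIN, lock timeout, encryption, texting and browser/WiFi recommendations above do not have to rely on each user configuring their own device: an administrator can push them as an Exchange ActiveSync mailbox policy, and devices that cannot enforce the policy can be refused. The following is an added example, not the author's own configuration; it uses Exchange 2010 Management Shell cmdlets, and the policy name and mailbox identity are placeholders.

```powershell
# Added example (not from the original page): an Exchange 2010 ActiveSync
# mailbox policy that enforces the recommendations above on every device
# that syncs with an assigned mailbox. Policy name and mailbox are placeholders.
$policyParams = @{
    Name                            = 'Executive Smartphone Policy'  # placeholder
    # Lock the phone: require a PIN of at least 4 digits, refuse trivial PINs
    # such as 1234, and auto-lock after one idle minute
    DevicePasswordEnabled           = $true
    MinDevicePasswordLength         = 4
    AllowSimpleDevicePassword       = $false
    MaxInactivityTimeDeviceLock     = '00:01:00'
    MaxDevicePasswordFailedAttempts = 10      # device wipes itself after 10 wrong PINs
    # Encrypt the phone itself, not just the microSD storage card
    RequireDeviceEncryption         = $true
    RequireStorageCardEncryption    = $true
    # Disable texting, browsing and WiFi; email travels over the data plan
    AllowTextMessaging              = $false
    AllowBrowser                    = $false
    AllowWiFi                       = $false
    # Refuse devices that cannot enforce every setting in this policy
    AllowNonProvisionableDevices    = $false
}
New-ActiveSyncMailboxPolicy @policyParams

# Assign the policy to a mailbox (placeholder identity) and confirm the assignment
Set-CASMailbox -Identity 'jdoe@example.com' -ActiveSyncMailboxPolicy 'Executive Smartphone Policy'
Get-CASMailbox -Identity 'jdoe@example.com' | Format-List ActiveSyncMailboxPolicy

# Verify that each device partnered with the mailbox has actually applied the
# policy: anything other than AppliedInFull means the phone is not yet compliant
Get-ActiveSyncDeviceStatistics -Mailbox 'jdoe@example.com' |
    Format-Table DeviceType, DeviceModel, DevicePolicyApplied, DevicePolicyApplicationStatus
```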

Phone should match expected use
I don't think you should take an iPhone and expect it to be as secure as a Windows Mobile phone when used against an Exchange server, nor to offer the same level of security. If you are using Gmail for your business email, then get an Android. It syncs really nicely with Gmail. But if you have an Exchange server as your business email solution, don't waste your time with anything other than Windows Mobile. My recommendation isn't purely about security; it's about ease of use, functionality, and reliability.

I have a client who went and bought an Android phone. In her words, "nightmare from hell". According to what she told me, it required that you link your regular email address to a Gmail account and that you make a Gmail account. I talked about this in more detail in the blog posting on smartphones. Suffice to say that she did not end up with a reliable, secure email usage mechanism on her smartphone.

I have also had issues with iPhones syncing mail properly on client phones. Sometimes I have to do a pull setup rather than a push setup. Why can't they just sync bi-directionally like Windows Mobile?