The Forgotten Computer
Cell phones tend to be a forgotten technology when considering devices that need to be secured in Information Security. Think for a moment about how your users actually use their cell phones. Do they have mobile applications that give their phones access to proprietary information? Do your users have their email and calendars synchronized with your mail server? If someone broke into their phone, what could the attacker find out about your company? The cell phone, with its ever-growing feature set, is quickly becoming the easiest doorway into your corporate information.
Today cell phones are much more than phones. Blackberry, iPhone, Samsung Instinct: these phones allow application access, internet browsing, email, SMS, and even updating your Facebook status. All of this translates to an enormous attack surface for would-be hackers. When you add communication methods such as Wi-Fi and Bluetooth, the mess gets even more complicated. The dangers are not only from hackers; pickpockets and general thugs can simply grab the phone and run. The data contained on cell phones is growing in volume and importance, so what can we do to protect our companies against data theft?
1. Audit
Determine who has phones, what is on those phones, and what your enterprise communication system can do. Systems such as the Blackberry Enterprise Solution have many security features built in to respond to a phone being stolen (http://na.blackberry.com/eng/ataglance/security/). Familiarize yourself with what your enterprise communication system (BES, Windows Mobile, etc.) offers in the realm of security. Can you remotely wipe the data on the device? Can you control what applications can be loaded?
2. Educate
After you know what you need to protect and what you can do to protect the devices, ensure that the users understand the possible threats they might encounter. Most users do not understand that the cell phone is basically a mobile computer and is exposed to all the same threats as any other computer. Teach users that their cell phone can be a doorway not only into the business but into their personal lives as well.
3. Threat Model
Set up attack scenarios and model them on a whiteboard. Use these models to determine where your defenses are weak as well as where they can be totally circumvented. The more you attempt to break into your own systems, the more possible attacks you will find. Use these successful attack scenarios to drive your business policies and decisions regarding cell phone security.
The role of the cell phone has changed drastically over the past few years. As Information Security professionals, our job is to ensure we secure all doors into our systems. Today’s cell phones are giving their users unprecedented access to information, from banking to the weather, but with this new connectivity come new attack surfaces. Cell phones can be secured with proper planning. Knowing your exposure level, teaching users how much information their phone actually holds, and then testing your security will improve your ability to react to attacks in the future.
Tags: BES, Blackberry, Blackberry Enterprise Solution, Bluetooth, calendars, Cell Phones, corporate information, data theft, email, enterprise communication system, Facebook status, hackers, Information Security, internet browsing, iPhone, mail server, mobile applications, pick pockets, Samsung Instinct, SMS, technology, Tim Kulp, Wi-Fi, Windows Mobile





