Mobile Insecurity

This article is reproduced with the permission of CAmagazine, published by the Canadian Institute of Chartered Accountants, Toronto.

By Jan Barcelo

The proliferation of mobile computing has brought on a number of challenges, specifically around security issues

Life in the mobile lane can be quite unsettling. Take the case of an accounting firm in Quebec City that was in the process of buying out another firm. In the midst of the negotiations, exchanging countless emails with senior management and discussing the strategy of this acquisition, the firm’s president lost his iPhone.

However, there were questions of whether the iPhone was lost or stolen. Regardless, there was concern that the sensitive and confidential information could land in the hands of the president of the firm they were looking to buy. Or perhaps it could be passed on to a competing accounting firm that could beat them to the punch. In either case, would the president now have to negotiate with a counterparty that holds key information and knows what hand he intends to play? Understandably, this would be an uncomfortable position to be in for anyone.

Since he couldn’t find his iPhone, the president was anxious to know if the information on his phone had been extracted or at least read. So, he called on experts at Victrix, Montreal-based IT consultants that specialize in allowing mobile workers to work together as virtual teams. “There was no way for us to know if any strategic information or data concerning prices and evaluation had been looked at and, even less, who could have looked,” says Stéphan Gariépy, Victrix vice-president, eastern Quebec.

It’s likely the accounting firm’s president had nothing to worry about, as most mobile devices are stolen for their cash value, not their information value, says Yves Godbout, CA•IT, CISA and chair of the CICA’s Alliance for Excellence in Information Technology (and CAmagazine’s technical editor for technology). But the possibility of espionage was real and must have given him a few sleepless nights.

His plight is symptomatic of a problem that is rampant in organizations today: the use of email as a storing system. “Most organizations are witnessing an explosion in email,” says Claudiu Popa, president of Informatica Corp., a Toronto consulting firm that specializes in information security and privacy compliance. “These emails often have very sensitive information in attachments that users keep forever. If it’s on a desktop at the office, that’s a relatively secure environment. But inside a mobile device, on the road?”

Handheld mainframes

People are surprisingly careless with their smartphones and mobile devices, especially considering that processing power on most of them surpasses that of mainframes of 30 years ago, says Barry Lewis, president and CEO of Cerberus ISC Inc., a computer consulting firm in Brampton, Ont. But it’s not just a question of raw processing power; the massive amounts of data on a mainframe were often not as sensitive and strategic as the few emails a company president can carry around in his smartphone.

A key security problem with mobile devices is that they are on their own, so to speak. Often they are not in contact with a company’s central IT department, which can detect when a computer is attacked by spies or hackers. And within an office, it’s easy to notice when a computer disappears. An iPhone or Android phone in an executive’s pocket doesn’t have such safeguards.

On a laptop, centralized control is more often implemented, so data safety is greater, but laptops too are lost or stolen in alarming quantities. According to Lewis, in 2008, 600,000 laptops were lost or stolen in US airports alone. As for mobile phones, a recent survey reported that in 2009, 60,000 were left by their owners in London taxis. “We don’t know what data is on the device,” Lewis says. “If we don’t know that, then we don’t always know that we’ve lost it. So we end up with data that we don’t know we’ve lost and devices that we don’t know we’ve lost.” Troubling.

It’s the sort of trouble another Quebec firm experienced. Gariépy recalls an incident when a construction company lost a tender offer to a competitor by a margin of just 1%. A few days before the offer, the company’s president could not find his iPhone and was convinced it had been stolen, not misplaced. He believes that the competitor got access to the information on the phone and was able to make a more attractive submission.

Mobile anarchy

Industry veterans believe we are now into the third wave of computing. First there were mainframes, then the client-server model and now everything is going mobile. “Give this another five years and you’ll see smartphones acting as servers,” Lewis says.

And for information security officers, this third wave is starting to look like a futurist version of the Wild West. People are carrying highly sensitive data in their pockets, connecting to company systems from anywhere through the Internet, over cellular and Wi-Fi connections whose security is questionable.

In the laptop segment of the mobility universe, security issues have somewhat been brought to heel: central IT management has the tools to control the devices and large suppliers such as IBM, Hewlett-Packard and Toshiba sell portable computers that integrate state-of-the-art security measures.

But in the smartphone segment there prevails a joyful and trendy anarchy. Because most of the popular devices have been designed with the general consumer in mind, not the businessperson, they lack many essential security components. One notable exception is RIM’s BlackBerry, in which corporate-grade security is built in, not added piecemeal as an afterthought.

Executive urges

Smartphones are repeating a pattern witnessed in the 1980s with desktop computers. They flood into the corporate fold without any rational plan. And very often, Gariépy points out, they are introduced from the top through executives who can’t resist the status statement these devices make.

And the greatest obstacle to security with these devices is the users themselves. “People believe nothing of value resides on their device, yet much can be used for identity theft, intellectual property theft or espionage,” says Phil Smith, HP Canada category manager, business notebooks. Furthermore, they like these devices for the immediacy and convenience and don’t want to be bothered with security barriers, especially passwords. This is why many users deactivate the password protection, which to begin with is very rudimentary. “The majority of phones out there only require a four-digit PIN identification,” says Smith. “In a regular notebook, that would never be accepted as security.”

Security essentials

None of our computer experts felt comfortable saying that most security issues concerning mobile computing, especially smartphones, have been resolved. Many shortcomings can be compensated by third-party products, for example Sophos Mobile Control or Sybase iAnywhere, but it is not clear if they adequately cover all the bases. Each client must thoroughly analyze and test them to see if they fit his or her specific needs.

A few notes of caution, however, along with the essentials of mobile security one should be on the lookout for:

Passwords: they are the most crucial component. The login password of a smartphone needs to be rock solid. If it isn’t, a hacker who cracks it gains access not only to all data, even encrypted data, but also to all other passwords held in a password manager on the device — bank accounts, company access codes, confidential websites, etc. And specialized tools that can easily crack passwords abound, says Michel Kabay, professor of computer sciences and information assurance at Vermont’s Norwich University. One example is Elcomsoft’s Phone Password Breaker, which boasts the capacity to break password routines on any mobile phone, BlackBerrys included.

Backup: if the integrity of the data on your mobile apparatus has been compromised, access to backup files should restore it. Kabay says such backups should be carried out automatically and not depend on the user’s goodwill.

Encryption: if a device can’t encrypt every bit of data it carries, don’t even look at it. Make sure it can establish an encrypted VPN tunnel for communications with corporate systems.

Anti-hacking tools: like any computer, a mobile device must respond only to its legitimate user. That’s why filters such as firewalls, anti-virus and anti-spam software are essential.

Remote wipe: if a device is lost or stolen, it is crucial to be able to lock it from a distance or, better still, to wipe everything that is on it. LoJack Corp. offers such a service for laptops, and Sophos for smartphones.

Network access control and log management: after passwords, these are the crucial security measures needed by a company to make sure all its devices implement uniform policies and procedures, to ensure passwords are strong enough, and to allow access to the company network only to authorized devices.
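The essentials above describe what a network access control gate checks before a handset is allowed onto the company network: a passcode policy stronger than the four-digit PIN Smith criticizes, whole-device encryption, enrolment for remote wipe, VPN-only corporate traffic, an anti-malware agent, and a log record of every decision. The Python below is an added example, not code from the article or from any product it names; the device record fields, the policy thresholds and the log format are assumptions chosen to illustrate the checks.

```python
"""Device-compliance gate of the kind a network access control (NAC) system
applies before admitting a mobile device to a corporate network.

Added example, not from the article or any product it names. The device
record fields, policy thresholds and log format are assumptions.
"""
import math
from dataclasses import dataclass
from typing import List

# Characters available per passcode position (assumed: a consumer phone
# offers a numeric PIN, an alphanumeric passcode, or none at all).
PASSCODE_ALPHABET = {"none": 0, "numeric": 10, "alphanumeric": 62}

# Policy thresholds (assumed; an organisation sets its own).
MIN_PASSCODE_BITS = 20.0   # a 4-digit PIN gives ~13.3 bits and fails this
MAX_FAILED_ATTEMPTS = 10   # wipe after this many wrong passcodes; 0 = never


@dataclass
class DeviceRecord:
    """Posture a device reports when it asks to join the network (assumed fields)."""
    device_id: str
    passcode_type: str        # key of PASSCODE_ALPHABET
    passcode_length: int
    wipe_after_failed: int    # 0 means no wipe on repeated failed attempts
    storage_encrypted: bool   # whole-device data encryption enabled
    remote_wipe_enrolled: bool
    vpn_only: bool            # corporate traffic forced through the VPN tunnel
    antimalware_present: bool


def passcode_bits(passcode_type: str, length: int) -> float:
    """Keyspace of the passcode policy in bits: length * log2(alphabet size)."""
    alphabet = PASSCODE_ALPHABET.get(passcode_type, 0)
    if alphabet == 0 or length <= 0:
        return 0.0
    return length * math.log2(alphabet)


def evaluate(device: DeviceRecord) -> List[str]:
    """Return the list of policy violations; an empty list means compliant."""
    findings = []
    bits = passcode_bits(device.passcode_type, device.passcode_length)
    if bits < MIN_PASSCODE_BITS:
        findings.append(f"passcode keyspace {bits:.1f} bits < {MIN_PASSCODE_BITS:.0f} required")
    if device.wipe_after_failed == 0 or device.wipe_after_failed > MAX_FAILED_ATTEMPTS:
        findings.append("no wipe after repeated failed passcode attempts")
    if not device.storage_encrypted:
        findings.append("device storage not encrypted")
    if not device.remote_wipe_enrolled:
        findings.append("device not enrolled for remote lock/wipe")
    if not device.vpn_only:
        findings.append("corporate traffic not confined to VPN tunnel")
    if not device.antimalware_present:
        findings.append("no anti-malware/firewall agent present")
    return findings


def admit(device: DeviceRecord) -> bool:
    """NAC decision: admit only devices with no findings."""
    return not evaluate(device)


def audit_line(device: DeviceRecord) -> str:
    """One log-management record per access decision (assumed format)."""
    findings = evaluate(device)
    decision = "ADMIT" if not findings else "DENY"
    detail = "; ".join(findings) if findings else "-"
    return f"nac decision={decision} device={device.device_id} findings={len(findings)} detail={detail}"


# Constructed sample records: a consumer phone set up the way the article
# describes (4-digit PIN and nothing else) and a managed corporate handset.
CONSUMER_PHONE = DeviceRecord("exec-phone-01", "numeric", 4, 0, False, False, False, False)
MANAGED_PHONE = DeviceRecord("corp-phone-07", "alphanumeric", 8, 10, True, True, True, True)

if __name__ == "__main__":
    for record in (CONSUMER_PHONE, MANAGED_PHONE):
        print(audit_line(record))
```

The keyspace check turns Smith's remark into a number: four digits give about 13.3 bits, far below the 20-bit floor assumed here, while an eight-character alphanumeric passcode gives about 47.6 bits. Every decision produces one log line, so the log-management side of the policy has a record to review when a device turns up missing.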

For a more detailed treatment of these issues, please consult The Canadian Privacy and Data Security Toolkit for Small and Medium Enterprises by Claudiu Popa and Nicholas Cheung, CICA principal, practitioner support, which is part of CICA’s CA Tools for Success series.

Letting mobility spread anarchically is not the ideal way to go. It poses too many threats to companies, especially accounting firms that have a fiduciary duty to preserve client information. It’s not just security that mobility challenges. It also challenges the bottom line, says Lewis. Because these devices have so little security embedded in them, it must be added by purchasing third-party software that can become costly. Also, because the variety of devices is great, companies cannot allow them to proliferate and must standardize, says Popa, to avoid the cost of bridging the differences between competing operating systems and applications.

But most of all, companies need to be wary of the future cost of communications these devices might impose. Until now, companies had relatively modest communications expenses because they owned their networks. But mobile devices, especially smartphones, operate over cellular networks that companies don’t own, and the cost of synchronizing them with the corporate IT department could become prohibitive, warns Lewis. This is an important aspect accountants and the corporate world must keep in mind, and it forces them to carefully plan their mobile deployment. Better safe than sorry.