Mobile Device Part 3: The New Malware Gateway
Invent something cool, something fun, something useful, and someone will find a way to ruin it for everyone.
That's what malware has repeatedly done for computers, for the Internet, for e-mail, and for anything else it can latch its ugly hands onto. We've responded with suites of anti-malware software, designed to catch phishing attempts, stop viruses and spyware, and much more.
Now our smartphones are at risk.
No, we're not really seeing traditional viruses, which for a variety of reasons don't yet make sense on a smartphone. But we are seeing an increasing number of e-mail and Web-based attacks that phish for information, direct users to malicious Web sites, and more. Regardless of what you allow your users to do with their mobile devices on their own time, what comes through the corporate e-mail server is your concern, and the risk of data loss is also your concern. It's not impossible -- or even difficult -- for phone-based malware to harvest users' contact lists, which would include business contacts. Phishing Web sites can easily harvest business credit card numbers, login accounts, and more.
We can fight the e-mail vectors in the normal fashion, by having our e-mail servers act as a secure bastion. Scanning and filtering tools become even more important than ever. But protecting users' smartphones against Web-based attacks is trickier, because they won't always be passing through our corporate firewalls and gateways.
There's an emerging vendor space for tools designed to help us protect mobile devices when they're off the corporate LAN, and it's also time for us to consider a sit-down, heart-to-heart talk with our users. Yes, training. Let's haul everyone into class, show them some real examples of phone-based malware attacks and help them learn to recognize the signs. Test them. Heck, make a game show out of it. Here's an e-mail -- is it safe to poke the link with your finger or should you tap the trash can icon instead? Here's a Web site -- what would you do to check its validity?
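The "is this link safe to tap?" question from the training exercise above is also something the e-mail gateway's scanning and filtering layer can answer for a few of the most common tells before the message ever reaches the phone. The following is an added example, not code from the post or from any product it mentions: it pulls the links out of a constructed HTML e-mail body and flags the signals a trainer would point at on the projector (an IP address in place of a host name, link text that shows one URL while the href goes elsewhere, a host that merely embeds a trusted name, and plain HTTP). The `TRUSTED_HOSTS` set and the sample message are both assumptions made up for the demonstration.

```python
"""Flag common phishing signals in the links of an e-mail body.

Added example (constructed sample input); not part of the original post.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# Constructed sample: an HTML e-mail body of the kind a phone mail client renders.
SAMPLE_EMAIL_HTML = """
<p>Your account needs verification.</p>
<a href="http://192.0.2.10/login">https://portal.example.com/login</a>
<a href="https://portal.example.com.evil-host.test/reset">Reset password</a>
<a href="https://portal.example.com/help">Help center</a>
"""

# Hypothetical list of hosts the organization considers its own.
TRUSTED_HOSTS = {"portal.example.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(url):
    return (urlparse(url).hostname or "").lower()


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _is_trusted(host):
    # Exact match or a true subdomain of a trusted host; "example.com.evil" is not.
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def phishing_signals(href, text):
    """Return the signal names for one link (empty list means nothing suspicious)."""
    signals = []
    host = _host_of(href)
    if _is_ip_literal(host):
        signals.append("ip_literal_host")
    # Visible text looks like a URL but the href points at a different host.
    if text.startswith(("http://", "https://")) and _host_of(text) != host:
        signals.append("display_url_mismatch")
    # Host contains a trusted name as a label but is not actually under it.
    if not _is_trusted(host) and any(t in host for t in TRUSTED_HOSTS):
        signals.append("lookalike_host")
    if urlparse(href).scheme == "http":
        signals.append("plain_http")
    return signals


def scan_email(html):
    """Map each href in the message to its list of phishing signals."""
    parser = _LinkCollector()
    parser.feed(html)
    return {href: phishing_signals(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for href, sig in scan_email(SAMPLE_EMAIL_HTML).items():
        print(href, "->", sig or "ok")
```

Run as a script it prints one line per link; the first sample link trips three signals, the second only the lookalike check, and the third comes back clean. A gateway would treat any non-empty list as a reason to quarantine or annotate the message, and the same four checks make a compact checklist for the classroom exercise.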
If users want to be issued a corporate smartphone, or even want to be able to have their personal device access corporate resources, make this half-day class mandatory. Make yearly refreshers mandatory, too. For many organizations, that won't be a problem: Companies that use heavy or specialized machinery, for example, are long accustomed to periodic re-certifications for their employees. If a smartphone isn't a "specialized device," what is?
Does your company have a plan for helping your users combat mobile malware? What would you suggest for other readers to consider?
Posted by Don Jones on 10/14/2011 at 1:14 PM