Don't Be Out'smart'ed

• By Joseph C. Panettieri
• 02/01/06

The new breed of smart mobile phones will soon pose the biggest danger to your data security. Software companies are gearing up to nullify the threat.

Like kids coming in from the playground, digital devices entering your schools carry a lot of germs. Increasingly, today’s students carry cell phones and so-called “smart phones” with e-mail and instant-messaging capabilities. These devices are often infected with viruses and worms that are looking to leap onto your IT systems.

More than 100 viruses now target smart phones running mobile operating systems from Microsoft Corp. (www.microsoft.com), PalmSource Inc. (www.palmsource.com), and Research in Motion Ltd. (www.rim.com), to name a few. Imagine if those viruses could infiltrate a WiFi connection and crawl from students’ smart phones onto your school’s servers, desktops, and notebooks, contaminating your district’s most critical data.

Now stop imagining. Hackers have been working overtime to make this nightmare scenario a reality. Consider the Cabir worm, which targets mobile phones running Symbian OS (www.symbian.com) and Nokia’s Series 60 (www.nokia.com) user interface. Once triggered, Cabir uses Bluetooth (www.bluetooth.com) to send itself from one phone to another. Another worm, Commwarrior, uses both Bluetooth and MMS (multimedia messaging service; www.mobilemms.com), a popular messaging standard for smart phones and cell phones. Though neither Cabir nor Commwarrior inflicts terrible harm on mobile devices, count on hackers to continue to update and evolve mobile worms, creating some that may eventually carry payloads that try to steal personal information.

Time to panic? Not quite. Several innovative software companies are striving to secure mobile devices before they turn on their masters. Their efforts are paying rapid dividends.

Hot Stuff

Keep a close eye on Bluefire Security Technologies (www.bluefiresecurity.com), a privately held firm in Baltimore, MD, that has developed an integrated security suite for smart phones. Bluefire’s mobile security suite offers authentication, encryption, integrity monitoring, a firewall, VPN (virtual private network), and centralized management.

This may sound like overkill, but consider how much confidential business is transacted on today’s mobile devices. From your school principals to your guidance counselors, your workforce will increasingly run e-mail and other mission-critical applications on mobile devices. In some cases, the data might ultimately include student Social Security numbers, test scores, and other personal information.

Alas, more than 80 percent of mobile devices lack enterprise security capabilities, according to Connecticut-based technology research firm Gartner Inc. (www.gartner.com). Now consider that Gartner estimates roughly 880 million mobile phones were sold in 2005. Lump those two statistics together, and the result is a very enticing, poorly secured target for hackers.

The 4-1-1 on WiFi

Voice-over-IP (VoIP) technology further complicates matters. Over the next few months, Cisco Systems Inc. (www.cisco.com) and other major networking firms will continue to grow the market for multifunction smart phones that communicate with cell and WiFi networks.

The upside is that your students will be able to place calls over traditional cell systems or via WiFi hotspots and VoIP networks in your schools. Students won’t worry about weak cell signals, because the WiFi network will provide additional blanket coverage for their phone calls.

And the downside? Worms can use those WiFi access points to penetrate your IT systems.

Rather than panic, take a few practical steps. First, outline and communicate a security policy for your school. Post the policy on your Web site and distribute it to all students, faculty, and staff to read and sign. Ensure that students read and sign the policy at least twice annually.

Next, evaluate the emerging market for endpoint security solutions. Such software typically protects mobile devices, notebooks, and desktop PCs.

If you already have an enterprise antivirus license in place, speak with your vendor to see how the smart phone market is being addressed. If the vendor has product available, test it on 20 or so smart phones. If you’re satisfied with the product, offer to serve as a customer reference in exchange for a deep discount on the license. Few schools have embraced smart phone security, so you’ll likely receive favorable pricing in exchange for endorsing the product.

Along with the usual suspects—Symantec Corp. (www.symantec.com) and McAfee Inc. (www.mcafee.com)—scour the market for niche solutions. One interesting upstart is Secure Data In Motion Inc., known more commonly as Sigaba (www.sigaba.com). The company designs secure messaging solutions for traditional PCs and mobile devices. Sigaba’s offerings have been shown at several customer sites, and have thus far impressed.

You should also reexamine your school district’s software patching policy. Companies such as Microsoft and Symantec proactively alert customers when software security patches are available. However, without proper testing you run the risk of applying patches that could cause software conflicts or application crashes. To avoid such setbacks, explore patch management software from the likes of Macrovision (www.macrovision.com).

Ask the Experts

Before you purchase or license any security offering, be sure to interview the most critical audience of all: your students. Ask them how they plan to use iPods, smart phones, USB thumb drives, and other mobile devices over the next few months. Also, determine how they plan to move data between the devices.

Their answers will be inspiring and alarming, because even as you strive to support scores of new devices and form factors, you must also safeguard your network from them. Which is to say, you must take all measures you can, to prevent a friend from becoming an enemy.

Joseph C. Panettieri has covered Cisco, the networking industry, and Silicon Valley since 1992.

This article originally appeared in the 02/01/2006 issue of THE Journal.