iPhone creates mobile malware tipping point

Apple’s Worldwide Developers Conference is the premier showcase for new, shiny Apple gadgetry. Regardless of your feelings about the company or the MacBook Pro, the iPod, or the iPhone, you can’t dispute the elegance of these devices. Apple has cornered the market on smart design.

The announcements from this year’s WWDC may not excite the masses as much as in the past, but they will have a profound impact on enterprise IT and will help completely revolutionize mobile computing in the enterprise. On the downside, the iPhone also presents the tipping point that will trigger both an explosion slow trickle of mobile malware, and an increase in Mac OSX malware. Not many can say they are the catalyst for good and bad megatrends—so all hail Steve Jobs for setting the foundation for a revolution in malware as well.

With the moves to support office applications, broadband connectivity, and GPS, and the release of a common development platform for both iPhone and Mac OS X, Apple has created the perfect storm for an explosion of slow trickle of mobile malware, data theft incidents and IT management headaches. Let’s review the more important WWDC announcements and their impact on enterprise security:

Enterprise Support (including Microsoft Exchange Integration and Office Applications): The point at which mobile and handheld devices become real issues for enterprise IT is the point at which data can be viewed and manipulated in the same way it can be on a desktop or laptop. The ability to store, forward, read, and write Microsoft Office applications eliminates the need to use a conventional computer to do real work, but creates a nightmare scenario for organizations that are still challenged by securing data on the devices for which they are responsible.

3G Support: Fast Internet access will only increase the use of the iPhone for web browsing, on-line banking, commerce, and enterprise SaaS applications like salesforce.com. Handheld salesforce.com access, for example, will be a boon to field sales people, but opens the door to increasing the number of browser-based attacks.

GPS Support: Although this may seem innocuous from a security perspective, it is clear that targeted malware is on the rise. Imagine being able to tailor a message to not only include information about the recipient but to include or reference their location.

iPhone Development Environment: In my opinion, the most significant WWDC announcement has been the introduction of the iPhone as a development platform that shares APIs and tools with Mac OS X. Couple this ability to cross-pollinate malware between the iPhone and Mac OS X with a rich media layer and an easy-to-use development environment, and you create endless fun for the legions of malware authors looking to profit from the proliferation of iPhone and Mac OS X.

This is not a problem for tomorrow, but a problem of today. If we are to have any hope of taking control of our environments against the backdrop of an increasingly sophisticated user population, advancing technology, and hostile threats, we must learn to adopt new approaches to enterprise security that go beyond static object defense.

The top three things that IT must do today to deal with mobile computing devices are:

1. Attain Visibility: Real-time visibility into assets, software and activities inside an infrastructure is the primary prerequisite for resolving the mobile assets problem. After all, how can you manage what you don’t see? Visibility must extend to mobile assets’ configurations and their actions on the network. It’s not enough to know that Bob in accounting owns an iPhone. You also need to know what software the iPhone runs, whether it is really Bob who is currently accessing confidential data, whether he has rights to see this data, and whether he is doing it in a safe way.

2. Set Usage Policy: As IT managers lose influence over the kinds of devices that play on their networks, the question becomes less about managing tangible assets and more about protecting information and controlling processes. This argues for a platform-agnostic, policy-driven approach to information security management that encompasses both conditions and actions.

3. Enforce Policies and Controls: Policies without means to enforce them have all the lasting effect of New Year’s resolutions. To be effective in a world of mobile devices that come and go from the enterprise network, enforcement cannot be a matter of centralized command and control, but of rules embedded in, and enforced by, the devices themselves.

The majority of organizations are ill-prepared to deal with managing devices they own, let alone managing devices brought into the organization by employees. This consumerization of IT is already straining organizations to manage the unmanageable. The workforce entry of a new generation of tech-savvy youth is forcing once-draconian policies around the use of corporate-owned devices to be rethought. Smart organizations realize that consumerized IT is not only inevitable, but important in keeping younger workers and successful early adopters motivated and productive. Mobile devices are on the march and there’s no stopping them. If you can’t beat ‘em, join ‘em, and establish the visibility and policy frameworks to enable their productive, safe contributions to achieving enterprise missions.

18 thoughts on “iPhone creates mobile malware tipping point”

  1. While it may be that iPhone has done what Mac could not – surpass market share for the competing Microsoft OS (WinMo), it’s still got a ways to go to approach the market share currently held by Symbian or the Blackberry OS.

    Additionally, Apple’s enterprise-friendly feature set for the iPhone includes remote management and security features not present in prior iPhone releases. So iPhone is just now on the table for enterprises. These features, while welcome, are bloody raw. I will eat my hat if Apple sees double digit adoption rates among Fortune 500 companies between now and the next major release.

  2. Hey Paul,

    I don’t think we will see ‘official’ enterprise adoption rates of any significance at all in the near term, however I imagine that it would be easy to see 10% ‘unofficial’ penetration through 2010 of fast, web-enabled (with a real browsing experience, not the crappy blackberry browser) handheld devices that offer a development platform and support for office applications.

  3. Pingback: iphone 3g review

  4. Pingback: Interesting Information Security Bits for June 10th, 2008 « Infosec Ramblings

  5. That’s kind of scary. All I paid attention to at the WWDC was the glamour of the new and upcoming iPhone and AppStore. I will stay tuned and write an article on my iPhone news site (http://www.iPhoneNewsVault.com) when the first victim shows the malware. I have a feeling that it will be covered by the media just like the glitch in the early iPhone firmware.

  6. @Jameson

    The interesting aspect of security threats to consumer oriented devices, even when they enter the enterprise, as I know the iPhone will, is that unless the threat is near catastrophic it will not deter anyone from using them – and it probably shouldn’t.

    As we move the traditional computing form factor to smaller hand held devices like the iPhone it is inevitable that we will see an increase in malware and security incidents, but life will go on just as it does now – makes you feel all warm and fuzzy inside doesn’t it?

  7. Pingback: 12 ways to visualize network security « Amrit Williams Blog

  8. Amrit
    I see that you stand your ground firmly throughout this debate.

    Now, the original question you raised of the vendors – it’s quite simple. Just as the hiker needed to outrun the slower hikers, the security vendors are like the bears, they just need to outrun the other bears to catch the slowest hiker.

    And before this turns into a rant, the same logic applies even to nature and natural selection. A surviving species doesn’t need to be perfect, it just needs to be a bit better than the competition.

    So this logic won’t go away, just accept it and try to be better than the competition.

    Spirovski Bozidar
    http://www.shortinfosec.net

  9. Pingback: Apple Implements Remote App Kill Switch for the iPhone « Amrit Williams Blog

  10. Pingback: Mobile Win32 malware defenses | Win32 Removal

  11. Pingback: Location-Aware Malware Becoming a Reality « Amrit Williams Blog

  12. Pingback: Top 10 Most Overhyped Technology Terms « Amrit Williams Blog
