The Month | SC Media

The Month

January 17, 2007

Enterprises will soon become the key drivers of the mobile phone security market, analysts believe.

Alan Goode, senior analyst at Juniper Research, said: "Corporate ITmanagers are getting very worried about the use of mobile devices oncorporate networks, but the devices currently fall between the cracks,and nobody is certain who is responsible for them. IT managers want totake control, and this will prove a key driver in the mobile securitymarket."

Numerous surveys indicate high penetrations of smartphones in enterpriseenvironments, but the handsets are often owned by individual workers,rather than the company, leading to a lack of coherent securitypolicies.

Goode also pointed to big-name security vendors shifting their focus tothe mobile space, as slowing sales in the PC market begin to bite.

He added: "In terms of threats, I think we may see some incidents in2007, and they're likely to be spyware-orientated, rather thantraditional virus-type attacks."

Late last year, researchers at McAfee found a commercial phone spyingapplication, designed to log phone call details and SMS messages,distributed as part of a multi-dropper Trojan. The Symbian spyware wasthe first to be detected "in the wild".

Encryption may about to become easier to implement, because an industrybody is developing a standard for managing symmetric encryptionkeys.

Although enterprise demand for encryption is growing because of theimpact of new regulations (PCI, HIPAA, etc), there is still no standardmethod of managing keys. Each vendor has its own proprietary scheme, andthis can cause interoperability issues.

Industry body OASIS (Organisation for the Advancement of StructuredInformation Standards) has proposed a specification, essentially an API,called Symmetric Key Services Markup Language (SKSML). The theory isthat this specification will allow key management across a variety ofplatforms. The details are to be thrashed out on 16 January by the newlyformed OASIS Enterprise Key Management Infrastructure (EKMI) TechnicalCommittee.

Cyber-terror could be a new and unwelcome feature of 2007, according toexperts.

The US government issued a warning to private financial institutions inlate December 2006, stating that Al Qaeda was planning to destroy theirdatabases.

Although the concept of terrorists using the internet as a vector forattacks is not new, the increasingly business-critical nature ofIP-based systems lends the idea more weight. Analysts have also pointedto the possibility of conventional attacks being perpetrated in parallelwith the cyber-attack of emergency VOIP phone lines.

"Cyber-terror used to be a matter of fiction and scare stories," saidRaimund Genes, anti-malware CTO at Trend Micro. "But it may becomereality during next year."

The warning followed a call from a group called ANHIAR al-Dollar forMuslims to attack US financial firms.

Online bank fraud rocketed last year, with UK consumers seeing an 8,000per cent increase in banking scams, according to a governmentwatchdog.

The Financial Services Authority (FSA) told the House of Lords scienceand technology committee it was "very concerned" about the growth inphishing attacks.

Between January and June 2005, 312 incidents were recorded, but thisleapt to 5,059 in the same period in 2006, according to figures frombanking trade body APACS. In the first half of 2006, £23.2 millionwas stolen, the committee heard, with about £22.5 million stolenin the second half of the year.

Philip Robinson, the FSA's head of financial crime, said he thoughtonline banking was generally safe, but raised concerns about banks' lackof transparency concerning online fraud.

VoIP security is set to become one of the top issues of the year, claimexperts, as businesses and consumers are attracted by lower voice callcharges.

However, as VoIP penetration increases, so VoIP security threats such asDDoS, voice spam, "vhishing" and fraud will become more prevalent.

Analysts point out that many business IP networks will have to betoughened significantly to cope with VoIP, where delays in packetrouting would be disastrous, as opposed to current email and webapplications, where minor speed fluctuations are less critical tousers.

David Endler, author of VoIP Hacking Exposed and chair of the VoIPSecurity Alliance, said: "VoIP has unique and very strict networkingrequirements, and we'll begin to see genuine threats to business VoIPemerging in 2007. Vhishing will definitely be a key tactic, as users arenot yet suspicious of phone calls in the same way they distrustemail."

A new year, a new OS - consumers will finally be able to get their handson Vista at the end of this month, but experts say the security benefitswill be initially negligible.

Microsoft competitors Sophos and Kaspersky have made much of the factthat Vista's additional security features won't prevent viruses using asocial engineering vector. These accounted for 40 per cent of themalware in circulation during December last year.

Threats such as Stratio-Zip, Netsky-D and MyDoom-O will be stopped bythe email system built into Vista, Windows Mail Client, but not bythird-party email clients, according to Sophos.

prestitial ad