[ISN] Analysts Speak Out on the Wireless Security Hype

InfoSec News isn at c4i.org
Wed Apr 19 01:44:59 EDT 2006


http://www.eweek.com/article2/0,1895,1950790,00.asp

By Matt Hines 
April 18, 2006 

News Analysis: Some industry watchers contend that the threat of
malware aimed at mobile handsets is over-hyped; others say enterprises
preparing for such threats will be better off when attacks arrive.

Security software vendor Kaspersky Labs joined the ranks of
anti-malware specialists introducing applications designed for use on
mobile devices with the launch of its new beta technology for smart
phones running the Symbian operating system. Whether such tools should
be in demand by enterprises remains a topic of debate among industry
watchers.

Kaspersky's introduction of its Anti-Virus Mobile beta is particularly
interesting because an overwhelming majority of the mobile handset
threats identified to this point have been aimed squarely at Symbian
devices. And as recently as the third quarter of 2005, researchers at
Gartner reported that Symbian accounted for two-thirds of the world's
shipments of smart phones, powerful handheld devices with larger
memories and more PC-like capabilities than today's popular handsets.

While most experts concede that smart phones could be one of the
technologies that drive a new wave of adoption of enterprise mobility
tools, Gartner said the cutting-edge devices represented only 6.1
percent of all the handsets shipped worldwide during 2005.

Those relatively small numbers, combined with the comparatively benign
nature of today's mobile threats, leave some industry analysts with
the impression that software vendors are inflating the issue.

"The mobile security threat is getting a bit too much hype, eventually
there could be real attacks, but a lot has to happen before it becomes
an issue people really need to worry about," said Sandra Palumbo,
analyst with Boston-based Yankee Group.

"The fact is that the things we've seen so far have had such a limited
scope that it's not really worth focusing a great deal of attention on
it; the vendors are guilty of aggressive marketing."

Among the fundamental issues separating the nature of today's mobile
threats from desktop viruses is the sheer diversity of devices and
operating systems on the market, compared to Microsoft Windows' utter
dominance of the PC world for almost two decades. Palumbo said that as
smart phones and mobile business applications become more widely
adopted, the most popular platforms will likely fall prey to malware
code writers. But the analyst doesn't believe such a stage will be set
until at least several years from now.

Along with Kaspersky's new product beta, high-profile vendors
including F-Secure, McAfee and Symantec have all introduced similar
mobile anti-malware applications.

F-Secure in particular has been outspoken in exhorting enterprises to
begin more actively defending wireless devices.

Some people may think the company is trying to cash in on the fear of
mobile security emerging as the next big sore spot for IT
administrators, but someday those individuals will wish they had been
more prudent in preparing for tomorrow's attacks, said Antti
Vihavainen, vice president of mobile security at Helsinki-based
F-Secure.

"People in enterprise IT departments think that preparing in advance
for something that might not happen is lame, but the fact is that it's
very hard to recover after a problem begins; it's damage control,"  
said Vihavainen.

"People have the option to be prepared; some will take it, some won't,
and what we've been trying to say is that things will get worse before
they get better with mobile threats, unless there is decisive action
taken by business users."

Taking a more proactive approach to mobile security, companies may also
discourage handset hacks because there will be fewer opportunities for
the first waves of attacks to cause serious problems, the executive
said.

The fact that most of today's mobile threats have been launched by
so-called script kiddies, or hackers inspired more by the notion of
making a name for themselves among fellow virus writers, and not by
organized criminals, doesn't mean that more professional wireless
malware code isn't already in the works, he said.

The emergence of applications such as eBay's new PayPal Mobile
wireless payment technology could also cause even more criminals to
focus on the space.

There is already some evidence to suggest that the threat of mobile
security issues is alarming some enterprise customers to the point
where they are putting plans to utilize new wireless applications on
hold.

In a study published in March by anti-virus market leader Symantec,
the company found that over 60 percent of the 240 enterprises it
polled were postponing the introduction of new wireless tools based on
security fears.

Some 82 percent of those companies responding to the survey said that
they would rate the impact of mobile viruses as roughly the same as, or
even worse than, the fallout caused by more traditional IT threats.

Those opinions illustrate the fact that mobile security is already a
real-world concern, and with good reason, said Paul Miller, director
of mobile and wireless solutions at Symantec.

An impending explosion of smart phone adoption along with a lack of
preparation by enterprises is setting the table for serious attacks,
he said.

"Most companies' security strategies are outdated when it comes to the
adoption of wireless, and many aren't following the use of smart
phones at all, so, some enterprises are headed for a breakdown when
attacks come," Miller said.

"We're not saying that people need to take their attention away from
the desktop, as obviously there's a lot of activity there, but
companies at least need to begin creating policies and putting them in
place before it's too late and some problem overwhelms them."

On the other side of the coin, at least one security applications
vendor has become outspoken in its contention that mobile security
concerns are being overstated.

While there very well may come a time when companies need to be as
concerned with mobile threats as they are with desktop attacks,
encouraging customers to throw time and resources at wireless security
efforts today will only hurt their ability to stay ahead of today's
viruses, according to Sophos, an anti-virus applications provider
based in Abingdon, United Kingdom.

"There is so much virus activity on the desktop today that having
software makers tell enterprises they need to worry about this big
looming mobile security threat right now is a little bit unproductive
for everyone," said Graham Cluley, senior technology consultant at
Sophos.

"It's not likely that most people will encounter mobile threats for
some time to come; beyond creating device usage policies of some kind,
I'm not sure what work needs to be done."

In a survey conducted by the anti-virus provider in mid-2005, over 70
percent of the 250 IT workers polled by Sophos said they believed the
current state of mobile threats to be over-hyped.

Instead of looking at anti-malware solutions for mobile handsets,
companies should be considering ways to extend their desktop password
and enterprise data access policies onto new devices, Cluley said.

"There's a lot of skepticism; most of the companies we speak to are
saying that they know this isn't a significant threat," said Cluley.

"Some of them may already be thinking about the future, but they know that
battle isn't taking place right now."

One research company, Stamford, Conn.-based Gartner, is advising its
customers to begin considering a timeframe for looking at mobile
security issues without encouraging enterprises to go out and start
investing in technologies today.

John Pescatore, analyst with Gartner, said it will be at least another
year until real mobile threats arrive.

"People started hyping mobile security as far back as 2001, but we
don't think it's going to become a real issue until at least the end
of 2007," said Pescatore.

The analyst said that at that time there will be more smart phones in
use, greater heterogeneity among handset operating systems, and more
openness among users in running mobile applications that involve
executable programs running on wireless devices, a key for launching
malware programs.

"Once people start sharing more executable e-mail attachments and
accessing applications, more viruses and worms will inevitably be
spread," said Pescatore.

"But looking at what's out there today and trying to build anti-virus
software for every type of handset on the market is probably just a
big waste of money."
