http://www.eweek.com/article2/0,1895,1950790,00.asp

By Matt Hines
April 18, 2006

News Analysis: Some industry watchers contend that the threat of malware aimed at mobile handsets is over-hyped; others say enterprises preparing for such threats will be better off when attacks arrive.

Security software vendor Kaspersky Labs joined the ranks of anti-malware specialists introducing applications designed for use on mobile devices with the launch of its new beta technology for smart phones running the Symbian operating system.

Whether such tools should be in demand by enterprises remains a topic of debate among industry watchers.

Kaspersky's introduction of its Anti-Virus Mobile beta is particularly interesting because an overwhelming majority of the mobile handset threats identified to this point have been aimed squarely at Symbian devices.

And as recently as the third quarter of 2005, researchers at Gartner reported that Symbian accounted for two-thirds of the world's shipments of smart phones, powerful handheld devices with larger memories and more PC-like capabilities than today's popular handsets.

While most experts concede that smart phones could be one of the technologies that drive a new wave of adoption of enterprise mobility tools, Gartner said the cutting-edge devices represented only 6.1 percent of all the handsets shipped worldwide during 2005.

Those relatively small numbers, combined with the comparatively benign nature of today's mobile threats, leave some industry analysts with the impression that software vendors are inflating the issue.

"The mobile security threat is getting a bit too much hype, eventually there could be real attacks, but a lot has to happen before it becomes an issue people really need to worry about," said Sandra Palumbo, analyst with Boston-based Yankee Group. "The fact is that the things we've seen so far have had such a limited scope that it's not really worth focusing a great deal of attention on it; the vendors are guilty of aggressive marketing."

Among the fundamental issues separating the nature of today's mobile threats from desktop viruses is the sheer diversity of devices and operating systems on the market, compared to Microsoft Windows' utter dominance of the PC world for almost two decades.

Palumbo said that as smart phones and mobile business applications become more widely adopted, the most popular platforms will likely fall prey to malware code writers. But the analyst doesn't believe such a stage will be set until at least several years from now.

Along with Kaspersky's new product beta, high-profile vendors including F-Secure, McAfee and Symantec have all introduced similar mobile anti-malware applications. F-Secure in particular has been outspoken in exhorting enterprises to begin more actively defending wireless devices.

Some people may think the company is trying to cash in on the fear of mobile security emerging as the next big sore spot for IT administrators, but someday those individuals will wish they had been more prudent in preparing for tomorrow's attacks, said Antti Vihavainen, vice president of mobile security at Helsinki-based F-Secure.

"People in enterprise IT departments think that preparing in advance for something that might not happen is lame, but the fact is that it's very hard to recover after a problem begins; it's damage control," said Vihavainen. "People have the option to be prepared; some will take it, some won't, and what we've been trying to say is that things will get worse before they get better with mobile threats, unless there is decisive action taken by business users."
Companies taking a more proactive approach to mobile security may also discourage handset hacks because there will be fewer opportunities for the first waves of attacks to cause serious problems, the executive said.

The fact that most of today's mobile threats have been launched by so-called script kiddies, or hackers inspired more by the notion of making a name for themselves among fellow virus writers, and not by organized criminals, doesn't mean that more professional wireless malware code isn't already in the works, he said.

The emergence of applications such as eBay's new PayPal Mobile wireless payment technology could also cause even more criminals to focus on the space.

There is already some evidence to suggest that the threat of mobile security issues is alarming some enterprise customers to the point where they are putting plans to utilize new wireless applications on hold.

In a study published in March by anti-virus market leader Symantec, the company found that over 60 percent of the 240 enterprises it polled were postponing the introduction of new wireless tools based on security fears. Some 82 percent of those companies responding to the survey said that they would rate the impact of mobile viruses as roughly the same, or even worse, than the fallout caused by more traditional IT threats.

Those opinions illustrate the fact that mobile security is already a real-world concern, and with good reason, said Paul Miller, director of mobile and wireless solutions at Symantec. An impending explosion of smart phone adoption along with a lack of preparation by enterprises is setting the table for serious attacks, he said.

"Most companies' security strategies are outdated when it comes to the adoption of wireless, and many aren't following the use of smart phones at all, so, some enterprises are headed for a breakdown when attacks come," Miller said. "We're not saying that people need to take their attention away from the desktop, as obviously there's a lot of activity there, but companies at least need to begin creating policies and putting them in place before it's too late and some problem overwhelms them."

On the other side of the coin, at least one security applications vendor has become outspoken in its contention that mobile security concerns are being overstated.

While there very well may come a time when companies need to be as concerned with mobile threats as they are with desktop attacks, encouraging customers to throw time and resources at wireless security efforts today will only hurt their ability to stay ahead of today's viruses, according to Sophos, an anti-virus applications provider based in Abingdon, United Kingdom.

"There is so much virus activity on the desktop today that having software makers tell enterprises they need to worry about this big looming mobile security threat right now is a little bit unproductive for everyone," said Graham Cluley, senior technology consultant at Sophos. "It's not likely that most people will encounter mobile threats for some time to come; beyond creating device usage policies of some kind, I'm not sure what work needs to be done."

In a survey conducted by the anti-virus provider in mid-2005, over 70 percent of the 250 IT workers polled by Sophos said they believed the current state of mobile threats to be over-hyped.

Instead of looking at anti-malware solutions for mobile handsets, companies should be considering ways to extend their desktop password and enterprise data access policies onto new devices, Cluley said.

"There's a lot of skepticism; most of the companies we speak to are saying that they know this isn't a significant threat," said Cluley. "Some of them may already be thinking about the future, but they know that battle isn't taking place right now."
One research company, Stamford, Conn.-based Gartner, is advising its customers to begin considering a timeframe for looking at mobile security issues without encouraging enterprises to go out and start investing in technologies today.

John Pescatore, analyst with Gartner, said it will be at least another year until real mobile threats arrive.

"People started hyping mobile security as far back as 2001, but we don't think it's going to become a real issue until at least the end of 2007," said Pescatore.

The analyst said that at that time there will be more smart phones in use, greater heterogeneity among handset operating systems, and more openness among users in running mobile applications that involve executable programs running on wireless devices, a key for launching malware programs.

"Once people start sharing more executable e-mail attachments and accessing applications, more viruses and worms will inevitably be spread," said Pescatore. "But looking at what's out there today and trying to build anti-virus software for every type of handset on the market is probably just a big waste of money."