Report: Mobile Malware Will Clobber Enterprise Security in 2011
iPads, iPhones and Android smartphones will be among the major targets for cybercriminals in the coming year, McAfee has warned.
That's because the consumerization of technology is leaving enterprise IT unprepared for the onslaught of personal devices in the corporate environment.
Expect cybercriminals to set up botnets of Apple devices and to introduce Trojans for Apple devices, McAfee Labs warned.
Geolocation features in social media websites, which are also available on smartphones, will further compound exposure to cybercriminals, McAfee Labs said.
Mobility Is a Double-Edged Sword
Mobile devices, in particular the iPad and iPhone, are catching on in the enterprise because they offer speed of access and cut costs. Salesforce.com has equipped its executives with iPads, as have Mercedes-Benz distributorships in the United States.
Medical students at the University of Central Florida and Stanford University are being issued the devices. JPMorgan Chase has already equipped executives with iPhones and is adding iPads to the list. California investment firm SafeView Advisory Group is getting iPads for staffers in some of its offices to use when calling on clients.
"The consumerization of technology is a slippery slope," Dave Marcus, director of security research for McAfee Labs, told TechNewsWorld. "How many people got Android smartphones or iPhones over Christmas? They're going to expect to be able to use these devices at work come January."
That's when the trouble will begin.
Few users understand or follow security procedures, and this will make it easier for cybercriminals to set up botnets -- networks of computers, run by a central command and control center, that are used to distribute malware or launch cyberattacks on targets. Cybercriminals will steal user and corporate data through unsecured mobile devices in the enterprise, Marcus said.
Enterprise workers who bring in their own mobile devices should know them well, Marcus said. "Spend some time with your device and realize what that functionality means to your data," he suggested.
Take iPad or iPhone owners who send tweets from their devices, for example. "When a popup appears asking if you want to add your location to that data, understand what goes on when you click OK," Marcus pointed out. "And understand someone can go to Bing or Google and graph out your Tweets and your location."
Apple did not respond to a request for comment by press time.
It's Not Just iInsecurity
Some free apps for the iPhone and iPad reportedly transmit users' personal information to advertising networks without their consent.
The suit, "Lalo v. Apple, 10-5878," has been filed in the U.S. District Court of the Northern District of California in San Jose.
However, Apple isn't the only culprit.
"I think this is a vastly bigger problem than just Apple," Rob Enderle, principal analyst at the Enderle Group, told TechNewsWorld.
"Providing geolocation and other personal information is Google's business model, and I'm surprised they weren't highlighted as the bigger problem," Enderle added. "There's a massive effort to capture as much information on us as possible and to provide that to third parties who will pay for it."
Such personal information isn't adequately protected, and Enderle predicted that the illicit gathering of personal information "will undoubtedly be one of the biggest issues of this year, if not of this decade."
Social media websites that offer geolocation services, such as Facebook, Gowalla and Foursquare, will further expose the whereabouts and preferences of users and what operating systems and applications they use, McAfee Labs warned.
This will make people more vulnerable to targeted attacks, which are aimed specifically at select users such as corporate executives.
Such targeted attacks have a higher rate of success than random attacks and are being increasingly used by cybercriminals.
Working on the Security Problem
Given that businesses are rushing to consumerize IT to save money, what can they do to bolster their security?
One possible solution is to develop a list of accepted apps, push that profile out to users, and allow them to download only those apps, McAfee Labs' Marcus said.
"The mobile users will be behind the enterprise firewall," Marcus pointed out. "I think business has the right to decide what kind of access to allow and then monitor the applications and enforce its policy."
However, Marcus acknowledged that this could lead to a backlash from angry users and will be difficult to enforce because the devices will be owned by the workers, not the corporation.
"There must be some agreement between the business and the user," Marcus stated. "But ultimately, there's no easy answer."