Risk
10/26/2009
11:42 AM
Keith Ferrell
Keith Ferrell
Commentary
50%
50%

Smartphones Call For Security-Smarter Users

Smartphones, and all the other smartstuff filling our pockets, bags, lives, make for mobile convenience and access -- including access by crooks. Time to get your smartphone-using staff to dial up their security practices.

Smartphones, and all the other smartstuff filling our pockets, bags, lives, make for mobile convenience and access -- including access by crooks. Time to get your smartphone-using staff to dial up their security practices.A world of information, communication and connection in your hand (or budded to your ear). That's the smartphone promise, and it's a promise more and more of us are taking up.

Which means that more and more of us need to take a hard look at our smartphone security practices.

Trend Micro reported this summer, for instance, that 44% of smartphone users thought Internet access was safer via the phone than computer.

While there's a certain insulation from OS-specific attacks, that's a limited and ultimately false security. Purely in and of themselves, smartphones aren't safer than any other connected technology. If there's information on a device, and the device is connected, and its user is receiving e-mail and surfing the Web -- well, you complete the call.

Malware links, phishmail, texting, social network scams, all the other ploys crooks use to catch unwary users offguard can be just as effective over the phone as over the PC.

Yet less than a quarter of the smartphone users the security company surveyed had installed the security software that came with their phones.

And of course smartphones are small, making them more easily stolen -- or left behind by a user -- than a notebook. CNN quotes one Symantec security expert as saying that smartphones are a stunning 15 times more likely to be lost than a notebook!

Because so many employees are using personal smartphones and devices for business purposes -- and you really ought to have a policy on that -- it can be tricky to ask to see the device and review its protection levels.

But making sure that every employee using a smart device for any business purpose has the device password protected, has securityware installed and updated regularly, and understands that a smartphone isn't only a communication and connection platform, it's also a threat environment, is among the most important security calls you can make.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.