

Getting & Securing Your iPhone

How you can justify the company buying your iPhone - and how to keep it safe from attack

With the near insane level of interest in the iPhone now at a dull roar, it's time to figure out how to get the company to buy you one. And it's way past time we really started nailing down what level of security is adequate for a phone -- and to require it. (See i Caramba! iPhone Hacked Already.)

First, if you want the company to buy you an iPhone, there are at least two guys who figured out how, and you can likely justify a couple of the devices as easily as they did. Gartner is clearly helping to keep these phones out of our shops, but when was the last time a non-IT executive listened to Gartner? IT often doesn’t get a vote.

What we need is a set of rules that every approved mobile phone must follow, allowing us to more effectively block unapproved phones. This will help us keep out phones that aren't secure, like the first-generation iPhone (although Microsoft is evidently working with Apple to make a future generation of the phone better), and cover our backsides when execs need to have the coolest new toy.

Application Control
With every device, there is likely a list of applications, such as virus checkers, that should be running on it to ensure it isn't broadcasting things it shouldn't. The idea that phones can be hijacked and used as spy devices is incredibly scary and likely to become a reality as smartphones from all vendors become more commonplace. Users love to take stuff off of their PCs that they think they don't need, and the result is often a breach that could have been avoided had they left the damned anti-malware tools alone. The mobile phone needs to be able to report what it is running so we can lock it out of the enterprise network if it isn't adequately protected.

Users have a nasty habit of installing things that look fun but are actually malware in disguise. A phone, like a PC, is increasingly a target for all kinds of hostile software. And if the user can install anything, you know some things will bypass the security settings and anti-malware software on the phone, thus enabling them to install something that they shouldn’t. You can lock down an iPhone if you detect a threat that could lead to disaster.

Device Control
Phones are increasingly becoming portals to the outside world, with their own networks that can bridge WiFi security and provide an unauthorized laptop with access. Their built-in cameras can capture confidential information, too, but telling users their cameras are off limits isn't as effective as actually being able to simply turn the camera feature off altogether.

In addition, we need to be able to encrypt and protect the data on the phone because these things grow legs: A loss could require public disclosure if the mobile phone contained customer, patent, unreported financial, or employee information.

If the data is stolen or lost from the phone, we need to be able to lock out and possibly destroy that data.

These devices will become portals through corporate security, so we need to find a way to shut that down before the wrong folks get access to things they shouldn’t be able to touch.

User Authentication Management
Until phones come with consistent biometrics (and likely even after), we need management control over phone passwords. Password-protected notebooks and phones are becoming similar repositories for your data, and there's a good chance that policies initially written for PCs apply to smartphones. We need to enforce these policies on iPhones and other mobile phones.

Passwords (which should have been made obsolete years ago) get lost, forgotten, and need to be reset. Mobile phones should not require a password, but instead should have the ability to lock up their data. The danger of password-protected phones would be an emergency situation where, say, a woman was being raped and couldn’t call for help because she didn’t remember her iPhone password.

Notification Control
If you're sending out an emergency message about anything from a natural disaster to a terrorist attack, you need to be able to alert the employee that this is no spam message. The ability to tie notifications to specific alerts would be a massive help in preventing the kinds of communications problems seen over the last few months in natural and man-made disasters.

We need to be able to set alert sounds so employees know that a given sound means immediately drop everything and move -- to save their own lives and the lives of their co-workers.
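As an added example (not code from the column or from any vendor it mentions), here is how the four control areas above could be written down as a posture check that decides whether a phone is admitted to the enterprise network; the report fields, the "anti-malware" app identifier and the action names are assumptions for this illustration, not any real MDM schema.

```python
"""Constructed example: encode the column's four control areas
(application, device, authentication, notification) as rules a phone
must satisfy before it is admitted to the corporate network."""
from dataclasses import dataclass


@dataclass
class PostureReport:
    # Hypothetical self-report from the phone; field names are assumptions.
    device_id: str
    running_apps: set
    camera_enabled: bool
    storage_encrypted: bool
    remote_lock_supported: bool
    remote_wipe_supported: bool
    passcode_policy_enforced: bool
    priority_alert_channel: bool
    reported_lost: bool = False


REQUIRED_APPS = {"anti-malware"}  # hypothetical app identifier


def evaluate_posture(r: PostureReport) -> dict:
    """Return admit/block decision, the action to take, and every failed rule."""
    failures = []
    # Application control: required protection must actually be running.
    missing = REQUIRED_APPS - r.running_apps
    if missing:
        failures.append(f"application: required apps not running: {sorted(missing)}")
    # Device control: camera off, data encrypted, remote lock and wipe available.
    if r.camera_enabled:
        failures.append("device: camera must be disabled by policy")
    if not r.storage_encrypted:
        failures.append("device: on-device data is not encrypted")
    if not (r.remote_lock_supported and r.remote_wipe_supported):
        failures.append("device: remote lock and wipe are not available")
    # User authentication management: the PC password policy applies to the phone.
    if not r.passcode_policy_enforced:
        failures.append("auth: passcode policy is not enforced")
    # Notification control: a channel the user cannot mistake for spam.
    if not r.priority_alert_channel:
        failures.append("notification: no priority emergency alert channel")
    # A device reported lost is never admitted: wipe if we can, otherwise lock.
    if r.reported_lost:
        action = "remote_wipe" if r.remote_wipe_supported else "remote_lock"
        return {"admit": False, "action": action, "failures": failures}
    action = "admit" if not failures else "block_network"
    return {"admit": not failures, "action": action, "failures": failures}
```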

Who Can Do This Now?
I only know of two companies that offer most of these security features now -- HP, with its new enterprise cellphone offering, and Good Technology.

In the meantime, you can probably scare potential iPhone buyers half to death by showing them what the total cost of this phone is likely to be. You can also check out the HTC Touch, which is the only iPhone-like product that can be set up to meet most of these requirements. You can only buy it currently at Dynamism.

And, you can share with your family the high-quality customer the iPhone is attracting and use him as an example of what you don’t want your kids to grow up to be.

Seriously, though, it's well past time we secured these things.

— Rob Enderle is President and Founder of Enderle Group. Special to Dark Reading.
