Check Point's solution provides secure remote access, data security, virus and malware protection, and security deployment and management for handheld wireless devices.

According to Check Point, enterprises face two risks when they allow handheld devices to connect to corporate resources over unsecured networks and via Wi-Fi hotspots: unauthorized persons or servers may access the corporate network, and data may be compromised during transmission. If either of these occurs, an enterprise is left wide open to damage.

Thankfully there is a straightforward solution. Enterprises can protect against these risks by deploying a network access control (NAC) solution and encrypting data in transit. A NAC solution, simply put, ensures that users are who they say they are before they are allowed to access corporate resources: enterprises define NAC rules at the gateway and verify authorization before a user is allowed to connect over a VPN.

Handheld devices support a variety of authentication methods, including passwords, tokens, certificates and shared secrets. A strong secure remote network access solution will support a broad range of industry standards and should include WPA2, a secure wireless authorization protocol designed for enterprises and mobile devices operating over Wi-Fi networks. Once access is authorized, the data must be protected in transit.

Wireless communication protocols

The most popular secure wireless communication protocols are IPSec, IPSec over L2TP, PPTP, SSL and TCP/IP. While TCP/IP is the basic communication protocol of the Internet, the others represent different methods of creating a virtual private network (VPN), a secure "tunnel" for safe transmission of information across the Internet. The most popular forms are IPSec and SSL VPNs, and newer Smartphones use industry standard protocols for both. Whereas IPSec VPNs require a client loaded onto the endpoint device, SSL VPNs afford the most flexibility because they are clientless. Users of handheld devices typically access the SSL VPN via a simple Web browser. A strong SSL VPN solution will provide mobile workers with transparent, uninterrupted connectivity, allowing them to easily traverse firewalls, proxies, and network address translation (NAT) devices without the disruption of having to constantly re-authorize as they roam across multiple cellular and Wi-Fi networks.

Virus and malware protection

Regardless of the secure transmission protocols deployed, the chosen VPN should include a firewall that protects the network from unauthorized access by outside, unknown networks and unauthorized users. Deploying personal firewalls on handheld devices helps block malicious traffic and prevents the propagation of worms and the potentially harmful effects of spyware, such as Flexispy, a variant of the Skulls Trojan. Firewall protection on both the endpoint and the gateway is consistent with multi-layered security, a recommended practice for strong protection. Ideally, firewalls should be integrated into other security technologies such as the VPN, NAC and NAT and should include intrusion prevention, antivirus and web content filtering capabilities. A unified security architecture with centralized management allows enterprises to administer and deploy security policy from a single console.

Endpoint security policy compliance

Since IT administrators do not have direct access to handheld devices and may not be installing bundled software or VPN clients, they do not have as much direct control over the devices as they would like. This is a significant concern because handhelds, like other endpoint devices, can be used as an entry point of attack or to spread an existing virus or threat.

In the PC realm, there has been a dramatic rise in spyware including keystroke loggers, Trojan horses, and malware designed specifically to automate financial crime. These threats are now beginning to target handheld devices. Malware threatens information confidentiality, endangers system passwords and increases the risk of data loss or compromise. A strong handheld endpoint security solution protects against threats by ensuring that a device complies with an enterprise's security policy before a user is allowed to access the network. Prior to granting access, endpoint security solutions ensure that anti-malware software is up to date, device patches and updates are in place, and real-time threat updates are received.

Endpoint security for handhelds should be tailored to a device's unique characteristics such as computing power and screen size. Malware scanners should employ signatures and rules that identify malware targeting the device's specific operating system. Virus signature updates should take into account the different Smartphone interfaces, such as SMS, MMS, and ActiveSync. Security providers are just beginning to develop anti-virus and anti-malware scanning tools to address these differences.

Since most malware is conveyed via unsolicited messages, endpoint security for mobile devices should include interface blocking utilities; the ability, for example, to turn on or off SMS/MMS or Bluetooth capabilities. Such utilities should include granular device settings so that IT administrators can apply different rules to different groups, and interface blocking should be configurable centrally within an enterprise for maximum visibility.
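The gateway-side decision described in the NAC, endpoint compliance and interface-blocking passages above can be expressed as one policy check: authenticate first, then compare the device's reported posture (anti-malware signature age, patch level, which interfaces are switched on) against the rules for the user's group. The following is an added example, not Check Point's code; the group names, thresholds and device attributes are constructed for illustration, and the access decision and its reasons are returned so the caller can either admit the device or tell the user what to remediate.

```python
"""Gateway-side NAC decision: authentication first, then endpoint posture
(anti-malware signature age, patch level, per-group interface blocking).

Added example; not Check Point's code. Groups, thresholds and device
attributes are constructed values for illustration.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class DevicePosture:
    user: str
    group: str                      # constructed group names: "finance", "sales"
    authenticated: bool             # gateway already verified password/token/certificate
    av_signature_date: date         # date of the last anti-malware signature update
    patch_level: int                # monotonically increasing build number
    interfaces: dict = field(default_factory=dict)   # {"bluetooth": True} means enabled


@dataclass
class GroupPolicy:
    max_signature_age_days: int
    min_patch_level: int
    blocked_interfaces: frozenset   # interfaces that must be switched off for this group


# Centrally managed policy: an enterprise default plus per-group overrides.
DEFAULT_POLICY = GroupPolicy(7, 100, frozenset())
GROUP_POLICIES = {
    "finance": GroupPolicy(3, 105, frozenset({"bluetooth", "mms"})),
    "sales": GroupPolicy(7, 100, frozenset({"mms"})),
}


def policy_for(group: str) -> GroupPolicy:
    """Group override if one exists, otherwise the enterprise default."""
    return GROUP_POLICIES.get(group, DEFAULT_POLICY)


def evaluate_access(device: DevicePosture, today: date):
    """Return (allowed, reasons).  Posture is examined only for an
    authenticated user; every failed check is listed so it can be remediated."""
    if not device.authenticated:
        return False, ["authentication failed"]
    pol = policy_for(device.group)
    reasons = []
    sig_age = (today - device.av_signature_date).days
    if sig_age > pol.max_signature_age_days:
        reasons.append(f"anti-malware signatures are {sig_age} days old "
                       f"(max {pol.max_signature_age_days})")
    if device.patch_level < pol.min_patch_level:
        reasons.append(f"patch level {device.patch_level} below required "
                       f"{pol.min_patch_level}")
    for iface in sorted(pol.blocked_interfaces):
        if device.interfaces.get(iface, False):
            reasons.append(f"{iface} must be disabled for group {device.group}")
    return not reasons, reasons


if __name__ == "__main__":
    today = date(2008, 3, 6)          # constructed evaluation date
    devices = [
        DevicePosture("alice", "finance", True, date(2008, 3, 5), 106, {"bluetooth": False}),
        DevicePosture("bob", "finance", True, date(2008, 3, 1), 104, {"bluetooth": True}),
        DevicePosture("carol", "sales", False, date(2008, 3, 5), 106, {}),
    ]
    for d in devices:
        allowed, why = evaluate_access(d, today)
        print(d.user, "ALLOW" if allowed else "DENY", why)
```

Unauthenticated users are rejected before any posture rule is consulted, so the gateway never reveals its compliance requirements to someone who has not proved their identity; for authenticated users all failures are collected rather than stopping at the first, which is what an administrator needs to push the right remediation from the central console.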

Data security for handheld wireless devices

Analysts agree that lost or stolen devices currently pose the greatest threat. A device usage survey conducted by Check Point found that 22% of mobile device owners had lost their devices, and a staggering 81% of these devices had no protection such as encryption. What's more, 37% of these devices contained sensitive information, such as passwords, corporate data and bank account details.

Research shows that the vast majority of lost or stolen mobile devices contain company communications and confidential business information. Because handhelds are often used by the most senior-level managers and by those accessing critical customer and financial data, the risk is enormous. Two solutions protect data on the devices from falling into the wrong hands: data encryption and device access control.

To protect against data loss or abuse, all data stored in files, folders and memory cards on the handheld device should be encrypted. A good solution should be transparent and simple, encrypting files on the fly without interrupting workflow. Handheld owners should be required to enter an access code or other authentication procedure before being allowed to access device features and stored data. With both of these protections in place, IT staff can sleep better at night knowing that data stored on the devices is protected. As an additional safeguard, enterprises may adopt technology allowing IT administrators to remotely wipe a phone clean in the event that it is reported lost or stolen.
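The three protections named in the paragraph above (on-the-fly file encryption, an access code that gates the stored data, and remote wipe) fit together naturally when the files are encrypted under a random data key that is itself stored only wrapped under a key derived from the access code: a wipe then needs only to destroy the wrapped key. The following is an added example, not Check Point's code. Because the Python standard library ships no AES, the cipher here is a demonstration construction (HMAC-SHA256 in counter mode for the keystream, HMAC-SHA256 tag, encrypt-then-MAC) standing in for AES-GCM; the iteration count, access code and file contents are constructed.

```python
"""On-device file encryption gated by an access code, with remote wipe
implemented as key destruction (crypto-erase).

Added example; not Check Point's code.  The cipher is a demonstration
construction because the standard library has no AES; a product would use
AES-GCM or similar.  Iteration count and sample data are constructed.
"""
import hashlib
import hmac
import os

PBKDF2_ITERS = 100_000
KEY_LEN, NONCE_LEN, TAG_LEN = 32, 16, 32


def derive_kek(access_code: str, salt: bytes) -> bytes:
    """Key-encryption key derived from the user's access code."""
    return hashlib.pbkdf2_hmac("sha256", access_code.encode(), salt, PBKDF2_ITERS, KEY_LEN)


def _subkeys(key: bytes):
    # Separate encryption and authentication keys derived from one key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before decrypting; ValueError on tampering or wrong key."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class HandheldStore:
    """Files are encrypted under a random data key (DEK).  The DEK is kept only
    wrapped under the access-code-derived KEK, so remote_wipe() just destroys
    the wrapped DEK and every file left on flash or a memory card becomes
    unrecoverable without touching the files themselves."""

    def __init__(self, access_code: str):
        self.salt = os.urandom(16)
        self.wrapped_dek = seal(derive_kek(access_code, self.salt), os.urandom(KEY_LEN))
        self.files = {}          # name -> sealed blob
        self._dek = None         # held in memory only while unlocked

    def unlock(self, access_code: str) -> bool:
        if self.wrapped_dek is None:
            return False         # device has been wiped
        try:
            self._dek = open_sealed(derive_kek(access_code, self.salt), self.wrapped_dek)
            return True
        except ValueError:
            return False         # wrong access code

    def lock(self):
        self._dek = None

    def write(self, name: str, data: bytes):
        if self._dek is None:
            raise PermissionError("device locked")
        self.files[name] = seal(self._dek, data)     # encrypted on the fly

    def read(self, name: str) -> bytes:
        if self._dek is None:
            raise PermissionError("device locked")
        return open_sealed(self._dek, self.files[name])

    def remote_wipe(self):
        self.wrapped_dek = None
        self._dek = None


if __name__ == "__main__":
    dev = HandheldStore("2468")                      # constructed access code
    dev.unlock("2468")
    dev.write("contacts.txt", b"ceo: +1-555-0100")   # constructed sample data
    dev.lock()
    print("wrong code:", dev.unlock("0000"), "right code:", dev.unlock("2468"))
    dev.remote_wipe()
    print("after wipe:", dev.unlock("2468"))
```

A wrong access code fails at the tag check on the wrapped key rather than producing garbage, and a wipe is a single small write instead of overwriting every file, which matters on a device that may be reported stolen while on a slow cellular link.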

Security deployment and management for handheld wireless devices

Most enterprises have a formal security policy in place, outlining their overall security and risk strategies. A good handheld device security solution allows an enterprise to monitor and protect devices within the context of this overall security strategy. It should offer centralized management of handheld devices, including policy management, monitoring, and enforcement, and should enable an integrated view of security status across the entire enterprise.

With centralized management, IT administrators can deploy security policies such as access rights, encryption settings and interface blocking rules, deploy patches and device updates, and distribute security threat updates and alerts. Centralized configuration and maintenance of security solutions for handhelds allows an enterprise to configure resources and policies more consistently and provides administrators with greater visibility into policies and status.

A security management tool allows an enterprise to build an audit trail of the performance and events associated with handheld devices and delivers the critical information needed to spot security threats and aid planning. Network attacks have become increasingly complex, often involving blended threats. A sound handheld security solution should integrate into an overall, unified security management solution for the enterprise so that administrators can correlate security threats across all products and solutions to quickly identify potential attacks. For example, being able to see a user attempting to log in to IPSec and SSL VPNs from different locations is an easy way to spot a potential login violation.
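The correlation just described only works when the IPSec and SSL VPN logs are read together, since each gateway on its own sees one perfectly ordinary login. The following is an added example, not Check Point's code, of that check run over a handful of log lines; the log format, user names, addresses and geolocations are constructed, so a real deployment would replace the parser with one for its gateway's actual format.

```python
"""Correlate IPSec and SSL VPN logins to flag one user authenticating from
different locations within a short window.

Added example; not Check Point's code.  The log format and sample lines are
constructed; adapt the regex to the real gateway's format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: "<timestamp> <IPSEC|SSL> login user=<name> src=<ip> geo=<CC>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<vpn>IPSEC|SSL) "
    r"login user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>[A-Z]{2})$"
)

# Constructed sample: alice appears on both VPNs from two countries 7 minutes apart;
# bob and carol log in twice from one place; the last line is deliberately malformed.
SAMPLE_LOGS = """\
2008-03-04T08:02:11 IPSEC login user=alice src=203.0.113.10 geo=US
2008-03-04T08:05:40 SSL login user=bob src=198.51.100.7 geo=GB
2008-03-04T08:09:02 SSL login user=alice src=192.0.2.55 geo=DE
2008-03-04T09:30:00 IPSEC login user=bob src=198.51.100.7 geo=GB
2008-03-04T11:00:00 SSL login user=carol src=203.0.113.44 geo=US
2008-03-04T11:02:00 IPSEC login user=carol src=203.0.113.44 geo=US
garbage line that does not parse
"""


def parse(lines: str):
    """Parse log lines from both VPN types into one time-ordered event list."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue          # skip malformed lines; one bad line must not stop correlation
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def find_location_conflicts(events, window=timedelta(minutes=30)):
    """Alerts for pairs of logins by the same user from different geolocations
    within `window`, regardless of which VPN each login used."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():          # evs keep the global time order
        for i, first in enumerate(evs):
            for second in evs[i + 1:]:
                if second["ts"] - first["ts"] > window:
                    break                        # later events are further away still
                if first["geo"] != second["geo"]:
                    alerts.append({"user": user, "first": first, "second": second,
                                   "gap": second["ts"] - first["ts"]})
    return alerts


if __name__ == "__main__":
    for a in find_location_conflicts(parse(SAMPLE_LOGS)):
        print(f"{a['user']}: {a['first']['vpn']} from {a['first']['geo']} then "
              f"{a['second']['vpn']} from {a['second']['geo']} after {a['gap']}")
```

The per-user inner loop stops as soon as the gap exceeds the window, so the cost stays linear in practice even on a busy gateway; the geolocation comparison is deliberately coarse, since two corporate addresses in one country should not raise an alert while a second login from another country within minutes should.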

Conclusion

To stay competitive in a changing business world, enterprises must leverage technology to meet the needs of workers while ensuring the security and stability of information and network assets. Handheld wireless communication devices are becoming an indispensable part of business.

As workers continue to adopt and use handheld devices to check email, surf the Web, and access corporate resources, the potential for devastating security breaches will also increase. If enterprises do not quickly address the vulnerabilities posed by handheld wireless communication devices, they risk loss of data, damaged reputations, disrupted operations, and costly reparations.

Cybercriminals, a new breed of criminals specializing in malicious activity for financial gain, are beginning to target vulnerabilities associated with handheld devices. Already over 400 different mobile viruses have been identified, and experts warn that the number of threats will rise significantly. Meanwhile, awareness of the level of risk associated with handheld devices has been low. To protect against costly security breaches, enterprises need to accomplish four aims: protect the data on physical handheld devices so that it is not compromised when lost or stolen; secure data in transit and provide strong authorization; ensure device compliance via endpoint security tools; and implement centralized security deployment and management.


Excerpt from Check Point -
Handheld Wireless Security:
Business-critical devices face new security threats
