The Enterprise's Achilles' Heel: Cellular Security
IT shops aren't doing enough to secure their cellular communications. This leaves them wide open to attack. The stakes are high -- and likely to get even higher.
One especially frustrating thing about securing the enterprise is that there are a lot of things you just can't control. Even when you do try to establish control, if users believe that the requirements of a security policy are too onerous -- or if security policies include provisions that explicitly prevent users from doing what they want or need to do -- they'll do their best to circumvent policy. In many cases, they're abetted by managers or executives who likewise feel constrained by the effects of a security policy.
This, of course, is all part of managing security in the enterprise. Security technologists have effectively been dealing with it forever.
What's perhaps most frustrating for security pros is when potential issues are clearly -- and literally -- out of their hands. Such is the case with smart phones or PDAs; use is growing (at a breakneck pace) in the enterprise. The alarming consequence, security researchers say, is that enterprise IT organizations aren't doing enough to secure their cellular communications.
It isn't exactly a problem of awareness -- it's a case of "bad faith."
According to a new survey from wireless watcher ABI Research, only one in five enterprises -- 18 percent -- has actually implemented dedicated mobile security safeguards. This is in spite of the fact that fully 80 percent of senior business executives say they're aware of the risks posed by hacked, compromised, or intercepted cellular communications.
Why the disparity? The irony, ABI concludes, is that over half of executives (55 percent) believe their organization has taken the appropriate steps to safeguard its cellular presence. Once they look into the matter, however, they discover that the opposite is true.
"Effective e-mail security has become routine, but our research shows most businesses do not apply anything like the same level of robust security to cell phone calls," said ABI vice-president and practice director Stan Schatt, in a statement. "Equally concerning is that a significant number of people who identified themselves as being responsible for cell phone voice call security incorrectly believe the organizations' mobile calls have been protected when they have not. This perception that they are protected when in reality they are not suggests a serious hole in the information security of many businesses."
ABI isn't exactly an unbiased observer, however. Its survey was sponsored by Cellcrypt Inc., a company that develops technology to safeguard cellular communications. That being said, the business case for improving cell phone security is clear. Businesses are increasingly dependent on cellular communications: ABI's tally found that nearly 80 percent of shops use their mobile assets to transact sensitive or confidential business on a weekly basis; more than half (51 percent) do so daily.
Second, ABI, CellCrypt, and other telco watchers have long talked about a potential explosion in cellular hacking. ABI cites at least one ongoing effort -- trumpeted by the Chaos Computer Club, or CCC, a celebrated German cracking group -- to defeat the encryption used to protect GSM (Global System for Mobile communications) traffic. Although not as prevalent in the United States, GSM is the de facto standard for global cellular connectivity: market watchers say it powers about 80 percent of the world's cellular traffic.
A rival technology, Code Division Multiple Access (or CDMA), is used by most cellular carriers in the U.S., although at least two prominent U.S. service providers (AT&T and T-Mobile) also have GSM-based backbones.
Globally, GSM's ubiquity makes it an exceedingly high-value target for crackers. Although GSM has been cracked before -- such as in February of 2008 when Pico Computing Inc. (a manufacturer of FPGA chip solutions) announced plans to market hardware capable of cracking A5/1, GSM's voice privacy encryption algorithm. Things could get much more interesting in 2010.
Late this past summer, for example, the CCC told the German edition of The Financial Times that it planned to release GSM-cracking software in a few months. That has Cellcrypt, the cellular security vendor that sponsored the ABI survey, ringing the alarm bells.
"In light of this summer's news that a GSM cracking codebook will be made widely and freely available very soon, and [that] sub-$1,000 interception equipment [will be] available soon after, this lack of security is particularly worrying," said Cellcrypt CEO Simon Bransfield-Garth, in a release. "Businesses must plan now for the eventuality that their mobile voice calls will come under increasing attack within the next six months."
Waiting and hoping, Bransfield-Garth maintains, just won't cut it: "A 'policy of hope' towards mobile phone security is not adequate, voice is another data service and should be afforded the same security considerations as e-mail and other corporate communications," he concluded.