From: InfoSec News (alertsinfosecnews.org)
Date: Mon Apr 09 2007 - 03:09:07 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.infoworld.com/article/07/04/06/HNwindowsmono_1.html

By Matt Hines
April 06, 2007

Without a doubt, the most influential factor driving the current state
of IT security is the ubiquitous presence of Microsoft's dominant
Windows operating system on a vast majority of the world's PCs.

Since an estimated 92 percent of the world's desktops were running on
Windows products in 2006, according to researchers at Net Applications,
it only makes sense that a similar majority of computer viruses have
been aimed at users of the software.

However, as more enterprise businesses begin to adopt newer, more
PC-like mobile devices, dubbed "smartphones," some IT department leaders
say that they have been waiting to adopt Microsoft's Windows Mobile
device OS based on security concerns.

Experts analyzing development of the nascent enterprise mobility sector
have frequently cited the widespread use of a variety of operating
systems as a major benefit to security of handhelds for the last few
years.

Security researchers refer to the popularity of handhelds running on
software made not only by Microsoft, but also by Palm, Symbian, and
Research in Motion, among others, as one of the factors that have led to
the existence of very few malware attacks aimed at mobile devices.

Attackers cannot focus on a single dominant platform in the mobile
space, making it less attractive than the world of Windows desktops, the
thinking goes.

As more users adopt smartphones, that dynamic may shift, experts claim,
but the lack of a single dominant handheld OS has served as a form of
protection.

"As the addressable market for smartphones expands, there will be more
attacks, as malware activity always moves to the areas of greatest
impact, but the activity isn't comparable to the desktop today," said
Jan Volzke, head of marketing for Mobile Security at San Jose,
Calif.-based McAfee. "The number of operating systems in use today has
likely had an effect on slowing attacks, as there is no single platform
to write malware code to."

But enterprise users say that a range of factors are pushing them to
marry their Windows desktop environments with their mobile device
strategies, with security as one of the leading catalysts.

Fears of creating a Windows Mobile monoculture that may be more
attractive to attackers are superseded by the need for a stable product
with familiar characteristics and ties to existing infrastructure, some
say.

Chevron PetroChemical, a massive plastics manufacturer based in Houston,
is currently in the process of rolling out Motorola and Samsung
smartphones running on Windows Mobile because IT project managers feel
the company can protect those handhelds more easily than those running
on other operating systems.

Jonathan Perret, IT Remote Connectivity analyst at Chevron
PetroChemical, a joint venture between parent company Chevron and
ConocoPhillipsSP, said that his company has been actively banning its
employees from using smartphones and PDAs -- including the popular
Research In Motion BlackBerry -- for the last several years.

Despite many requests by individual users to bring their personal
BlackBerry devices into the office, the firm waited until it could get
in hand Windows Mobile devices that would allow for enforcement of the
same types of policies it has created for securing its desktops.

"We knew we would only use Windows Mobile, and we waited for it because
it's the platform we felt we could secure most easily and at the lowest
cost," Perret said. "This process of adopting smartphones is all about
extending your network onto a new platform and addressing the challenges
of that platform, and we felt Windows Mobile presented fewer
challenges."

The reason why the company banned the use of BlackBerry handhelds was
because its IT department wasn't ready to invest in the back-end systems
needed to secure the devices, while it felt that Windows Mobile would
offer the opportunity to do so with existing infrastructure.

The company is also using a mobile device security package offered by
software maker Mobile Armor and provided through carrier Verizon to help
keep its smartphones locked down. So far the firm has 130 of the devices
distributed to its executives and sales force representatives, with
plans to hand out many more.

"Security slowed down previous adoption of PDAs and even our current
smartphone deployment because we were waiting for new tools; we were
limiting devices because of an inability to secure them," Perret said.
"Windows Mobile may not have advanced security features, but we can
augment that with third-party applications, and we felt that it
presented the best alternative compared to the other [platforms], which
would be a lot harder for us to support."

Microsoft officials agreed that one of the best selling points of
Windows Mobile from a security perspective is the handheld product's
close ties to its other systems.

The software giant won't try to keep up with every security feature on
the smartphone software market, but it believes its technologies can
already provide the sort of baseline protection that enterprises are
seeking.

"We're not going to try to go tit-for-tat on every security feature.
Some rivals might have more built in, but this process isn't all about
features; it's how the technology can be implemented that makes the big
difference," said Samir Kumar, mobile devices product manager at
Redmond, Wash.-based Microsoft.

"It's not about Windows Mobile having more security features than any
other platform; it's about enterprise customers who already see a need
to align mobile security and device management with how they do things
in the desktop world," he said. "If they have existing management tools
and policies for Windows desktops and laptops, it's logical and
effective to extend that to handheld devices."

Security experts contend that there are still far too many different
products in people's hands and that Windows Mobile commands far too
little share of the wireless market for there to be anything close to a
similar level of risk as the dangers associated with today's Microsoft
desktop monoculture.

As the OS does become more widely used, however, the risk of attack will
grow, according to security specialists.

"It's true there haven't been many mobile viruses, and you can still
debate whether those will ever be as prevalent as desktop attacks," said
Curtis Cresta, general manager of anti-virus maker F-Secure North
America. "But you can also look at the history of IT and decide what
will happen as more users adopt each OS; as more smartphones become
available and more people are using them, the pool for each OS gets
bigger, and we believe there will also be a bigger pool of attacks."

__________________________
Subscribe to InfoSec News
http://www.infosecnews.org

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]