Blog of Intellectual Capital

“The hottest trends in technology also represent some of the gravest threats to corporate data security.

Mobile devices, social networking and cloud computing are opening up new avenues for both cyber criminals and competitors to access critical business information, according to speakers at this week’s RSA Conference 2011 at San Francisco‘s Moscone Center and a survey set for release this morning.

The poll of 10,000 security professionals, by Mountain View market research firm Frost & Sullivan, also concluded that corporate technology staffs are frequently ill prepared to deal with many of the new threats presented by these emerging technologies.

“The professionals are really struggling to keep up,” said Rob Ayoub, global program director for information security research at Frost & Sullivan.

Mobile: Mobile devices ranked near the top of their security concerns, coming in second behind applications, such as internally developed software and Internet browsers.

Businesses face a number of threats from the increasingly common use of smart phones and tablets by their workers, including malicious software that attacks the operating systems, or the simple loss or theft of devices often laden with corporate information.

Juniper Networks, a sponsor of the RSA conference, presented some eye-catching – if also self-serving – statistics during a session titled “Defend Your Mobile Life.”

Mark Bauhaus, an executive vice president at Juniper, said that 98 percent of mobile devices like smart phones and tablets aren’t protected with any security software, and that few users set up a password. That’s troublesome, he said, given that:

— 2 million people in the United States either lost or had their phones stolen last year;

— 40 percent of people use their smart phone for both personal and business use;

— 72 percent access sensitive information, including banking, credit card and medical records;

— 80 percent access their employer’s network over these devices without permission.

Bauhaus stressed the need to adopt mobile applications and online services – which Juniper not coincidentally provides – that remotely turn off and wipe gadgets, blacklist spammers, detect and remove viruses, and ensure that devices are safe before connecting to corporate networks.

Hackers have already tried to exploit the popularity of mobile applications by writing Trojan Horses, malicious programs that appear to be helpful apps in online markets, said two researchers from Lookout Mobile Security of San Francisco in a separate session.

Once users install the app, however, it can disable the phone, force it to execute commands or snatch information.

Since late December, two Trojans have been identified on Android phones that represented significant leaps in technological sophistication, said Kevin Mahaffey, chief technology officer of Lookout, which also develops mobile security services.

Known as Geinimi and HongTouTou, both are examples of malicious software inserted into otherwise familiar and legitimate apps.

“We’re nowhere near the level of sophistication you see in desktop malware, but it’s definitely a step up from what we’ve seen to date,” Mahaffey said.

Cloud: A Wednesday morning session titled “Cloud Computing: A Brave New World for Security and Privacy,” highlighted the considerations that businesses should bear in mind before using such a system, in which data are stored on remote server farms rather than ensconced behind a company’s own walls.

Placing corporate e-mails, human resource information or credit card numbers outside the company’s physical domain raises a number of legal, privacy and security issues, according to the panel.

Hackers go after cloud providers for the same reason that criminals rob banks, said Eran Freigenbaum, director of security for Google Apps.

“Cloud providers are going to get attacked and get attacked, because that’s where the data is,” he said.

The measure of a cloud service, like those provided by Google, Amazon.com or Salesforce.com, are how they hold up against such assaults and respond to exposed vulnerabilities, he said.”