Security Leadership and Management

Why Superphone Hacks Are Your Business

March 1, 2011
/ Print / Reprints /
/ Text Size+

Many of you in the traditional roles of corporate, investigations and physical security may not think your organization has an active role in your organization’s telephony security polices and programs. Well, at least not on the risk management side of the equation. Post-hack or theft, the investigation and clean-up, of course, falls to your organization. But the recent rise in smart, or the newly coined, “superphone” hacks, breaches and resultant losses do require your attention and participation at the front end of risk management. In many cases, the flaw is not the technology being used, but the people using and misusing the technology. According to a Verizon Data Breach Investigations Report, which cites misused permissions as a core issue, 96 percent of these cyber-breaches are avoidable by implementing simple or intermediate controls.

   This is not only an IT or technology security issue, per se. Rather, key risk issues are right in the sweet spot of corporate security, including culture, training and policies by employees to ensure that risk is reduced. The rise of corporate networks, electronic supply chains, remote workforces, global expansion and travel have all added to the complexity of risk management and securing the business, and mobile devices only add to the layer of brand risk. And then there’s the arrival of superphones to further raise the security bar.

 What are superphones? As a basis for discussion, there are the traditional cell or mobile phones, the original un-tethered phone for the purpose of making a call while mobile. Security was not an issue for the first mobile phones, unless you lost one or had the electronic serial number stolen and applied to another phone. The only “exposure” was a huge phone bill and a lengthy argument with your service provider. Losses were limited.

The superphone category also includes the Apple iPad and post-iPad tablets, and according to talk at the recent CES Show, Apple should have a profitable year, with a projected 20 million iPads in 2011 expected to be sold. The year 2011 has been dubbed, “year of the tablet,” and rightly so.

So what to do? A “Sysadmin” blog written by Trevor Pott and distributed in a recent OSAC briefing outlines the general issues and potential problems, and provides a good starting point for definitions within your organization, so that everyone from IT to sales is singing the same tune.

The blog, titled “Superphones: A Nightmare Waiting to Happen,” correctly points out that with new connectivity and functionality, the risk to new attacks for superphones has increased. Specifically, Pott defines superphones as those that include access to an integrated app store and multimedia playback capabilities.

 And his key point for you: “Superphones, on the other hand, are deadly. They are not only fully-featured computers in their own right, they are easy – and desirable – enough to use that everyday users are getting in on it. They are everywhere and worst of all, their popularity is seeing their vulnerabilities discovered, exploited and malware specifically designed to target them.”

It may be no coincidence that on the day after the blog was posted, McAfee, the anti-virus company best known for computer virus software, announced research that “smartphones are the cyber criminal’s new frontier.” According to the research, malicious attacks on smartphones increased 46 percent in 2010 (and you are thinking…only 46 percent?)

At the top of the attacked list are the market share leaders, including Google’s Android and Apple’s iPhone. And it is also no coincidence that McAfee acquired smartphone security company Trust Digital to enter this new growth market.

What are examples of the most common malicious attacks? One takes control of the Google Android application and quietly sends premium rate text messages to a number the hackers established. Their profits are instant and huge. Similar to the cell phone risk, the expense is yours. Of larger risk is spying to gain access to passwords to corporate networks as well as personal banking accounts. And the ability to download free apps to a corporate device that have not been vetted for malware is a significant risk. The February announcement of hacks on Western U.S. Energy companies by Chinese organizations included “tricking employees to reveal passwords.” There is nothing techno-savvy about that. That is all about people, policies and procedures.

Many of the publicized security breaches are the result of exploiting poor security technology and design. But many are also the result of not making users understand how to securely use their new superphone to protect the business and their own information. While the IT issues of superphones are not the traditional role of security, having a conversation with your IT folks leading the superphone charge may be worthwhile. Your expertise and voice in policies and tracking privilege usage beforean investigation has to be launched is central to the goal of protecting the business and building your brands.

Did you enjoy this article? Click here to subscribe to Security Magazine. 

You must login or register in order to post a comment.



Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.


Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

September 2014

2014 September

In the September issue of Security Magazine, find out who this year's most influential people are in the security industry are. Also, take a peek at the technology products that ASIS 2014 will be showcasing at the upcoming event. Read about the lessons learned from security at the World Cup, find out why tactical medical training is a must for your enterprise and how Atlanta increased security by sharing surveillance.
Table Of Contents Subscribe

Adopting New Technology

How long do you wait before adopting a new technology?
View Results Poll Archive


CompTIA Security+ Certification Study Guide
CompTIA's Security+ certification is a globally-recognized, vendor neutral exam that has helped over 60,000 IT professionals reach further and higher in their careers. The current Security+ exam (SY0-201) focuses more on being able to deal with security issues rather than just identifying them.
More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to


Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+