RIM Exec on Mobile Malware and The Future of BlackBerry Security

Scott Totzke knows mobile security.

Currently VP of BlackBerry security at Research In Motion (RIM) and a RIM staffer for as long as the company has made smartphones, Totzke remembers when the BlackBerry Enterprise Server (BES), RIM’s main BlackBerry infrastructure component for corporations, had less than 50 IT policies for BlackBerry administrators to secure their organizations’ smartphone deployments.

Now with more than 500 security-related IT policies, BES is RIM’s flagship enterprise product. And the evolution of BES is a fitting metaphor for the growth of the BlackBerry platform in general; with more and more organizations employing BES and BlackBerry smartphones in a wide variety of settings, RIM’s security offerings needed to morph along with those organizations’ individual needs. And they’re still changing.

During his time with RIM, Totzke has also attended every one of the company’s Wireless Enterprise Symposium (WES) events, which started off as small niche, tech conferences but turned into what are now some of the largest enterprise-smartphone-related gatherings in the world.

Now in its ninth year, WES is where RIM unveils its latest and greatest. It’s also where thousands of BlackBerry enthusiasts, consumers and business-users alike, gather to share knowledge, network and break bread.

I’m on the scene in Orlando for WES 2010 this week, and I was fortunate enough to have a sit-down with Totzke yesterday, during which we chatted about the current state mobile malware and the future of BlackBerry smartphones.

Security Edge

RIM’s mobile platform is the most secure enterprise mobility option, Totzke says, because every product or service the company develops is built from the ground up with security in mind.

“Security is always a consideration from the start,” he says, whereas Apple and other handset and/or mobile software makers may be adding security-related features to make products more enterprise friendly.

Totzke also cites the fact that BlackBerrys are mostly secure “right out of the box.” Users don’t need to install any third-party antivirus or other security software. And corporate users on a BES are immediately protected by their organizations’ specific security settings.

“There’s no one-size-fits-all in mobile security,” Totzke says. So RIM offers its customers granular options via BES, so they can customize BlackBerry security to their own needs.

Whether it’s the BlackBerry hardware, a device OS or the corporate management software, security is built-in, and this end-to-end approach gives RIM an advantage over competitors, according to Totzke.

FREE CIO BlackBerry Newsletter

Get better use out of your BlackBerry and keep up-to-date on the latest developments. Sign-up »

BlackBerry and Mobile Malware

Mobile malware, and the idea of BlackBerry spyware, has been getting quite a bit of attention in the press lately.

Though mobile malware is a real threat that should be taken seriously, Totzke says in the grand scheme of things, it’s only in its infancy. From a BlackBerry perspective, malware represents a different threat to consumers than business users, since BES admins can set mobile application-install polices that stop users from installing non-approved apps. This can drastically reduce the risk of users installing dangerous software, he says.

Education on the risk of installing random apps from “untrusted” sources is key for all smartphone users, but especially for the consumer user, Totzke says.

“If an attacker can convince someone to install [a malicious] app, you don’t own your platform anymore,” Totzke says. “At the end of the day, social engineering is the hardest thing to fix.”

So it’s of the utmost importance to ensure that BlackBerry users are aware of the possible dangers of installing unknown or potentially harmful apps. And that education should be an on-going process, he says.

Consumers need to be their own security admins, Totzke says.

The many mobile platforms available to smartphone users today have likely slowed the progress of mobile-malware creators, because there are so many different “targets” instead of just one, Totzke adds. If there were only one or two major smartphone operating systems, the bad guys probably would’ve made more progress toward creating and disseminating mobile malware, according to Totzke.

What’s the BlackBerry-security threat that worries Totzke the most? The idea of malware that attacks cellular and other infrastructure. In other words, malware that employs users’ devices to target wireless carrier’s networks using distributed denial of service (DDoS) attacks.

Traditional DDoS attacks occur when hackers take control of large groups of computers and then order them all to access one website or service at the same time, overloading servers and eventually crashing or disabling the site. DDoS attacks could also be perpetrated on smartphone users, with wireless data packets being used to overload and disable carriers’ networks, Totzke says.

The Future of BlackBerry Security and BES

One of the BlackBerry platform’s leading strengths is the wide variety of IT policies within BES that let admins pick and choose which safeguards are required for their particular smartphone deployments.

As RIM adds more device-functionality, it will continue to add BES IT policies to mitigate risks related to new technologies or features, Totzke says. For example, RIM recently added new VoWi-Fi calling to its Mobile Voice System (MVS) 5 offering. And along with that new functionality, it added Wi-Fi network access controls to specify which Wi-Fi networks users could securely use with MVS features.

While 500 IT policies for BES available to choose from may seem like a lot today, that number is only going to increase in the future, he says. However, with new IT policies comes even greater complexity, so RIM needs to work on ways to make all the BES options and setting easier to navigate, according to Totzke. For example, the company will likely add new templates and baselines to simplify the process of finding and enabling appropriate security settings.

“For an admin, there are a lot of decisions,” Totzke says. “The goal is to simplify those security decisions, or at least make the big decisions easy and then let the admin fine tune.”

Totzke admits RIM has some work ahead of it in that particular field.

BlackBerry Security Advice for Users, Admins

The single most valuable BlackBerry user-security tip, according to Totzke: Set a password.

“If you don’t have password, you don’t ‘own’ the device,” Totzke says. “You’re not locking the front door.”

As for a security tip for administrators, Totzke says it may sound counterintuitive, but BES admins should beware of being overzealous in setting BlackBerry security policies — and revisit them fairly often.

Administrators “shouldn’t enable IT policies just because they can,” according to Totzke. He says the tendency is sometimes to “turn it up to 11.”

Enabling too many IT policies can create an unnecessarily restrictive environment for users, reducing the overall value of the BlackBerry and the wide variety of mobile applications available today, he says.

Sometimes decisions are made to set certain IT policies at a given time, and then those decisions aren’t reconsidered for years. The possible danger there: IT policies that may have seemed like a good idea two years ago only hinder the benefits of BlackBerry today, Totzke says.

AS

FREE CIO BlackBerry Newsletter

Get better use out of your BlackBerry and keep up-to-date on the latest developments. Sign-up »