This Computerworld story rings some pretty alarming security bells over the imminent release of the iPhone. The Apple device will be hot -- very hot -- which will make it very attractive to the dark side. People will bring it into the enterprise, which is worrisome since Apple has released little information on its security. Finally, the iPhone runs Mac OS X, so it may be vulnerable to malware that already exists for that platform.
Well, never mind, apparently. Others quoted in the piece make a persuasive case that the potential problems are not dire and that the iPhone doesn't necessarily pose a significant risk. Applications will be delivered through the Safari browser. The absence of a software development kit (SDK), experts say, makes mischief much less likely. It is fair to point out, however, as this Security Pro News writer does, that using a browser as a conduit for applications doesn't eliminate all the danger. Indeed, Apple recently patched a bunch of vulnerabilities in Safari.
We will see what happens soon enough, since the iPhone is slated for release Friday. The questions of whether this phone poses no security threat, whether its arrival signals a crisis of massive proportions, or whether the reality rests somewhere in between -- which of course is likely -- bring up something that is important for security staffs to keep in mind: Consumer gear invariably is used at work, and in most cases there isn't much the organization can do to stop it.
The best approach is to work with end users as new technology is introduced. In that way, at least the company has an inkling of what is living on its network. The most obvious example of what can happen is the case of rogue access points (APs), unauthorized wireless local area network (WLAN) hot spots that are set up by users. They generally are established for positive reasons, such as creating a subnetwork among a group of employees who sit near each other and work together closely. But if the IT department doesn't know about the network -- and if a consumer-grade AP is used -- it is a recipe for trouble.
IT must work with other departments to ensure that such unauthorized activities are kept to a minimum. To be sure, technical solutions can root out some unauthorized activities. That's good, but it shouldn't be the main thrust of the organization's strategy. The IT department should work with human resources, senior management and other departments to create strong, comprehensive policies. More importantly, the policies should be enforced. The good news is that most folks will cooperate once they understand why it's important to track unauthorized gear.