In this mobile security guide, we explore the security risks of mobile devices and provide some best practices to help you protect your corporate assets and your users against data loss, network compromise and threats.
Table of Contents
Mobile devices -- Areas of risk
Mitigating mobile security threats
Protecting handhelds -- Best practices
Top mobile security oversights
Gaining control with a mobile security policy
Everyone knows that mobile devices create business risks. Knowing this, some mobile managers ban laptops, wireless networks, handheld devices, etc. On the other hand, many allow mobility openly, with very limited controls, to the extent where it becomes an employee "right." Both are extremes in the classic struggle of trying to balance security with usability. Whether you support mobility in one of these fashions or fall somewhere in between, it's almost guaranteed that mobile security problems still exist. (Contributor: Kevin Beaver )
Mobile devices -- Areas of risk:
- Loss of general company data and files from these increasingly memory-laden devices.
- Key sales contacts could go to a competitor -- or be lost altogether.
- Physical loss of the device.
For more information Read Simon Forge's complete article, "Mobile device management -- Controlling risks and costs for better security."
- The employee's time to recover from the loss -- which can be a few hours or a few days -- is usually worth far more than the replacement costs of the device and software.
- The time needed by the network administration team to replace the device and handle the loss.
- Introduction of viruses and malware into the company's installed computer base, usually when synchronizing PC and handset in the office and on a home PC.
- Phone fraud of various types -- e.g., employees making unauthorized long-distance personal calls; this is less of a problem now because many companies accept that personal calling is going to happen, and corporate rate plans for bulk long-distance can cut the cost significantly. The cooperation of the mobile operator is required to control this.
- The use of such devices as means of stealing company information. The "inside job" on data theft can be pulled off using a wide variety of mobile devices, from PDAs to lowly MP3 players. (Contributor: Simon Forge)
Mitigate mobile security threats
Here are some key defenses against data loss, network compromise and compliance threats:
- Develop a comprehensive, strategic plan for mobile devices that incorporates security policies and procedures with strict accountability.
For more information
Read David Geer's complete article "Mitigate mobile security threats."
- When it comes to security, treat smartphones, laptops, personal digital assistants and other mobile devices no different than desktop computers. Apply the same security software to them, including antispyware software.
- IT, not employees, should select which mobile devices to use in the enterprise, and the company should own them and maintain central control. This way, IT can easily apply software patches and end-to-end encryption.
- Install acceptable software applications on mobile devices and warn users against adding unauthorized applications on their own.
- Create acceptable usage policies for mobile device and proactively educate users about them.
- IT should put in place an enforcement technology behind written usage and security policies for mobile devices. In other words, apply technologies that make it impossible (or near impossible) for users or devices to break company policy.
- Audit and monitor mobile device activity among employees to prove security policy compliance. Audits can reveal how effective a written policy is and how soundly employees are adhering to it. Regular audits can also help amass proof of compliance to HIPAA and other regulations. (Contributor: David Geer)
Best practices for protecting handhelds from mobile malware
Here are some best practices to help your users avoid mobile malware and its potential woes:
- Make sure all host systems that your users are syncing their devices to are protected with current antivirus software. In many cases, the desktop system can catch infected applications before they are installed on the mobile device.
For more information Read Al Berg's article,"Best practices for protecting handhelds from mobile malware."
- If your users are not using Bluetooth on their phones, PDAs, luxury automobiles or other gadgets, have them disable the feature altogether. In addition to closing the door on some types of malware and unwanted advertising, this will improve battery life on the device.
- If your users simply cannot live without their Bluetooth accessories, make sure that at the very least, their phone/PDA/etc. is not set to be discoverable. While this is not a guarantee that a skilled attacker will not see the device given time and motivation, it will provide some defense against attackers of opportunity. A better practice is to instruct users to activate Bluetooth when they need it and turn it off when not in use.
- While it may seem a bit obvious, we infosec types need to educate our users that, just as they should not click on every attachment sent to their PC e-mail inbox, they should view unsolicited messages and software on PDAs and phones with suspicion. The malware released to date for phones and PDAs requires help from the victim in order to spread. No help, no virus.
- Information kept on phones and PDAs should exist somewhere else as well. Malware is one threat to mobile devices, but there are many others: theft, loss, damage to name a few. No matter which of these results in data loss, having a backup will make recovery easier. (Contributor: Al Berg)
Top mobile security oversights
Critical mobile security mistakes -- things to look out for and gain control of going forward.
- Not knowing what is really at risk
Most employees and managers haven't really thought about what there is to lose -- especially when it comes to the lack of physical security controls with mobile devices. Simply put, people aren't valuing business assets and treating the threats and vulnerabilities seriously enough.
For more information Read Kevin Beaver's complete article, "Top mobile security oversights."
- Not taking the complexities involved seriously enough
It is easy to assume that mobile security is simply achieved. You just encrypt wireless traffic and laptop hard drives and all is well, right? Not really. For starters, it's all in how encryption is used and when it's used. Also, with the lack of physical controls, unauthorized usage is very difficult to prevent or trace back. The software side of mobile security is a complex beast and it cannot be taken lightly.
- Being too trusting of people
Many in IT and upper management are too trusting of employees and with outside contractors and visitors. They are often given a lot of privileges with mobile devices -- both on and off the network -- but no one really knows how they're using them.
- Not using technology for help
There is a great over-reliance on policies to keep information safe -- especially at the management level. The assumption is that a policy is in place, so everything is safe and sound. There are lots of security controls from power-on passwords to BitLocker drive encryption in Windows Vista, from WPA encryption to the Microsoft PPTP VPN (among others). The key is making the choice to use them. If the controls you need are not there by default, there are solutions available to keep mobile systems secure from the elements.
- Not understanding how the bad guys work
Mobile systems (wireless LANs included) aren't being properly tested for security exploits. In fact, mobile systems are often outside the scope of security assessments. Of the testing that is being done, it is often a checklist audit with no in-depth testing ethical hacking to find out just what controls can be bypassed and exploited. Looking at mobile systems with a malicious attitude and good tools is absolutely necessary to find the real problems. (Contributor: Kevin Beaver)
Gain control with a mobile security policy
To manage security risks, companies need to define which mobile devices are allowed and under what conditions. They should place limits on network and application access and on business data storage and transfer. Security measures and practices should be required and processes defined to monitor and enforce compliance.
These decisions should be documented in a mobile device security policy -- a formal statement of the rules by which mobile devices must abide when accessing business systems and data. Such policies may include the following sections:
- Objective: Identify the company, organizational unit and business purpose of the policy.
For more information Read Lisa Phifer's complete article, "Policies for reducing mobile risk."
Gain more insight with our special report on mobile security policies.
- Ownership and authority: Identify those responsible for policy creation and maintenance (development team), those responsible for policy monitoring and enforcement (compliance team), and those responsible for policy approval and management oversight (the policy's owners).
- Scope: Identify the users/groups and devices that must adhere to this policy when accessing business networks, services and data. Enumerate the mobile device models and minimum OS versions allowed to access or store business data. Identify the organizational units that are (or are not) permitted to do so.
- Risk assessment: Identify the business data and communication covered by this policy -- your company assets that may be placed at risk by mobile devices. For each asset, identify threats and business impacts, taking into consideration both probability and cost.
- Security measures: Identify recommended and required mobile security measures and practices, including:
- Power-on authentication to control lost/stolen device use
- File/folder encryption to prevent unauthorized data disclosure
- Backup and restore to protect against business data loss or corruption
- Secure communication to stop eavesdropping and backdoor network access
- Mobile firewalls to inhibit wireless-borne attacks against devices
- Mobile antivirus and IDS to detect and prevent device compromise
- Application and interface authorization to control program installation, network use, synchronization and data transfer to/from removable storage
- Acceptable usage: Define what users must do to comply with this policy, including procedures required for device registration, security software download and installation, and policy configuration and update. Enumerate best practices that users are required to follow, including banned activities. If users understand what they can and cannot do and why, they will be less frustrated and more likely to comply with stated policy.
- Deployment process: Define how you plan to implement and verify your mobile security policy. It is a good idea to begin with a trial, taking both your mobile security software and defined procedures out for a test drive with a small group of users. Many security policies fail because they prove impractical to deploy or use. Working out these kinks before requiring everyone to follow your policy will increase voluntary compliance and overall effectiveness. Don't forget to include training for administrators and users in your deployment process.
- Auditing and enforcement: Voluntary compliance is nice, but insufficient for truly managing business risk. Effective policies ensure compliance through monitoring and enforcement. (Contributor: Lisa Phifer)