Professional Documents
Culture Documents
Figure 1 presents some known vulnerabilities and associated threats that need to be understood when dealing with mobile devices. Vulnerability
Information travels across wireless networks, which are often less secure than wired networks.
Mobility provides users with the opportunity to leave enterprise boundaries and thereby eliminates many security controls.
Threat
Malicious outsiders can do harm to the enterprise.
Risk
Information interception resulting in a breach of sensitive data, enterprise reputation, adherence to regulation, legal action. Malware propagation, which may result in data leakage, data corruption and unavailability of necessary data.
Bluetooth technology is very convenient for many users to have hands-free conversations; however it is often left on, and then is discoverable. Unencrypted information is stored on the device.
Mobile devices cross boundaries and network perimeters, carrying malware, and can bring this malware into the enterprise network. Hackers can discover the device and launch an attack.
Device Corruption, lost data, call interception, possible exposure of sensitive information. Exposure of sensitive data, resulting in damage to the enterprise, customers or employees.
In the event that a malicious outsider intercepts data in transit or steals a device, or if the employees lose the device, the data are readable and usable. In the event that the device is lost or stolen, outsiders can access the device and all of its data. If no mobile device strategy exists, employees may choose to bring in their own unsecured devices. While these devices may not connect to Virtual Private Network (VPN), they may interact with e-mail or store sensitive documents.
Data exposure, resulting in damage to the enterprise and liability and regulation issues. Data leakage, Malware propagation, unknown data loss in case of device loss or theft.
In the policy that sets the strategy goals, the following issues should be considered:
Defining allowable device types (enterprise-issued only vs. allowing personal devices and types of devices such as BlackBerry or iPhone) Defining the nature of services accessible through the devices, taking into account the existing IT architecture Identifying the way people use the devices, considering the corporate culture as well as human factors and how the nondeterministic execution of processes through the use of mobile devices may lead to unpredictable risks Integrating all enterprise-issued devices into an asset management program Describing the type of authentication and encryption that must be present on the devices Outlining the tasks for which employees may use the devices and the types of applications that are allowed Clarifying how data should be securely stored and transmitted
Figure 2 provides strategies to address risks. Mobile devices have the potential to become the biggest threat for leakage of confidential information. Their protection, very much neglected until now, will become a primary task for enterprises. Creating a transparent, understandable, flexible and executable policy to protect against risks related to the use of mobile devices will support management in its effort to protect intellectual property and sustain competitive advantage. Risk
A lost or stolen mobile device
Strategy
Implement a central management console for device remote control-i.e., location tracking, data wipeout, Password/PIN change or strong user authentication. Ensure that mobile devices are encrypted so information is unusable in the event of lost or theft. Turn to cross-platform centrally managed mobile device managers. Secure the systems that are accessed with authorization, encryption & privileges control. Monitor & restrict data transfers to handheld or removable storage devices and media from a single, centralized console.
Providing support to various devices Controlling data flow on mobile devices Preventing data from being synchronized onto mobile devices in an unauthorized way Keeping up with usage of the latest & greatest devices. Promoting accountability, responsibility and transparency with device usage Demonstrating regulatory compliance
Create keen user awareness on information assets, risks and value to the enterprise. Track the devices are used, and provide regular feedback to management.
Implement a central management console to manage all stages of asset management, from installation to retirement.
How: Evaluate the gateway with an administrator, and verify that the code
running on the gateway is the latest version. Verify that the latest version is correct using the manufacturers website or other similar updated source of information from the manufacturer. Examine the change-management processes around evaluating and maintaining current code releases for the APs. Note whether this process is automated and coordinated and whether it scales operationally across regional sites. Step 2: Verify that mobile clients have protective features enabled if they are required by your mobile device security policy. Many MDM solutions, including GoodLink and RIM (maker of Blackberry), both provide several client features such as password controls and remote or local wiping that can bolster your security should a device become lost or stolen.
How: Requisition a mobile device with an administrators help, and verify that it
has the protective features enabled as determined by your mobile security policy or other agreed-on standard. Some common features available with MDM solutions include enforced passwords, password settings, remote lock, remote wipe, and local wipe. Passwords can be set up to meet several different requirements in terms of length and complexity. Emergency calls to 911 should be allowed when configured to enforce passwords. Remote lock allows administrators to lock a lost
or stolen mobile device until it is either found or a decision is made to wipe the device remotely. Wiping the device prevents an attacker from retrieving any data. The local wipe feature is designed to wipe the device if a user exceeds the maximum number of tries to log into it. If you have the capability, you should evaluate the process a user would follow if his or her PDA phone were lost or stolen. Test these features to verify that your company processes work as designed and that all parties understand how to carry out the process. Step 3: Determine the effectiveness of device security controls around protecting data when a hacker has physical access to the device. This is an advanced step and would be performed with the help of your companys computer forensic or security team. The subtle reason for performing this step is to help shed light on the need for security on mobile devices. The companys e-mail server and global address book are accessible remotely on lost or stolen devices until the device account tied into the company network is deactivated.
How: In one large company, it was estimated by the administrator that wiping a
device succeeds only about 20 percent of the time. One of the reasons for this is because users tend to wait too long before reporting that their devices have been lost or stolen. If users are not aware of what to do when they lose a device, a window of opportunity opens for someone with malicious intent to attempt to record data from the device. Waiting to raise a potential issue renders the remote lock and erases controls ineffective. If you determine that you need to use forensic tools to test your controls, you need to state your assumptions clearly. You could, for example, give yourself a timeframe to pull data from a device before remotely attempting to kill the device. Assume that you have the ability to kill devices remotely, and assume that Faraday bags are not used by the attacker. Faraday bags prevent radio signals
from reaching a device and lend an unfair advantage to an attacker. These bags might be used by a skilled, intentioned attacker, but they are not common. The following additional controls may help to prevent physical access hacks. These must be turned on manually and should be in line with your policies.
Managed devices must be password-protected and erase themselves automatically after, for example, 15 incorrect password attempts. Devices can be locked or erased remotely. A password is required to read data on a mobile device. Step 4: Evaluate the use of security monitoring software and processes. Security monitoring and regular log reviews can reveal potential issues before a serious event occurs.
How: One method for discovering the number of potential unmanaged devices
on your network is to look for the existence of the supporting desktop software on your systems. This doesnt prove that an employee is actively using the device but suggests that at one point he or she tried to do so. You could use your endpoint management software, for example, to search for the existence of the executables associated with the desktop software used with the mobile devices.
The reality is that this can be a very difficult step; however, its important to manage mobile devices on the corporate network. Advanced controls might include a preventative control such as Network Access Controls that can prevent these devices from connecting to the network. Discuss detective and preventative controls with your administrator. Step 6: Evaluate procedures in place for tracking end user trouble tickets. Failure to establish ownership and tracking of end user issues could result in end users being unable to resolve connectivity problems.
How: End user issues should be tracked through a trouble ticketing system. An
owner for these issues should be assigned and a group should be held responsible for tracking the progress to closure for any tickets opened because of mobile device issues. Discuss these processes with the administrator. Step 7: Ensure that appropriate security policies are in place for your mobile devices. Policies help to ensure compliance with a standard, help with repeatable processes, and allow the company to act against documented company violations.
How: Determine whether mobile device policies exist and whether the
administrator responsible for the mobile devices knows and understands the content of those policies. Determine whether the policies are being followed or what barriers might exist to prevent them from being followed. Finally, ensure that relevant portions of the WLAN policies are communicated to employees that use the wireless network. A few common policy items might include the following:
You must use one of the defined and supported devices. Synchronizing to your local workstation is allowed only with approved managed devices.
When available, antivirus and encryption tools should be used on your handheld device. The password policy for handhelds that access the companys Internet and/or email systems is [defined policy]. After 15 failed password tries, the handheld must be erased automatically. The device must time out after 30 minutes of inactivity. Step 8: Evaluate disaster recovery processes in place to restore mobile device access should a disaster happen. Failure to have appropriate recovery processes in place prevents a timely restoration of mobile e-mail access for users who must have it to conduct company business.
How: Restoring mobile device access may not be at the top of most peoples
list following a critical disaster, but at least be some thought should occur around and procedures in place to facilitate this process. Discuss this with the administrator, and ensure that the recovery processes are in line with the expectations and standards of other recovery processes in the company. Depending on the use of mobile e-mail, this may be a critical component, such as with a large mobile sales force that depends on wireless mobile e-mail to conduct business and close deals efficiently. Other environments, such as those that use wireless e-mail to supplement existing and working wired infrastructures, may not view this as very important. This is a business risk that should be evaluated and measured appropriately when you review the mobile device security policies and BC/DR processes. Step 9: Evaluate whether effective change management processes exist. Change management processes help track and provide controlled changes to the environment. Controlled environments are more secure and have less impact on user productivity.
How: Measures should exist to manage the service life cycle of the mobile
devices managed by your company and the accounts associated with those devices. Discuss this with the administrator, and look for records supporting his or her statements. Walk through a recent provisioning and deprovisioning process with the administrator.