10 Best Practices for Mobile Device Security
As the rate of mobile device adoption continues to spike and the sophistication of these devices advances, users are becoming more efficient road warriors than ever. Unfortunately, they’re also introducing a lot of risk into the IT equation. The more capable these devices are of helping users access and manipulate data, the more capable they are of being used by hackers to do the same.
“Think about what resources these people have access to from the phones,” says Tom Cross, security researcher for IBM ISS X-Force. “These folks will have VPN clients where you can get into the corporate intranet, and there have been cases in the past where people have actually written back doors that will run on the phone that allow a bad guy to connect from the Internet through the phone into your internal network. That is a risk you want to manage.”
Sadly, though, many organizations these days not only fail to manage their mobile security risks, they don’t even manage mobile devices. Organizations need better control over the devices that connect to their networks if they want to keep a tight rein on corporate data, Cross says. This means taking a proactive role over mobile devices and getting the organization to sponsor the purchase of a uniform set of devices within the enterprise.
“It is absolutely our view that you should manage these devices,” Cross says.
Paul DeBeasi of Burton Group’s network and telecom strategies group says that organizations may not even need special security technology to mitigate mobile device risk to an acceptable level. Most of the time it is a matter of starting out with consistent policy development and enforcement, he says.
The following is a list of suggestions from Cross and DeBeasi to start managing mobility effectively.
1. Choose Devices Carefully
Not all devices are created equal when it comes to security. For example, iPods are built for general consumers, who are not as concerned with security, and are therefore less inherently secure than a BlackBerry device designed for enterprise users.
“The degree to which IT managers can control security on mobile devices is highly dependent upon the vendor that they select,” DeBeasi says. “You should try to get mobile devices that have the best possible control and security on them and then use those mechanisms and it will go a long way to locking down those mobile devices.”
2. Turn On Encryption
Once you choose devices with stronger security controls, use those controls! DeBeasi says that many organizations do not enforce or even set policies mandating the use of device encryption on mobile devices.
“Many people don't go through the bother of doing the encryption. You always want to be careful and you always want to have a level of paranoia about what happens to your sensitive information,” he says. “Mainstream enterprises need to lock it down and take it seriously like they do with a laptop and be really consistent with their policies and enforce them.”
3. Require Authentication
A survey released by Credant Technologies in September 2008 found that in just a six-month period more than 31,000 New Yorkers left behind mobile devices in a taxicab. The fact of the matter is that these devices are just too easy to lose to go without proper authentication. And yet, most enterprise users don’t use the password function on their devices.
“So imagine, you lose your phone in a cab and the next passenger gets in, opens it up, and then they immediately have access to your device because you didn't put any authentication in there,” DeBeasi says.
He says that it is critical that users be required to turn on device authentication so that lost devices cannot be easily accessed by any person who finds or steals a device.
4. Utilize Remote Wipe Capabilities
Give IT staff the ability to remotely access and disable devices in the event of loss or theft. This could be very handy in a situation where, say, an executive loses his or her device at a conference—along with yearly sales projections and strategies stored within, DeBeasi says. With the remote capability all it would take is a quick call to IT and they’ll take care of it.
5. Set Up a Lost Phone Hotline
It is not good enough simply to have remote wipe capabilities. Organizations also need to have a procedure set for users who have lost their devices. Make it easy for them to call IT to alert staff that a device has been lost by setting up a direct line and publicize the procedure for IT notification in such an event.
“If you're concerned about losing data, make sure your users have a contact point where they can get a hold of you so you can initiate that process to wipe them over the network and make sure that data isn't lost,” Cross says. “They’ll have an incentive to get a hold of you if they want another phone, but it’s useful if they know who to call and that you can immediately start that process.”
6. Control Third-Party Apps
Smartphones are so dangerous because they are essentially miniature computing platforms that can accept any kind of third-party application. Cross recommends limiting the installation of unsigned third-party applications to prevent the bad guys from taking control of your devices.
“It makes sense to limit people’s ability to install arbitrary third-party applications because that is exactly how some of these Trojans will allow a bad guy to connect from the Internet and get back out into your corporate VPN,” Cross says. “That's how they work, they go out and say ‘Here's this cool video game for your BlackBerry! Install this, it’s a lot of fun.’ And people will install it and it will say ‘This isn't signed,’ and they'll say, ‘That's OK.’ And then their phone is now a gateway.”
7. Set Unique Firewall Policies
Enterprises should set up unique firewall policies specifically for traffic coming from smartphones. The way Cross sees it, smartphone users don’t necessarily need access to every bit of data on the network, so it makes sense to limit exposure by only offering access to the types of data they need.
“There's stuff that they need access to, but they probably don't need access to your financial database. It probably doesn't work very well from a phone browser anyway,” he says. “Stuff like that has nothing to do with what people are doing from the phone, so you should firewall it off, and traffic coming from the phone should only go to stuff that people would reasonably want to use.”
8. Use Intrusion Prevention Software
As smartphones become more and more powerful, they’re likely to become another weapon in the hacker toolbox. As a result, it makes sense to have your intrusion prevention software examining traffic coming through mobile devices.
“It’s possible that you could see attacks come in from phones; they're very sophisticated devices,” Cross says. “I mean, you can run Metasploit on an iPhone. So that’s something you need to think about.”
9. Keep an Open Mind About AV
Cross says that he doesn’t necessarily suggest enterprises go out today and buy host-based antivirus software for their smartphones, but he does believe they should be paying attention to advances in mobile device AV. He believes that it may be necessary in the coming years.
“I don't know what the numbers are, but we've obviously seen a tremendous explosion in the sophistication of these devices and the number of these devices that are out there, and I think that that's going to continue,” he says. “It’s my sort of futurist vision that at some time, maybe five or ten years from now, there will actually be more smartphones on the Internet as client devices than there are PCs.”
10. Shore Up Bluetooth
Bluetooth capabilities on today’s smartphones may make it easy to talk on a hands-free headset, but they’re also a target for hackers, who can take advantage of the default always-on, always-discoverable settings to launch attacks. In order to limit your exposure, US-CERT recommends that users disable Bluetooth when it is not actively transmitting information. It also suggests switching Bluetooth devices to hidden (non-discoverable) mode. Organizations can limit exposure by making this company policy.