AKIBIA'S PRACTICAL GUIDE TO ENTERPRISE TECHNOLOGY
Friday, April 06, 2012
SecureWorld 2012 – Security of Mobile Devices
The SecureWorld Expo in Boston hosted a number of industry speakers, among them six whose session titles indicated a focus on the security of mobile or smart devices, illustrating the current concern and interest in this area. Three primary messages were expressed in these sessions:
1. Mobile devices such as smartphones and tablets represent a risk to an organization’s data and environment
2. Mobile devices have different security concerns than devices physically attached to an organization’s network
3. Mobile devices have vulnerabilities, for which many exploits have been developed and deployed
Many attendees were probably disappointed when an easy turn-key solution was not provided for these issues. Some left with the impression that “no one knows how to properly manage security of these devices.” Is it really that bad? Well, for organizations that can respond and adapt, no. What that means is that the use of these devices requires new methods of evaluating and managing security. There are features, products, and services available right now that can help, but the solutions are not as automatic, convenient, and comfortable as those that are commonly deployed for servers and workstations. Since there is money to be made creating solutions that offer these additional benefits, those will come soon. What can we do now?
1. Leverage existing policies and procedures. Expand policies and procedures as required.
2. Provide user training for security measures that cannot be applied and enforced automatically, such as:
• Password authentication
• Idle timeout/autolock
• Disabling auto connect to Wi-Fi networks, especially open/public networks
3. Provide user training regarding downloading applications, clicking links in emails or on websites, opening email (especially from personal accounts), and opening email attachments.
4. Use available anti-virus solutions. McAfee, Kaspersky, Trend Micro, and others provide appropriate solutions.
5. Update the devices frequently. If automatic updating is available, ensure that it is enabled; if not, educate users on how to update and send reminders to do so on a periodic basis.
6. Use encryption products to secure stored data. McAfee, Kaspersky, Trend Micro, and others provide solutions for various devices and operating systems.
7. Provide a means for users to report lost or stolen devices, such as a hotline to a call center or IT help desk.
8. Develop a method to remotely wipe all data from lost or stolen devices.
9. Control access to the internal network, resources, and data. Consider:
• Limiting mobile devices to email and calendar access
• Prohibiting mobile devices from connecting to a corporate Wi-Fi network or LAN
• Limiting mobile devices to VPN access to the corporate network
10. Develop a policy and process for secure disposal (wipe/sanitize or destroy) of mobile devices.
Using the measures described above will provide immediate security, help with compliance, and give IT staff members and users peace of mind. Continue to look for new solutions that automate security and integrate with existing systems.