Five reasons to re-evaluate your mobile security policy
Part II of a two-part series
RISK BULLETIN |
Mobile devices are integrated into most organizations today. They are typically classified as smartphones, tablets and now with the large screens on the latest smartphones the term "phablets" has been coined. They're carried everywhere, connected to the Internet 24 hours per day, running applications that have been installed by the users and 5 percent of these mobile devices were lost in 20131.
As a matter of fact, today's mobile devices are so complex that an iPhone costing $200 today replaces 13 separate devices listed in a 1991 Radio Shack advertisement costing over $5,0002.
In an article titled re-evaluating your mobile security policy, written in 2013 by Soren Burkhart, a principal with RSM, he indicated that there are five items that organizations should include in their mobile device security plans:
- Does your company have a "bring your own device" (BYOD) policy? Are you aware of all the risks that may be associated with it?
- What types of mobile security measures are being implemented to secure mobile devices at your company?
- If you have mobile applications at your company, has anybody reviewed and checked them?
- What is your company doing about the cloud, and how has your data been secured?
- How often do you train your users about security?
All the items Mr. Burkhart identified above are important. However, the focus of this article will be on only a couple of the items and some of the detailed security actions that can be taken.
We will first begin with the BYOD policy. Most BYOD policies should cover, at a minimum, the following topics to adequately address the risk to the organization and to the customers (Note, since a policy should be unique to the organization, there could be more items due to specific requirements within the organization):
- The policy should address what information can be stored on the mobile devices and also identify what controls will be enforced on the device to ensure that the information is secured. Generally, the primary threats to confidential information are the loss or theft of the device, but also consider threats similar to what we see on desktops, including viruses, malware or malicious users.
The actual types of information that can or cannot be stored on the device can be tied back to the organization's information classifications policy, which should define sensitive and confidential information and provide guidance for protecting, transmitting and destroying that data.
- Normally, the policy should also identify types of mobile devices permitted. Typical mobile devices considered in the policy include laptops, netbooks, smartphones, tablets, personal wireless hotspots, MiFi, USB storage (thumb drives and disk drives) and possibly others not thought of.
As shown in the list above, a BYOD program can become very complex very quickly when you consider the number of types of devices and the fact that the devices may each require some unique solutions to secure the information on them.
- Is there an approved or unapproved application list indicating which applications can and cannot be installed on the BYOD device? Generally, most organizations we have worked with do not attempt to list the applications by name, but by category.
An example would be to identify the categories on unapproved applications that should not be installed, such as security scanners or adult content, etc., similar in many ways to content filters for Internet browsing.
- Does the policy identify whether the organization uses a mobile device management (MDM) system and if the BYOD user is required to install the MDM system on their device?
- The policy should identify whether or not the BYOD users will be required to implement a PIN to sign onto their devices and what the minimum length of the PIN is, as well as the amount of time before the screen locks and the user must re-enter their PIN. (Normally, we see the PIN required equal to yes, six characters and five or 10 minutes before lockout.)
The next item to discuss is the security measures taken to secure mobile devices in the organization. Security measures can be a bit of a usability versus security issue, and most organizations use an MDM solution to implement the security settings. MDM systems (i.e., MobileIron, AirWatch, MaaS360, etc.) provide management capabilities ranging from locating devices, monitoring installed applications, remote wiping of devices, automated configuration parameter settings, plus others. The parameter setting feature is useful when you consider that there are at least 46 unique settings in Apple iOS and Google Android has over 36 settings3.
More general configuration guidelines can be found in the National Institute of Standards and Technology (NIST) Special Publication 800-124.
The third item on the list, application review, entails reviewing the mobile applications used in the organization from a security perspective. Many times, the custom applications are developed to meet functionality requirements within a set budget and security does not get the priority focus it should. Applications developed for the organization should be reviewed from a security perspective to identify whether they suffer from vulnerabilities that may lead to the leakage of confidential data or even leading to a compromise of the mobile device itself.
Other applications on mobile devices may also be vulnerable and subject the device to the risk of data loss or compromise. Common applications installed by users that often contain vulnerabilities include browsers, third-party document viewers, trip booking applications and others.
The fourth item on the list focuses on the use of information clouds by our mobile device users. As cloud providers serving the mobile devices continue to offer more and more services, we need to be aware of the ways in which our information can be accidentally shared, copied or extended to the cloud. In security communities, this inadvertent copying or storing of sensitive information in the cloud is called "incidental" cloud use.
A common example of incidental cloud usage involves the use of note-taking software on the mobile devices—most commonly tablets. During the installation of the free note-taking software, the user is often presented with the option of backing up their notes, so they will not lose them. If a nonattentive user selects "OK" (Isn't OK always the right answer?) whenever they create a document to save notes during a meeting or other event, their document is automatically backed up or copied to the note-taking software developers cloud. No vendor due diligence or similar process has taken place, but the organization now has a new cloud provider where customer data or other sensitive information could be stored and ultimately leaked.
Other examples of cloud providers that mobile device users access are through the installation of applications such as photo sharing sites, social networking sites, Snap-Chat and others. The risks related to cloud usage can be easily controlled by using an MDM system that limits the users' ability to install applications that utilize these cloud services. Some MDMs may not allow an organization to restrict the installation of an application, but they can remove the applications when they are detected as installed.
Finally, and most would agree, the largest threat to an organization's security is the users themselves; they are susceptible to many threats to an organization's information security.
Common user missteps:
- They forget or abandon their devices during travel. (How many times have you read stories about unclaimed laptops and other devices left at airports?)
- They misplace their devices (especially smartphones) and the devices may be found by others who might be curious as to what information is on them.
- They open text messages coming from unknown parties that contain a URL and point their browser to the URL in order to determine the source of the messages
- They are constantly checking for Wi-Fi now that most carriers have dropped their unlimited data plans and some of these free Wi-Fi networks are traps. A pineapple (Wi-Fi devices planted by "hackers") is used to learn Wi-Fi keys or perform man-in-the middle attacks or worse, and have been found all over the country at airports, coffee shops and other similar locations.
- If policy dictates that a PIN needs to be in place, they will generally disable the PIN if it is not enforced through an MDM or similar solution. Or the users could become one of the 26 percent of users who use a simple PIN4, like 1234, 1111, 5683 (LOVE), etc.
- The devices are easily stolen as they are small, light and when you walk through a coffee shop, restaurant and other public areas, not well guarded.
Users need to be trained and taught about the risks to themselves and the organization when using mobile devices in public. Generally, annual training should be required and supplemented when possible through organization-wide alerts and emails. Like most training, it needs to be repeated and offered in various forms to ensure that all users are taking the appropriate precautions through their actions to protect their mobile devices.
One last item regarding mobile security that was not mentioned in Mr. Burkhart's article and, until 2013, was not adequately addressed, is how to validate that BYODs (or company-issued devices) comply with company requirements and do not contain application or operating system vulnerabilities. Generally, mobile devices are not connected to the organization's networks, so testing or scanning them for vulnerabilities has always been problematic.
There is now at least one tool that permits the testing of mobile devices whether they are on Wi-Fi, cellular networks or around the world. Last year, IscanOnline released their mobile device testing solution that allows the testing of mobile devices (smartphones, tablets, Android and iOS, as well as Windows Mobile). The way it works is that the devices load an application. The organization is then sent a key, and the user executes the test. The testing occurs on the device, and only the results are sent to the management system so that the audit department or IT can review the results and make changes as needed to the devices.
Tenable Nessus takes a different approach in that their solution interrogates the MDM component (Microsoft ActiveSync, for instance) and uses the information collected by ActiveSync to identify security issues with devices from a configuration and vulnerability perspective. There are likely other solutions similar to Tenable Nessus' approach and we believe we can expect to see more validation tools and technology in the near future to catch up with the growth of mobile devices in organizations.
As can be seen in the above discussion items, there is a lot to consider when developing a mobile device security plan. The policy needs to be inclusive enough to be useful while also not being so large as to be cumbersome. In addition to traditional risk management techniques and security awareness messages, a host of new factors (such as complex configuration parameters, multiple operating system platforms and mobile application security) require careful consideration. For being so small, portable and simple to operate, mobile devices can have a significant impact on security.
For further information, please contact Loras Even, principal, security and privacy, RSM LLP.
1 IscanOnline, Inc.
2 trendingbuffalo.com (original source although this article has been grabbed and re-printed many times)
3 Center for Information Security Benchmarks