Mobile devices such as notebooks, personal digital assistants, smartphones and USB storage drives have become ubiquitous in the business world. Companies keep adding these devices to their employees’ arsenals to reap the benefits of enhanced productivity, convenience and mobility. Some jobs today would be impossible without the mobility provided by these devices.
Nevertheless, poorly managed mobile devices greatly increase the potential for security failures and information compromise. Stolen, lost or sold notebooks, BlackBerrys, USB sticks and other devices loaded with sensitive information such as confidential e-mails, customer data and financial figures fall into the wrong hands. The loss of highly sensitive information and the potential associated media scandal is a huge problem in itself, but the impact might be greater — failure to protect certain information can be construed as a violation of business regulations such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act. The consequences range from fines to prison sentences for executives.
Apart from the loss of sensitive information, a stolen or hacked device is one of the easiest ways for malware or a human attacker to infiltrate a company’s internal network.
Unique challenges make it relatively more difficult for companies to secure their mobile device assets than to protect their wired devices. Because of their nature, mobile devices connect not only to the secure internal network but also to insecure external networks. This exposes them to various threats that are not seen in the internal company networks, which normally have multilayered security environments.
Many smaller devices do not contain centralized management features found in most enterprise software. Administrators find it difficult to enforce corporate IT policies on these devices. Normal security-related tasks such as software upgrades and security patch distribution are a nightmare.
Here are some best practices for protecting your mobile assets:
- Educate Users: Naive or misinformed users can bring down elaborate security measures. Hence, user education is one of the most crucial success factors for security setups. Create an IT policy for mobile device use and make sure that it is communicated to all employees who use such devices.
- Use Antivirus Software: Most desktop antivirus vendors now have antivirus software for common mobile platforms. It’s just as important to use a good — and regularly updated — antivirus solution on mobile devices as it is to use it on the desktop. Although the number of traditional viruses and worms targeting mobile devices is still tiny, it could grow into a much bigger problem in the future.
Currently, the real threat comes from so-called crimeware — applications designed to steal personal information or perform some other illegal task that will benefit the perpetrator. Some applications in this category surreptitiously send text messages from infected phones to premium phone numbers. However, the most dangerous applications in this category are probably the ones that are designed to spy on the voice and text communication of a user. A disgruntled employee or a competitor can install these on a device.
- Install a Personal Firewall: As mentioned previously, mobile devices that connect to networks other than the internal company network are exposed to threats that do not penetrate the multilayered security of the internal network. So-called personal firewalls, similar to the ones seen on the desktop, are an effective way to protect against many of these threats. These applications reduce the potential attack surface by restricting access to services available on the devices.
- Patch Religiously: Monitor security patches released by the manufacturers of the software installed on your mobile devices. Just like on the desktop, discovering and installing security patches as soon as possible can significantly reduce the number of security incidents.
- Use Encryption for Data Storage and Transmission: Encrypting the entire disk or other storage is probably the most important thing you can do to prevent the theft of confidential information from a mobile device. An encrypted disk will be the final layer of defense in case a device falls into the wrong hands. Good encryption makes the data inaccessible to illegitimate users. Many commercial software applications do this automatically while remaining completely transparent to the user. Another, albeit weaker, approach is to encrypt individual sensitive files and folders instead of encrypting the entire disk. This tactic can be used in situations where encrypting the entire disk is not an option.
Configure the devices to always use the highest available encryption standard for wireless connections. All connections to the internal company network must be over a virtual private network.
- Manage Connectivity Mechanisms: Turn off Bluetooth when you are not using it. Do the same with other connectivity mechanisms. Use the highest possible security settings for wireless connections.
- Password-Protect the Device: Most devices come with basic password protection for device use. Turn it on. If possible, install third-party applications that implement stronger authorization mechanisms than basic login passwords.
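What a "stronger authorization mechanism" than a bare login password can look like, as an added illustration (not code from the article or from any vendor it names): a device lock that derives the passcode with a slow, salted hash, enforces escalating delays after repeated wrong guesses, and wipes its credential material after a fixed number of consecutive failures. The policy numbers (6-character minimum, delays after 5 failures, wipe after 10) and the fake clock are assumptions made for the example; a real implementation would erase user data or its encryption key at the wipe step.

```python
import hashlib
import hmac
import os
import time

# Policy knobs (assumed values for this illustration, not taken from the article).
MIN_PASSCODE_LEN = 6     # shortest passcode the lock accepts
DELAY_AFTER = 5          # consecutive failures before delays start
BASE_DELAY_SECONDS = 30  # first delay; doubles with every further failure
WIPE_AFTER = 10          # consecutive failures that trigger a local wipe


def passcode_ok(passcode: str) -> bool:
    """Reject passcodes that are too short or made of one repeated character."""
    return len(passcode) >= MIN_PASSCODE_LEN and len(set(passcode)) > 1


def _derive(passcode: str, salt: bytes) -> bytes:
    # Slow, salted derivation: a copied credential store cannot be brute-forced
    # cheaply offline, and no plaintext passcode is ever stored.
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000)


class DeviceLock:
    """Unlock screen with escalating delays and a wipe-after-N-failures policy.
    `clock` is injectable so the behaviour can be exercised without waiting."""

    def __init__(self, passcode: str, clock=time.monotonic):
        if not passcode_ok(passcode):
            raise ValueError("passcode does not meet policy")
        self._salt = os.urandom(16)
        self._digest = _derive(passcode, self._salt)
        self._clock = clock
        self._failures = 0
        self._locked_until = 0.0
        self.wiped = False

    def unlock(self, attempt: str) -> str:
        """Returns one of 'unlocked', 'wrong', 'delayed', 'wiped'."""
        if self.wiped:
            return "wiped"
        now = self._clock()
        if now < self._locked_until:
            # During a delay even the right passcode is refused; this is what
            # makes online guessing slow.
            return "delayed"
        if hmac.compare_digest(_derive(attempt, self._salt), self._digest):
            self._failures = 0
            return "unlocked"
        self._failures += 1
        if self._failures >= WIPE_AFTER:
            # Simulated local wipe: destroy the credential material so the
            # device can never be unlocked again without re-provisioning.
            self._digest = b""
            self.wiped = True
            return "wiped"
        if self._failures >= DELAY_AFTER:
            self._locked_until = now + BASE_DELAY_SECONDS * 2 ** (self._failures - DELAY_AFTER)
        return "wrong"


def run_scenario() -> list:
    """Drive the lock through a guessing campaign with a fake clock and return
    the sequence of outcomes (constructed demonstration input)."""
    fake = {"now": 0.0}
    lock = DeviceLock("482913", clock=lambda: fake["now"])
    out = []
    for _ in range(5):
        out.append(lock.unlock("111111"))   # five failures: delay now active
    out.append(lock.unlock("482913"))       # right passcode, but still delayed
    fake["now"] += 31.0
    out.append(lock.unlock("482913"))       # delay expired: unlocked, counter reset
    for _ in range(10):
        out.append(lock.unlock("999999"))   # ten more failures: device wipes itself
        fake["now"] += 10_000.0
    out.append(lock.unlock("482913"))       # a wiped device refuses even the real passcode
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The two properties worth noting are that the delay applies to correct guesses too (otherwise an attacker could keep trying at full speed and simply wait for the one that works) and that the failure counter resets only on a successful unlock, so a patient guesser cannot evade the wipe threshold by spacing attempts out.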
- Use Physical Locks for Notebooks: Physical locks will prevent miscreants from just picking up your notebooks and walking away with them. Provide physical locks to your employees, and instruct them to use the locks whenever they use the notebooks outside company premises.
- Securely Wipe Devices Before Retiring Them: Confidential information has been recovered from mobile devices sold through online auction sites. Needless to say, most of those cases have been media disasters for the organizations involved. It is not enough to just delete the files before retiring devices — deleted files can be recovered easily. Completely destroying data on a disk so that it is unrecoverable is a difficult job. Use enterprise-grade disk-wiping software for all mobile devices before retiring them.
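The difference between deleting a file and destroying its contents, as an added example (not the article's code or any product's): the file is overwritten in place with random data and flushed to the device before it is truncated and unlinked. The sample document and the temporary file are constructed for the demonstration.

```python
import os
import secrets
import tempfile

# Constructed stand-in for a sensitive document (not real data).
SAMPLE_SECRET = b"Q3 forecast, customer list, board minutes: CONFIDENTIAL\n" * 32
CHUNK = 64 * 1024


def overwrite_file(path: str, passes: int = 3) -> int:
    """Overwrite every byte of the file in place with random data, `passes`
    times, forcing each pass out to the device. Returns bytes overwritten per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(remaining, CHUNK)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())   # do not let the pass sit in the page cache
    return size


def secure_delete(path: str, passes: int = 3) -> int:
    """Overwrite, truncate (so the original length is not left behind in the
    directory entry), then unlink. Returns bytes overwritten per pass."""
    size = overwrite_file(path, passes)
    with open(path, "r+b") as fh:
        fh.truncate(0)
    os.remove(path)
    return size


def run_demo() -> dict:
    """Write the sample to a throwaway file, confirm a normal read still returns
    it, overwrite it, then securely delete it. Returns what happened."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE_SECRET)
    with open(path, "rb") as fh:
        before = fh.read()
    overwritten = overwrite_file(path, passes=1)
    with open(path, "rb") as fh:
        after = fh.read()          # same length, but the plaintext is gone
    secure_delete(path)
    return {
        "size": len(SAMPLE_SECRET),
        "overwritten": overwritten,
        "plaintext_before": before == SAMPLE_SECRET,
        "plaintext_after": after == SAMPLE_SECRET,
        "length_after_overwrite": len(after),
        "still_exists": os.path.exists(path),
    }


if __name__ == "__main__":
    print(run_demo())
```

Overwriting in place is only trustworthy on media that write back to the same physical location. USB sticks, SSDs and smartphone flash remap writes for wear levelling, and journaling or copy-on-write filesystems keep older copies of blocks, so the original bytes can survive this routine. That is why retiring a device calls for whole-device wiping tools, the drive's own sanitize command, or full-disk encryption whose key is destroyed, rather than per-file overwriting alone.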
- Use Software Designed to Recover or Destroy Lost or Stolen Devices: Software applications are available that “phone home” or connect to monitoring services and report their location whenever they are connected to the Internet. Such applications can help in tracking, locating and recovering stolen or lost notebooks.
Some devices have a remote wipe feature that lets you remotely delete all data or perform a hard reset if they are lost or stolen. Research in Motion, the maker of the BlackBerry, for example, provides such a service to businesses.
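Centralized management, mentioned earlier as the thing many small devices lack, is what turns the practices above into something an administrator can actually verify. As an added example (not code from the article or from any management product), the following audit checks a device inventory against those practices: encryption, passcode, personal firewall, patch age, antivirus freshness, Bluetooth left on, and VPN-only access to the internal network. The inventory records, the device ids, the thresholds and the reference date are all constructed for the example; a missing setting is treated as non-compliant rather than assumed fine.

```python
from datetime import date

# Policy thresholds (assumed values for this illustration).
MAX_PATCH_AGE_DAYS = 30
MAX_AV_AGE_DAYS = 7

# Constructed inventory export, as a central management tool might produce it.
# Dates are ISO strings; a missing key means the tool could not determine the
# setting, which the audit treats as a failure (fail closed).
INVENTORY = [
    {"id": "NB-0417", "type": "notebook", "disk_encrypted": True, "passcode_set": True,
     "firewall_on": True, "bluetooth_on": False, "vpn_only": True,
     "last_patch": "2007-09-20", "av_updated": "2007-09-30"},
    {"id": "NB-0522", "type": "notebook", "disk_encrypted": True, "passcode_set": True,
     "firewall_on": False, "bluetooth_on": False, "vpn_only": True,
     "last_patch": "2007-08-01", "av_updated": "2007-09-29"},
    {"id": "PDA-0031", "type": "pda", "passcode_set": True,
     "firewall_on": True, "bluetooth_on": True, "vpn_only": True,
     "last_patch": "2007-09-25", "av_updated": "2007-09-29"},
    {"id": "USB-0099", "type": "usb", "disk_encrypted": True},
    {"id": "CAM-0002", "type": "camera", "disk_encrypted": False},
]
TODAY = date(2007, 10, 1)   # fixed reference date so the audit is reproducible


def _fresh(record, key, max_days, today):
    """True if the dated field exists and is no older than max_days."""
    value = record.get(key)
    if value is None:
        return False
    return (today - date.fromisoformat(value)).days <= max_days


# (control name, device types it applies to, predicate)
CONTROLS = [
    ("encryption", {"notebook", "pda", "smartphone", "usb"},
     lambda r, t: r.get("disk_encrypted") is True),
    ("passcode", {"notebook", "pda", "smartphone"},
     lambda r, t: r.get("passcode_set") is True),
    ("firewall", {"notebook", "pda", "smartphone"},
     lambda r, t: r.get("firewall_on") is True),
    ("patching", {"notebook", "pda", "smartphone"},
     lambda r, t: _fresh(r, "last_patch", MAX_PATCH_AGE_DAYS, t)),
    ("antivirus", {"notebook", "pda", "smartphone"},
     lambda r, t: _fresh(r, "av_updated", MAX_AV_AGE_DAYS, t)),
    ("bluetooth_off", {"notebook", "pda", "smartphone"},
     lambda r, t: r.get("bluetooth_on") is False),   # radio state at check-in time
    ("vpn_only", {"notebook", "pda", "smartphone"},
     lambda r, t: r.get("vpn_only") is True),
]
KNOWN_TYPES = set().union(*(types for _, types, _ in CONTROLS))


def audit(inventory, today):
    """Map each device id to the list of controls it fails (empty = compliant).
    Devices of a type the policy does not cover are flagged, not silently passed."""
    results = {}
    for record in inventory:
        kind = record.get("type")
        if kind not in KNOWN_TYPES:
            results[record["id"]] = ["unknown_device_type"]
            continue
        results[record["id"]] = [name for name, types, check in CONTROLS
                                 if kind in types and not check(record, today)]
    return results


def noncompliant(results):
    """Sorted ids of devices with at least one failed control."""
    return sorted(i for i, failed in results.items() if failed)


if __name__ == "__main__":
    for device_id, failed in audit(INVENTORY, TODAY).items():
        print(device_id, "OK" if not failed else "FAIL: " + ", ".join(failed))
```

Run against the sample, the notebook with the firewall switched off and a two-month-old patch level, the PDA whose encryption state the tool could not read and whose Bluetooth radio was on at check-in, and the unrecognized camera all come out non-compliant, while the encrypted USB stick passes because only the encryption control applies to it.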
• Does your company have a comprehensive IT policy for mobile device usage? Is it communicated clearly to all the employees?
• Does your IT department have a mechanism to centrally manage and take inventory of your mobile assets?
• Does your IT policy make it mandatory for the storage media on all mobile devices to be encrypted?
S.G. Masood is a Web security researcher for F-Secure (www.f-secure.com), a network security services provider with headquarters in Helsinki, Finland.