MOBILE
Mobility and security: two sides of the same coin
Mathieu Gorge, Vigitrust

There is incredible pressure on all of us within the corporate world to work faster and smarter. Information is power, and one needs to have access to key information at all times. With the advent of email technology in the last decade, organizations have been able to ensure that key information is available to mobile staff on the road, whether they are travelling or actually on customer sites. Staff now have external access to many applications, and remote access goes far beyond “email anywhere” solutions. We are now able to access back-end applications within corporate networks from Personal Digital Assistants (PDAs), and we can also store as much information on a memory stick as we could on a high-end laptop 10 years ago. As usual with security, whilst functionality has been greatly enhanced, the risks of abuse and attack have increased. So what do CEOs, CIOs and CSOs need to pay attention to regarding the un-wired corporate communication tools they give to their mobile staff? How does an organization pro-actively address the risks posed by its mobile staff? Is mobility a death trap for security strategies, or can we rely on best practice security principles to address the increased risk levels?
What do executives need to be worried about as regards mobile technology risks?
It is important for executives to put themselves in the shoes of mobile workers and take a user’s perspective in order to understand why mobile users may be more focused on the additional functionality they are given than on the risks this functionality brings to the organization. The typical road warrior is someone who is always on the go and works fast. They need to be in touch with customers, colleagues and suppliers at all times.
Access to data from mobile devices: What are the key risks?
Mobile staff have to travel a great deal and may often be operating in environments where they cannot access the data and/or systems that are critical for carrying out their daily duties. They might find themselves on a long-haul flight for 12 hours or in an area where broadband and wireless access is scarce. Therefore, mobile workers have a tendency to download confidential data to their laptop or PDA. They may also store data on memory sticks, making maximum use of every portable storage device (PSD) available to ensure that they can still work on key customer projects even if they do not have access to email or to other mission-critical applications. This is a major issue, as confidential or highly confidential data might be stored on unprotected and unencrypted devices. Moreover, the organization might not be aware that this data has been copied onto mobile devices and may therefore not be aware of the risks it is facing. This would constitute a breach of security if the corporate communication tools usage policy states that no confidential data may be stored on PSDs unless it is encrypted.
Legislation
Data is key to the organization and needs to be appropriately protected. This is stated clearly in the Irish Data Protection Act and in the UK Data Protection Act, as well as in many other legal acts and security standards. It is worth noting that legislation is trying to push organizations to address these issues pro-actively. For instance, HIPAA in the US (Health Insurance Portability and Accountability Act) covers the protection of patient records containing identifiable health information. SB 1386 in California (US) forces organizations to publicize any security breach involving the disclosure of residents’ personal information. In France, the “Loi sur la Sécurité Financière” is taking similar steps to control confidential data transfer, storage and transmission. The Payment Card Industry standard (PCI) also addresses the storage and transmission of credit card information and puts emphasis on the fact that appropriate security measures should be taken so that this data cannot be copied, transmitted or accessed by unauthorized staff, which clearly applies to the removable data storage devices commonly used by mobile workers. Mobile device security is therefore an integral part of the compliance agenda, and management must include mobility in the overall security strategy. Security experts foresee a rise in the number of high-profile cases such as the Department of Veterans Affairs scandal in the US, in which the personal details (including Social Security Numbers) of millions of veterans held by the department were exposed to third parties. In the last two years a number of cases involving the loss or theft of corporate resources (including laptops and PDAs) have already hit the headlines, involving household names such as ING, Deloitte and Fidelity Investments (“Laptop Hall of Shame”, http://www.forbes.com/columnists/2006/09/06/laptops-hall-of-shame-cx_res_0907laptops.html). In every case the mobile device was either stolen or lost, and it then transpired that it contained the personal details of the organization’s employees or end users.
Industry security working groups are also worried that this might only be the tip of the iceberg and that many such incidents go unreported. Either way, organizations need to be aware of the risks and of their legal obligations, and need to take appropriate action.
Physical security of mobile devices – frightening security concerns
It is very obvious that there is no point in having state-of-the-art logical (or IT) security if everyone can physically access the device or network you are trying to protect. Yet in the case of tools such as laptops, memory sticks and PDAs this rule seems to be overlooked. In fact, some devices have a tendency to “disappear”. Employees will willingly tell you on a Friday that they actually lost their corporate PDA the previous Monday and, when challenged as to why they did not report it missing to the IT department, security staff are very likely to get an answer along the lines of “Don’t worry about it! I was still able to get my mail using my laptop”. The next comment will more than likely be “How soon can I get a new PDA though? It is handier than a laptop!”. The fact that confidential data has been lost and may fall into the wrong hands does not come into the equation, which highlights the lack of user awareness.
Airport auctions
A few statistics easily support this argument. It was made public in August 2006 that Heathrow Airport, UK, one of the busiest business airports in the world, now auctions lost, unclaimed laptops on a regular basis. Moreover, the airport administration reports that only about 10% of lost laptops are ever claimed. This is apparently because it is easier to claim the value of the laptop from your insurance than to trace back in which area of the airport it was lost and arrange to have it searched for, found and collected. For a few hundred British pounds anyone is therefore welcome to purchase an unclaimed laptop along with its carry case and all its contents. This means that the new owner will have access to the data that is on the laptop and to the material kept around the laptop which, in some cases, may contain vital clues as to what the passwords might be. Failing that, one can always attempt to break the password, although realistically not everyone will be able to break passwords.
However, bearing in mind that password cracking utilities are available for very little on the Internet, this might be tempting for would-be hackers. Stolen laptops may be traced if they are fitted with the appropriate technology. However, this is not common practice, as it is an additional cost and means that an additional IT system has to be supported. It does, however, allow stolen goods to be traced, as was the case with a laptop stolen from EuroTechnix, the victim of a raid in which hardware was stolen and a Tablet PC eventually found its way to Nigeria (http://www.theregister.co.uk/2003/02/07/on_the_trail/). According to Gartner some 250,000 laptops are lost in the US every year. A survey conducted by Vontu and the Ponemon Institute LLC found that in 2006, 81% of respondents (major organizations in the US, Europe, Canada and Asia) stated that their firm had lost laptops; the corresponding figures for PDAs and USB memory keys containing confidential business information were 60% and 53% respectively. Based on these alarming statistics it is clear that organizations are not pro-active about protecting their physical mobile communication assets and have not seen the link between the loss or theft of mobile systems and the data leakage that results from what is known in the industry as “loss of control” over the mobile device.
Security concerns – technical perspective on mobility devices
From a technical standpoint mobile devices have always been an issue in terms of administration and security. The corporate perimeter, which in the past was clearly defined and protected by gateway defences such as firewalls and corporate Intrusion Detection Systems (IDS), is no more. It now extends to a fleet of desktops and to every single handheld device that may contain sensitive data. Moreover, the fact that these devices can be used to access corporate network applications such as email, CRM, financial and ERP packages and custom applications often requires IT administrators to open up ports in the corporate gateway firewall. The extra ports add to the monitoring and reporting requirements around this type of access, which can be used as a “back door” into the corporate system unless properly secured via encrypted channels and strong authentication mechanisms. The challenge is daunting. In a world where corporate governance and compliance have become top-priority items on the management board’s agenda, IT administrators and technical staff now have to remotely manage, control and update devices that may only be visible and/or accessible at very irregular intervals. In addition, the multiplication of unmanaged end points increases the risk of attacks against the organization, while the risk of data leakage grows yet again. To complicate matters, Bluetooth and IrDA beaming connections also create new technical risks. Most attacks to date are considered to be proofs of concept, showing that these communication channels are indeed dangerous and may be exploited at a later stage. But the security industry is indeed concerned about concepts such as Bluejacking, described as follows: “the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs or laptop computers, sending a vCard which typically contains a message in the name field (i.e. for bluedating or bluechat) to another bluetooth enabled device via the OBEX protocol” (www.wikipedia.org). More dangerously, experts are also worried about Bluesnarfing, the theft of information over a Bluetooth connection between, for instance, a laptop and a PDA, which allows attackers to reach into the calendar, files and emails on the other party’s device. Furthermore, handheld devices with an embedded browser also give users access to instant messaging, yet another channel that has to be secured.
Best practice advice:
• Authenticate
• Encrypt
• Discover all devices
• Protect against viruses and spyware
Focus on security issues surrounding PDA data storage capabilities
PDA devices can store very large amounts of data. It is important to understand where and how this data is stored. There are three main types of data storage available on these devices: persistent memory, external storage (i.e. flash memory cards) and internal RAM. Each of these types of memory presents a significant security challenge for the organization. The following best practice recommendations should be considered as corrective action.
1 Internal RAM: sensitive data that is in use, and therefore decrypted, must be held only in this volatile part of memory, so that it does not survive a loss of power or a reset.
2 Persistent memory: this part of memory keeps its contents in the event of a loss of power, which eliminates the need for reinstallation should the power go out while the device is not shut down properly. PDA administrators/owners should install required business applications in this section of memory, as long as no sensitive data is stored in the program directories.
3 External memory: external memory is only to be used for data that carries no security risk (data not classified as confidential or highly confidential under the asset classification policy in place). Only if the data is encrypted according to the encryption policy requirements may this section of memory be used to store more sensitive information.
Best practice advice and other considerations for the security of mobility devices:
Successful security strategies are always based on a mixture of policies, technical solutions and user awareness. Moreover, when addressing the security challenges associated with mobility devices, CSOs must ensure that they look at the physical security aspects as well as the logical security covering data security and how the device connects back to the network. In addition, the operational issues surrounding the deployment, support and retirement of mobility devices also need to be taken into account. The first step is therefore to develop and disseminate a set of policies addressing the security concerns over the roll-out of mobility devices. These policies will set out who is to be given the use of unwired devices such as laptops, PDAs and USB keys. They will also link into the organization’s fixed assets register (or any other asset classification and management policy) and be clearly associated with the overall standard corporate communication tools policy, which governs what constitutes safe and acceptable usage of business resources. In consideration of the additional security risks linked to mobility devices it is also essential to have a teleworking policy to give “road warriors” clear guidance as to how to use such tools.

(Photo caption: Getting control of mobile worker security can seem out of reach)
Device discovery
Then comes the issue of device discovery. It is obviously easier to manage a controlled environment, and to that effect no unapproved mobility devices should be in use by employees. This includes personal devices used to carry out business. It is not best practice to allow staff to use their personal PDAs on the corporate network, notwithstanding the legal issues this may bring for non-compliance with Data Protection legislation. There are solutions allowing organizations to work from a white list of devices permitted to run on or to connect to the corporate network (SecureWave is one of the best-of-breed solutions to consider, www.securewave.com).
Authentication
In terms of authentication, organizations must ensure that all devices (including PDAs) require user authentication on starting or resuming work. As usual a strong password policy is required, although it is best practice to implement two-factor strong authentication (such as Vasco, www.vasco.com), which will also work with most handheld devices and therefore adds a further layer of security both for authentication to the device and for authentication back to the network via the mobile device.
Encryption
Next item on the security checklist for mobility devices is encryption. Many solutions on the market allow for PDA and laptop encryption, but also for PSD encryption. This should be mandatory as part of the mobility roll-out. Some solutions are more granular than others and allow encryption of part of the drive or of the whole drive. Some solutions allow users to use the same software to encrypt data on a laptop and on USB memory keys. As with any encryption solution, organizations should be mindful to choose a vendor offering a high standard of support (SafeBoot and WinMagic provide such solutions, www.safeboot.com & www.winmagic.com). In terms of PDAs and smartphones, organizations can choose a solution that blocks the device after three failed authentication attempts (perhaps also offering a way for users to be prompted with a customized Q&A challenge to re-authenticate) and that allows administrators to remotely wipe the data on the device. By the same token, these solutions must allow for quick back-up and re-installation. Windows-based mobility solutions and BlackBerry solutions provide such features. Generally speaking it is also recommended that organizations standardize on the makes and models of mobility solutions to be rolled out. This makes it easier to track and manage assets and simplifies the technical security structure, as administrators can concentrate on becoming security champions for a more targeted list of vendors.
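The lockout, Q&A recovery and remote-wipe behaviour described above is strongest when it is built on top of the encryption rather than bolted on beside it. The Python sketch below is an added example written for this edit; it is not code from the original article nor from any of the vendor products named here. The Device class, its method names, the three-strike limit and the HMAC-SHA256 counter-mode stream cipher standing in for AES are all assumptions of the example. The data-encryption key (DEK) exists only in wrapped form, once under a PIN-derived key and once under a recovery-answer-derived key; a wrong PIN is detected by the wrap tag and counted; three failures lock the device until the recovery answer is supplied; and a remote wipe destroys both wrapped copies of the DEK, so the stored ciphertext becomes unrecoverable even if the thief later learns the PIN.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 3            # lock the device after three failed PIN entries
PBKDF2_ITERATIONS = 100_000


def _derive_key(secret: str, salt: bytes) -> bytes:
    """Stretch a short PIN or recovery answer into a key-encryption key."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode, a stand-in stream cipher (assumption: the
    standard library has no AES; a real deployment would use an AEAD cipher)."""
    out = bytearray()
    for ctr, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)


def _wrap(kek: bytes, dek: bytes) -> tuple:
    """Encrypt the DEK under a key-encryption key and tag it, so that a wrong
    PIN is detected by the tag instead of silently yielding a garbage key."""
    nonce = os.urandom(16)
    ct = _xor_stream(kek, nonce, dek)
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def _unwrap(kek: bytes, blob: tuple):
    nonce, ct, tag = blob
    expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor_stream(kek, nonce, ct)


class Device:
    """Hypothetical PDA: PIN unlock, three-strike lockout, Q&A recovery, remote wipe."""

    def __init__(self, pin: str, recovery_answer: str):
        self.salt = os.urandom(16)
        dek = os.urandom(32)                      # random data-encryption key
        # The DEK is stored only in wrapped form: once under the PIN and once
        # under the recovery answer (the customised Q&A challenge of the text).
        self.pin_blob = _wrap(_derive_key(pin, self.salt), dek)
        self.recovery_blob = _wrap(_derive_key(recovery_answer, self.salt), dek)
        self.storage = {}                         # persistent: name -> (nonce, ciphertext)
        self.failed = 0
        self.locked_out = False
        self.wiped = False
        self._dek = None                          # decrypted key lives in RAM only

    def unlock(self, pin: str) -> bool:
        if self.wiped or self.locked_out:
            return False                          # the correct PIN no longer helps
        dek = _unwrap(_derive_key(pin, self.salt), self.pin_blob)
        if dek is None:
            self.failed += 1
            self.locked_out = self.failed >= MAX_ATTEMPTS
            return False
        self.failed, self._dek = 0, dek
        return True

    def lock(self) -> None:
        self._dek = None                          # drop the decrypted key from RAM

    def store(self, name: str, plaintext: bytes) -> bool:
        if self._dek is None:
            return False
        nonce = os.urandom(16)
        self.storage[name] = (nonce, _xor_stream(self._dek, nonce, plaintext))
        return True

    def read(self, name: str):
        if self._dek is None or name not in self.storage:
            return None
        nonce, ct = self.storage[name]
        return _xor_stream(self._dek, nonce, ct)

    def recover(self, answer: str, new_pin: str) -> bool:
        """Clear a lockout and set a new PIN, given the recovery answer."""
        if self.wiped:
            return False
        dek = _unwrap(_derive_key(answer, self.salt), self.recovery_blob)
        if dek is None:
            return False
        self.pin_blob = _wrap(_derive_key(new_pin, self.salt), dek)
        self.failed, self.locked_out = 0, False
        return True

    def remote_wipe(self) -> None:
        """Administrator-issued wipe: with every copy of the DEK gone, the
        ciphertext left in storage (or on a memory card) is unrecoverable."""
        self.pin_blob = self.recovery_blob = None
        self._dek = None
        self.wiped = True
```

The point a practitioner should take from it is the last method: a remote wipe that deletes files one by one is racing the thief, whereas destroying the key is instant and complete, and the same crypto-erase covers an external memory card as long as the card is encrypted under the same DEK. Note also that `lock()` only clears the key held in RAM, which is exactly the separation between volatile and persistent memory recommended for PDAs above.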
Viruses and spyware
In terms of anti-virus and anti-spyware, most vendors do provide solutions for mobile devices, including handhelds (www.sophos.com & www.trendmicro.com). Administrators may also consider solutions allowing some additional level of network access control by deploying network solutions that scan machines that have been “invisible” to the network for a while. Such machines can then be isolated in a quarantine area where they only have access to the patches and updates they need to install on the local device before being granted access to the corporate applications. It is of course vital that technical staff are trained in how to deploy, manage and retire mobility devices. This should be part of a clearly defined roll-out plan to ensure that the initial deployment of the mobility solution is successful. It will also greatly minimize support issues and recovery operations should devices need to be replaced and a user need to be fully set up again.
A lost and stolen item policy should be in place to allow users of mobility solutions to escalate the loss or theft of their device(s) almost in real time. Back on the corporate network, administrators will then be in a position to revoke the credentials for remote access from the mobile device and issue temporary credentials so that users can resume work with the least disruption possible. This may need to be coupled with a replacement policy agreed with key suppliers, who will ensure prompt replacement of mission-critical business tools. It is also best practice to hold interviews with users who have lost mobile devices or have been victims of theft. This can help deal with internal “fraud” and will also help increase security levels. It is also recommended to provide additional dedicated awareness training to all staff using mobility devices and to ensure that acceptable usage policies are communicated to all staff. Finally, managers are advised to keep in close contact with mobile workers so that they do not feel isolated, keep in touch with the corporate “feel” and therefore align themselves with the corporate security standards in place.
Summary:
Mobility solutions are business enablers and help users work smarter and faster. It is likely that more and more employees will have access to mobility devices such as laptops, PDAs and USB memory keys in the future. The security challenge for CSOs and other executives is significant. Physical security threats as well as technical security dangers make the use of mobility solutions an additional significant security risk for organizations. However, best practice security strategies will help mitigate this risk so that organizations can focus on the value added by mobility solutions. Carefully deploying the devices, coupled with associated security policies for both users and administrators and with the implementation and support of best-of-breed technical solutions to protect access to the devices (and to the corporate network they allow users to connect to), is key. User awareness nevertheless remains essential, as mobility devices are easily forgotten or stolen together with the data they contain. The technology required for protection at a technical level exists; it is now up to organizations to deploy it and to take the right steps to increase user awareness, enabling them to make the most of mobility solutions to improve their business practices.
Recommended reading:
• www.blackberry.com – The CIO’s Guide to Mobile Security
• www.hp.com/go/mobilityandwireless
• www.vigitrust.com
• www.good.com – Mobile Device Security White Paper 2006
• http://www.vontu.com/uploadedFiles/global/Ponemon-Vontu_US_SurveyData_at-Risk.pdf – US Survey – Confidential Data At Risk
• http://www.microsoft.com/windowsmobile – Overview of Microsoft Mobile Solutions
• http://www.theregister.co.uk/2003/02/07/on_the_trail/ – Stolen Tablet PC finds its way to Nigeria