SY0-501 Section 4.2- Summarize mobile security concepts and technologies.
Mobile devices, such as laptops, tablet computers, and smartphones, provide security challenges above those of desktop workstations, servers, and such in that they leave the office and this increases the odds of their theft. In 2010, AvMed Health Plans, a Florida-based company, had two laptop computers stolen. Together, over one million personal customer records were on those computers, and this is but one of many similar stories that happen on a regular basis.
At a bare minimum, the following security measures should be in place on mobile devices:
Screen Lock The display should be configured to time out after a short period of inactivity and the screen locked with a password. To be able to access the system again, the user must provide the password. After a certain number of attempts, the user should not be allowed to attempt any additional logons; this is called lockout.
Strong Password Passwords are always important, but even more so when you consider that the device could be stolen and in the possession of someone who has unlimited access and time to try various values.
Device Encryption Data should be encrypted on the device so that if it does fall into the wrong hands, it cannot be accessed in a usable form without the correct passwords.
Remote Wipe/Sanitation Many programs, such as Microsoft Exchange Server 2010 or Google Apps, allow you to send a command to a phone that will remotely clear the data on that phone. This process is known as a remote wipe, and it is intended to be used if the phone is stolen or going to another user.
Voice Encryption Voice encryption can be used with mobile phones and similar devices to encrypt transmissions. This is intended to keep the conversation secure and works by adding cryptography to the digitized conversation.
GPS Tracking Should a device be stolen, GPS (Global Positioning System) tracking can be used to identify its location and allow authorities to find it. Note that removable storage can circumvent GPS. For example, if a device has GPS tracking but it also has removable storage, a thief can simply remove the data they want and leave the device.
Application Control Application control is primarily concerned with controlling what applications are installed on the mobile device. Most viruses that are found on Android phones stem from bad applications being installed. Related to application control is disabling unused services. If you do not need a service, turn it off.
Storage Segmentation By segmenting a mobile device’s storage you can keep work data separate from personal or operating system data. You can even implement whole device encryption or just encrypt the confidential data.
Asset Tracking You must have a method of asset tracking. It can be as simple as a serial number etched in the device or as complex as a GPS locator. Related to this is inventory control. A complete and accurate list of all devices is an integral part of mobile device management.
Device Access Control Device access control, in this context, refers to controlling who in the organization has a mobile device. Not every employee should have one. Limiting access to such devices reduces risk.
There are a number of issues to be cognizant of when it t comes to application security.
Key management is an area of importance that is continuing to grow as PKI services increase and expand to mobile.
Credential Management Credentials allow usernames and passwords to be stored in one location and then used to access websites and other computers. Newer versions of Windows include Credential Manager (beneath the Control Panel) to simplify management.
Authentication Authentication has always been an issue, but now that mobile is expanding and the need for authentication with applications associate with it has grown, the issue has become even more important. Users should be taught best practices and should never configure any application to automatically log them in.
Geo-Tagging Geo-tagging (usually written as GeoTagging) allows GPS coordinates (latitude, longitude, etc.) to accompany a file such as an image. This is a common practice with pictures taken using a smartphone or digital camera. While it can be useful if you are trying to remember details of a family vacation, it can also raise security concerns in a business environment. As an example, suppose a picture is taken of your server room and posted—the geotagged information accompanying it would allow anyone to know the precise location of your server room and that could easily be something you would rather protect.
Encryption Encryptionopens up a lot of possibilities for increasing security, but brings it with issues that company policies should be created to address: for example, what is the procedure when a user forgets their password to an application/data?
Application White-Listing White lists are lists of those items that are allowed (as opposed to a black list—things that are prohibited). A white list of applications should exist to identify what applications are approved and accepted on your network.
Transitive Trust/Authentication Anytime one entity accepts a user without requiring additional authentication on the behalf of another entity, the possibility is introduced for problems to occur. As much of a pain as it is for users, the more stops that you have requiring them to authenticate before passing through, the safer you make you make your environment.
BYOD Concerns BYOD (Bring Your Own Device) refers to employees bringing their personal devices into the corporate network environment. This is a common issue in the modern workplace, and it can pose substantial security risks.
The first risk involves those devices connecting to the company network. If an employee has personal smartphone, for example, and they bring it to work and connect it to the company’s Wi-Fi network, then any virus, spyware, or other malware that may have infected that phone can spread to the company network. One way to address this is to have a second Wi-Fi network—not connected to the main corporate network, but simply a guest network—and only allow personal devices to connect to that Wi-Fi and not to the main network. Another risk involves compromising confidential data. Modern mobile devices are complex computer systems. An employee could use a cell phone to photograph sensitive documents, record conversations, and acquire a great deal of sensitive data. Some Department of Defense contractors do not allow phones in certain sensitive areas of their buildings. This may be more restrictive than at most civilian companies, but at least you should be aware of this potential issue and have a policy to address it. That policy could be as simple as allemployees agreeing that if they bring a mobile device onto company property, it is subject to random search. Data ownership becomes an issue with BYOD. If the device is personally owned but used for company business, who owns the data on the device? The company or the individual? Related to that is the issue of support ownership. Is the individual responsible for support or the company? Patch management is closely related to support ownership. Who will be responsible for ensuring the personal device has patches updated? Antivirus management is another related issue. What antivirus software will be used? How will it be updated? These are all important questions that will need to be answered.
Adherence to corporate policies is an obvious issue. If individuals own their own devices, which they have purchased with their own funds, ensuring the user and the device adheres to corporate policies will be a challenge. Related to that issue are legal concerns. When a device is owned by the individual but used for company business, a number of legal issues arise. As just one example, what if the device is used to send spam? Is the company responsible? Another example would involve the employee leaving the company. How does the organization verify the device does not have any proprietary data on it? Forensics is another legal issue. If there is, for example, litigation against the company, usually computer records is subpoenaed, but the data that might reside on a personal device is a legal gray area. Then there are purely technical concerns. Architecture and infrastructure considerations are critical. Will the personal device be compatible with the organizational infrastructure? Onboard cameras and video also pose a challenge. Some organizations forbid the use of cameras within the company, or at least within secure areas. And finally there is the issue of acceptable use policies. Companies generally have acceptable use policies regarding how computers can be used within the organization. How will that be implemented with devices that don’t belong to the company? Some organizations simply opt to forbid such devices, but in our modern world of ubiquitous devices, that approach may not be feasible in your organization.