Five Easy Steps To Enhance the Security of Mobile Device Use

April 2012, by John P. Pironti, CGEIT, CISA, CISM, CISSP, CRISC, ISSAP, ISSMP, President of IP Architects, LLC and Advisor with ISACA

Mobile devices are quickly becoming a target-rich, high-return-on-investment environment for malicious attackers. Their use is expected to surpass the use of existing laptops and desktop computers by a factor of at least three in the next five years. The rapid innovation that is often associated with these devices also means that in the near future they are expected to have expanded capabilities, including touchless payments, personal data repositories, fully functional local applications, and the ability to simultaneously enable high-speed access to corporate and personal networks and applications. There are numerous behaviors and capabilities that users can adopt to help them mitigate risks and enhance the security of mobile devices without introducing debilitating restrictions or limiting functionality in ways that make the devices less useful. This article discusses five of the more useful ones.

1. Enable Device Password and Associated Data Wiping.

Enabling a password on a mobile device helps to ensure that unauthorized users cannot gain access without the device owner’s knowledge or consent. Users should be encouraged to avoid easily guessable dates, numeric patterns or passphrases. It is also recommended that users enable the data wipe capabilities that are often available as standard features in modern mobile devices. These capabilities erase the data on the device after a selected number of invalid password attempts is made to access the device, which ensures that an attacker will have limited success with brute force or password guessing techniques.

2. Enable Device Auto Lock With Short Time Windows.

The auto lock features that are available on many mobile devices require a password to be reentered after a period of inactivity or when triggered by a user action (e.g., closing the cover of a tablet or tapping the lock button on a smartphone), similar to the way screen savers work on traditional desktop and laptop computers. This security feature is most effective when its activation timeout is set to the shortest period of inactivity the user can tolerate. It is recommended that this timeout be no more than 10 minutes, and shorter if possible based on user tolerance. A short auto lock window reduces the window of opportunity in which an attacker has unrestricted access to a mobile device that is out of the owner’s control.
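Steps 1 and 2 describe three settings (a non-guessable passcode, a wipe threshold for invalid attempts, and an auto lock timeout of at most 10 minutes) that an organization would typically verify before allowing a device onto its network. The following Go program is an added example written for this article, not code from the author or from ISACA: it evaluates a device configuration against those recommendations. The `LockPolicy` field names, the passcode-pattern heuristics (repeated digits, ascending or descending runs, date-like digit groups) and the short deny-list of common passcodes are this example's own constructions, not any vendor's MDM schema or a real breached-password list.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// LockPolicy holds the three settings steps 1 and 2 ask users to enable.
// The field names are this example's own and do not follow any vendor's MDM schema.
type LockPolicy struct {
	Passcode        string
	WipeAfter       int           // invalid attempts before the device erases itself; 0 = disabled
	AutoLockTimeout time.Duration // inactivity before the passcode is required again; 0 = never
}

// MaxAutoLock is the ceiling the article gives for the auto lock timeout.
const MaxAutoLock = 10 * time.Minute

// commonPasscodes is a small constructed deny-list standing in for a real breached-password list.
var commonPasscodes = map[string]bool{"password": true, "passw0rd": true, "letmein": true, "qwerty": true, "123456": true, "111111": true}

func allDigits(s string) bool {
	if s == "" {
		return false
	}
	for _, r := range s {
		if r < '0' || r > '9' {
			return false
		}
	}
	return true
}

// isMonotonicDigits reports whether a numeric passcode is a run like 1234 or 9876.
func isMonotonicDigits(s string) bool {
	if len(s) < 3 {
		return false
	}
	step := int(s[1]) - int(s[0])
	if step != 1 && step != -1 {
		return false
	}
	for i := 2; i < len(s); i++ {
		if int(s[i])-int(s[i-1]) != step {
			return false
		}
	}
	return true
}

// looksLikeDate is a heuristic for the "easily guessable dates" the article warns about:
// a 4-digit year (19xx/20xx) or a day/month pair, optionally followed by a year.
func looksLikeDate(s string) bool {
	switch len(s) {
	case 4:
		if s[:2] == "19" || s[:2] == "20" {
			return true
		}
		a, _ := strconv.Atoi(s[:2])
		b, _ := strconv.Atoi(s[2:])
		return (a >= 1 && a <= 12 && b >= 1 && b <= 31) || (b >= 1 && b <= 12 && a >= 1 && a <= 31)
	case 6, 8:
		return looksLikeDate(s[:4])
	}
	return false
}

// PasscodeWeaknesses lists the reasons a passcode counts as easily guessable; empty means none found.
func PasscodeWeaknesses(pc string) []string {
	var reasons []string
	if commonPasscodes[strings.ToLower(pc)] {
		reasons = append(reasons, "is on the common-passcode list")
	}
	if allDigits(pc) {
		if strings.Count(pc, pc[:1]) == len(pc) {
			reasons = append(reasons, "is a single repeated digit")
		}
		if isMonotonicDigits(pc) {
			reasons = append(reasons, "is an ascending or descending digit run")
		}
		if looksLikeDate(pc) {
			reasons = append(reasons, "looks like a date")
		}
	}
	return reasons
}

// EvaluatePolicy checks a configuration against steps 1 and 2 and returns every finding.
func EvaluatePolicy(p LockPolicy) []string {
	var findings []string
	if p.Passcode == "" {
		findings = append(findings, "no device passcode set")
	}
	for _, r := range PasscodeWeaknesses(p.Passcode) {
		findings = append(findings, "passcode "+r)
	}
	if p.WipeAfter == 0 {
		findings = append(findings, "data wipe after invalid attempts is disabled")
	}
	switch {
	case p.AutoLockTimeout == 0:
		findings = append(findings, "auto lock is disabled")
	case p.AutoLockTimeout > MaxAutoLock:
		findings = append(findings, fmt.Sprintf("auto lock timeout %v exceeds the %v maximum", p.AutoLockTimeout, MaxAutoLock))
	}
	return findings
}

func main() {
	// Constructed sample configuration that violates all three recommendations.
	weak := LockPolicy{Passcode: "1234", AutoLockTimeout: 30 * time.Minute}
	for _, f := range EvaluatePolicy(weak) {
		fmt.Println("FINDING:", f)
	}
}
```

The pattern checks are deliberately conservative: they catch the classes of passcode the article names rather than attempting a full strength estimate, and a compliant configuration (a non-pattern passcode, a non-zero wipe threshold, a timeout of 10 minutes or less) produces no findings.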

3. Enable Device Data Encryption Capabilities.

Data encryption can be a useful control for securing data at rest and in motion if implemented and used properly. Many mobile devices can enable data encryption with little impact on the user experience after the initial enciphering of the data at rest, and with limited network overhead and few extra user requirements for data in transit. Encryption limits an attacker’s ability to obtain usable data from the mobile device’s storage without the encryption key material, and also prevents them from easily capturing sensitive data (such as user names and passwords) over the airwaves during network communication.

4. Create Encrypted and Password Protected Backups of Mobile Devices on a Regular Basis.

Mobile devices often contain large amounts of critical data and applications as users leverage them for computing activities. It is important to create and maintain encrypted backups of these devices on a regular basis to enable resiliency if a device ever malfunctions, is lost or is replaced. Cloud-based mobile device backup solutions are an attractive option since they typically provide geographic separation between the device and the backup, and can be accessed whenever an internet connection to the device is available.

Regardless of the physical location of the mobile device backup, it should be locally encrypted and password protected while it is still in the control of the user. This is especially important in cloud-based and offsite backup solutions, where the user has limited visibility and control of how the data are stored and accessed once they leave the user’s control. If the backup is locally encrypted and password protected, there is a higher likelihood of maintaining the confidentiality and integrity of the data even when the information is out of the direct control of the user.
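Steps 3 and 4 both come down to the same mechanism: the data are enciphered under a key derived from the user's password before they leave the device, so whoever stores the backup (a cloud provider, an offsite server) holds only ciphertext, and any modification of that ciphertext is detected when the backup is restored. The Go program below is an added example written for this article, not code from the author or from ISACA. It derives a key from the password with PBKDF2-HMAC-SHA256 (implemented inline from RFC 8018 because it needs only the standard library), encrypts with AES-256-GCM, and packs salt, nonce and ciphertext into a single container whose layout is this example's own choice; the iteration count is an assumption for the example and should be raised in a real deployment. The backup content is a constructed sample string.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen    = 16
	nonceLen   = 12     // standard AES-GCM nonce size
	keyLen     = 32     // AES-256
	iterations = 200000 // assumption for this example; raise for production use
)

// pbkdf2SHA256 implements RFC 8018 PBKDF2 with HMAC-SHA256 using only the standard library.
func pbkdf2SHA256(password, salt []byte, iter, outLen int) []byte {
	numBlocks := (outLen + sha256.Size - 1) / sha256.Size
	out := make([]byte, 0, numBlocks*sha256.Size)
	for block := 1; block <= numBlocks; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], uint32(block))
		mac.Write(idx[:])
		u := mac.Sum(nil) // U1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil) // Uj = PRF(P, Uj-1)
			for j := range t {
				t[j] ^= u[j] // T = U1 xor U2 xor ... xor Uc
			}
		}
		out = append(out, t...)
	}
	return out[:outLen]
}

func gcmForPassword(password string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(password), salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptBackup produces the container that is safe to hand to a cloud or offsite store:
// salt || nonce || ciphertext+tag. Salt and nonce are authenticated as associated data so
// they cannot be swapped without the tag failing.
func EncryptBackup(password string, plaintext []byte) ([]byte, error) {
	header := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(header); err != nil {
		return nil, err
	}
	gcm, err := gcmForPassword(password, header[:saltLen])
	if err != nil {
		return nil, err
	}
	return gcm.Seal(header, header[saltLen:], plaintext, header), nil
}

// DecryptBackup restores the plaintext; a wrong password and a tampered container are
// indistinguishable to the caller, since both simply fail the GCM tag check.
func DecryptBackup(password string, container []byte) ([]byte, error) {
	if len(container) < saltLen+nonceLen+16 {
		return nil, errors.New("container too short to be a valid backup")
	}
	header := container[:saltLen+nonceLen]
	gcm, err := gcmForPassword(password, header[:saltLen])
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, header[saltLen:], container[len(header):], header)
	if err != nil {
		return nil, errors.New("wrong password or backup has been modified")
	}
	return pt, nil
}

func main() {
	backup := []byte("contacts=...;messages=...;notes=...") // constructed sample backup content
	box, err := EncryptBackup("a long and memorable passphrase", backup)
	if err != nil {
		panic(err)
	}
	fmt.Printf("container is %d bytes of ciphertext; provider never sees plaintext\n", len(box))
	if _, err := DecryptBackup("guess", box); err != nil {
		fmt.Println("wrong password:", err)
	}
}
```

Note that `gcm.Seal(header, ...)` appends the ciphertext directly after the header, so the salt and nonce travel with the backup; the password itself and the derived key never do.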

5. Use the Same Risk-aware and Security-conscious Web Browsing Behaviors Employed on Dedicated Computers When Using Mobile Browsers.

Web browsers on mobile devices can be exploited by attackers and used to enable attacks in the same ways they are leveraged on stationary computers. Mobile devices often contain sensitive information and have the ability to access corporate networks, which makes them an attractive target to motivated and capable adversaries. Risk-aware and security-conscious web browsing behaviors, including connecting only to familiar web sites and ensuring encryption is enabled when entering sensitive information, should be universally employed, regardless of the technology platform that is being used.

Final Thoughts

Mobile devices are quickly becoming ubiquitous tools that are being leveraged by both technically savvy and unsophisticated users. Their advanced functionality, large data storage capacities and high-speed data network communication capabilities make them an ideal target for motivated and capable attackers. ISACA, a global association of 95,000 security, assurance and governance professionals, offers free guidance on securing mobile devices at www.isaca.org/mobiledevices. By following these tips, enabling some basic technological security controls, and acting in a risk-aware and security-conscious fashion, users can effectively protect themselves from being an easy target while still enjoying the benefits that come with using these devices.

John P. Pironti is the President of IP Architects, LLC. He has designed and implemented enterprise-wide electronic business solutions, information security and risk management strategy and programs, enterprise resiliency capabilities, and threat and vulnerability management solutions for key customers in a range of industries, including financial services, insurance, energy, government, hospitality, aerospace, healthcare, pharmaceuticals, media and entertainment, and information technology on a global scale for over 20 years. Mr. Pironti has a number of industry certifications, including Certified in the Governance of Enterprise IT (CGEIT), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), Certified in Risk and Information System Control (CRISC), Information Systems Security Architecture Professional (ISSAP) and Information Systems Security Management Professional (ISSMP). Mr. Pironti frequently provides briefings and acts as a trusted advisor to senior leaders of numerous organizations on information security, risk management and compliance topics, and is also a member of a number of technical advisory boards for technology and services firms. He is also a published author and writer, highly quoted and often interviewed by global media, and an award-winning frequent speaker on electronic business and information security and risk management topics at domestic and international industry conferences.

ISACA is exhibiting at Infosecurity Europe 2012, the No. 1 industry event in Europe, held on 24th – 26th April 2012 at the prestigious venue of Earl’s Court, London. The event provides an unrivalled free education programme and exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk.

