I wrote this article for Magazcitum in Mexico City. That version will be in Spanish but here is the full article in English.
We are consumers of information and we live and share our lives online. We live in a world where the demand for access to information on a mobile platform is increasing at a rapid rate. We want our emails on demand, and want to see our friends' profiles on Facebook, or find the nearest café so we can tweet our daily thoughts. We want to be kept up to date on the events of the world. Smartphones enable this connectivity and have become essential tools in our daily lives and in business.
Smartphones are changing the business landscape. As enterprises have moved toward global business operations, these devices have become indispensable. Mobile devices offer enterprises the ability to keep their employees connected at all times. These devices afford people the ability to conduct business anywhere—whether they are at home, in the office, or traveling between destinations.
When a company grants business users the ability to use smartphones, it must contend with many threats to smartphones that are similar to those facing laptops or workstations. These threats include malware, viruses, browser exploits and data sniffing, to name a few. All of these threats can lead to leakage of sensitive information. Therefore, companies need to address the risk of deploying smartphones in their organization.
DESCRIPTION OF RISKS
Smartphones provide the connectivity and mobility to access information and are mobile computing platforms with functionality and power similar to laptop computers. They also carry the same types of risks. In fact, attackers are developing sophisticated malware that targets smartphones and creative new ways to exploit these devices.
These attacks often succeed for two reasons: the small screen makes it difficult to verify the integrity of links or websites displayed on the device, and users are generally unaware that malware or spying software exists that can lead to data leakage from the smartphone.
| Risk | Description |
|---|---|
| Data leakage | A stolen or lost phone with unprotected memory allows an attacker to access the data on it. |
| Improper decommissioning | The phone is disposed of or transferred to another user without removing sensitive data, allowing an attacker to access the data on it. |
| Unintentional data disclosure | Most apps have privacy settings, but many users are unaware (or do not recall) that the data is being transmitted, let alone know of the existence of the settings to prevent this. |
| Phishing | An attacker collects user credentials (e.g. passwords, credit card numbers) using fake apps or messages (SMS, email) that seem genuine. |
| Spyware | The smartphone has spyware installed, allowing an attacker to access or infer personal data. Note: spyware includes any software requesting and abusing excessive privilege requests. It does not include targeted surveillance software. |
| Network spoofing attacks | An attacker deploys a rogue network access point and users connect to it. The attacker subsequently intercepts the user communication to carry out further attacks such as phishing. |
| Surveillance | Spying on an individual using the targeted user's smartphone. |
| Diallerware | An attacker steals money from the user by means of malware that makes hidden use of premium SMS services or numbers. |
| Financial malware | Malware specifically designed for stealing credit card numbers, online banking credentials or subverting online banking or ecommerce transactions. |
| Network congestion | Network resource overload due to smartphone usage, leading to network unavailability for the end user. |
THE IMPACT ON NETWORK SECURITY
Whether corporate-issued or personally owned, smartphones easily move in and out of the network, traversing internal and external firewalls. They can connect to the corporate network over wireless, or bypass the network entirely using mobile cellular connections. That means users could download malware from the Web over 3G/4G, and then distribute it to the network over the corporate WiFi network. They also contain large internal flash drives that pose a data leakage threat, because files can be transferred to the smartphone from a computer.
It is harder for IT to control what users do with their smartphone devices, and how these devices expose business data to security threats. Even if the smartphone is issued by an IT department, any endpoint device that can bypass security measures is insecure and poses the same threat of data leakage of sensitive information.
BEST PRACTICES FOR MANAGING SMARTPHONES
While high-security environments, such as banks or certain governmental agencies, will continue to mandate specifically allocated smartphones, this will be increasingly difficult for these and other organizations as the consumer market continues to grow in importance as a primary driver for smartphone adoption. We already see the use of BlackBerrys, iPhones and Android smartphones in the workplace.
The demand for smartphones in the business sector is increasing and companies need to be aware of the threats that can compromise security and lead to data leakage. Here is a list of processes you can implement to lower the risk of data leakage from smartphones.
- Update your security policy to include smartphones and define an awareness training program to provide users with information on how to use the smartphone securely.
- Define allowable device types (enterprise-issued only vs. allowing personal devices, and types of devices such as BlackBerry® or iPhone).
- Define the nature of services accessible through the devices, taking into account the existing IT architecture.
- Identify the way people use the devices, considering the corporate culture as well as human factors and how the nondeterministic execution of processes through the use of mobile devices may lead to unpredictable risks.
- Integrate all enterprise-issued devices into an asset management program.
- Describe the type of authentication and encryption that must be present on the devices.
- Define how data should be securely stored and transmitted using encryption, PIN and strong password security.
- Outline the tasks for which employees may use the devices and the types of applications that are allowed.
- Disable applications that are not needed and define a policy to restrict installation of unauthorized software on the device.
- Passwords for websites should be stored in a program or software vault to prevent caching of passwords in browsers.
- Install mobile security software (including anti-virus and firewall) on the smartphone to protect against viruses and malware.
- Disable Bluetooth, WiFi and GPS, if not specifically in use or required.
- Manage backups of devices according to the corporate backup policy.
- Deploy remote “wiping” capability through a central management system to disable the device if lost or stolen.
- Establish smartphone wireless access security using, at a minimum, WPA2 encryption.
- When synchronizing devices to desktops or laptops, ensure that up-to-date anti-virus and firewall software exists on the computer to prevent malware or virus attacks.
- Train users in awareness of SMS phishing attacks (smishing attacks) which trick the user into entering personal details into a malicious website.
- Enable users to connect to the corporate network via SSL VPN or by an approved IPSec mobile client.
- Include smartphones in an endpoint security program to prevent data leakage by copying files to and from the device via USB.
- Ensure firmware and patch management of smartphones is integrated into your security management program for endpoints.
Technical innovation has paved the way for smartphone assimilation into the workplace. These devices have acted as a catalyst for improving efficiency, productivity and availability in business operations. While many enterprises have chosen to utilize this technology, they have often not considered the business risk or the governance implications associated with these devices.
Loss, theft or corruption of sensitive or confidential data; malware that can affect not only the mobile device itself, but also the enterprise network; and the way in which employees use the devices are just a few of the risks involved with this type of technology. In addition to the governance and security that already exist within the enterprise, risks and associated controls (if they exist) that accompany this boundaryless technology must be assessed to ensure that enterprise information assets are protected and available.
Enterprises that have been considering the use of mobile computing devices in their environment should calculate the benefits that the technology can offer them and the additional risks that are incurred. Once benefits and risks are understood, businesses should utilize a governance framework to ensure that process and policy changes are implemented and understood, and that appropriate levels of security are applied to prevent data loss.