2014 Articles

Security risks for enterprise Smartphones and handhelds and best practice to deal with them

Does your organisation allow employees to connect handheld computers, mobile phones and Smartphones to the corporate network?

If so, you need to understand the data and security risks that come with mobile deployments. Have you developed a strategy, and the policies behind it, for dealing with those risks effectively and efficiently?

This article covers six risk areas for handheld device security, with a recommended practice for each, followed by a checklist of policies.

POTENTIAL SECURITY RISKS

Physical security
Simply put, handheld devices are prone to loss, theft or compromise because they are portable. It is relatively easy, whether by intention or accident, for an unauthorised person to gain access to a handheld device and the data resident on it.

Some people share their devices with family members or friends. Opportunistic thieves aim for easy targets and for people they know are likely to carry high-value devices; anyone from couriers to travelling businesspeople to service engineers is at risk.

Identity theft is now a highly organised crime and high profile or enterprise level organisations that hold personal data about their customers or clients are attractive targets for data theft.

  • There were over 102,300 recorded cases of identity theft in 2009 (CIFAS, 2010)

  • Identity fraud cost the economy £1.2 billion in one year (Identity Fraud Steering Committee figures, 2008)

If your handheld devices are configured to access corporate email or to reach enterprise applications through a Virtual Private Network (VPN), a lost or stolen device is already a significant security risk.

Solution: One simple measure worth adopting early is to require users to protect their devices with a password or PIN. The credential should be required both when the handheld is switched on and whenever the screen is unlocked, so that a device picked up while powered on is no easier to get into than one that has been rebooted.

A more advanced option is biometric authentication.

Biometrics comprise a whole range of methods for uniquely identifying users based upon one or more physical traits, such as a fingerprint. Technology in this area is now advanced enough to be used on handheld computers for identity and access management, replacing typed passwords or PINs.

Most Smartphones already include a PIN or password lock as standard, but many people never enable it because of the inconvenience of entering the code each time they want to use the device.

Making the lock a standard requirement protects your organisation from casual access by someone who finds a lost device or picks up one that has been left unattended.

This is only a basic measure, though: PIN and password locks have repeatedly been bypassed by someone with a little knowledge and capability. A lock screen also does nothing for data that can be read straight off the device's storage, which is why the encryption discussed under Data confidentiality below is needed as well.

For example, version 2.0.1 of the Android operating system had a bug that let a person reach the home screen without entering the PIN: all that was required was to press the Back button as soon as a call came in.

Most people, on discovering that their device has been lost or possibly stolen, call it at the first opportunity in the hope that it has been found by someone honest enough to return it when asked.

A knowledgeable thief only had to wait for the (almost) inevitable call to come in, and they had access to the phone.

The Apple iPhone had a similar issue in early versions of its OS: tapping Emergency Call and then double-clicking the Home button provided access.

Wi-Fi access
Most modern Smartphones and handheld devices can use the carrier's 3G network and can also connect to Wi-Fi networks.

If one of your users connects their phone to an unsecured Wi-Fi network, they are immediately exposed to attack: anyone on the same network, or running a rogue access point under the same name, can observe and tamper with any traffic that is not itself encrypted.

If sensitive company information is stored on the device, such as network passwords, client names and addresses, or the personal telephone numbers of directors or other staff, this presents a serious problem and a very real security challenge.

If the user connects back to your company network over the same unsecured Wi-Fi without protection, the credentials and sessions carried in that traffic, and ultimately your entire network, are at risk.

Solution: Require your users to connect to your company network only via a secure VPN. The data transmitted between your network and the device is then encrypted in transit, and even if intercepted it cannot be read. Two conditions apply: the VPN client must verify the identity of the gateway it connects to (see Bypassing security mechanisms below), and all of the device's traffic, not just the corporate part, should go through the tunnel. With split tunnelling, everything else the device does still crosses the hotspot in the clear.

Security software
Handheld devices can be infected by malicious software from a variety of sources: email, connecting to an already infected PC or other device, or simply the Internet connection in use. It is even possible to infect a device via Bluetooth.

Solution: Require users who connect to your network to install approved security software on the devices they use. There is already a wide range of suitable software for all the major handheld and Smartphone platforms from most of the major providers, including F-Secure, Trend Micro, Kaspersky and Norton. Treat it as a supplement to, not a substitute for, keeping the device's operating system patched: the lock-screen bypasses described above were closed by OS updates, not by security software.

Internet security
Most modern handhelds and Smartphones now have highly functional web browsers. However, screen size remains a limitation: on a small screen far less of the address bar and the page is visible, so a great deal more goes unnoticed.

This makes it surprisingly easy to present a mobile user with a phishing website without it being detected or even looking suspicious. For more information about phishing see:

http://en.wikipedia.org/wiki/Phishing

Malware, worms, trojans and other malicious software can then easily be carried into your network via the device.

Solution: Protect your network by ensuring that your corporate firewalls carry out deep packet inspection of all data transferred from your handheld or Smartphone network. Inspection can only examine traffic it can decrypt, so VPN traffic from the devices must be inspected after it leaves the VPN concentrator, not while it is still inside the tunnel. For more information about deep packet inspection see:

http://en.wikipedia.org/wiki/Deep_packet_inspection

Bypassing security mechanisms
Some devices make it far too easy for users to bypass security mechanisms in the name of convenience. For example, a user trying to connect their phone to a Wi-Fi network or to a particular device is often offered a way around the check that is standing in their way.

A typical example involves security certificates. A user visiting a website whose certificate is invalid (expired, issued for a different name, or signed by an authority the device does not trust) is shown a warning by the browser, but in most cases is then simply asked whether they still want to connect. An attacker who intercepts the connection on an unsecured Wi-Fi network presents exactly such a certificate, so "connect anyway" hands the session to the attacker.

If they choose to ignore the warning and connect anyway, the device and your network are at risk.

Solution: Insist that users do not bypass security mechanisms, and make policies clear so that users know how to recognise a security risk and what action to take. Where the platform allows it, remove the temptation altogether: install the enterprise's own certificate authority on managed devices and pre-configure VPN and Wi-Fi profiles, so that a legitimate connection never triggers a warning and an invalid one cannot be clicked through.
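The certificate prompt above, and the VPN recommendation under Wi-Fi access, come down to one question: does the client verify who it is talking to before it sends anything? The following Go program is an added example and not code from the original article. It stands up a loopback TLS "gateway" with a throwaway self-signed certificate (standing in for whatever an attacker on an open hotspot would present) and connects to it three ways: with verification switched off, which is what "connect anyway" amounts to; with the public system roots, which correctly refuse; and with the enterprise's own certificate pre-installed, which connects with no prompt at all. The host name vpn.example.test and the greeting text are assumptions for illustration.

```go
package main

// Added example, not code from the article: how a client's treatment of a
// gateway certificate decides whether an intercepted connection succeeds.
// The self-signed certificate stands in for one an attacker would forge;
// the host name vpn.example.test is an assumption.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const gatewayName = "vpn.example.test" // assumed name of the corporate VPN gateway

// newSelfSignedCert makes a self-signed certificate for host. No trusted
// authority vouches for it, so to a verifying client it is indistinguishable
// from a forged one.
func newSelfSignedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// startGateway serves TLS on loopback with cert and greets every client whose
// handshake completes. It returns the address to dial.
func startGateway(cert tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() {
				defer c.Close()
				c.Write([]byte("welcome\n")) // the first write runs the handshake
			}()
		}
	}()
	return ln.Addr().String(), nil
}

// insecureConfig is what "connect anyway" amounts to: no check at all.
func insecureConfig() *tls.Config {
	return &tls.Config{ServerName: gatewayName, InsecureSkipVerify: true}
}

// verifyingConfig checks the chain and host name. With trusted == nil only the
// public system roots are accepted; passing the enterprise's own certificate
// (or CA) makes the gateway trusted with nothing for the user to click through.
func verifyingConfig(trusted *x509.Certificate) *tls.Config {
	cfg := &tls.Config{ServerName: gatewayName}
	if trusted != nil {
		cfg.RootCAs = x509.NewCertPool()
		cfg.RootCAs.AddCert(trusted)
	}
	return cfg
}

// connect dials addr with cfg and reads the greeting. A verification failure
// surfaces as a handshake error before any application data is exchanged.
func connect(addr string, cfg *tls.Config) error {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	_, err = conn.Read(make([]byte, 16))
	return err
}

func main() {
	cert, err := newSelfSignedCert(gatewayName)
	if err != nil {
		panic(err)
	}
	addr, err := startGateway(cert)
	if err != nil {
		panic(err)
	}
	fmt.Println("connect anyway:          ", connect(addr, insecureConfig()))
	fmt.Println("public roots only:       ", connect(addr, verifyingConfig(nil)))
	fmt.Println("enterprise cert trusted: ", connect(addr, verifyingConfig(cert.Leaf)))
}
```

The middle case is the one the warning dialog is about: the handshake fails with an unknown-authority error and no data is sent, which is the correct outcome when the certificate is not the gateway's. The third case is the managed-device configuration: the enterprise certificate is distributed in advance, so the genuine gateway never produces a warning and a forged one cannot be accepted.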

Data confidentiality
If your users store business-related information on their handheld devices, that data should be encrypted at the highest level that is practical and affordable.

This applies to the device's internal storage and equally to SD cards, flash memory cards and other removable media, which can be taken out of the device and read on any other machine in seconds.

According to Goode Intelligence, a recent survey indicated that as many as 64% of handheld device users do not encrypt data that they know to be confidential. For more information visit:

http://www.goodeintelligence.com/pdfs/news_release_251110.pdf

Also, Juniper Networks found that more than 76% of handheld device users access sensitive information with their mobile devices. See:

http://www.juniper.net/uk/en/company/press-center/press-releases/2010/pr_2010_10_26-11_00.html

In the same survey, 81% of respondents also admitted sneaking onto their employers' networks without permission, so beware!

Solution: Treat any data stored on a handheld or Smartphone as data that will, sooner or later, be in someone else's hands. Encrypt confidential data properly and make sure password policies are enforced, because the encryption is only as strong as the credential that unlocks it.
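To make the Data confidentiality point concrete, here is an added Go example (not the article's own code) of the minimum a file written to an SD card should look like: AES-256-GCM under a key stretched from the device passcode with PBKDF2-HMAC-SHA256, with the salt and nonce stored alongside the data. PBKDF2 is written out in full so that only the standard library is needed. The passcode, the client record, the salt length and the iteration count are constructed for illustration; a real device should derive the key from hardware-protected key material as well as the passcode rather than from the passcode alone.

```go
package main

// Added example, not code from the article: authenticated encryption of data
// bound for removable storage, keyed from the device passcode. Sample data,
// passcode and parameters are constructed for illustration.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen    = 16      // random per file, stored in the clear
	iterations = 100_000 // assumed work factor; raise it as hardware allows
)

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256, written out so the
// example depends only on the standard library.
func pbkdf2SHA256(passcode, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, passcode)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		var ctr [4]byte
		binary.BigEndian.PutUint32(ctr[:], block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(ctr[:])
		u := prf.Sum(nil)             // U1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...) // T = U1 xor U2 xor ... xor Uc
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// encryptForCard returns salt || nonce || ciphertext+tag. Everything needed to
// decrypt except the passcode travels with the data; the salt is also bound in
// as associated data so it cannot be swapped without detection.
func encryptForCard(passcode string, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	blk, err := aes.NewCipher(pbkdf2SHA256([]byte(passcode), salt, iterations, 32))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(blk)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(append([]byte(nil), salt...), nonce...)
	return gcm.Seal(out, nonce, plaintext, salt), nil
}

// decryptFromCard reverses encryptForCard. A wrong passcode yields a wrong key,
// and GCM's tag check then fails exactly as it would for tampered data.
func decryptFromCard(passcode string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen {
		return nil, errors.New("blob too short")
	}
	salt := blob[:saltLen]
	blk, err := aes.NewCipher(pbkdf2SHA256([]byte(passcode), salt, iterations, 32))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(blk)
	if err != nil {
		return nil, err
	}
	if len(blob) < saltLen+gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short")
	}
	nonce := blob[saltLen : saltLen+gcm.NonceSize()]
	plaintext, err := gcm.Open(nil, nonce, blob[saltLen+gcm.NonceSize():], salt)
	if err != nil {
		return nil, errors.New("wrong passcode or data tampered with")
	}
	return plaintext, nil
}

func main() {
	record := []byte("Client: A. Example, 1 High Street, tel 01234 567890") // constructed sample
	blob, err := encryptForCard("correct horse battery staple", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on the card: %d bytes, starting %x...\n", len(blob), blob[:8])
	back, err := decryptFromCard("correct horse battery staple", blob)
	fmt.Printf("right passcode: %q (err=%v)\n", back, err)
	_, err = decryptFromCard("1234", blob)
	fmt.Println("wrong passcode:", err)
}
```

Two design points matter here. The card holds only random salt, random nonce and ciphertext, so a lost card reveals nothing without the passcode; and because GCM authenticates as well as encrypts, a wrong passcode or an edited file is rejected outright instead of producing garbage that an application might act on. The weak link is the passcode itself: a key derived only from a four-digit PIN can be searched offline in seconds regardless of the cipher, which is why the article's password policy and the platforms' own rate-limited, hardware-bound key stores are part of the solution.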

Best practices for handheld security policies
Handheld security in the enterprise environment needs looking at from two directions.

First, you need to protect your handheld devices from being compromised, and second, you need to protect your company network from any device that has been compromised.

Below are some of the best practices that you can incorporate into your security policies:

  • Ensure that all data stored is encrypted,

  • Ensure that Bluetooth, Wi-Fi and GPS are turned off when not in use,

  • Only allow users to connect to your corporate network through a secure VPN,

  • Implement mobile security software on all handheld devices and phones as a requirement,

  • Don’t allow users access to data that they don’t need in the field or on their mobile devices,

  • Implement secure password policies on all mobile devices where possible,

  • Deploy security, monitoring, and management software on all devices,

  • Ensure that users remove or disable unneeded applications to reduce the possible attack surface,

  • Carry out a proper risk/benefit analysis separately for each division or role using handheld devices to decide whether they require access to your corporate network at all.