Mobile devices are quickly becoming a target-rich and high return-on-investment environment for malicious attackers. Their use is expected to surpass that of existing laptops and desktop computers by a factor of at least three in the next five years. The rapid innovation that is often associated with these devices also means that in the near future they are expected to have expanded capabilities, including touch-less payments, personal data repositories, fully functional local applications, and the ability to simultaneously enable high-speed access to corporate and personal networks and applications.
There are numerous strategies users can adopt to help mitigate risks and enhance the security of mobile devices without introducing debilitating restrictions or limiting functionality. This article will discuss five of the easier, useful ones.
1. Enable Device Password and Associated Data Wiping
Enabling a mobile device password can help ensure that unauthorized users cannot gain access without the device owner’s knowledge or consent. Users should be encouraged to avoid using easily guessable dates, numeric patterns or passphrases.
It is also recommended that users enable the data wipe capabilities that are often available as standard features on modern mobile devices. These capabilities will erase the data on the device after a selected number of invalid password attempts are made. This will ensure that an attacker will have limited success using brute-force or password-guessing attack techniques.
2. Enable Device Auto Lock with Short Time Windows
The auto lock features available on many mobile devices will require a password to be reentered after a period of inactivity, or if triggered by a user action (e.g., closing the cover on a tablet or tapping the lock button on a smartphone) similar to the way screen savers work on traditional desktops and laptops. This security feature is most effective when its ‘time to enable’ is set for the shortest possible period of inactivity.
It is recommended that this timeout should be no more then 10 minutes, and shorter if possible based on user tolerance. Enabling a short auto lock period will reduce the window of opportunity for an attacker’s unrestricted access to a mobile device if it is out of the owner’s control.
3. Enable Device Data Encryption Capabilities
Data encryption can be a useful control for securing data at rest and in motion if properly implemented and utilized. Many mobile devices have data encryption capabilities with little impact to the user experience after the initial enciphering of the data for data at rest, and limited network overhead and extra user requirements for data in transit.
Encryption will limit an attacker’s ability to obtain usable data from the mobile device’s storage without the encryption key material, and also prevent them from easily capturing sensitive data (such as user names and passwords) over the airwaves during network data communication.
4. Create Encrypted and Password-protected Backups on a Regular Basis
Mobile devices often contain large amounts of critical data and applications, as users leverage them for computing activities. It is important to create and maintain encrypted backups of these devices on a regular basis to enable resiliency if a device ever malfunctions, is lost or is replaced.
Cloud-based mobile device backup solutions are an an attractive option because they typically provide geographic separation between the device and the backup. They can also be accessed whenever an internet connection to the device is available.
Regardless of the physical location of the mobile device backup, it should be locally encrypted and password protected while it is still in the control of the user. This is especially important in cloud-based and offsite backup solutions where the user has limited visibility and control of how the data are stored and accessed once it leaves the user’s control. If the backup is locally encrypted and password protected, there is a higher likelihood of maintaining the confidentiality and integrity of the data, even when the information is out of the direct control of the user.
5. Use the Same Risk-aware and Security-conscious Web Browsing Behaviors Employed on Dedicated Computers When Using Mobile Browsers
Web browsers on mobile devices can be exploited by attackers and used to enable attacks in the same ways they are leveraged on stationary computers. Mobile devices often contain sensitive information and have the ability to access corporate networks, which make them an attractive target for motivated adversaries. Risk-aware and security-conscious web browsing behaviors – including only connecting to familiar websites and ensuring encryption is enabled when entering sensitive information – should be universally employed, regardless of the technology platform that is being utilized.
Final Thoughts
Mobile devices are quickly becoming ubiquitous tools that are being leveraged by both technically savvy and unsophisticated users. Their advanced functionality, large data storage capacities and high-speed data network communication capabilities make them an ideal target for attackers.
ISACA, a global association of 95,000 security, assurance and governance professionals, offers free guidance on securing mobile devices. By following these tips, enabling some basic technological security controls, and acting in a risk-aware and security-conscious fashion, users can effectively protect themselves from being an easy target while still enjoying the benefits that come with using these devices.
| ISACA is exhibiting at Infosecurity Europe 2012, the No. 1 industry event in Europe held on 24–26 April 2012 at Earl’s Court, London. The event provides an unrivalled free education program, exhibitors showcasing new and emerging technologies, and offers practical and professional expertise. Visit the Infosecurity Europe website for further information. |
John P. Pironti is the president of IP Architects, LLC. He has designed and implemented enterprise-wide electronic business solutions, information security and risk management strategy and programs, enterprise resiliency capabilities, and threat and vulnerability management solutions for key customers in a range of industries, including financial services, insurance, energy, government, hospitality, aerospace, healthcare, pharmaceuticals, media and entertainment, and information technology on a global scale for over 20 years. Pironti has a number of industry certifications, including Certified in the Governance of Enterprise IT (CGEIT), Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), Certified in Risk and Information System Control (CRISC), Information Systems Security Architecture Professional and (ISSAP) and Information Systems Security Management Professional (ISSMP). Pironti frequently provides briefings and acts as a trusted advisor to senior leaders of numerous organizations on information security and risk management and compliance topics, and is also a member of a number of technical advisory boards for technology and services firms. He is also a published author and writer, highly quoted and often interviewed by global media, and an award-winning frequent speaker on electronic business and information security and risk management topics at domestic and international industry conferences.