Information Security Today Home

New Books

Software Quality Assurance: Integrating Testing, Security, and Audit by Abu Sayed Mahfuz; ISBN 9781498735537
Enterprise Level Security: Securing Information Systems in an Uncertain World by William R. Simpson; ISBN 9781498764452
Big Data: Storage, Sharing, and Security edited by Fei Hu; ISBN 9781498734868
Mastering the Five Tiers of Audit Competency: The Essence of Effective Auditing by Ann Butera; ISBN 9781498738491
Information Security Policies, Procedures, and Standards: A Practitioner's Reference by Douglas J. Landoll; ISBN 9781482245899
Electronically Stored Information: The Complete Guide to Management, Understanding, Acquisition, Storage, Search, and Retrieval, Second Edition by David R. Matthews; ISBN 9781498739580

New Considerations for Securing the Mobile Enterprise

By Andrew McDonnell, Vice President, Security Solutions at AsTech Technology Consulting

The mobile enterprise has changed the way we approach workplace security. Employees are no longer bound to their desks and now have access to company data from virtually anywhere. Executives and employees alike routinely access company email, files, and database records from laptops, tablets, and smartphones, which has created a new set of security headaches. How do you keep company data safe and still support mobile users? Mobile workstations are harder to track and secure. Any device that is portable enough to provide wireless access to the computer network is portable enough to be lost or stolen. And it's more difficult to ensure that software patches and security settings are up to date in handheld devices. And when you add "bring your own device" (BYOD) to the mix, security issues become even more complex.

Now there's a new wildcard that can have a direct impact on mobile enterprise security. The FBI and Apple were recently in a prominently public dispute over whether Apple should furnish the means to unlock a particular iPhone as part of an investigation into the recent San Bernardino terrorist attack. The challenge is that by complying with the request, Apple would have created the ability to unlock not just one phone but any iPhone; which raises new concerns about personal and corporate privacy in the U.S. and abroad. The FBI ultimately dropped its demand for an iPhone skeleton key, announcing that it had found its own means to break into the iPhone in question. If this method is real and applicable to any iPhone, law enforcement overreach is only the beginning. The problem with back doors is that they can't care who is using them: bad guys have an irresistible incentive to acquire such a tool.

From an IT security perspective, this creates a new set of concerns regarding mobile enterprise security. In addition to keeping the mobile devices themselves secure from loss or theft, the data on those devices has to be protected even more closely from prying eyes. New strategies need to be considered to protect against a mobile data breach.

Weighing Mobile Enterprise Risk

First, consider the true level of risk posed by mobile users. Like every security tradeoff, it is impossible to eliminate all risk. You need to assess what degree of risk you are willing to accept to protect your organization's intellectual property and other sensitive data.

If you are concerned about attack, then restricting open access to your critical services from the Internet is one way to protect your network. You can give mobile devices access to data via encrypted VPN or secure connections, preventing interception of important traffic details over potentially unsafe connections. Mobile devices can be especially prone to disclosing sensitive data or metadata as background processes attempt to connect to services for updates promptly upon connecting to any network. Critically sensitive data should not be kept where it can be reached because an attacker guessed a single password or network address, but even the strictest technical controls can be defeated through determination or carelessness. Custodians of sensitive data must be incentivized to protect it and maintain vigilance for weaknesses that may have been overlooked. The NSA and CIA attempted extraordinary measures to protect their secrets, but Edward Snowden found a way to expose them.

If you are concerned about potential data loss or theft, then strong encryption and authentication is your best approach. Data in motion should be encrypted to prevent unauthorized access or interception. Data that is stored on devices should be encrypted as well. For example, most PC and mobile operating systems include robust whole-disk encryption that when employed can protect data even if a device is lost or stolen. While most mobile operating systems enable this feature by default, PCs need to be configured to enable this feature. The tradeoff with this sort of encryption, as experienced by the FBI, is that without the accompanying password(s) the encrypted data is lost. The passwords and passcodes are often the weakest link in the chain, but overlong passwords that must be changed frequently will aggravate users. Most PCs can incorporate decryption into device authentication so the level of inconvenience is mitigated, and mobile device security can be even more convenient with biometrics such as TouchID. While not all these systems are equally robust, and using biometrics as a shortcut for passcodes creates other weaknesses, there are many options for striking a good balance of security and usability.

Mobile Security and Law Enforcement

Employees themselves have traditionally been the greatest threat to data security. They are unaware of security concerns and routinely break security protocols without thinking, such as sharing passwords or accessing sensitive data from the local Starbucks. When using company-issued hardware, IT has more control over mobile security, but that control can't completely prevent an employee from using company equipment in a way that exposes sensitive data. or even for criminal activities, as was suspected in the case of San Bernardino terrorist Rizwan Farook. Farook was a county employee with a county-issued iPhone, and in searching the iPhone for evidence the FBI could sweep county data as well as any evidence the phone might have contained.

Normally, companies are more concerned about protecting their data from the prying eyes of hackers and cyber crooks than law enforcement. However, sensitive company data also can be compromised when devices are seized by police or the FBI. Even if the company isn't guilty of any wrongdoing, sensitive information on the mobile device could become public in the event of an investigation. And even if you are cooperative, you don't want to give the FBI an excuse to start rooting through your servers.

If you are concerned about protecting company data from law enforcement, then the types of device security you choose certainly matters. For example, if an employee is arrested and their company-issued phone is entered into evidence, you run the risk of company information on that phone being exposed. With strong authentication, you may be able to defeat attempts to unlock the phone. However, you must choose the right types of protection. Under the law, the courts have ruled that law enforcement can compel you to surrender a fingerprint, which can be used to unlock a biometric-protected device, but you cannot be compelled to surrender a password. If you are concerned about losing control of data stored on mobile devices, passcodes can be more secure than biometric authentication. Most mobile devices can also be configured to erase themselves after a number of failed authentication attempts, as the FBI was concerned Farook's phone might if they attempted to recover his passcode through guessing.

Strategies for Mobile Security

Your best defense against a mobile data breach can using Mobile Device Management (MDM). An MDM platform gives you total control over remote devices, including over-the-air distribution of software updates, more control over device settings, device tracking, and even the ability to remotely disable, unlock, or even wipe a device. MDM also is your best tool to ensure compliance with company security policies such as requiring encryption and strong passcodes.

Interestingly, in the case of the San Bernardino terrorist, Farook's county-issued iPhone could have been accessed using the county MDM system, if the MDM controls had been configured appropriately. With MDM in place the county could have worked with the FBI to unlock the iPhone without having to ask Apple to create a cyber skeleton key. MDM could have provided more control over the types of data stored on the iPhone, so any sensitive information would strike a balance between being safe and recoverable.

If employees are using their own mobile devices, then you may face obstacles if you expect them to join an MDM program. One way or another, you will want to make sure that devices containing your sensitive data are up to date with the latest security patches and locked when not in use. In addition to direct monitoring and control, you also need to have a clearly defined set of security protocols to explain requirements to personnel and to cover cases that cannot be addressed directly by MDM or other controls.

Any data that is going to be used is going to be subject to some kind of attack. The importance of the data, the acceptable barriers to access, budgets, and more all have to be taken into account and balanced against risk. You might build a secure moat around your network to protect your data, and be sure to encrypt any data that moves outside the firewall. If you are supporting remote users, be sure consider and enforce necessary security protocols as a prerequisite for access to sensitive systems.

This dispute between Apple and the FBI over iPhone encryption demonstrates that no technology inherently or unassailably secure. Any step towards tighter security can also be unacceptably costly in terms of resources or aggravation. Striking a balance between establishing draconian levels of security and maintaining productivity means weighing the risks against the benefits while developing the right mobile security strategy. These are hard problems, and you don't have to solve them alone.

Subscribe to
Information Security Today

Bookmark and Share

© Copyright 2016 Auerbach Publications