The days of having a single device with one specific function is over. Mobile devices are converging; your 'mobile phone' is no longer just your 'mobile phone', it's your mobile PC.
The convergence of data or information and communication technology in a singular intelligent mobile device has the advantages of global and abundant ease of access to information, collaboration and communication at your fingertips. With the exponential rate at which these mobile devices are advancing and becoming more sophisticated, the on-going development of mobile device enterprise application platforms and telecom improvements, the easier it is becoming to access and manipulate information, however on the flipside the wider the door is being left ajar for hackers or individuals with malicious intent to do the same.
The telecoms or mobile device operators are also concerned about mobile device security. An insecure or compromised mobile device is also a potential problem for them as a compromised device is a threat to the smooth running of their networks. Problems in mobile device security leading to theft of mobile devices could be detrimental to companies reputation and result in data loss.
Mobile devices enable users to be more effective and a lot of the work today is done outside of the office, opening up great business opportunities and increasing functionality whilst reducing operation cost. However security of data has now become more important than perimeter security as this new business model requires well-designed access to business functions from anywhere. This area as many security professionals feel has lagged behind with little or nothing done to protect organisational remote access and data access through mobile devices. The office and all its data is basically being carried around with the user. If these devices are not secured and managed it is the same as allowing anyone random access to your offices and your company information.
Securing the mobile device
Mobile security should be a clear focus as advancement in mobile devices and emerging technologies introduces increased potential security risk. Privacy and security is needed at all layers of technology. The security mechanisms of the mobile devices, smartphones and tablets, are not always able to deal with the ever changing emergent trend of information theft through malicious attacks.
New areas of security and privacy now need to be covered, including:
- The mobile device
- The mobile networks
- The management of mobile identity
- Credential Privacy
- Machine to machine communications
Potential risks when using a mobile devices
- Mobile devices are easily lost or stolen
- Possible compromise of confidential data on the device, local or remote
- Possible breach in the security of the network to which the mobile device connects
- Cost to replace the device and restore the data to the same level previously attained.
Steps to help achieve mobile device and data security
The first step is to choose a device that has been designed with security in mind. With the increasing variety of mobile devices on the market, one should research these devices and go with a device where security is part of the technology or the device is security capable. You should consider a mobile device that has the best possible control and security options built into the device and then make sure to use these security measures available to you.
Some devices are built for corporate use and security is a priority. Other devices are consumer driven and have poor implementation of security controls.
From a corporate point of view taking a proactive stance over mobile devices and purchasing a uniform set of devices is worthwhile to assist in simpler and improved management of the devices within the corporation and thus acquiring more control over the corporate device fleet and corporate data.
Authentication or password function
It is important to turn on the authentication function on your device. The password chosen should be one that is not easily determined and should remain private. It is no good having this security option and not using it.
Within a corporate environment authentication should be enforced for all mobile devices as it is enforced on the desktop pc or laptop, the mobile device should be no different. In fact the security of the mobile device should be taken more seriously as they are more easily lost or stolen and are used just about anywhere. By adding strong password security to the device in the event of it ending up in the wrong hands will be a better deterrent and improved chance of securing the corporate data on the device. Remember most of these devices have remote access to your network as well and store your remote access credentials.
Encrypt your data. By ensuring that the data on your mobile device is encrypted and that the encrypted data is managed. If the device happens to be stolen or lost the data will be secure and remain confidential.
Corporations should enforce the encryption of company data on mobile devices. By doing this they have control over their corporate data no matter where it is or where it ends up, as the encrypted data will not be able to be accessed by unauthorized users. The huge hype or paranoia of sensitive data and the privacy surrounding that data should be taken seriously and precautionary measures must be enforced. Policies surrounding the use of encryption methods on mobile devices must be set up, managed and enforced.
Have software in place allowing you to remotely stun, wipe or lock the device in the event that the device is lost or stolen.
In a corporate environment have a clear policy in place regarding remote wiping of mobile devices in the event that they are compromised. The policy should be managed and enforced. Ensure that the employees know the procedure to follow, which number to call or who to contact if need be, to ensure effective follow up. There are many technologies or services that allow for this to be done remotely. By having this option in place within your enterprise, you can quickly have your device disabled or wiped if necessary securing the confidential corporate data you have on the device.
Corporations need to ensure the apps installed on corporate mobile devices are secure, sandboxed applications. Make sure they are what they say they are. Applications can be a way for malicious people to gain control of your device and can be a gateway to your private data. Or alternatively turn your device into a bot for resource abuse.
Within a corporate environment the installation of third party apps on mobile devices should be limited or controlled. Mobile devices are essentially computing platforms that can accept various applications. This could be a potential route for outsiders with malicious intent to gain access to your network or corporate data.
Firewall software and policies can be set up specifically for traffic control and management to and from mobile devices. This way the data that is accessed via the mobile devices can be restricted to only certain data on the network, thereby controlling the data that is available on mobile devices.
Software to examine traffic flowing through the mobile device (IPS/IDS)
The mobile device is always improving and becoming more sophisticated. As it becomes more advanced it is also becoming a greater tool for the hacker or individual with malicious intent. One should have HIPS/IDS software installed to inspect the traffic flowing through the mobile device to enable early warning of any potential attack via the mobile device. This software should report to central console for security event correlation.
Wireless and Bluetooth Functions
Bluetooth and wireless can be used by hackers to gain access or proliferate malware to other devices and networks. If the Wireless or Bluetooth function is always active this can be an easy route for hackers to launch an attack. It is important to disable the Wireless and or Bluetooth setting when it is not in use to help prevent potential problems.
A mobile device is an extension of your LAN and WAN and can be used by attackers to gain access to corporate data and systems just like if the attacker found an unsecured laptop. The mobile device is another endpoint and now with the hardware being as powerful as PC and Laptop devices the security platforms need to be equal if not greater to what is available on those platforms.
As mobile devices converge and become commoditized both the corporate and individual require protection of this resource and defence from any potential damage incurred through the misuse of the mobile device. The increased sophistication of the mobile devices, application platforms and telecoms brings with it great advantage but elevated risk. Corporates need to be aware of the risks and not become complacent especially because security vendors are lagging behind in this area.