By: John P. Pironti CGEIT, CISA, CISM, CISSP, CRISC, ISSAP, ISSMP
President IP Architects, LLC and Advisor with ISACA
Mobile devices are quickly becoming a target-rich, high-return environment for malicious attackers. Their use is expected to surpass that of existing laptops and desktop computers by a factor of at least three in the next five years. The rapid innovation associated with these devices also means that in the near future they are expected to gain expanded capabilities, including touchless payments, personal data repositories, fully functional local applications, and the ability to simultaneously provide high-speed access to corporate and personal networks and applications. There are numerous behaviors and capabilities that users can adopt to mitigate risks and enhance the security of mobile devices without introducing debilitating restrictions or limiting the functionality that makes them useful. This article discusses five of the more useful ones.
Enabling a password (or PIN or passcode) on a mobile device helps to ensure that unauthorized users cannot gain access without the device owner’s knowledge or consent. Users should be encouraged to avoid easily guessable dates, numeric patterns or passphrases. It is also recommended that users enable the data wipe capability that is often available as a standard feature in modern mobile devices. This capability erases the data on the device after a selected number of invalid password attempts. It limits the success of brute force and password guessing attacks against the lock screen, because an attacker gets only a handful of guesses before the data is gone. Since a wipe also destroys the owner’s data, it should be paired with the regular backups discussed later in this article.
The auto lock feature available on many mobile devices requires the password to be reentered after a period of inactivity or when triggered by a user action (e.g., closing the cover on a tablet or tapping the lock button on a smartphone), similar to the way screen savers work on traditional desktop and laptop computers. This security feature is most effective when its inactivity timeout is set to the shortest period the user will tolerate. It is recommended that this timeout be no more than 10 minutes, and shorter if possible. A short auto lock window reduces the time in which an attacker has unrestricted access to a mobile device that is out of its owner’s control.
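As an added illustration of the two lock-screen controls above (this is not code from the article, and real platforms implement the equivalent in firmware and a secure element with their own thresholds), the following Python models a device lock with a salted, slow hash of the passcode, a wipe after a fixed number of consecutive failures, an escalating retry delay, and an inactivity auto-lock. The passcode, thresholds and clock values are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Iterable, Tuple

# Added example, not code from the article: a lock screen with a salted, slow
# passcode hash, a wipe after MAX_FAILURES consecutive bad attempts, an escalating
# delay between attempts and an inactivity auto-lock. Thresholds are constructed.

MAX_FAILURES = 10        # the 10th consecutive bad passcode wipes the device
AUTOLOCK_SECONDS = 60    # re-lock after one minute without user activity
KDF_ITERATIONS = 100_000


def hash_passcode(passcode: str, salt: bytes) -> bytes:
    """Keep a salted PBKDF2 hash, never the passcode itself."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, KDF_ITERATIONS)


@dataclass
class DeviceLock:
    passcode_hash: bytes
    salt: bytes
    locked: bool = True
    failures: int = 0
    wiped: bool = False
    last_activity: float = 0.0
    retry_after: float = 0.0   # earliest time another attempt is accepted

    @classmethod
    def enrol(cls, passcode: str) -> "DeviceLock":
        salt = os.urandom(16)
        return cls(passcode_hash=hash_passcode(passcode, salt), salt=salt)

    def touch(self, now: float) -> None:
        """Any user interaction restarts the inactivity timer."""
        self.last_activity = now

    def is_locked(self, now: float) -> bool:
        """Auto-lock: an unlocked device re-locks once the idle time is reached."""
        if not self.locked and now - self.last_activity >= AUTOLOCK_SECONDS:
            self.locked = True
        return self.locked

    def try_unlock(self, passcode: str, now: float) -> str:
        """Returns 'unlocked', 'wrong', 'throttled' or 'wiped'."""
        if self.wiped:
            return "wiped"
        if now < self.retry_after:
            return "throttled"          # the attempt is not even counted
        candidate = hash_passcode(passcode, self.salt)
        if hmac.compare_digest(candidate, self.passcode_hash):
            self.locked, self.failures = False, 0
            self.touch(now)
            return "unlocked"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.wipe()
            return "wiped"
        if self.failures >= 5:
            # 1, 2, 4, 8 and 16 minutes after the 5th to 9th failure
            self.retry_after = now + 60 * 2 ** (self.failures - 5)
        return "wrong"

    def wipe(self) -> None:
        """Destroy the credential material; on a real device the data keys go too."""
        self.passcode_hash, self.salt = b"", b""
        self.locked, self.wiped = True, True


def simulate_guessing(lock: DeviceLock, guesses: Iterable[str]) -> Tuple[int, float]:
    """An attacker who waits out every delay and tries one guess per second.
    Returns (guesses actually tried, seconds elapsed) once the device unlocks or wipes."""
    now, tried = 0.0, 0
    for guess in guesses:
        now = max(now, lock.retry_after)
        tried += 1
        if lock.try_unlock(guess, now) in ("unlocked", "wiped"):
            break
        now += 1.0
    return tried, now
```

Running `simulate_guessing` against a four-digit PIN shows why the two controls together matter: the attacker gets exactly ten guesses, spends about half an hour waiting through the delays to make them, and then the device wipes, so the 10,000-value search space is never explored. The throttle also means that the short auto lock timeout, not the wipe, is what protects a device that is picked up while still unlocked.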
Data encryption is a useful control for securing data at rest and in motion if it is implemented and used properly. Many mobile devices can enable encryption of data at rest with little impact on the user experience after the initial enciphering of the data, and encryption of data in transit (for example a VPN or TLS-protected connections) with limited network overhead and few extra demands on the user. Encryption limits an attacker’s ability to obtain usable data from the device’s storage without the encryption key material, and prevents them from easily capturing sensitive data (such as user names and passwords) over the air during network communication. Note that on most devices the at-rest encryption key is derived from, or protected by, the device password, so a weak password weakens the encryption as well.
Mobile devices often contain large amounts of critical data and applications as users rely on them for everyday computing. It is important to create and maintain encrypted backups of these devices on a regular basis to provide resiliency if a device ever malfunctions, is lost or is replaced. Cloud-based mobile device backup solutions are an attractive option since they typically provide geographic separation between the device and the backup, and can be accessed whenever the device has an internet connection.
Regardless of where the backup is stored, it should be encrypted and password protected locally, while it is still in the control of the user. This is especially important for cloud-based and offsite backup solutions, where the user has limited visibility and control over how the data is stored and accessed once it leaves the user’s control. A backup that is encrypted and password protected before it leaves the device is far more likely to retain its confidentiality and integrity when the information is out of the user’s direct control, provided the backup password is strong and is not stored alongside the backup.
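As an added example covering both the data-at-rest encryption tip and the locally encrypted backup tip (it is not the article’s code and not any vendor’s implementation), the Python below shows the key hierarchy that makes these controls work: a random data key protects the files, a key derived from the device passcode wraps that data key, a wipe is simply the destruction of the wrapped key, and a backup is encrypted under a separate passphrase before it leaves the device. Because the Python standard library has no AES, the cipher here is HMAC-SHA256 in counter mode with a separate HMAC tag (encrypt-then-MAC), chosen only so the example runs anywhere; a production implementation would use a vetted AEAD such as AES-GCM. Passcodes, file names and contents are constructed.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

# Added example for the encryption and backup tips above; it is not the article's
# code. Python's standard library has no AES, so the cipher is HMAC-SHA256 in
# counter mode plus a separate HMAC tag (encrypt-then-MAC). Real devices and backup
# tools should use a vetted AEAD such as AES-GCM; the key handling is the point.

KDF_ITERATIONS = 100_000


def derive_key(passcode: str, salt: bytes) -> bytes:
    """Slow, salted derivation so a stolen blob cannot be brute forced cheaply."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, KDF_ITERATIONS)


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from one master key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag; the tag binds nonce and ciphertext."""
    enc, mac = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Plaintext, or None when the key is wrong or the blob was modified."""
    if len(blob) < 48:
        return None
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


class DeviceStorage:
    """Data at rest. Files are sealed under a random data key (DEK); the DEK is
    sealed under a key derived from the device passcode (KEK). A wipe only has to
    destroy the wrapped DEK, which is why it can be near-instant and still final."""

    def __init__(self, passcode: str) -> None:
        self.salt = os.urandom(16)
        self._dek = os.urandom(32)
        self.wrapped_dek = seal(derive_key(passcode, self.salt), self._dek)
        self.files: dict = {}

    def unlock(self, passcode: str) -> bool:
        """Recover the DEK from its wrapped form; a wrong passcode yields nothing."""
        dek = unseal(derive_key(passcode, self.salt), self.wrapped_dek)
        if dek is None:
            return False
        self._dek = dek
        return True

    def write(self, name: str, data: bytes) -> None:
        self.files[name] = seal(self._dek, data)

    def read(self, name: str) -> Optional[bytes]:
        return unseal(self._dek, self.files[name])

    def wipe(self) -> None:
        """Cryptographic erase: the files stay on flash but nothing can unwrap them."""
        self.wrapped_dek = b""
        self._dek = b""

    def export_backup(self, backup_passphrase: str) -> bytes:
        """Encrypt the backup locally, under a passphrase the cloud never sees.
        Must be called while the device is unlocked."""
        salt = os.urandom(16)
        plain = {name: self.read(name).hex() for name in self.files}
        return salt + seal(derive_key(backup_passphrase, salt), json.dumps(plain).encode())


def restore_backup(blob: bytes, backup_passphrase: str) -> Optional[dict]:
    """Rebuild the file set from a backup, or None if the passphrase is wrong."""
    plain = unseal(derive_key(backup_passphrase, blob[:16]), blob[16:])
    if plain is None:
        return None
    return {name: bytes.fromhex(data) for name, data in json.loads(plain).items()}
```

Trying a wrong passcode, flipping one byte of a sealed file, or restoring with the wrong backup passphrase all return `None` rather than garbage, which is the behaviour an encrypted storage or backup format should have: a wrong key is indistinguishable from a corrupted blob, and integrity is verified before any plaintext is produced. After `wipe()` the sealed files are still present but cannot be read even with the correct passcode, because the only copy of the data key was wrapped under it and that wrapped copy is gone.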
Web browsers on mobile devices can be exploited by attackers and used to enable attacks in the same ways they are on desktop and laptop computers. Mobile devices often contain sensitive information and can access corporate networks, which makes them an attractive target to motivated and capable adversaries. Risk-aware and security-conscious web browsing behaviors, including only connecting to familiar web sites and ensuring that the connection is encrypted (HTTPS, with a valid certificate) before entering sensitive information, should be universally employed regardless of the technology platform being used.
Mobile devices are quickly becoming ubiquitous tools that are being leveraged by both technically savvy and unsophisticated users. Their advanced functionality, large data storage capacities and high-speed data network communication capabilities make them an ideal target for motivated and capable attackers. ISACA, a global association of 95,000 security, assurance and governance professionals, offers free guidance on securing mobile devices at www.isaca.org/mobiledevices. By following these tips, enabling some basic technological security controls, and acting in a risk-aware and security-conscious fashion, users can effectively protect themselves from being an easy target while still enjoying the benefits that come with using these devices.