Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Cyber Security Awareness Month - Day 20 - Securing Mobile Devices - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Cyber Security Awareness Month - Day 20 - Securing Mobile Devices

Over the last few years, the mobile devices in our lives have become much more complex and powerful, and as a result, more attractive as targets for malware authors.   The iPhones, Androids, and Blackberries in our pockets (and the pockets of company executives) have more raw computing capabilities than the desktop machines of a few years ago (and the servers of a few years before that) and they run web browsers capable of running javascript or flash (hmm... haven't we seen issues with both of those technologies on other platforms?), plus they have built-in GPS capabilities that allow for tracking of our movements, and nearly constant access to the internet to potentially share that information (or any other data on the device) with "the bad guys."  Unfortunately, defensive capabilities have not kept pace.  To make matters worse, because of their size, these new mobile devices are small enough that they are also much easier to misplace (or steal).  For this reason, it is probably even more important to that the human being involved be even more vigilant than ever.  In the following discussion, I also make a somewhat artificial distinction between personal and corporate use of mobile devices.

Corporate usage

For corporate mobile devices, I would urge a few measures (where possible)

  • Encryption - if the capability exists on the platform you are using, whole device encryption could provide some minimal protection to corporate (or personal) data on the device should it be lost or stolen.
  • Remote Wipe - the ability to remotely kill or wipe a device that has been lost or stolen should be enabled if it exists.
  • VPN - where possible, VPN back through the corporate environment (understanding all the issues discussed in yesterday's diaries apply here, too).  This allows one to take advantage of proxies, firewalls, e-mail filtering of the corporate network.  When possible, use the mobile device as a thin client to access data in the corporate network or in "the cloud" rather than keeping potentially sensitive data on the mobile device itself.

Personal usage

For personal devices, the biggest thing is to remember that the defenses on these mobile devices are even slimmer than on our home PCs and laptops.

  •  Fight the urge to do things like banking, that might reveal information that could be used for identity theft, from your mobile device.
  •  Don't click on links sent via IM, Facebook, SMS

General usage

In general, there are a few things that should probably be done all the time to protect yourself and your personal and corporate information (and they may increase your battery life, too).

  • Turn off the GPS and data (3G/4G/wifi) capabilities when you aren't actually using them.
  • If anti-virus software exists for your platform install it.  It probably won't protect you from much, but if it stops even one attack, that's better than nothing.
  • If at all possible, don't mix corporate and personal use on the same mobile device.

I've been starting to think about mobile malware lately, and frankly, it worries me.  So, what are you doing to secure your mobile devices (both corporate and personal)?

---------------
Jim Clausing, jclausing --at-- isc [dot] sans (dot) org
GIAC GSE #26

Jim

400 Posts
ISC Handler
Set a PASSCODE! I'm amazed by the number of people with their whole life on their iPhone or Blackberry that don't set a simple passcode/password and auto-lock on idle params.
Sure you have to type the passcode umpteen times a day to unlock the device, but isn't it worth an extra 90 seconds per day to keep your vital information safe?
Paul

44 Posts Posts
Don't forget the great article by Chris Carboni last June. http://isc.sans.edu/diary.html?storyid=9046

I installed AV on my phone mere minutes after reading his post.
RobM

14 Posts Posts
Let's not forget the basics of a solid security policy for mobile devices. In my organization, the security policy details the dangers of mixed use (personal/business) and it makes it clear that mixed use is forbidden and a disciplinary offense up to and including termination.

It sounds harsh, and it might not be how *I* would write the policy, but it certainly keeps the issue foremost in my mind as I'm using my mobile devices. And making sure our users are mindful of how their activities impacts the network is a good first step in preventing misuse.
RobM
1 Posts Posts

Sign Up for Free or Log In to start participating in the conversation!