 |
 |
 |
There is incredible pressure for all of us within the corporate world to work faster and smarter. Information is power and one needs to have access to key inform ation at all times. With the advent of e-mail technology in the last decade organizations have been enable to ensure that key information is available to mobile staff on the road whether they are in the process of traveling or actually on customer sites. Staff now have external access to many applications and remote access goes far beyond e-mail anywhere solutions. We are now able to access back-end applications within corporate networks from Personal Digital Assistants (PDA) and we can also store as much information on a memory stick as we could on a high end laptop 10 years ago. As usual with security, whilst functionality has been greatly enhanced, risks for abuse and attacks have increased. So what do CEOs, CIOs & CSOs need to pay attention to as regards the un-wired corporate communication tools they give to their mobile staff? How does an organization pro-actively address the risks posed by their mobile staff? Is mobility a death trap for security strategies or can we rely on best practice security principles to address the increased risk levels? What do CxOs need to be worried about as regards mobile technology risks? It is important for CxOs to put themselves in the shoes of mobile workers and take a user's perspective in order to understand why mobile users may be more focused on the additional functionality they are given access to rather than on the risks this functionality brings to the organization. The typical road warrior is someone who is always on the go and works fast. They need to be in touch with customers, colleagues and suppliers at all the times. Access to data from Mobile Devices: What are the key risks? The issue mobile staff face is that most of them travel a great deal and may often be operating in environments where they cannot access data and/or systems which are critical for them to carry out their daily duties. Because they might find themselves on long haul flight for 12 hours or in an area where broadband and wireless access is scarce mobile workers will have a tendency to download confidential data to their laptop or PDA and may also store da ta on memory sticks making maximum use of every portable storage device available to ensure that they can still work on key customer projects even if they do not have access to e-mail or to other mission critical applications. This is a major issue as confidential or highly confidential data might be stored on unprotected and unencrypted devices. Moreover, the organization might not be aware that this data has been copied onto mobile devices and may, therefore, not be aware of the risks it is facing. This could be considered to be a breach in security if your corporate communication tools usage policy states that no confidential data may be stored on PSDs unless it is encrypted. Data is key to the organization and needs to be appropriately protected. This is stated clearly in the Irish Data Protection Act, in the UK Data Protection Act as well as in many other legal jurisdictions and security standards. It is worth noting that legislation is trying to push organizations to pro-actively address these issues. For instance, HIPAA in the US (Health Insurance Portability and Accountability Act) covers the protection of patients records pertaining to identifiable health information. SB 1386 in California (US) forces organizations to publicize any security breach involving residents personal information disclosure. In France, the Loi sur la Securite Financiere is taking similar steps to control confidential data transfer, storage and transmission. The Payment Card Industry standard (PCI) is also addressing the issue of credit card information storage and transmission and puts emphasis on the fact that appropriate security measures should be taken so that this data cannot be copied, transmitted or accessed unauthorized staff which clearly applies to removable data storage devices commonly used by mobile workers. Mobile device security is therefore an integral part of the compliance agenda and CxOs must include mobility in the overall security strategies. Security experts foresee a rise in the number of high profile cases such as the Department of the Veteran Affairs scandal in the US whereby thousand of Social Security Numbers held by the department were disclosed to third parties. In the last two years a number of cases involving the loss or theft of company corporate resources (including laptops and PDAs) has already hit the headline including household names such as ING, Deloitte-Accountants and Fidelity investments. For some details on specific case please see the Laptop Hall of Shame, at http://www.forbes.com/columnists/2006/09/06/laptops-hall-of-shame-cx_res_0907laptops.html ). Physical Security of Mobile Devices Frightening Security Concerns It is very obvious that there is no point in having state of the art logical (or IT) security if everyone can physically access the device or network you are trying to protect. Yet in the case of tools such as laptops, memory sticks and PDAs this rule seems to be overlooked. In fact, some devices have a tendency to disappear. Employees will willingly tell you on a Friday that they have actually lost their corporate PDA the previous Monday and when challenged as to why they did not report it missing to the IT Department, security staff are very likely to get an answer along the lines of Don't worry about it! I was still able to get my mail using my laptop. The next comment will more than likely be How soon can I get a new PDA though, it is handier than a laptop! The fact that confidential data has been lost and that it may fall into the wrong hands does not come into the equation which highlights the issue of lack of user awareness. A few statistics easily support this argument. It was made public in August 2006 that Heathrow Airport, UK, which is one of the busiest business airports in the world now auctions lost unclaimed laptops on a regular basis. Moreover the airport administration reports that only about ten percent of lost laptops are ever claimed. This is apparently due to the fact that it is easier to claim the value of the laptop from your insurance than it is to trace back in which area of the airport it was lost and to organize to have it searched for, found and collected. For a few hundred British Pounds anyone is therefore welcome to purchase an unclaimed laptop along with its carry case and all its contents. This means that the new owner will have access to the data that is on the laptop and the data that is kept around the laptop which, in some cases, may contain vital clues as to what passwords might be. Failing that one can always attempt to break the password although, realistically, not everyone will be able to break passwords however bearing in mind that password cracking utilities are available for very little on the Internet this might be tempting for would be hackers. Stolen laptops may be traced back if they are fitted with the appropriate Technology however this is not common practice as it is both an additional cost and another IT system to support. It does, however, allow for the tracing of stolen goods as was the case with a laptop stolen from EuroTechnix who were victims of a raid where hardware was stolen and a Tablet PC eventually found its way to Nigeria http://www.theregister.co.uk/2003/02/07/on_the_trail/ ). According to Gartner some 250,000 laptops are lost in the US every year. A survey conducted by Vontu and Ponemon Institute LLC has found that in 2006, eighty one percent of respondents (major organizations in the US, Europe, Canada and Asia) stated that their firm lost laptops whilst the average probability for PDAs containing confidential business information was sixty percent comparable to fifty three percent for USB memory keys. Based on these alarming statistics it appears clear that organizations are not pro-active about protecting their physical mobile communication assets and have not seen the link between loss or theft of mobile systems and the data security leakages resulting from what is known in the industry as loss of control over the mobile device. Security Concerns Technical Perspective on Mobility Devices From a technical standpoint mobile devices have always been an issue in terms of administration and security. The corporate perimeter which used to be clearly defined and protected behind gateway protection such as firewalls and corporate Intrusion Detection Systems (IDS) is no more. It now extends to a fleet of desktops and to every single handheld device which may contain sensitive data. Moreover the fact that these devices can be used to access corporate network applications such as e-mail, CRM, financial & ERP packages as well as custom applications often requires IT administrators to open up ports on the corporate gateway firewall which adds to the monitoring and reporting requirements around this type of access which can be used as a back door to the corporate system unless properly secured via encrypted channels and strong authentication mechanisms. The challenge is daunting. In a world where corporate governance and compliance have become top priority items on the management board's agenda, IT administrators and technical staff now have to remotely manage, control and update devices that may only be visible and/or accessible at very irregular intervals. In addition the multiplication of unmanaged end points is also increasing the risk of potential attacks against the organization whilst the risk of data leakage is growing yet again. To complicate matters, Bluetooth and IrDA port beaming connection mechanisms also create new technical risks although most attacks to date are considered to be proof of concept to show that these communication channels are indeed dangerous and may be exploited at a later stage. However the security industry is indeed concerned about new concepts such as Bluejacking which is described as follows: the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs or laptop computers, sending a vCard which typically contains a message in the name field (i.e. for bluedating or bluechat) to another bluetooth enabled device via the OBEX protocol. www.wikipedia.org More dangerously, experts are also worried about the concept of Bluesnarfing which relates to the way information is stolen via Bluetooth connections between a laptop and a PDA for instance. This allows attackers to hack into calendars, files and e-mails on the other party's device. Furthermore, since some handheld devices have an embedded browser, users also have access to Instant Messaging. Focus on security issues surrounding PDAs Data Storage Capabilities PDA devices can store very large amounts of data. It is impor tant to understand where and how this data is stored. There are three main types of data storage available using these devices. They can store data in persistent memory, external storage (ie. Flash memory cards), or internal RAM. Each of these types of memory present a significant security challenge for the organization. The following best practice recommendations should be considered as corrective action. Internal RAM: All sensitive data in use must be stored in this part of the memory while decrypted. Best Practice Advice and other Considerations as regards the Security of Mobility Devices: Successful security strategies are always based on a mix of policies, technical solutions and user awareness. Moreover, when addressing security challenges associated with mobility devices, CSOs must ensure that they look at the physical security aspects as well as the logical security covering data security, how the device connects back to the network. In addition the operational issues surrounding the deployment, support and retirement of mobility devices also needs to be taken into account. The first step is therefore to develop and disseminate a set of policies addressing the security concerns over the roll out of mobility devices. These policies will set out who is to be given the use of un-wired devices such as laptops, PDAs and USB keys. They will also link into the organization fixed assets register (or any other asset classification and management policy) and be c learly associated with the overall standard corporate communication tools policy which governs what constitutes safe and acceptable usage of business resources. In consideration of the additional security risks linked to mobility devices it is also essential to have a tele-working policy to give road warriors clear guidance as to how to use such tools. Then comes the issue of device discovery. It is obviously easier to manage a controlled environment and to that effect no unapproved mobility devices should be in use by employees. This include personal devices used to carry out business. It is not best practice to allow staff to use their personal PDAs on the corporate network notwithstanding the legal issues this may bring for non compliance with Data Protection legislation. There are solutions allowing organizations to work off a white list of devices allowed to run on or to connect to the corporate network (SecureWave is one of the best of breed solutions to consider www.securewave.com ) In terms of authentication, organizations must ensure that all devices require user authentication on starting or resuming work (including PDAs). As usual a strong password policy is required although it is best practice to implement two-factor strong authentication (such as Vasco, www.vasco.com) which will also work with most handheld devices and therefore include an additional layer of security for authentication to the device and back to the network via the mobile device. Next item on the security check list for mobility devices is encryption. Many solutions on the market allow for PDA, laptop but also PSD encryption. This should be mandatory as part of the mobility roll out. Some solutions are more granular than others and allow the encryption of a part or the whole drive. Some solutions allow users to use the same software to encrypt data on a laptop as well as on USB memory keys. As with any encryption solution, organizations should be mindful to choose a vendor offering high standards of support structures. (SafeBoot and WinMagic provide such solutions, www.safeboot.com & www.winmagic.com) . In terms of PDAs and Smart phones, organizations chose a solution allowing for devices to be blocked after three failed authentication attempts (perhaps also offering a way for users to be prompted for a customized Q&A challenge to re-authenticate) and should allow administrators to remotely wipe the data on the device. By the same token, these solut ions must allow for quick back-up and re-installation features. Windows based mobility solutions and BlackBerry solutions provide such features. Generally speaking it is also recommended that organizations standardize on the make and models of mobility solutions to be rolled out. This makes it easier to track and manage assets and simplifies the technical security structure as administrator can concentrate on becoming security champions for a more targeted list of vendors. In terms of Anti-Virus, & Anti-Spyware most vendors do provide solutions for mobile devices including handheld (www.sophos.com & www.trendmicro.com) . Administrators may also consider solutions allowing some additional level of network access control by deploying network solutions which will scan machines that have been invisible from the network for while and isolate them in a quarantine area where they will only have access to patches and updates they will need to install on the local device before being granted access to the corporate applications. It is of course vital that technical staff be trained as to how to deploy, manage and retire mobility devices. This should be part of a clearly defined roll-out plan to ensure that the initial deployment of the mobility solution is successful. It will also greatly minimize support issues and recovery operations should devices need to be replaced and a user required to be fully set-up again. A lost and stolen item policy should be in place to allow users of mobility solutions to escalate the loss or theft of their device(s) almost in real time. Back on the corporate network administrators will be in a position to revoke credentials for remote access from the mobile devices and issue temporary credentials so that users can resume work within the least disruption possible. This may need to be coupled with a replacement policy in conjunction with key suppliers who will ensure prompt replacement of mission critical business tools. It also best practice to hold interviews with users who have lost mobile devices or have been victims of theft. This can help deal with internal fraud and will also help increase security levels. It is also recommend to provide additional dedicated awareness training to all staff using mobility devices and to ensure that acceptable usage policies are communicated to all staff. Finally it is also recommend for managers to keep in close contact with mobile workers so that they do not feel isolated and keep in touch with the corporate feel and therefore with the corporate security standards in place. Summary: Mobility solutions are business enablers and help users work smarter and faster. It is likely that more and more employees will have access to mobility devices such as laptops, PDAs and USB Memory keys in the future. The security challenge for CSOs and other CxOs is significant. Physical security threats as well as technical security dangers make the use of mobility solutions an additional significant security risk for the organizations. However best practice security strategies will help mitigate this risk so that organizations can focus on the value add of mobility solutions. It is crucial that devices are carefully deployed coupled with associated security policies for both users and administrators. This should be further complemented with the implementation and support of best-of-breed technical solutions to protect access to devices (and the corporate network they allow users to connect to). However user awareness remains essential as mobility devices are easily forgotten or stolen together with the data they contain. Required technology is there to protect at a technical level, it is now up to organizations to deploy it and take the right steps to increase user awareness levels which will enable them to make the most of the mobility solutions available to do business. Recommended reading: www.blaberry.com The CIO's Guide to Mobile Security |
