There were approximately 40 million smart phones shipped in the third quarter of 2008. Most of these phones were purchased for personal use. However, a growing number of employees expect to connect their personal devices to enterprise networks in order to retrieve e-mail, synchronize calendars, and download files. Although the enterprise may not own the device, it does own the information assets stored on it. Therefore, enterprises must evaluate mobile device threats and implement mitigation techniques.
Mobile Device Threats
Mobile device usage exposes an enterprise to security threats such as:
- Device loss or theft – A recent Credant study estimated that over 31,500 mobile phones were left behind in New York’s Yellow Taxicabs during a six-month period in 2008.
- Data leakage – Any sensitive data stored on a mobile device can easily be copied to other storage devices and computers.
- Unauthorized wireless usage – Wireless security policy violations can expose the enterprise to system attacks (e.g., connecting to a wireless ad hoc network can lead to man-in-the-middle attacks).
- Malware attacks – An increasing number of malicious software attacks (viruses, Trojan horses, worms, etc.) target mobile devices.
Security Policies
Enterprises should establish security policies that minimize mobile device threats without overly restricting usability. I recommend that enterprises consider the following policies.
- Implement a continuous program of employee education that teaches employees about mobile device threats and enterprise security policies.
- Perform periodic auditing of device security configuration and policy adherence.
- Perform regular backup and recovery of confidential data stored on mobile devices.
- Adhere to product-specific best practices. For example, see the Microsoft Security Guide for Mobile Device Manager 2008 or the BlackBerry Enterprise Solution Security Technical Overview.
- Perform configuration and software upgrades “over the air” rather than requiring the user to connect the device to a laptop/PC.
- Encrypt traffic between the messaging server and other enterprise servers (e.g., between the RIM BlackBerry Enterprise Server and the Microsoft Exchange Server).
- Enforce strong passwords for device access.
- Enforce the use of virtual private network (VPN) connections between the mobile device and enterprise servers.
- Encrypt local storage, including internal and external memory (e.g., Secure Digital cards).
- Enforce the same wireless security policies that are used for laptop wireless security. Refer to the articles “WLAN Security – Lessons 1, 2, 3” for additional information.
- Consider the use of two-factor authentication in order to strengthen network access security.
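The auditing policy above is the one that catches drift in the others, so here is an added example (not code from the original post, and not a Microsoft or RIM tool) of a fleet audit that checks a device inventory against the password, storage encryption, VPN, two-factor and software upgrade policies listed. The `Device` record, the inventory rows, the 8-character minimum and the `4.5.0` firmware baseline are all assumptions for illustration; a real audit would pull these fields from the device management server.

```python
# Added example: audit a constructed device inventory against the policies above.
# The Device record, thresholds and sample rows are assumptions, not data from
# the post or from any vendor's management server.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed thresholds: the post says "strong passwords" and "software upgrades"
# without numbers, so these values are illustrative.
MIN_PASSWORD_LENGTH = 8
REQUIRED_FIRMWARE = "4.5.0"   # hypothetical minimum approved build


@dataclass
class Device:
    device_id: str
    owner: str
    min_password_length: int        # minimum length the device actually enforces
    password_complexity: bool       # letters and digits both required
    internal_storage_encrypted: bool
    sd_card_present: bool
    sd_card_encrypted: bool
    vpn_enforced: bool              # enterprise traffic only via VPN
    two_factor_enabled: bool
    firmware_version: str


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.10.0' into (4, 10, 0) so builds compare numerically.
    Comparing the raw strings would wrongly rank '4.10.0' below '4.5.0'."""
    return tuple(int(part) for part in version.split("."))


def audit_device(device: Device) -> List[str]:
    """Return one finding per violated policy; an empty list means compliant."""
    findings: List[str] = []
    if device.min_password_length < MIN_PASSWORD_LENGTH or not device.password_complexity:
        findings.append("weak password policy")
    if not device.internal_storage_encrypted:
        findings.append("internal storage unencrypted")
    # A removable card is the easiest way to walk data out, but it only
    # matters when one is actually inserted.
    if device.sd_card_present and not device.sd_card_encrypted:
        findings.append("SD card unencrypted")
    if not device.vpn_enforced:
        findings.append("VPN not enforced")
    if not device.two_factor_enabled:
        findings.append("two-factor authentication disabled")
    if parse_version(device.firmware_version) < parse_version(REQUIRED_FIRMWARE):
        findings.append(f"firmware {device.firmware_version} older than {REQUIRED_FIRMWARE}")
    return findings


def audit_fleet(devices: List[Device]) -> Dict[str, List[str]]:
    """Map device_id -> findings, keeping compliant devices with an empty list
    so the report shows coverage as well as violations."""
    return {d.device_id: audit_device(d) for d in devices}


# Constructed sample inventory; these are not real devices or users.
SAMPLE_FLEET = [
    Device("BB-0001", "alice", 8, True, True, True, True, True, True, "4.5.0"),
    Device("WM-0002", "bob", 4, False, False, True, False, True, False, "4.2.1"),
    Device("WM-0003", "carol", 8, True, True, False, False, False, True, "4.10.0"),
]

if __name__ == "__main__":
    for device_id, findings in audit_fleet(SAMPLE_FLEET).items():
        print(f"{device_id}: {'OK' if not findings else '; '.join(findings)}")
```

Running the script lists every device with either `OK` or its findings, so the report doubles as proof of audit coverage. The version check is the detail most often got wrong in home-grown audits: a string comparison would flag the fully patched `4.10.0` device as out of date.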