Tom Olzak

Archive for the ‘Mobile Device Security’ Category

Android malware not yet a real problem, but…

In Android Security, Mobile Device Security on July 1, 2015 at 13:52

Malware targeting Android devices is growing, likely hitting 2 million instances by the end of 2015 according to the Verizon 2015 Data Breach Investigations Report.  And while the number of devices actually infected is small, the potential for large scale mobile attacks is not.  See by Toolbox blog about this here…

Home users create security gaps: Fill them

In Access Controls, Application Security, Business Continuity, Cloud Computing, Computers and Internet, Insider risk, iPad, Mobile Device Security, Network Security, Policies and Processes, Policy-based access control, Risk Management on February 13, 2013 at 20:13

In Phishing attacks target home workers as easy ‘back door’ –, John Dunn writes that users fear becoming targets when working at home.  This should surprise no one.  With the rapid growth of BYOD (bring your own device), organizations struggle to close security gaps as they attempt to meet new business requirements of anywhere/anytime delivery of information and business processes. (See The BYOD Trend.)

Smartphones, tablets, and privately-owned laptops are not adequately controlled in most organizations.  Traditional access controls, especially authorization constraints, fail to mitigate risk sufficiently.  One important change organizations can make is to context- or policy-based access controls.  (See Securing Remote Access).



Policies are not enough to protect mobile data…

In Access Controls, Application Security, Content Filtering, Data Leak Prevention, Data Security, Mobile Device Security, Policies and Processes, Policy-based access control, Risk Management, Security Management on December 29, 2012 at 12:27

Policy is not enough.  Ensuring sensitive information is handled in accordance with internal policy and regulatory constraints requires monitoring of all activities associated with it.  In other words, inspect what you expect… continuously.  Further, too much reliance on human behavior is a recipe for security disaster.

This week, we learned that the University of Michigan Health System, via a vendor, lost about 4000 patient records.  The vendor, apparently authorized access, copied patient records from a database to an unencrypted device.  The device, left unattended in a vehicle, was then stolen.  Sound familiar?  It should.  This scenario appeared many times in news articles over the last several years.  While the players differed, the gaps leading to the losses were largely the same.

This set of conditions is growing more common.  They are strengthened with an increasing number of devices filling the role of insecure mobile data storage, as the BYOD (bring your own device) phenomenon continues to complete its hold on business operations.  Managers and business owners who believe they can simply write a policy, train employees, and move on to the next challenge are kidding themselves.

(For a detailed look at how competing interests apply pressure every day to employees trying to do the right thing, see Bruce Schneier’s Liars and Outliers.)

So what can we do to protect ourselves from becoming the topic of yet another subject in an article about mobile data loss?  Plenty.

For traditional access control environments…

First, ensure your policies have teeth.  For example, what are the sanctions for a vendor or employee who fails to follow policy?  Next, implement reasonable and appropriate technical controls to monitor traffic (e.g., IPFIX data) and aggregated logs (i.e., SIEM).  IPFIX, for example, provides near real time information about anomalous data flows: like a vendor copying 4000 records from a database.  Finally, implement a process whereby IPFIX and SIEM alerts prompt an immediate review of who did the copying, what they copied the data to, and whether the target device is in compliance with policies addressing data on the device category into which it falls.  For example, if security sees a data transfer to a mobile device, they should confirm that the device is encrypted and the user authorized to carry the data out of the building…

For policy-based organizations…

As BYOD expands the corporate attack surface, policy-based access controls augment the steps listed above.  By default, do not allow anyone to copy data to a mobile device that does not meet policy requirements for data protection.  Policy-based controls authorize user access based on user role, the device used, the location of the user/device, the data and processes accessed, day of the week and time access is requested, and the device’s compliance with security policy.  All of this is automated, preventing reliance on human behavior to protect data.

(For more information on policy-based access controls (also known as context-based access controls), see Chapter 9: Securing Remote Access. )

Again, policies are not enough.  Without technical controls, they rely on human behavior to protect data.  This is a bad idea.  Instead, implement technical controls as far as is reasonable for your organization, and then monitor for compliance to ensure people, processes, and technology are producing expected security outcomes.

Android security…?

In Application Security, Certificates, Cybercrime, Data Security, Hacking, malware, Mobile Device Security, security, Security Management on March 6, 2011 at 20:09

A recent blog, Frequency X Blog, examines the latest Android malware, DroidDream.  The hole that allowed this is as big as they get.

Ready for the Hordes? You’d Better Be…

In Access Controls, Business Continuity, Data Leak Prevention, Data Security, Mobile Device Security, Policies and Processes, Risk Management, Security Management on November 3, 2010 at 10:35

The battle rages as users fight to get their smartphones connected to your network.  As many have written, it is futile to fight against the hordes beating on your door.  So whether the user currently demanding access uses an iPhone, a Blackberry, or an Android device, there are a few basic principles to follow before opening the gate.

First, make sure you can centrally manage all handheld devices that connect.  Yes, this includes user-owned devices.  If you allow them to connect to company email or the company’s internally facing WiFi network, then you have some additional rights.  The most basic of these is the right to wipe lost or stolen devices.  This also includes wiping any user-owned device in the possession of a departing employee.  They don’t get to take data along to the next employer…

RIM provides this in its enterprise server offering.  iPhone and Android phones are manageable via Microsoft Exchange.  It doesn’t matter how you do it, but place a policy in place, wrap some processes around it, and enforce central management across all devices–including those owned by C-level managers.  Yes, they lose their phones, too.

The other must-have security control is central policy management.  Again, if data for which you’re responsible is on a device, you have the responsibility to protect it.  So creating mandatory password or PIN policies is a necessary part of handheld device security.  No, your users won’t like this.  But, hey, it’s sensitive data.  They need to compromise a little.

Next, if you allow handhelds to connect to your network, you have to protect yourself from slowly emerging malware threats.  No, there aren’t a lot now.  But there weren’t a lot of viruses around when PCs first started appearing on desktops.  Maybe if we’d paid more attention then, we’d have less problems how.  In any case, it is never too early to start looking at packages available from all the major anti-malware solution vendors.  And make sure whatever you select is centrally manageable.  Not all vendors get this yet.

Finally, consider encrypting sensitive data on the phones.  Yes, I understand that many encryption solutions for handhelds are easily cracked.  So does that mean you do nothing to protect your data?  Let’s face it, the password or PIN protection isn’t much either.  The best way to prevent data breaches caused by compromised phones is to follow a very basic rule–don’t put allow it to be put there in the first place.

There are other things you can do, but these are the “absolutely must-haves,” in my opinion.  Hold off the hordes until you have the right infrastructure in place and broad support for your efforts.

%d bloggers like this: