Tom Olzak

Posts Tagged ‘mobile data’

Security None-sense

In Data Security, iPad, Network Security, Risk Management, Security Management on December 1, 2010 at 13:03

I’m sitting in my mother’s hospital room. It is in a new, modern, well thought-out addition to the Toledo Hospital. There is even high-speed Internet access via Wi-Fi. However, the hospital’s IT department blocks social networking sites. Why?

If it’s for security, why bother? I can access Facebook and Twitter from my iPhone and iPad using other tools. For example, I sent a Facebook post (just because I could) using my email. I continued to receive friend updates via email and text messaging. I could also post photos or video from my iPhone. So any HIPAA compliance intent is fully circumvented.

If the hospital is blocking social networking to preserve bandwidth, it needs to reconsider. Today’s patients–and their families–have integrated 24/7 social contact into their lifestyles. Blocking access is simply a poor business decision.

Finally, they may block blogging before my next visit, given that I am writing this on my iPad while sitting in my mom’s room…

iPhone Security may not be an Oxymoron

In Data Security, iPhone, Mobile Device Security, Smartphones on April 8, 2010 at 10:59

When engaged in a discussion about iPhone v. Blackberry v. Windows Mobile security, you might want to place on the table a copy of this article from The MacLawyer.

The author asserts that a properly configured iPhone is no less secure than a laptop or other mobile device.

Good luck with mobile malware defense

In Encryption, Mobile Device Security, Smartphones, Windows Mobile on July 21, 2009 at 09:21

Looking for softer targets, black hats are stepping up their efforts to take over your smartphones and wireless PDAs.  It was only a matter of time before these devices, once falling below the radar of financially motivated cybercriminals, began to look like softer targets than increasingly hardened enterprise networks.  So what can we do about it? 

In a paper published in March of 2005, I wrote about the potential for mobile device compromise. However, the risk of anything other than Windows Mobile infections was very small at the time. Even so, Windows Mobile devices didn’t carry much more risk than their Symbian-based cousins. But now things have changed. Smartphones which use Symbian OS—the vast majority—are facing a very real risk of becoming part of a “mobile botnet.”

A new worm known as Sexy View/Sexy Space, once installed on a phone, communicates back to a controlling server.  Connection to the server allows a black hat to communicate commands to one or more infected devices.  This is the basic requirement for a botnet.  Now your users’ cell phones, too, can eventually participate in the same botnets as their PCs.

Protection for cell phones has lagged far behind solutions created for laptops and desktops. What this means is there are almost no solutions for enterprise anti-malware protection—defined as a solution which uses a central console to configure, monitor, and ensure up-to-date protection across all mobile devices. However, there are some things you can do to protect your organization’s smartphones and the sensitive data residing on them.

  1. Choose devices which can be configured to only allow download and installation of software verified as safe.  Apple’s and RIM’s online stores for the iPhone and Blackberry devices, respectively, are good examples.  But this isn’t a knock-out punch for mobile malware, as Symbian discovered with Sexy View and Sexy Space.  The purveyors of this new malware actually got the software approved (signed) through Symbian’s own code-signing program, so a vetting gate is only as good as the vetting behind it.
  2. Anti-malware for mobile devices has been available for some time.  McAfee has primarily focused on Windows Mobile devices, but is moving into the Blackberry space.  Kaspersky has a very robust solution for phones running Symbian 9.1, 9.2, and 9.3.  Most business class solutions cost around $30 per year per device and are updated by direct connection to the AV software vendor.  (Free products are available for personal use.)  Products usually include a firewall and often provide data encryption capabilities.

Security vendors are making progress, but until a true enterprise solution is available, security management of hundreds or thousands of handheld devices is very difficult.  We can always use centrally enforced policy (e.g., BlackBerry Enterprise Server) to deny the download and installation of all third party apps.  However, this won’t be a long-term answer as tech-savvy users at all levels—including executive management—start to push back hard when these types of policies are rolled out.


Help for the Clueless

In Data Security, Email, Mobile Device Security, Network Security, Risk Management, Uncategorized on July 15, 2009 at 08:06

For the past four years, I haven’t connected to any public hotspot without using a service which encrypts my session over the local network, unless I was doing something not even remotely important online.  I did this—and continue to do so—because it’s been common knowledge for at least that long that connecting to public wireless is like posting your personal information on a bulletin board in the parking lot; it’s available to anyone interested in looking.

So why are so many users still connecting to hotel, airport, coffee shop, rogue, and restaurant public wireless networks and sending passwords, PINs, and other sensitive information in the clear?  A few years ago we might have given them the benefit of the doubt.  But today there is enough information available from numerous sources to ensure every computer user has at least heard that public wireless is dangerous.  In my opinion, the problem is they can’t be bothered or they have no clue how to protect themselves.

Evidence of the problem showed up recently in an online article in which the author writes,

“Much of the time, people just log in to the first robust network they see,” says AirTight spokeswoman Della Lowe. “When we did our airport study, we found only 3 percent of the people were using secure networks.” (Wireless Cybercriminals Target Clueless Vacationers, Fox Charlotte, 11 Jul 2009)

As security professionals, we may need to speak a little louder about solutions for this growing—and largely ignored—problem.  Every chance we get we should discuss with our mobile business users, acquaintances, and anyone else who will listen how to protect themselves, including:

  1. Resisting the urge to connect to the first hotspot they see without giving it some thought and without protecting their user session
  2. Using HTTPS protected Web mail, such as Gmail
  3. Using online VPN services, such as WiTopia or ShareVPN, both fee-based but inexpensive

Going beyond one-off user solutions, organizations with more than a few mobile users should encourage or force their users to access the Internet via a company-hosted VPN solution, such as SSL VPN.  Under no circumstances should company laptops access the Web via public hotspots unless the sessions are encrypted, at least through the hotspot infrastructure.
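To make the “in the clear” point concrete, here is an added Python example (not code from the original post) that plays the role of the eavesdropper on the hotspot. It is handed one TCP payload at a time and reports what it can recover. Both sample segments are constructed, not captured: the hostname webmail.example.com, the user alice and the password are made up, and the TLS segment is a record header followed by filler bytes standing in for encrypted data.

```python
import base64
from typing import Any, Dict
from urllib.parse import parse_qs

# Constructed sample segments (not captured traffic): the payload a sniffer on
# the same hotspot sees for one webmail login sent over plain HTTP.
HTTP_LOGIN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: webmail.example.com\r\n"
    b"Authorization: Basic YWxpY2U6UGFzc3cwcmQh\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 31\r\n"
    b"\r\n"
    b"user=alice&password=Passw0rd%21"
)

# The same login over HTTPS: only the TLS record layer is visible. The bytes
# after the 5-byte record header are constructed filler standing in for the
# encrypted handshake or application data.
TLS_LOGIN = b"\x16\x03\x03\x00\x10" + bytes(range(16))

# TLS content types: change_cipher_spec, alert, handshake, application_data
TLS_RECORD_TYPES = {0x14, 0x15, 0x16, 0x17}
# Form field names an eavesdropper would look for (assumed list, extend as needed)
SECRET_FIELDS = {"password", "passwd", "pass", "pin", "passcode"}


def looks_like_tls(payload: bytes) -> bool:
    """TLS records start with a content type byte and a 0x03xx version."""
    return len(payload) >= 5 and payload[0] in TLS_RECORD_TYPES and payload[1] == 0x03


def parse_http_request(payload: bytes) -> Dict[str, Any]:
    """Split one plaintext HTTP request into request line, headers and body."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"request_line": request_line, "headers": headers, "body": body}


def inspect_segment(payload: bytes) -> Dict[str, Any]:
    """What an on-path observer recovers from a single TCP payload."""
    if looks_like_tls(payload):
        # Record framing is visible; nothing inside it is.
        return {"protocol": "tls", "credentials": {}}

    req = parse_http_request(payload)
    creds: Dict[str, Any] = {}

    # HTTP Basic auth is base64, not encryption: user:password falls out directly.
    auth = req["headers"].get("authorization", "")
    if auth.lower().startswith("basic "):
        user, _, pwd = base64.b64decode(auth[6:]).decode("utf-8").partition(":")
        creds["basic_auth"] = (user, pwd)

    # Login forms posted over HTTP carry the password as a plain form field.
    if req["headers"].get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = {k: v[0] for k, v in parse_qs(req["body"].decode("latin-1")).items()}
        if SECRET_FIELDS & set(form):
            creds["form"] = form

    return {"protocol": "http", "request": req["request_line"], "credentials": creds}


if __name__ == "__main__":
    for label, segment in (("plain HTTP", HTTP_LOGIN), ("HTTPS", TLS_LOGIN)):
        print(label, "->", inspect_segment(segment))
```

With HTTPS webmail the observer is left holding TLS records and nothing else. A VPN goes one step further: DNS lookups, plain HTTP and everything else the laptop sends are inside the tunnel until they reach the VPN endpoint, which is the “at least through the hotspot infrastructure” requirement above.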

System physical security should include mobile device asset management

In Access Controls, HIPAA, Physical Security, Piracy Legislation on May 27, 2009 at 21:43

Some organizations spend a lot of time worrying about administrative (policies) and logical (application and system electronic) access controls without much concern for physical security.  I don’t mean the kind of physical security where you make sure your data center is locked.  I mean the kind of security which allows you to track who has your resources and ensures your organization takes the right steps to quickly mitigate impact.

For example, it doesn’t make much sense to lock the data center when unencrypted, unmanaged mobile devices travel across the country.  The sensitive information stored safely in the data center might as well be in the lobby.  This might seem a basic principle, but many organizations still don’t get it.  Take the US Department of the Interior, for example.  According to a report completed last month by the department’s inspector general, Western Region,

…13 computers were missing and… nearly 20 percent of more than 2,500 computers sampled could not be specifically located.  Compounded by the Department’s lack of computer accountability, its absence of encryption requirements leaves the Department vulnerable to sensitive and personally identifiable information being lost, stolen, or misused.

Source: Evaluation of the Department of the Interior’s Accountability of Desktop and Laptop Computers and their Sensitive Data, U.S. Department of the Interior, Office of the Inspector General, 24 April 2009.

So the IG could verify the loss of 13 unencrypted computers, but about 500 were simply unaccounted for.  The reason? Several of the agencies within the department had no process to track computer inventory.  The following is from a related InformationWeek article:

Despite policies mandated by the Federal Information Systems Management Act and other regulations, including rules that say computers should not be left unattended in plain view and that organizations should establish policies to protect their systems from unauthorized access, the Department of the Interior doesn’t require that any hardware that costs less than $5,000 — that would cover most PCs — be tracked in an asset management system, and the current tracking system doesn’t have proper backing, according to the report.

Source: Department Of The Interior Can’t Locate Many PCs, J. Nicholas Hoover, InformationWeek, 27 April 2009

Most of us agree that encryption is a necessary part of any mobile device security strategy.  But why worry about tracking laptops?  Isn’t encryption enough to render the data on a lost or stolen laptop inaccessible?  Well, it depends.

Many organizations do not use strong passwords.  The reasons vary, including:

  • Users tend to write complex passwords down, leaving them easily accessible
  • Password reset calls constitute a high percentage of help desk calls, rising sharply as password complexity increases

In other words, strong passwords are often seen as weaker and more costly to the business than simple passwords.  And password complexity tends to remain the same when an organization implements full disk encryption, which raises real doubt about how effectively the sensitive information is protected.  The complexity of the password and the configuration of the login policy (i.e., history, failed login attempts, etc.) are factors in the strength of any encryption solution: the cipher may be unbreakable, but the key it protects is only as hard to recover as the passphrase that unlocks it, and a thief working on a disk image is not slowed by the operating system’s lockout policy.  In any case, encryption solutions should be supplemented to some degree—depending on the organization—by a mobile device physical management process, including,

  • Mobile device assignment process which includes recording employee name and date of assignment
  • Clearly documented mobile device usage and protection policy signed by each employee before he or she receives a mobile device
  • Periodic, random verification that the assigned user still has physical control of the device
  • Strict employee termination process which includes receipt of assigned devices
  • Documented device end-of-life process, including
    • recording receipt of device
    • recording of device disposition, in accordance with the organization’s media sanitization and reuse policy
  • Tested and documented device loss process, including
    • process for reporting a mobile device lost or stolen
    • assessment of the probability of sensitive data breach and notification of affected individuals
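The point above about password complexity and full disk encryption, as an added Python example that is not part of the original post. It stands in for the passphrase-to-key step of a full-disk-encryption product with PBKDF2-HMAC-SHA256 (the real key wrapping is vendor-specific), exhausts a four-digit PIN against the derived key, and then estimates offline brute-force time for three password policies. The iteration count, salt and guess rate of 100,000 per second are assumptions chosen for illustration, not measurements of any product.

```python
import hashlib
from typing import Dict, Optional

# Assumed KDF cost for the demo. Real products use far higher iteration counts
# (or memory-hard KDFs), which raises the cost per guess but does nothing about
# a tiny keyspace.
ITERATIONS = 1_000
SALT = b"constructed-salt-not-real"  # constructed sample salt


def derive_key(password: str, salt: bytes = SALT, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 stand-in for turning a login passphrase into the
    key that unwraps the disk's data-encryption key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def crack_numeric_pin(target_key: bytes, digits: int = 4) -> Optional[str]:
    """Exhaust every numeric PIN of the given length against the derived key.
    This is the thief's view of a stolen laptop: the disk image does not count
    failed attempts, only the OS login screen does, so lockout never triggers."""
    for n in range(10 ** digits):
        candidate = f"{n:0{digits}d}"
        if derive_key(candidate) == target_key:
            return candidate
    return None


def keyspace(length: int, charset_size: int) -> int:
    """Number of distinct passwords a policy allows."""
    return charset_size ** length


def expected_crack_seconds(space: int, guesses_per_second: float) -> float:
    """Average time to find a uniformly chosen password: half the keyspace."""
    return space / 2 / guesses_per_second


def compare_policies(guesses_per_second: float = 1e5) -> Dict[str, float]:
    """Expected offline brute-force time for three common policies.
    The guess rate is an assumption for illustration; real rates depend on
    KDF cost and attacker hardware."""
    policies = {
        "4-digit PIN": keyspace(4, 10),
        "8 lowercase letters": keyspace(8, 26),
        "12 mixed-case letters, digits and symbols": keyspace(12, 95),
    }
    return {name: expected_crack_seconds(space, guesses_per_second)
            for name, space in policies.items()}


if __name__ == "__main__":
    # A user picks "1357"; the disk may be AES-256 encrypted, yet the key
    # falls to exhaustive search of the PIN in well under a second.
    stolen_key = derive_key("1357")
    print("recovered PIN:", crack_numeric_pin(stolen_key))
    for name, seconds in compare_policies().items():
        print(f"{name:45s} ~{seconds / 86400 / 365:.2e} years")
```

The comparison is the practical argument for the login policy items above: raising the KDF cost buys a constant factor, while each extra character class or character multiplies the keyspace, and neither helps if the device is never reported missing and the attacker has unlimited time with the image.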