Following up on my recent post (“Always-on access, brings always threatening security risks”) I’d like to continue the conversation and discuss other device settings that help prevent unauthorized information disclosure.
Many organizations overlook the risks posed by Bluetooth. The security of Bluetooth has been slowly increasing over the years. When it first appeared many devices had a hardcoded PIN of 000. The situation is slightly better now, but still few users change the vendor provider defaults. At the same time the capabilities and varieties of Bluetooth profiles have greatly increased leading to a number of potential risks that include using Bluetooth enabled devices as remote listening devices, for file transfers, and even for remote control of other functions. Companies should cover Bluetooth risks and acceptable profiles in security awareness training as well as AUPs.
One of the attractions of BYOD is that users often hope to escape the constraints of software provide by central IT departments and install a variety of applications that appear useful. Unfortunately, few users are likely to properly evaluate the risk of many popular phone or tablet apps. Increasingly apps for mobile devices are integrated with consumer grade cloud services. This integration provides convenience to the user because data may be seamlessly synchronized to various cloud storage services. But, the security controls may be inadequate to protect confidential information. As a side effect, companies may not be able to definitively determine where their data resides, or even delete the data if that becomes necessary.
Another problem associated with many mobile device apps is the geolocation and other user data collected that may be inadvertently shared with third parties. Many large financial service companies have detailed policies about what information may shared via social media, because too much information disclosure may create a security risk, or even create regulatory violations. Apps that seamless collect data and post it may cause unauthorized information disclosures without an employee even realizing the information has been shared with third parties.
Mobile devices and especially BYOD can potentially greatly increase the costs and risks associated with eDiscovery. Mobile device eDiscovery may include a variety of services and data. The services or data may include: email, text messages, call records, locations visited, locally stored data, data stored in the cloud, photos, web sites visited, and recorded conversations.
Lacking sufficient policies and signed forms, employees could seek damages for loss of personal data if the company deletes personal data stored on the device, or due to claims of repetitive stress injuries.
Companies should educate employees about the risks associated with and the acceptable uses of mobile devices, including BYOD devices. To address the risks SMBs should create policies, and where possible implement technical controls.
Companies should require employees to sign forms that acknowledge documented acceptable use practices, absolve the company of liabilities, and require the employee to notify the company in the event of device loss or disposal.
Companies should prohibit the use of:
– Jailbroken or rooted devices
– Operating systems and applications with known unpatched security vulnerabilities
– Public wireless networks without using a VPN
– Devices that do not require the use of a PIN or passphrase to gain access to applications
– Apps that require too broad a set of permissions
– Unapproved apps or app sources
– Devices that cannot be remotely wiped by the business
– Sharing of the device
– Unapproved cloud storage of company data
– Unapproved Bluetooth profiles
Companies should implement technical controls that provide:
– The requirement to use a PIN or passphrase to use the device
– The ability to remotely wipe the device
– Mobile Device Management that provides virtualization or sandboxing of corporate data and apps
– The ability to blacklist or whitelist specific applications
– The ability to prevent the use of a jailbroken or rooted device
– VPN access if access to the corporate network will be provided
– Network segregation of on-premise wireless networks
Paul Hill has worked with SystemExperts as a principal project consultant for more than twelve years assisting on a wide range of challenging projects across a variety of industries including higher education, legal, and financial services. He joined SystemExperts full time in March 2012 and coordinates the SMARTday practice.