Users should encrypt mobile data to avoid falling foul
of data protection legislation, according to a report on mobile
security from analyst firm Burton Group.
Analyst Michael Disabato said encryption is the one foolproof
method of protecting the contents of a disc drive or personal
digital assistant, provided a strong, proven encryption algorithm
is used and weak pass phrases or keys are avoided.
He said the built-in Encrypted File System for Windows and the File
Vault for Mac OS X mean users have little excuse for not
encrypting laptop data. He said utilities are also available to
encrypt the contents of PDAs without user intervention and these
should be used as well.
The report advised companies to use recovery keys. Burton Group
said these could then be made available in the event of a user
losing their encryption keys or leaving the company without
revealing the encryption keys.
Along with protecting data, Disabato urged IT directors to
lock down mobile devices for security. In the report he pointed out
that a number of wireless hotspots assign public IP addresses to
users' machines when they connect, rather than using the more
secure Network Address Translation protocol. He said these
addresses are regularly scanned by hackers for vulnerable devices
that can be infected with viruses or Trojan programs.
Disabato also warned that Windows XP has connection sharing enabled
by default, which means it will connect with any wireless network
it can find.
"This opens up a serious security hole, as most new laptops come
with built-in wireless technologies (Bluetooth, 802.11), and any
nearby wireless device can now access enterprise networks through
the mobile device or the contents of the mobile device itself," the
report said.
But although mobile technology can be made more secure, Disabato
said the weakest link in the security chain was the user. The
report said users would view security measures as an inconvenience
rather than a protection.
Disabato said policies should be developed that cover mobile
communications and computing.

What to include in a mobile use policy

- Wireless LAN usage, including public hotspots, home networks,
and the enterprise network
- Cellular data and voice network usage. The largest security
risk is the discussion of confidential information in a public
place
- Reporting mobile loss or theft
- Approved connection types
- Authentication credentials
- Information authorised for storage on mobile devices - keep in
mind the varying capabilities for encryption on each device
type
- Acceptable use of the network
- Enforcement consequences
- Notification of human resources and IT when personnel leave the
company or change function.
Source: Burton Group