Whatever else you do, "Assume your smartphone will be lost or stolen and plan accordingly," says David Porter, head of security and risk at Detica consultancy.
"I see far more careless people losing their phones than identity thieves out on smartphone raids. People need to guard their smartphones as they do any other valuable possession, such as their wallet or handbag," he says.
In the future we may have to worry more about malware on mobile phones and PDAs, explains Eric Domage, research manager for security products and services at analyst IDG, but we do not yet know what impact it will have. "But loss and theft are happening now."
Furthermore, criminals are increasingly targeting specific organisations, he says. During the burglary in March of Eiffage BTP's offices in Haut-du-Lièvre, four laptops containing plans to the new Maxéville prison were stolen from the offices, while no other computers or businesses in the same building were touched.
"We have been giving users new productivity tools which are normally mobile, but the basic, basic, danger is theft or loss," he says, and stresses that it is not complicated. "Data protection is encryption, and basic encryption is free."
Encryption
He adds that not encrypting a mobile tool could be seen as dereliction of duty. "People who do not encrypt are now liable," he says.
Domage is not aware of cases where failure to encrypt has resulted in a jail sentence, but he says it is a possibility in the United States, and is probably coming to the UK and the rest of Europe.
Encryption should, therefore, be a matter of enterprise policy, and that policy should extend such that, "Any additional memory chips should also be encrypted, not just the phone's main internal memory. Subscriber Identity Modules (Sims) should be protected with a password and the phone with another, and these passwords should be extremely hard to guess and changed every month, every week or even every day, depending on how valuable the data is. The phone should also be made to self-lock within 30 seconds of non-usage," says Porter.
To ensure such a policy is followed, Domage advocates smartphones with out-of-the-box encryption and centralised control that dictates allowed Wi-Fi connections, enforces virtual private network use, and manages updates.
Bluetooth
He also suggests that Bluetooth is disabled because its relevance to business operations is marginal, but it opens an attack channel that is sometimes exploited, albeit rarely.
Nevertheless, in the future securing smartphones is likely to become more complicated. And despite the failure of anybody to collect the $10,000 prize at a recent smartphone hacking fest (PWN2OWN), the number of mobile platforms continues to grow with Android, Apple mobile OS, Symbian OS, Windows Mobile, and Palm, which serves to broaden the target.
A smartphone is just a PC in the pocket, but one we will not do without, almost regardless of risk.
"Information security professionals need to plan how to accommodate a new generation of hyper-connected employees using smartphones. It is no longer viable for security professionals to deal with the threats by banning use of mobile internet phones," says John Colley, managing director for EMEA at (ISC)2.
Smart phone security guide
● Encrypt data and communications.
● Password protect wherever possible.
● Do not store confidential material on the phone, but on a remote server.
● Do not install untrusted software.
● Do not browse unknown sites or open attachments from strangers.
● Deactivate unused connections such as Wi-Fi and Bluetooth.
● Assign an ID number to each mobile device and keep track of who is using it.
● Use a "Lock and Wipe" service that prevents the device from being used when lost or stolen.
● Make sure your mobile devices and data are covered by insurance.
● Train your staff to use these devices and understand the security issues.
● Draw up an "acceptable use" policy and ask users to confirm their understanding.
● Do not allow mobile devices to have access to sensitive corporate data without strong security measures (virtual private networks, authentication and encryption).
● Check your data allowance and infrastructure can handle the likely increase in traffic mobility will bring.
● Channel e-mail through existing content filters and manage e-mail security at the gateway.
● Use malware detection.
● Personalise phones to detect any quick handset swapping.
● Ban phones from sensitive meetings, or remove batteries to guarantee the phone is off.
● Never let your phone out of your sight.