www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
26 December 2005  
Mobile security

Securing mobile devices

Organisations should secure mobile devices on a priority basis. This is especially the case when these are used by top management, writes Vishal Jain.



Vishal Jain

As more and more business processes become IT-enabled, threats to information processing systems are also increasing exponentially. Business is on the move, and corporate personnel are constantly generating data every minute. Corporate organisations are providing their staff with portable computers and smart gadgets such as PDAs and smartphones.

Organisations are investing a considerable part of their IT budget in securing the information and information assets on their wired network, but neglecting to neutralise the security threats posed by handheld devices. Research conducted by a leading firm reported that mobile devices are the new frontier for viruses, spam and other potential security threats.

Considering the growing involvement of handheld devices in day-to-day operations and the easy availability of information on the security lapses of these devices, organisations should act immediately to secure this family of smartphones. It is universally accepted that an organisation’s information security is only as good as its weakest link. Currently, these devices are mainly used for small data transfers such as e-mail, sales figure uploads and basic statistical analysis, but they may have a high impact if they store strategic content. A recent Mobile Usage Survey discovered that almost 30 percent of users store their PINs, passwords and other business-critical information on their handheld devices without enabling the basic security features present on the system. It was also observed that theft or loss of these devices has increased in the last couple of years. Therefore, no matter how robust an organisation’s security architecture is, it may be highly vulnerable when accessed by unprotected smart gadgets.

Mobile devices pose unique security challenges. The key threats arise from theft or loss, improper usage, malicious software and hacking. Today, organisations should treat mobile devices as one of their important assets, especially when these are used by their top management.

The Ten Commandments of mobile security

From a CIO’s perspective, these ensure reasonable security on mobile devices.

  • Classifying mobile devices as higher-grade assets and implementing strong asset management
  • Performing a risk assessment exercise that identifies the various security risks due to mobile devices, and designing a risk-based architecture for the mobile device network
  • Formulating policies and procedures for mobile device security
  • Configuring the best feasible power-on authentication
  • Implementing security solutions for encrypting information stored on external storage cards
  • Installing anti-virus solutions on all mobile devices and configuring them for regular updates with the latest virus definitions and security updates
  • Evaluating and configuring solutions for secure access to the corporate network, such as mobile VPNs
  • Developing minimum baseline security standards for each type of mobile device
  • Performing regular reviews and security audits of mobile devices
  • Creating awareness on the usage of mobile devices, and educating users about the different security threats and the security features provided by these devices.

The foundation of mobile device security

Though 100 percent assured protection from security breaches may not be achievable, reasonable security can be established by designing controls from three aspects: the security of the device, that of the information stored on it, and the transmission of data when connected to a network or another device.

Before designing security controls, it is important to assess the total cost of ownership for implementing the controls. It is advisable to perform a risk assessment exercise to prioritise the implementation of the security controls.

The concern for security flows from the top of an organisation, which holds true especially where mobile devices are provided to senior management. CXOs are responsible for ensuring that security is imbibed in their business operations. This can be initiated by defining strong policies and procedures catering to the security of mobile devices. The policy should address the security risks posed by mobile devices, and the procedures should guide users on the ‘Dos & Don’ts’ of using handheld devices.

Formulating policies and procedures is half the battle won. The most important part is to create awareness among users about the impact on the business or operations of the various security threats posed by these devices. Awareness should also include educating users on the corporate policies and procedures formulated for the usage of handheld devices and their security features.


So far, we have discussed building the foundation from the people and process perspective. However, it is equally important to know that there are technical solutions for implementing certain key security controls.

Handheld devices should be protected through power-on passwords. Some mobile devices are equipped with biometric authentication, which prevents unauthorised access in case of theft or loss. Other methods are token-based or smart card-based authentication.

One of the key security risks posed by mobile devices is access to sensitive information, especially when it is stored on a detachable storage card such as an MMC or SD card. The first and foremost way to protect data on these cards is to encrypt it. Further, information stored on external storage cards should be held on a ‘need-to-know’ basis. There are also ways to make a lost device lock itself or destroy its data when it receives a special message. Some mobile devices have high-powered processors that support 128-bit encryption.
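The ‘special message’ that locks or wipes a lost device is itself a control that must be protected: if the handset acted on any message carrying the right keyword, anyone who learnt the format could wipe a device or, worse, an attacker could replay a genuine command. The following device-side verifier is an added example (not code from the article or any vendor); it assumes a hypothetical per-device secret shared with the management server at enrolment, and rejects forged, tampered, stale and replayed commands.

```python
import hashlib
import hmac

# Constructed value standing in for the per-device secret that a management
# server would provision at enrolment (hypothetical scheme, not a vendor API).
DEVICE_SECRET = b"constructed-per-device-secret"


def build_command(secret, action, counter, ts):
    """Server side: sign 'action|counter|ts' with HMAC-SHA256 and append the tag."""
    body = f"{action}|{counter}|{ts}"
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


class RemoteCommandVerifier:
    """Device side: accept a lock/wipe command only if it is authentic,
    fresh and has not been seen before."""

    def __init__(self, secret, max_skew=300):
        self.secret = secret
        self.max_skew = max_skew      # seconds of clock drift tolerated
        self.last_counter = 0         # highest counter accepted so far

    def verify(self, message, now):
        """Return 'lock' or 'wipe' if the message is valid, else None."""
        parts = message.split("|")
        if len(parts) != 4:
            return None
        action, counter, ts, tag = parts
        if action not in ("lock", "wipe") or not (counter.isdigit() and ts.isdigit()):
            return None
        counter, ts = int(counter), int(ts)
        if counter <= self.last_counter:             # replay of an old command
            return None
        if abs(now - ts) > self.max_skew:            # stale or future-dated
            return None
        body = f"{action}|{counter}|{ts}"
        expected = hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):   # forged or tampered
            return None
        self.last_counter = counter                  # commit only after all checks
        return action
```

Because the tag covers the action, counter and timestamp together, turning a signed ‘lock’ into a ‘wipe’ or re-sending an old command both fail verification.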

Locking down Bluetooth

Almost all mobile devices and smartphones are equipped with Bluetooth, another technology used for data transfer. Though it is considered secure because it has strong authentication, authorisation and encryption controls, it can cause unavailability of services or loss of data if not used in a secure manner.

Some tips on securing Bluetooth devices

  • Enable Bluetooth services only when required
  • Configure the Bluetooth device in ‘undiscoverable’ mode, so that the device is not listed in the search results of other Bluetooth devices
  • Use six- to eight-digit numeric or alphanumeric passwords (wherever supported) for pairing
  • Do not pair with unknown devices, especially in public locations
  • Do not accept files or messages from an unknown device, as these can carry a dangerous virus or worm, e.g. Cabir
  • Ensure that the Bluetooth display name of the mobile device does not reveal your identity
  • Install security updates and anti-virus solutions from leading vendors
  • Unpair a device from your mobile device if that device is stolen

The third most important aspect is to protect information in transit from sniffing and spoofing. The transmission of data from handheld devices to corporate networks, whether over the corporate Wi-Fi network or a third-party network, should be encrypted using strong algorithms. For example, in most smartphones the transfer of mail is encrypted at the application layer between the client installed on the mobile device and the server for mobile devices. Therefore, the ‘end-to-end’ security in these cases does not include encryption of e-mail beyond the server for mobile devices. The transfer of e-mail beyond that server becomes critical, especially if the corporate mail server is hosted on the telecom service provider’s network. In this case, encryption at the network layer, such as IPSec, should be implemented.
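The point above is easy to get wrong during a review: ‘encrypted’ on a diagram usually means encrypted on some segments, not on every hop. The small model below is an added example (not from the article) that takes a path and a list of protections, each scoped to the two points it actually runs between, and reports the hops left in the clear; the path names and tunnels are constructed to match the mail scenario described.

```python
# Each protection is a tunnel (start, end, layer) between two named points on
# the path.  A hop is protected only if some tunnel spans both of its ends;
# protection does not "leak" past the point where the tunnel terminates.
def unprotected_hops(path, tunnels):
    """Return the hops (a, b) of `path` that no tunnel in `tunnels` covers."""
    position = {node: i for i, node in enumerate(path)}
    exposed = []
    for a, b in zip(path, path[1:]):
        covered = any(
            start in position and end in position
            and position[start] <= position[a] and position[b] <= position[end]
            for start, end, _layer in tunnels
        )
        if not covered:
            exposed.append((a, b))
    return exposed


# Constructed path: handheld -> carrier network -> server for mobile devices
# -> corporate mail server hosted on the telecom provider's network.
MAIL_PATH = ["handheld", "carrier network", "mobile server", "mail server"]

# Case 1: only the application-layer mail encryption between the handheld
# client and the server for mobile devices, as the article describes.
APP_LAYER_ONLY = [("handheld", "mobile server", "application-layer mail encryption")]

# Case 2: the same, plus the IPSec tunnel the article recommends from the
# mobile server onward to the mail server.
WITH_IPSEC = APP_LAYER_ONLY + [("mobile server", "mail server", "IPSec")]
```

With APP_LAYER_ONLY the function reports the mobile-server-to-mail-server hop as exposed; adding the IPSec tunnel closes it, and an empty tunnel list exposes every hop.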

Apart from the security practices mentioned earlier, one of the biggest threats to mobile devices is viruses and other malicious software. Vendors of these mobile devices are making constant efforts to develop security solutions. It is therefore advisable to install anti-virus solutions and keep them constantly updated with the latest virus definitions and security updates.

Considering all these aspects, the best thing from an organisation’s perspective is not a technology solution but the awareness of its personnel about secure usage.

The author is Senior Consultant, Ernst & Young. He can be reached at vishal.jain@in.ey.com

© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.