When smartphones first emerged many IT organizations didn't recognize the risk they posed. That changed rapidly, of course, and today these devices are changing the risk profile for organizations because they introduce threats to sensitive company information.
Faced with the realities of the consumerization of IT, many organizations feel pressured to increase their support and management of consumer mobile devices. At the same time, IT and information security organizations are responsible for providing acceptable levels of data protection and enterprise security. It's a tall order to meet user demand for the devices while still maintaining an adequate security posture.
Recently viaForensics, researchers and practitioners in mobile forensics and security, published an in-depth analysis of the risks mobile devices pose in their report, "Mobile Security Risk Report - Understanding the security impact of iOS and Android in the enterprise." What sets this report apart is the research is based on forensic analysis of what's actually on the devices. The viaForensics team uncovers information that would be overlooked by common mobile device management (MDM) tools.
THE BYOD STRUGGLE: From writing custom apps to defining security
The report provides forensic insight on mobile device threats, data exposure risk and the benefits of most common security measures for these consumer platforms. Furthermore, viaForensics examines enterprise security questions, such as whether popular platforms (iOS and Android) are secure enough for enterprise use and how these platforms compare to the commonly used BlackBerry platform. The report addresses other questions that nag InfoSec specialists, such as: Can passcode security be broken, and if so, how? What does data encryption really accomplish? How secure are devices from malware threats?
From a risk/threat perspective, the authors present device and organizational risks and their likelihood in a way that gets the attention of both the less technical manager and a mobile security administrator. For the less technical, the report outlines in easy to understand language the risks associated with the popular mobile device platforms, the likelihood of occurrence, and recommendations for remediation.
For the more technical professional, the report describes in relative technical detail the specific risks posed, how the devices can be compromised using varying techniques, and how to remediate the risks where possible. For example, there are discussions on the iOS Keychain, the central database in iOS where credentials and sensitive data are stored, which can be broken into to retrieve data stored on the device. Also covered is how to extract or recover data on an Android device using either logical or physical imaging processes. The logical image can be used to recover allocated data on the device, whereas a physical image will recover both allocated and unallocated (deleted) data.
The following is an excerpt of numerous recommendations designed to reduce the overall risk posed by mobile devices in a security-conscious enterprise environment:
• Enforce strong security on mobile devices to the extent supported by the platform. Require alphanumeric passcodes, limit failed passcode attempts and require encryption. When using MS EAS, do not enable "Allow non-provisionable devices," so that only devices respecting the security controls will sync. Consider MDM systems for provisioning and management, recognizing that device data security may not be significantly enhanced by the MDM software.
• Reduce the amount of data stored on mobile devices. Limit email storage to only a few days, restrict downloads of attachments and only provide mobile access to employees with actual need. Users should be made aware that highly sensitive corporate data generally do not belong in email, especially if that email will exist on mobile devices.
• Implement clear and strong terms of acceptable use and legal protections. From a security standpoint, ideally corporations should own any mobile devices that are syncing corporate data. If devices are employee-owned, policies should clearly empower the corporation to acquire, audit and investigate the employee device (including personal data). Employees should not be allowed to back up corporate data on personal computers or cloud storage.
• Implement procedure for "secure delete." Significantly reduce the amount of data that can be recovered from memory by wiping unallocated space on the device on a regular schedule. Although NAND lifespan may be reduced, it is unlikely to impact function during useful life of the device.
• Manage Wi-Fi connectivity. Although incredibly convenient for use of Web and apps, Wi-Fi introduces significant security risk due to man-in-the-middle and other network attacks. If platform or MDM software allows restrictions of Wi-Fi access points, this would mitigate much of the network security risk -- admittedly with a trade-off in data download speeds (and cost).
There's much more free information from the viaForensics report on the company's website. The full report with very in-depth insight can be purchased from viaForensics. Get further information at https://viaforensics.com/products/mobile-security-risk-report/.
Brian Musthaler is a principal consultant with Essential Solutions Corporation. You can write to him at Bmusthaler@essential-iws.com.
About Essential Solutions Corp:
Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.