Endpoint security: managing enterprise smartphone risk

Almost by the day, enterprises are becoming more receptive to the consumerisation of IT and introduction of mobile devices and platforms into their environment.

Introducing smartphones, netbooks or newer technologies such as the iPad and e-readers can pose security issues to an organisation -- and to any customer or business whose data is held on the devices.

Threats such as Trojans and drive-by downloads that exploit unpatched vulnerabilities in software installed on an endpoint, rogue security applications, spyware, botnets, worms, viruses and phishing attempts apply as much, if not more so, to consumer devices as to office-bound PCs.

And once commercial data makes its way onto an employee's device, which is often unmanaged, the enterprise can no longer control its spread or usage.

"Additionally, consumer platforms such as Mac and iPhone are becoming an increasingly attractive target to attackers due to their explosive growth -- the more there are out there, the more potentially unprotected endpoints there are to attack," regional product management manager APAC and Japan at Symantec, Josh Simmons, says.

IT managers must also bear in mind that while employee devices perform a dual role -- as a personal device and a company device -- the protection of any organisational data held on the devices is totally up to the company, says senior marketing manager for Websense, David Brophy.

"Organisations must not only bear the expense of fines and remediation if they suffer a data loss, they also risk the resulting loss of shareholder and customer confidence," he says. "This can have an adverse impact on reputation, brand, stock value, and even the potential for criminal prosecution against company executives.

"It doesn't matter whether breaches are accidental or deliberate; what matters is that the organisation is seen to have failed in its responsibility to care for personal and confidential information."

It's pretty clear that consumer IT in the enterprise is risky, but if banning or limiting devices isn't an option, what can you do?

To begin managing the risks of consumer IT, Gartner Research vice president Leslie Fiering suggests starting by reassessing security policies: when an employee-owned device attaches to the enterprise network, the policy's assumption should be that the device is "hostile until proved otherwise".

"The response must be a series of network access controls (NACs) that include strong authentication, and scan and block functionality, as well as network behaviour analysis," she says. "A variety of methods can be used to identify specific devices, their physical and virtual locations, and their usage history."

Such device 'fingerprinting' can help organisations determine whether a user is connecting from a managed company device, from a personal device that has been registered with the organisation's technical support group, or from a completely unknown system such as a kiosk in a coffee shop. Further tests can also determine the security posture of the device, and whether it has been recently scanned for malicious software.

Designing a robust, scalable and secure remote-access strategy is the next step. In essence, if a device does not conform to the policy, it is quarantined to a protected part of the network for remediation.

IT managers should also consider multiple levels of access based on trust, bearing in mind that unmanaged and uncontrolled platforms are more likely to contain keystroke monitors, worms, remote-access Trojans and other malware than managed platforms.

After that, establish application and data requirements that weigh application delivery and remote access against the trust level of the target PC to determine the level of data leakage risk.

You should also isolate the enterprise's digital assets from whatever other applications and data are on the employee-owned device, further protecting enterprise or customer data and intellectual property.

"Ideally, there is absolutely zero data leakage between corporate-and personal-owned devices," Fiering says. "This means that malware on the employee's system cannot get to the enterprise data and applications, and the enterprise data cannot be copied onto the user's system or an external medium. It is also critical that whatever enterprise digital information resides or runs on the employee-owned system can be totally removed without leaving any traces, such as temporary files."
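The steps above (hostile-by-default policy, device identification, posture checks, quarantine for non-conforming devices, and tiered access based on trust) can be expressed as a single access decision. The following is an added example written for this article, not code from Gartner or from any product mentioned on the page; the tier names, resource lists, minimum OS versions, scan-age limit and the sample devices are all assumptions constructed for illustration.

```python
"""Added example: a 'hostile until proved otherwise' network access decision.

Trust starts at QUARANTINE and is raised only by positive evidence: strong
authentication, a clean posture check, and either an enterprise-issued device
certificate (managed) or BYOD registration with the support desk.  All
thresholds and resource names below are assumed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional, Tuple


class Tier(Enum):
    QUARANTINE = 0  # remediation segment only: patch and scan portal
    RESTRICTED = 1  # registered personal device: mail and web apps via gateway
    FULL = 2        # managed company device with clean posture


# Resources each tier may reach (assumed names, not from the article).
ALLOWED = {
    Tier.QUARANTINE: ["remediation-portal"],
    Tier.RESTRICTED: ["remediation-portal", "webmail", "intranet-web"],
    Tier.FULL: ["remediation-portal", "webmail", "intranet-web",
                "file-shares", "erp"],
}

# Minimum OS version per platform and maximum age of the last malware scan.
# These are assumed policy values, not vendor guidance.
MIN_OS = {"iphone": (3, 1), "android": (2, 1), "windows": (6, 1)}
MAX_SCAN_AGE = timedelta(days=7)


@dataclass
class Device:
    device_id: str
    platform: str
    os_version: tuple
    strong_auth_ok: bool             # user passed strong (two-factor) auth
    managed_cert: bool               # enterprise-issued device certificate
    registered_personal: bool        # BYOD enrolled with the support desk
    last_malware_scan: Optional[datetime]


def fmt(ver: tuple) -> str:
    return ".".join(str(p) for p in ver)


def posture_failures(dev: Device, now: datetime) -> List[str]:
    """Return the reasons a device fails posture; an empty list means clean."""
    failures = []
    floor = MIN_OS.get(dev.platform)
    if floor is None:
        failures.append("unknown platform %r" % dev.platform)
    elif dev.os_version < floor:
        failures.append("os %s below minimum %s" % (fmt(dev.os_version), fmt(floor)))
    if dev.last_malware_scan is None:
        failures.append("never scanned")
    elif now - dev.last_malware_scan > MAX_SCAN_AGE:
        failures.append("malware scan older than %d days" % MAX_SCAN_AGE.days)
    return failures


def decide(dev: Device, now: datetime) -> Tuple[Tier, List[str]]:
    """Map a connecting device to a trust tier plus the reasons for it."""
    if not dev.strong_auth_ok:
        return Tier.QUARANTINE, ["strong authentication failed"]
    failures = posture_failures(dev, now)
    if failures:
        return Tier.QUARANTINE, failures          # quarantine for remediation
    if dev.managed_cert:
        return Tier.FULL, []
    if dev.registered_personal:
        return Tier.RESTRICTED, ["unmanaged device: gateway access only"]
    return Tier.QUARANTINE, ["unknown device: neither managed nor registered"]


def allowed_resources(dev: Device, now: datetime) -> List[str]:
    tier, _ = decide(dev, now)
    return ALLOWED[tier]


# Constructed sample devices: a managed laptop, a registered personal iPhone
# on a current OS, a registered iPhone on an old OS, an unknown kiosk with
# no scan history, and a managed laptop whose last scan is too old.
NOW = datetime(2010, 4, 15, tzinfo=timezone.utc)
SAMPLE = [
    Device("corp-laptop-01", "windows", (6, 1), True, True, False, NOW - timedelta(days=1)),
    Device("byod-iphone-3gs", "iphone", (3, 1, 3), True, False, True, NOW - timedelta(days=2)),
    Device("byod-iphone-2g", "iphone", (3, 0), True, False, True, NOW - timedelta(days=2)),
    Device("cafe-kiosk", "windows", (6, 1), True, False, False, None),
    Device("corp-laptop-stale", "windows", (6, 1), True, True, False, NOW - timedelta(days=30)),
]

if __name__ == "__main__":
    for dev in SAMPLE:
        tier, reasons = decide(dev, NOW)
        print("%-18s %-11s %s" % (dev.device_id, tier.name, "; ".join(reasons) or "clean"))
```

The order of the checks is the point: authentication and posture are evaluated before the device's ownership is even considered, so a managed laptop with a stale scan lands in quarantine just as an unknown kiosk does, and a registered personal device never gets past the gateway tier regardless of how clean it looks.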

Many Trojans doing the rounds are designed to bypass endpoint protection software, and head of security practice at BT Australia, Harry Archer, also stresses the importance of behaviour analysis techniques and strong policies. "Having [endpoint security] software is not in itself effective," he says. "It has to be controlled by security policies and combined with centralised management, with security monitoring, including auditing of the devices. Endpoint devices need to be protected with tamper-proof security agents."

Managing director at Sybase ANZ, Dereck Daymond, says there are four areas every organisation should assess: how to deny access to unauthorised users; how to manage the loss of a device containing company data; how to remove corporate data from a personal device when an employee leaves the organisation; and how to protect confidential data from prying eyes.

"For starters, establish a mandatory security policy requiring employees to set a strong password on their mobile device and to change it every three to six months," he says. "Mobile management systems can help IT administrators enforce such policies automatically, without the need for user involvement.

"You'll also need mobile management software offering remote lock and remote wipe capabilities enabling administrators to temporarily 'freeze' a device that may simply have been misplaced or remotely erase data from a lost or stolen mobile device... or when an employee leaves the company."

The development of a clearly stated Acceptable Use Policy (AUP) that spells out what information is made available to whom and when, and that is made known to all employees, is also a good step to take, says vice president APAC for M86 Security, Jeremy Hulse.

"Information should only be accessible to those who need it. There should be different levels of information protection in place and verification systems for those accessing the data. Critical information should also be encrypted to limit its chances of falling into the wrong hands," Hulse says.

"This is an issue that needs to be closely considered in small and medium enterprise in particular. In such businesses, more trust is placed with employees and there is a tendency for employers to consider protection of data as a secondary priority."

IBRS advisor James Turner adds that while endpoint security threats are evolving, maintaining tight standard operating environments (SOEs), anti-malware clients, whitelists and greylists are good habits; however, organisations must also focus on what they're doing with their applications.

"The more they can secure those -- with secure coding and authentication -- then they can start streaming that as a Web service or as something that synchronises with a client on a smartphone," he says. "Focus on what the users are doing, rather than what they're doing it on."

The smartphone dilemma

Love it or hate it, no look at consumer IT security would be complete without a look at that ubiquitous device, the iPhone.

Gartner analyst John Girard says that while the iPhone has an improving security architecture, it is still incomplete: first-, second- and third-generation iPhones are vulnerable to 'jailbreaking' (unlocking the iPhone and disabling Apple's policy controls) and to the recovery of system and application data.

As a result, he recommends that first- and second-generation iPhones be phased out and subjected to a comprehensive data wipe. Companies should also implement version checks to prevent users from enrolling older models on business email servers and networks.

iPhone 3GS devices bearing company information should be placed under policy management to enforce basic security protections, and you should also use content monitoring and filtering to avoid sending data to iPhones that might cause unnecessary risks.

However, head of technology at Sophos APAC, Paul Ducklin, says the issue of security on the iPhone, as well as Android-based smartphones, is complex as the devices can be viewed as both secure and insecure.

"Both of these use a 'closed-market' model, meaning that it is harder to get malicious or unwanted apps approved for sale, which increases security somewhat," he says. "On the other hand, it makes it very difficult for independent software vendors to produce security products as innovative as those which exist for Windows and Linux."

Ducklin adds that a core problem with consumer IT devices is that security isn't necessarily a key consideration when the devices are designed.

"Every iPhone shipped, for instance, has the same, easily-guessed and very widely-known, password for its root and user accounts -- 'alpine'," he says. "Apple explain this away by saying that local logins are not available on the device, so the root password is something of an irrelevance. But if it is an irrelevance, why not set it randomly and unguessable on every device, just in case?"

Sybase's Daymond adds: "Often it's the most senior level of management which wholeheartedly embraces the iPhone and that puts IT departments truly in the spotlight. We have been increasingly approached by IT managers whose CEO made the secure integration of their iPhone a personal request."

Product watch

What: Marshal EndPoint Security
Features: Offers visibility of portable device connections and file transfers, an audit trail of users and administrators, integration with Active Directory and a GUI designed for use by non-IT management, flexible exception management, 256-bit encryption and single-window administration. Also prevents file transfers to or from unauthorised portable devices, automatically encrypts data copied to approved devices, and claims to mitigate productivity distractions, legal liability and inappropriate content.
Where: www.m86security.com/products

What: Sybase Afaria
Features: Promises to manage and secure critical enterprise data, mobile applications and devices. Data and content can be backed up and can be deleted if a device is lost or stolen. Sensitive data on devices is encrypted, and security policies are centrally enforced. IT can deliver fixes, upgrades and refreshes to mobile users in the field, and add, update or remove applications, data and content without user involvement.
Where: www.sybase.com.au/products

What: Juniper Junos Pulse
Features: Offers a single, unified client for remote access, WAN acceleration and NAC. Enables secure access to corporate networked and cloud-based data and applications from mobile devices and smartphones. Enterprises and service providers can deploy granular role- and device-based security policies when provisioning mobile handset and device access. Based on industry standards and the open Trusted Network Connect (TNC) specifications.
Where: www.juniper.net/us/en/products-services/

What: Symantec Endpoint Protection 11.0
Features: Integrates antivirus, antispyware, firewall, intrusion prevention, and device and application control; requires a single agent managed by a single management console; enables NAC upgrade without additional software deployment for each endpoint. Claims to lower total cost of ownership for endpoint security.
Where: www.symantec.com/en/au/business/endpoint-protection

This story, "Endpoint security: managing enterprise smartphone risk" was originally published by Computerworld Australia .
