Mobile devices Prove to be a New Battleground in the Cybersecurity War

Larry Boettger / December 02, 2016

Mobile devices have become a prime target for cybercriminals. Attackers use them to reach sensitive data such as bank accounts[1] and health-care information[2], infect them with malware and ransomware[3], and abuse them for other nefarious activities. A compromised mobile device can also be used to bypass your firewall and other network controls and gain access to your organization's network.

It's important to include mobile devices in your cybersecurity program in order to ensure you have the appropriate preventive, detective and corrective controls to protect the confidentiality, integrity and availability of your critical systems, applications and data. After all, mobile devices are just handheld computer systems that can contain the same types of vulnerabilities, and sometimes have the same access to your internal network resources, as your standard-issue desktop or laptop. What makes them higher risk is that they are often mismanaged or ignored entirely, while desktops and laptops are not. If you prohibit employees from connecting their own computer systems to the internal network, why do you allow them to connect their phones? Allowing Bring Your Own Device (BYOD) without security often means you're BYOC (Bypassing Your Own Controls).
 

Where to Start

This document provides guidance to help you ask the right questions about your current or proposed use of mobile devices. Our goal is to help you securely enable your business to use them. It can be done, with the right planning.

The first step is to identify what your business needs are and how mobile devices fit into your business strategy. Some questions to ask:
 

  • Do workforce members use mobile devices to do their work (emailing and texting customers and business partners, writing documents, etc.)?

  • Does your organization allow the workforce to Bring Your Own Device (BYOD), or are devices furnished by the company?

  • Does your organization use or develop mobile applications to support the business?

  • Will mobile devices access or store confidential information?

  • Do mobile devices need direct access to your entire network to meet the business needs, or only to specific applications?

  • How do you ensure company and/or customer information is removed from a device when an employee leaves?

 

Governance, Risk and Compliance

Once you understand how mobile devices are used to support the business, it is critical to implement strategic and tactical Governance, Risk and Compliance (GRC) controls, including:
 

  • Policies and procedures related to:

    • Mobile device usage in your organization

    • Configuration baseline requirements for the devices (NIST SP 800-124 Revision 1 is a good resource[4] to help get started)

    • Incident handling and forensic practices in the event that a mobile device is compromised, lost or stolen (the SANS smartphone forensics poster is a useful resource[5])

    • If your organization develops or uses mobile applications, a procedure to validate that the code is secure (the OWASP Mobile Security Project is a good resource[6])

  • If you don't "own" the device, have employees sign an agreement that gives you the legal right to wipe company data from the device upon termination of employment.

  • Conducting workforce security awareness training that communicates your mobile device policies and procedures and shows users how to use their devices securely, both at work and in their personal activities

  • Conducting risk and vulnerability assessments and penetration testing of mobile devices on a regular basis to validate that they meet security best practices and compliance requirements

  • Ensuring that your annual audits (whether by internal audit or an outside third party) include mobile devices in scope, to validate that the mobile device cybersecurity program is effective

  • Investing in Mobile Device Management (MDM) technology to automate and centralize the controls that secure and monitor mobile devices, such as:

    • Configuring the security settings of the devices (passcode lock, storage encryption, disabling cloud data storage, etc.)

    • Remotely wiping a device when it is lost or stolen

    • Enforcing anti-malware
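As an added example (not code from the original post), the following Python script shows how the MDM controls above can be checked continuously rather than only at audit time: it reads a device inventory export, evaluates each record against a configuration baseline, and flags devices that need remediation or a remote wipe, including devices still enrolled to employees who have left. The export format, its field names, the baseline values and the four sample devices are all assumptions constructed for this example; a real MDM product exposes comparable data under its own field names.

```python
"""Baseline compliance check over a mobile device inventory export.

Added example, not from the original post. The JSON layout, field names and
baseline values below are assumptions for illustration.
"""
import json
from dataclasses import dataclass

# Hypothetical baseline. Values are illustrative, not taken from NIST SP 800-124.
BASELINE = {
    "min_passcode_length": 6,
    "min_os_version": {"ios": (12, 0), "android": (9, 0)},
    "require_encryption": True,
    "allow_cloud_backup": False,
    # Assumption: an anti-malware agent is required on Android only.
    "require_anti_malware": {"ios": False, "android": True},
    "max_checkin_age_days": 30,
}

# Constructed sample export (fictional devices) in the assumed format.
SAMPLE_EXPORT = json.dumps([
    {"device_id": "D-1001", "platform": "ios", "os_version": "14.2",
     "owner_status": "active", "passcode_enabled": True, "passcode_min_length": 6,
     "encryption_enabled": True, "cloud_backup_enabled": False,
     "anti_malware_installed": False, "jailbroken": False, "last_checkin_days": 2},
    {"device_id": "D-1002", "platform": "android", "os_version": "10.0",
     "owner_status": "active", "passcode_enabled": True, "passcode_min_length": 8,
     "encryption_enabled": True, "cloud_backup_enabled": True,
     "anti_malware_installed": True, "jailbroken": True, "last_checkin_days": 1},
    {"device_id": "D-1003", "platform": "ios", "os_version": "13.0",
     "owner_status": "terminated", "passcode_enabled": True, "passcode_min_length": 4,
     "encryption_enabled": True, "cloud_backup_enabled": False,
     "anti_malware_installed": False, "jailbroken": False, "last_checkin_days": 45},
    {"device_id": "D-1004", "platform": "android", "os_version": "8.1",
     "owner_status": "active", "passcode_enabled": False, "passcode_min_length": 0,
     "encryption_enabled": False, "cloud_backup_enabled": False,
     "anti_malware_installed": False, "jailbroken": False, "last_checkin_days": 5},
])


@dataclass
class Finding:
    device_id: str
    severity: str   # critical | high | medium | low
    detail: str


def parse_version(text):
    """'14.2' -> (14, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def check_device(dev, baseline=BASELINE):
    """Evaluate one inventory record; return findings in severity order."""
    did, plat, findings = dev["device_id"], dev["platform"], []
    if dev.get("jailbroken"):
        findings.append(Finding(did, "critical",
            "jailbroken/rooted: platform controls cannot be trusted; quarantine and wipe company data"))
    if dev.get("owner_status") == "terminated":
        findings.append(Finding(did, "critical",
            "owner has left but device is still enrolled; issue remote wipe and confirm completion"))
    if not dev.get("passcode_enabled") or dev.get("passcode_min_length", 0) < baseline["min_passcode_length"]:
        findings.append(Finding(did, "high",
            f"passcode missing or shorter than {baseline['min_passcode_length']} characters"))
    if baseline["require_encryption"] and not dev.get("encryption_enabled"):
        findings.append(Finding(did, "high", "storage encryption disabled"))
    if dev.get("cloud_backup_enabled") and not baseline["allow_cloud_backup"]:
        findings.append(Finding(did, "medium", "cloud backup enabled; company data may leave your control"))
    if baseline["require_anti_malware"].get(plat) and not dev.get("anti_malware_installed"):
        findings.append(Finding(did, "medium", "anti-malware agent not installed"))
    if parse_version(dev["os_version"]) < baseline["min_os_version"][plat]:
        findings.append(Finding(did, "medium", f"OS {dev['os_version']} below minimum supported version"))
    if dev.get("last_checkin_days", 0) > baseline["max_checkin_age_days"]:
        findings.append(Finding(did, "low", "no recent MDM check-in; policy may no longer be enforced"))
    return findings


def assess_inventory(export_json, baseline=BASELINE):
    """Map device_id -> list of findings for every record in the export."""
    return {d["device_id"]: check_device(d, baseline) for d in json.loads(export_json)}


def wipe_candidates(report):
    """Devices with a critical finding: the remote-wipe / quarantine queue."""
    return sorted(did for did, fs in report.items() if any(f.severity == "critical" for f in fs))


def summarize(report):
    """Count findings per severity for a dashboard or audit evidence."""
    counts = {}
    for fs in report.values():
        for f in fs:
            counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    report = assess_inventory(SAMPLE_EXPORT)
    for did, fs in report.items():
        print(did, "COMPLIANT" if not fs else "")
        for f in fs:
            print(f"   [{f.severity}] {f.detail}")
    print("wipe queue:", wipe_candidates(report), "| totals:", summarize(report))
```

Run on the constructed data, D-1001 is compliant, the rooted D-1002 and the former employee's D-1003 land in the wipe queue, and D-1004 shows how an unmanaged device fails several baseline items at once. The point is that the same rules run against every enrolled device on every export, which is what makes the MDM controls above verifiable rather than aspirational.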

 

Final Thoughts

Mobile devices have become just as important as computers for both business and personal use. Implementing and maintaining their security is possible, as long as they are included in your corporate cybersecurity program.

 


[1] The Wall Street Journal: Hackers Target Your Phone. http://www.wsj.com/articles/mobile-bank-heist-hackers-target-your-phone-1472119200

[2] Healthcare Informatics: Mobile Device Security Often the Weakest Link in Healthcare Security Chain. http://www.healthcare-informatics.com/news-item/mobile-device-security-often-weakest-link-healthcare-security-chain-study-finds

[3] CSO: Report: Smartphone Infection Rate Doubled in First Half of 2016. http://www.csoonline.com/article/3114687/mobile-security/report-smartphone-infection-rate-doubled-in-first-half-of-2016.html

[4] NIST SP 800-124 Revision 1: Guidelines for Managing the Security of Mobile Devices in the Enterprise. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-124r1.pdf

[5] SANS: Smartphone Forensics Poster. https://digital-forensics.sans.org/media/DFIR-Smartphone-Forensics-Poster.pdf

[6] OWASP Mobile Security Project. https://www.owasp.org/index.php/OWASP_Mobile_Security_Project

About the Author


Larry Boettger
Lead Security Consulting Engineer

Larry brings almost 20 years of technology and security experience. He has specialized in the healthcare, financial and retail (PCI) verticals, and has the breadth and depth of knowledge needed to provide end-to-end information security and privacy solutions to nearly any industry. Larry also brings 15+ years of experience with security and compliance work and with regulatory and industry audits for HIPAA, PCI, FFIEC, GLBA and SEC, as well as state privacy rules and regulations. He is a strong leader who has developed and managed technology and security programs for several large and complex organizations.
