Today, there are more mobile devices than people in the world. We connect everything to the internet.
With so many mobile devices, it is critical that we understand where and what they are and that we have the proper protection for all of them.
In this video, I cover those at the level you need for the CISSP exam.
Remember, the CISSP exam is a management-level exam, you need the right point of view to pass the exam.
You can get all my courses, free study materials, my free CISSP course and much more on https://thorteaches.com/
Transcript:
In this lecture, we’re going to talk about mobile security and when most people think mobile security, they think cell phones.
But it really is anything you can walk around with, anything we attach, that can be external USB drives, hard drives, tablets, CDs, laptops, anything that is mobile.
And obviously this also covers cell phones.
We have, over the last five to eight years, started to add so many more devices to our networks.
And I’m sure this is going to exponentially grow over the next coming years.
The more devices and the more different types of devices we connect, the more complex policies, procedures and standards we need.
We need to ensure that every device we have data on is secure to a point that makes sense for that device and the data.
Most of the internal threats we have are not from malicious people.
They either just don’t know any better or it’s just easier to do it this way.
It’s probably not going to hurt anything.
It’s probably not going to be found out.
So as much as we can, we need to be able to eliminate them, even having the option to try to take the shortcut.
I know of one breach where a guy just wanted to go outside to have a smoke.
He didn’t want to go through the access point, all the control, all that stuff.
It was just much easier to open the back door, go out and smoke and then close the door when he was done, he had been doing it for months.
But one night he forgot to close the door all the way.
He closed it, but he didn’t get that little snap when the lock actually closes, and with that door not being closed, someone was able to get into the building, effectively circumventing all our other security.
He wasn’t malicious.
He wasn’t an intentional, bad actor.
He was just lazy.
Another example that is maybe more appropriate to mobile security was a doctor that compromised Protected Health Information or PHI.
Being the good doctor that he was, he just wanted to check on some patient records and he did not have his laptop with him.
So on his phone, he configured an unsecure mail client.
He checked the patient record he needed and then went on with his day.
A couple weeks later, he did the same thing.
It was easy and he kept doing that.
After some months, the phone was stolen and all that patient information was still on the phone in the mail client.
Again, not a bad guy, just someone who found a loophole and used it because it was easier.
To help with both of these, we obviously need to do the proper training to raise the awareness of our users.
But part of our role is to make sure that those loopholes are closed.
We close the loopholes and then we give them the tools that they need. With the guy that wanted to go out and smoke, he probably just needs to follow protocol.
But with the doctor, what he really needed was a secure mail client on his phone.
And then maybe we need to ensure that the phone has full disk encryption and maybe remote wipe capabilities.
For all our mobile devices, we want to ensure that we have the policies, the procedures, and standards in place that we need so we can be as secure as we need to be.
On the technical side of things, we should lock down our USB ports, the CD drives, the network ports, our wireless devices and wireless networks, and disable autorun on any media that is attached to a laptop or any other portable device.
Wherever it is possible, we should have full disk encryption. If the device is stolen, the attacker really has no way of accessing our data, and on any device that holds sensitive data, where it is possible, we should have some sort of remote wipe capability.
Either we send the command to the device and the next time it is online, it wipes itself. Or if it has not been online for 10 or 20 or 30 days, it does a remote wipe on its own.
And yes, there are ways you can circumvent this.
There are with anything in IT security.
That’s not really the point.
The point is we have enough security to protect whatever we are protecting.
Most cell phones already have the remote wipe capability and it is pretty inexpensive to add it to laptops as well.
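The two remote-wipe triggers just described (a wipe command picked up at the device's next check-in, and a self-wipe when the device has been offline longer than policy allows) as a small added Python simulation. This is illustrative code written for this page, not code from the lecture or from any real MDM product; the `Device` record, the `server_queue` dictionary and the 30-day threshold are constructed assumptions, and the wipe itself only writes to a log.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed policy: a device that has not reached the MDM server for this
# long wipes itself without waiting for a command (the "dead man's switch").
OFFLINE_WIPE_AFTER = timedelta(days=30)


@dataclass
class Device:
    """Hypothetical state kept on one managed device."""
    device_id: str
    last_checkin: datetime          # last successful contact with the MDM server
    wipe_pending: bool = False      # a wipe command fetched from the server
    wiped: bool = False
    log: list = field(default_factory=list)

    def wipe(self, reason: str) -> None:
        # Stand-in for the platform's factory reset; here we only record it.
        self.wiped = True
        self.log.append(f"{self.device_id}: wiped ({reason})")


def queue_remote_wipe(server_queue: dict, device_id: str) -> None:
    """Administrator action on the server: queue a wipe for a lost device."""
    server_queue[device_id] = "wipe"


def on_checkin(device: Device, server_queue: dict, now: datetime) -> bool:
    """Trigger 1: the device comes online, fetches its pending command, runs it."""
    device.last_checkin = now
    if server_queue.pop(device.device_id, None) == "wipe":
        device.wipe_pending = True
    if device.wipe_pending and not device.wiped:
        device.wipe("remote command received at check-in")
    return device.wiped


def on_local_timer(device: Device, now: datetime) -> bool:
    """Trigger 2: runs on the device with no connectivity needed.
    Wipes once the device has been offline longer than OFFLINE_WIPE_AFTER."""
    offline_for = now - device.last_checkin
    if offline_for >= OFFLINE_WIPE_AFTER and not device.wiped:
        device.wipe(f"offline for {offline_for.days} days")
    return device.wiped


def scenario() -> dict:
    """Walk both triggers on constructed devices and return the outcomes."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    server_queue: dict = {}

    # Phone reported stolen on day 10; admin queues a wipe; phone checks in on day 11.
    phone = Device("phone-01", last_checkin=t0)
    timer_day10 = on_local_timer(phone, t0 + timedelta(days=10))   # not yet offline long enough
    queue_remote_wipe(server_queue, "phone-01")
    checkin_day11 = on_checkin(phone, server_queue, t0 + timedelta(days=11))

    # Laptop that never reconnects: the local timer takes care of it on day 30.
    laptop = Device("laptop-02", last_checkin=t0)
    timer_day29 = on_local_timer(laptop, t0 + timedelta(days=29))
    timer_day30 = on_local_timer(laptop, t0 + timedelta(days=30))

    return {
        "phone_wiped_by_timer_day10": timer_day10,
        "phone_wiped_at_checkin_day11": checkin_day11,
        "queue_empty_after_checkin": server_queue == {},
        "laptop_wiped_day29": timer_day29,
        "laptop_wiped_day30": timer_day30,
        "log": phone.log + laptop.log,
    }


if __name__ == "__main__":
    for line in scenario()["log"]:
        print(line)
```

The local timer is what makes the second trigger worth having: a thief who keeps the device in airplane mode never lets the queued command arrive, so the only wipe that can still happen is the one the device decides on by itself.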
For this, as anywhere else, we want our defense in depth, and user training and awareness is a huge part of that.
Cell phones are obviously the most common mobile device we use, and they are also the ones that get lost most often. Luckily, any current Android or iOS operating system will by default have full disk encryption.
I mean, it is possible to turn it off.
But why would you? Now, how our employees use their phones, or whether they lose them, is something we don't really have a lot of control over.
If it is their personal phone, all we can do is make sure that they don’t have any confidential or sensitive data on their phones.
What we can do something about is if we issue company phones.
Here, we have a lot more control.
And regardless of which type of phone it is, both private and company phones, we need to ensure that we have the good security standards in place that we need.
And here we are not talking about phones that they only use for private use.
These are phones that are used partially for private use and partially for company use, as well as phones that we have issued.
So for any of the phones that have some sort of company data on it, it doesn’t matter if it is confidential or not.
They should, at a minimum, have the ability to be remotely wiped.
They should be able to be tracked so we can find them.
They should have a lock screen that after a certain amount of minutes where the phone is not used, the screen locks.
And it should be set so that if you enter the wrong password too many times, the phone becomes a brick.
And if it is a company phone, we should also disable removable storage.
If we give our employees mobile devices and we are a small organization, it is possible we might just configure the phones by hand.
But as you know by now, anything that is done by hand is more susceptible to mistakes and omissions than anything that is automated.
This is the same reason we don’t harden our servers manually.
It should all be automated.
So when we start moving into the hundreds or thousands of devices, that automation should be in a centralized system, and that will be an MDM, a mobile device management system.
Using that, we can give every single phone a standard basic configuration that we know is secure.
And then on top of that, we can add to our group specific configurations.
So the server team might need access to certain things or the phone needs certain capabilities.
Well, then we add that to the server team profile.
We can also add application whitelisting or blacklisting.
Here, white listing is preferred because white listing is us saying only these applications are allowed.
If you try to install anything that is not on that specific list, you can’t install it.
Whereas a blacklist is us listing all the applications we don’t want installed, which is almost impossible to keep up with.
I mean, there are thousands of new applications every day.
We can also, with MDMs, add storage segmentation, we can add or remove remote access, we can push new configurations out, take backups of the device and so much more.
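An added Python example covering two points from this part of the lecture: the minimum phone settings listed earlier (remote wipe, tracking, screen-lock timeout, wipe after failed unlocks, removable storage off on company phones) and the MDM model of a standard base configuration with group profiles layered on top, including application whitelisting versus blacklisting. This is illustrative code written for this page, not an export from any real MDM; the `BASELINE` values, the `server-team` and `byod` groups and the package names are all constructed.

```python
from typing import Dict, List, Optional, Set

# Constructed baseline that every managed phone receives.
BASELINE: Dict[str, object] = {
    "remote_wipe": True,
    "location_tracking": True,
    "screen_lock_timeout_min": 5,       # lock after at most 5 idle minutes
    "wipe_after_failed_unlocks": 10,    # brick the phone after 10 wrong passwords
    "removable_storage": False,         # company phones: SD card / USB storage off
    "app_policy": "allowlist",          # "allowlist" (preferred) or "blocklist"
    "allowed_apps": {"com.example.mail", "com.example.vpn"},
    "blocked_apps": set(),
}

# Group-specific profiles layered on top of the baseline.
# None means "not enforced" (for personal phones we cannot dictate hardware use).
GROUP_PROFILES: Dict[str, Dict[str, object]] = {
    "server-team": {"allowed_apps": {"com.example.ssh"}},
    "byod": {"removable_storage": None},
}


def effective_profile(group: Optional[str]) -> Dict[str, object]:
    """Merge the baseline with a group profile; set-valued keys are unioned,
    scalar keys from the group profile override the baseline."""
    profile = {k: (set(v) if isinstance(v, set) else v) for k, v in BASELINE.items()}
    for key, value in GROUP_PROFILES.get(group or "", {}).items():
        if isinstance(value, set):
            profile[key] = set(profile.get(key, set())) | value
        else:
            profile[key] = value
    return profile


def app_install_allowed(profile: Dict[str, object], package: str) -> bool:
    """Allowlist: only listed packages pass. Blocklist: anything not yet
    listed passes, which is why a brand-new unknown app slips through."""
    if profile["app_policy"] == "allowlist":
        return package in profile["allowed_apps"]
    return package not in profile["blocked_apps"]


def compliance_findings(profile: Dict[str, object], reported: Dict[str, object]) -> List[str]:
    """Compare the settings a device reports against its effective profile."""
    findings: List[str] = []
    for key in ("remote_wipe", "location_tracking", "removable_storage"):
        want = profile[key]
        if want is None:
            continue                      # not enforced for this group
        if reported.get(key) != want:
            findings.append(f"{key} is {reported.get(key)}, must be {want}")

    timeout = reported.get("screen_lock_timeout_min")
    if timeout is None or timeout > profile["screen_lock_timeout_min"]:
        findings.append(f"screen lock timeout {timeout} exceeds {profile['screen_lock_timeout_min']} min")

    attempts = reported.get("wipe_after_failed_unlocks")
    if attempts is None or attempts > profile["wipe_after_failed_unlocks"]:
        findings.append(f"wipe after failed unlocks is {attempts}, must be <= {profile['wipe_after_failed_unlocks']}")

    for package in reported.get("installed_apps", []):
        if not app_install_allowed(profile, package):
            findings.append(f"unapproved app installed: {package}")
    return findings


# Constructed state reported by one company phone that has drifted from policy.
REPORTED_PHONE = {
    "remote_wipe": True,
    "location_tracking": True,
    "screen_lock_timeout_min": 15,
    "wipe_after_failed_unlocks": None,
    "removable_storage": True,
    "installed_apps": ["com.example.mail", "com.example.newgame"],
}

if __name__ == "__main__":
    for finding in compliance_findings(effective_profile(None), REPORTED_PHONE):
        print("FINDING:", finding)
```

Running it prints four findings for the constructed phone: removable storage on, a 15-minute lock timeout, no failed-unlock wipe, and one unapproved app. Switch `app_policy` to `"blocklist"` and the same unknown game is allowed because nobody has listed it yet, which is the point the lecture makes about blacklists being impossible to keep up with.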
Now, let’s say an employee leaves the company and they don’t bring their phone back.
Well, then we can either completely wipe it or we can just wipe the parts of the drive that we know contains company information.
It gives us that flexibility that we need to secure our company data.
And now a slightly controversial topic.
Since we monitor and manage their device, we can also see what traffic they use, where they are, which phone calls they make.
Now, that may or may not be legal where you live. If we as a company do that in any way, shape or form, they need to be told, and they need to sign a form where they say, "I agree to all of this," before they get the device.
MDMs can be an amazing tool; they can help us a lot.
But we need to make sure that what we do with it is also legal.
And the MDM is not just for smartphones.
It can easily track laptops, tablets and really anything that can be managed and tracked in a centralized system.
Laptops, smartphones, and tablets are amazing productivity tools.
I know that anywhere where I have worked, where we have had them, they certainly make my day and my work life much, much easier.
But as with anything else, they have to be secure the right way or they are a liability.
Which then brings us to BYOD. Bring your own device, which is super awesome if you are a user.
Maybe not so much if you are someone in security. Now, instead of having fifteen different devices that we hand out and have configurations for, we may have hundreds or thousands of different devices that get brought to work and used on our network.
So with BYOD, we should have a clear policy, when they bring their own devices to work.
We have a policy, we have procedures and we have guidelines on what is acceptable use and what is not.
They need to clearly understand how they are allowed to use their own devices.
And we also need to be very clear on how much support we offer for their own devices.
If we have, like I said, 10, 15 devices that we issue, well, then our help desk can easily keep up with that.
They can have the proper procedures in place.
But they most likely won’t have that for the hundreds of different devices our employees bring in.
And how we do that really depends on our organization, what we are trying to do and what our capabilities are.
It is that fine balance that we always need to strike between being user friendly while still having enough security.
Here, a possible solution could be that we add their personal devices to our MDM.
They accept that when they are on company property, we to some extent monitor what they can and cannot do.
So with the MDMs and mobile security, we have a lot of questions that we need to ask.
And then with those answers, we design our policies, our procedures, and our guidelines.
If we give them mobile devices, how do we make sure we get them back when they're terminated or leave the company, or at least that we can wipe the device?
If they use their own devices, how do we ensure there's no company data left on them when they leave?
And how do we ensure that the sensitive data they have on their device is not accessible to anyone from the outside?
How do we ensure that they don’t go home and transfer that data to another device?
How do we make sure they have the latest patches, the latest antivirus, and on and on, before we add any mobile devices to our networks or allow our employees to bring their own devices?
There’s a lot of thoughts and considerations we have to go through to make sure that the implementation we choose is both secure enough while still allowing our employees to do what they need to do in the easiest possible way.
And with that, we are done with this lecture.
I will see you in the next one.