The current generation of cellular telephony products presents a wide range of potential risk to the corporate environment. From the simplest cell phones that could expose a corporate phone list, to more advanced cellular devices that are capable of storing and manipulating documents, to the latest smart phones that enable direct access to the network via 802.11 wireless connectivity (“WiFi”); the landscape for protecting corporate assets is wider and more varied than ever before.
Modern cell phone devices can be loosely categorized into three tiers based on the functionality of each device: basic, advanced, smart
a. Cell phones that only provide voice and messaging capabilities
a. Cell phones that provide additional features such as GPS or multimedia capabilities
a. Cell phones that provide PDA functionality including document management and manipulation.
b. Provide alternative network access including 802.11 wireless networking capabilities.
The key difference in the way we view these various devices is that the most advanced of them are truly full featured computing devices and should be subjected to the same scrutiny and governance as any other mobile IT corporate asset such as a laptop. These new devices are capable of nearly every function of their larger counterparts including document storage and manipulation, web browsing, messaging and direct network access via WiFi. Additional and unforeseen functionality may be added with the addition of third-party applications. While these devices are similar in many ways to regular corporate assets, they differ in one fundamental way: size. Due to their small size the risk of loss or theft is significantly higher than their larger counterparts.
According to the document from NIST entitled “SP800-124: Guidelines on Cell Phone and PDA Security” an estimated 85,619 mobile phones and 21,460 PDAs were left behind in one Chicago taxi firm’s vehicles during the six-month period of the study, compared with only 4,425 laptops. One estimate given for the year 2007 was that approximately eight million phones would be lost. These numbers suggest that it is prudent to employ a more stringent security regiment for those cellular devices capable of carrying sensitive data to include data/disk encryption and remote wipe capabilities.
Just as the risks are varied depending on the type of device, so too, are the efforts employed to secure the devices. A basic cell phone may be best secured by merely enabling a screen-lock that requires that the user enters a pin number before accessing the device. More robust and feature-filled devices that are equipped with document management tools, WiFi and internet access require appropriately robust solutions, comparable to larger portable devices such as a laptop. These more advanced cellular devices should use the same types of security as would be recommended for a corporate laptop, including firewall, anti-virus, anti-malware, remote wipe capabilities, strong passwords and encryption at the file and disk levels.
Issues with Connectivity
With the addition of 802.11 and Bluetooth wireless connectivity to this new class of portable device, care should be exercised to limit potential exposure when utilizing these connections to connect to corporate assets or when transmitting business related information. Whether web-browsing or using email, an unsecured WiFi connection can lead to confidential data leakage. When sending information over WiFi make sure that the connection is encrypted whenever possible (such as with an SSL connection.) If data is being sent via insecure means such as email, care should be exercised to protect the data by utilizing encryption (even using a password-protected zip format will provide at least some protection)
An improperly secured Bluetooth link will allow an attacker to surreptitiously connect to the device and potentially download any and all information stored on it. Bluetooth pairing pin numbers should always be changed from their default values, or should be disabled when not in use.
Consideration should also be given to the possibility of the device being used as a proxy, allowing unauthorized connectivity to/from the internet by proxying the WiFi connection to the cellular data connection.
Methods of Protection
Due to the similarity in features that smart phones have with laptops it is reasonable to consider securing the device as if it were a laptop or any other corporate asset. That means employing a local firewall, anti-virus/anti-malware measures, encryption of corporate data, enabling VPN connectivity to access corporate assets, etc. Any non-essential services should be disabled when not in use (such as Bluetooth or WiFi)
These devices should also be subject to the same scrutiny and rigorous standards as other corporate devices and subject to the same policies and procedures regarding acceptable use, authorized software, password requirements, Internet policies, etc. Specific policies and procedures should be created to assist in the governance of these devices (including laptops) that would delineate the methods and tools used to enforce these recommendations.
Security concerns for the different types of cell phones are cumulative starting with the ‘basic’ cell phone.
Basic Cell Phone Security Concerns
a. Loss, Theft, Disposal
b. Unauthorized Access/Usage
2) Advanced Cell Phone Security Concerns
a. Electronic Tracking
b. Server resident data
3) Smart Cell Phone Security Concerns
b. Data Interception or Access
c. Network Access
d. Should be regarded as a small form factor laptop for the purposes of security requiring the same methods of protection including anti-virus, anti-malware, etc.
The amount of effort employed to secure each type of device should be commensurate with the potential risk associated with each class of device.
1) Basic and Advanced Cellular Phones
a. Employ the use of a screen lock password
b. Where possible enable backups of phone data to the network (via activesync or other methods)
2) Smart phones
a. Should be regarded as comparable to a laptop in regards to data exposure and potential risk and therefore should employ the same methods of protection.
b. Anti-virus measures should be installed and utilized.
c. Anti-malware measures should be installed and utilized.
d. Firewall software should be installed and active to prevent unauthorized connections to or from the device.
e. VPN connections should be used when connecting into the corporate network
f. Non-essential services (such as Bluetooth or WiFi) should be disabled when not in use.
g. Strong passwords or two-factor authentication should be used to secure access to the device’s networking connections.
The security concerns delineated here are taken from various sources, primarily from NIST SP800-24 “Guidelines on Cell Phone and PDA Security” http://csrc.nist.gov/publications/nistpubs/800-124/SP800-124.pdf