How current is your company's mobile device security policy? If your policy is hopelessly out of date, you're not alone. When the National Institute of Standards and Technology ("NIST") first published formal guidelines for mobile device security in 2008, PDAs were still en vogue, the iPhone was in its infancy and the widely rumored iPad was more than a year away from jumpstarting the tablet market. Five years is a lifetime in Silicon Valley. The ever-changing technological landscape can undermine even the most meticulous and thorough security policies, exposing companies to substantial new risks. But the frenetic pace of the tech industry does not have to prevent your company from designing a relevant and effective mobile device security policy.
On June 24th 2013, NIST published updated security guidelines that provide direction for corporations working to "modernize" their policies to encompass current tech trends. Only five years removed from NIST's 2008 Guidelines on Cell Phone and PDA Security manual, cell phones have been replaced by smartphones, and tablets have forced PDAs into obsolescence. These new devices are subject to unique cyber security threats and vulnerabilities, and promise to create nightmare scenarios for corporations that fail to adopt strong policies governing their use by employees. Responding to the profound technological advancement in the mobile device market, NIST updated its 2008 manual for 2013, now entitled Guidelines for Managing the Security of Mobile Devices in the Enterprise. The revised manual addresses the novel security concerns created by both company-issued and personally owned mobile devices used in the employment context. The bring-your-own-device ("BYOD") trend has created significant problems for companies that rely on network isolation as their primary security measure. Network isolation alone also fails to address a separate risk: company-issued devices create significant security exposure when lost or misplaced by employees.
In addition to highlighting these new risks, the revised NIST guidelines provide six countermeasures that companies can employ to mitigate the novel security threats posed by the latest generation of mobile devices.
Smart Phones, Tablets and New Risk
Off-Campus or Remote Use
- Because employees are able to use new mobile devices in a variety of settings, such as private residences, coffee shops, hotels, and conference centers, the devices are more likely to be lost or stolen.
- In addition, remote use will necessarily involve frequent contact with unknown or untrusted networks that may expose sensitive or proprietary data to interception.
- Location-based services that are commonplace in most mobile devices can threaten a company's security and privacy and expose an employee to increased risk of targeted attacks.
- Personally-owned devices usually contain unknown or untrusted third party applications which pose significant security risks.
- Personally-owned devices may interact with other systems to perform backup and storage functions placing an organization's data at risk where stored at an unsecured location.
- Personally-owned devices may also exchange information with other, untrusted mobile devices.
- Personally-owned devices may use untrusted content or link to malicious websites.
How Should Companies Respond In Light of the Changing Security Risk to Mobile Devices?
NIST Recommends Adoption of the Following Mitigation Measures:
Adopt Strong General Policies: Centralized management technology operated by the company can enforce security policies on mobile devices in order to:
- Restrict user and third party application access to hardware
- Restrict user and third party application access to device Operating System ("OS") services: web browser, email, calendar, contacts, etc.
- Restrict wireless network interfaces
- Monitor, detect and report policy violations, such as changing the baseline security configuration for the device
- Limit access to company services based on the mobile device's OS
Incorporate Mobile Devices In Existing System Threat Models
- Existing threat models and the risk landscape should incorporate mobile devices, taking into consideration their heightened vulnerabilities
- Conduct regular penetration testing that encompasses mobile devices
Develop Multiple Security Strategies
- Effective General Policy
Updated Data Communications and Storage Measures
- Strong encryption of communications between mobile devices and the company
- Strong encryption of stored data on mobile devices: both local storage and removable media
- Wipe device data:
  - Remotely if lost or stolen
  - Before issuing to a new user
  - Via a self-wipe configuration
User Device Authentication
- Strong Passwords
- Automatic Idle-Locks
- Token Pass (token-based authentication)
Third-Party Application Controls
- Create a whitelist of preferred third-party applications
- Restrict the scope of each application
- Dedicated Application Store
Pre-Production of Security Solutions
- Implement and test solutions before production
Install Secure Baseline Configurations for Company-Issued Devices
- Build out a level of trustworthiness in company issued devices
- Prohibit the alteration of baseline configurations
- Monitor, report and penalize the alteration of baseline configurations
Maintenance and Assessment
- Regularly maintain mobile device security
- Check for upgrades and patches
- Detect and Document Anomalies
- Perform periodic assessments and compliance audits to confirm that policies and procedures are being followed
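The "monitor, detect and report policy violations" step, the OS-based access limit, the application whitelist, and the encryption, password, idle-lock and wipe requirements listed above all reduce to the same operation: comparing each enrolled device's reported posture against the company baseline and acting on the differences. The following is an added illustration written for this page, not code from the article or from NIST's guidelines. The posture fields, the baseline thresholds and the three device records are constructed for the example; a real deployment would take the posture from its device-management platform's inventory and the baseline from the company's own policy.

```python
"""Baseline compliance check for enrolled mobile devices (constructed example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Baseline:
    """Company baseline. Values are illustrative, not NIST-prescribed."""
    min_passcode_length: int = 8
    max_idle_lock_seconds: int = 300
    min_os_version: dict = field(default_factory=dict)  # OS name -> minimum version string
    app_allowlist: frozenset = frozenset()              # whitelist of approved apps
    config_fingerprint: str = "baseline-v1"             # stands in for a hash of the issued config profile


def parse_version(text):
    """'7.0.4' -> (7, 0, 4); non-numeric parts count as 0 so comparison never raises."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def evaluate_device(device, baseline):
    """Return the list of baseline violations found in one device posture report."""
    violations = []

    # Limit access to company services based on the device OS (and its version).
    os_name = device.get("os")
    min_ver = baseline.min_os_version.get(os_name)
    if min_ver is None:
        violations.append(f"os not permitted: {os_name}")
    elif parse_version(device.get("os_version", "0")) < parse_version(min_ver):
        violations.append(f"os version {device.get('os_version')} below minimum {min_ver}")

    # Strong encryption of stored data: local storage and any removable media.
    if not device.get("storage_encrypted", False):
        violations.append("local storage not encrypted")
    if device.get("removable_media_present") and not device.get("removable_media_encrypted", False):
        violations.append("removable media not encrypted")

    # User authentication: strong passcode and automatic idle lock.
    if device.get("passcode_length", 0) < baseline.min_passcode_length:
        violations.append(f"passcode length {device.get('passcode_length', 0)} "
                          f"below minimum {baseline.min_passcode_length}")
    idle = device.get("idle_lock_seconds")
    if idle is None or idle > baseline.max_idle_lock_seconds:
        violations.append("idle lock disabled or longer than permitted")

    # Remote wipe must be available for a lost or stolen device.
    if not device.get("remote_wipe_enrolled", False):
        violations.append("remote wipe not enrolled")

    # Whitelist of third-party applications.
    unapproved = sorted(set(device.get("installed_apps", [])) - baseline.app_allowlist)
    if unapproved:
        violations.append("unapproved applications: " + ", ".join(unapproved))

    # Detect alteration of the issued baseline configuration.
    if device.get("config_fingerprint") != baseline.config_fingerprint:
        violations.append("baseline configuration altered")

    return violations


def access_decision(device, baseline):
    """Gate access to company services on a clean posture: 'allow' or 'deny'."""
    return "allow" if not evaluate_device(device, baseline) else "deny"


def compliance_report(devices, baseline):
    """Map each device id to its violations, for reporting and periodic audit."""
    return {d["device_id"]: evaluate_device(d, baseline) for d in devices}


# Constructed baseline and posture reports (not real devices).
BASELINE = Baseline(
    min_os_version={"iOS": "7.0", "Android": "4.3"},
    app_allowlist=frozenset({"corp-mail", "corp-vpn", "calendar"}),
)

DEVICES = [
    {"device_id": "corp-001", "os": "iOS", "os_version": "7.0.4", "storage_encrypted": True,
     "removable_media_present": False, "passcode_length": 8, "idle_lock_seconds": 120,
     "remote_wipe_enrolled": True, "installed_apps": ["corp-mail", "corp-vpn"],
     "config_fingerprint": "baseline-v1"},
    {"device_id": "byod-017", "os": "Android", "os_version": "4.3", "storage_encrypted": False,
     "removable_media_present": True, "removable_media_encrypted": False, "passcode_length": 4,
     "idle_lock_seconds": 900, "remote_wipe_enrolled": True,
     "installed_apps": ["corp-mail", "flashlight-free"], "config_fingerprint": "baseline-v1"},
    {"device_id": "corp-042", "os": "iOS", "os_version": "6.1.3", "storage_encrypted": True,
     "removable_media_present": False, "passcode_length": 8, "idle_lock_seconds": 300,
     "remote_wipe_enrolled": False, "installed_apps": ["corp-mail"],
     "config_fingerprint": "modified-by-user"},
]

if __name__ == "__main__":
    for device_id, found in compliance_report(DEVICES, BASELINE).items():
        print(device_id, "OK" if not found else "; ".join(found))
```

Run as a script it prints one line per device; `corp-001` passes, `byod-017` fails on encryption, passcode, idle lock and an unapproved app, and `corp-042` fails on OS version, remote wipe and an altered baseline. Every violation is a distinct string so the same function can feed a ticketing or audit log, and `access_decision` shows the usual follow-on: a device with any open violation is kept off company services until it is brought back to baseline.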
To the extent companies fail to adequately address the risk of employees' use of mobile devices and to update existing mobile device security policies, they will be vulnerable to data loss, security breaches and, in the event of a data breach, potentially costly notifications and likely regulatory scrutiny. Reliance on the revised Guidelines for Managing the Security of Mobile Devices in the Enterprise and its recommended mitigation measures offers corporations an opportunity to effectively manage the security risks presented by mobile devices in their environment.