As mobile security becomes more complicated, new techniques and old basics offer some protection
As mobile devices stream into all types of organizations in both the public and private sectors, there’s growing anxiety in government agency IT departments about how to properly manage and secure mobile devices against a range of possible security breaches and malicious code attacks.
The numbers are staggering: Early in 2011, smart phone shipments exceeded PCs for the first time, according to IDC Research. The market research firm also reported that 365.4 million units were shipped in the second quarter of 2011, up 11.3 percent from the 328.4 million phones shipped in Q2 2010.
And it’s not just phones. Gartner Inc., Stamford, Conn., predicts sales of 54.8 million media tablets in 2011 and sales of more than 208 million units by 2014. While smart phones and mobile devices are already visible in most government agencies today, public-sector IT organizations face an immediate challenge in ensuring adequate security.
Attacks on mobile networks and devices have grown in recent months, both in number and sophistication. Early security threats from young, independent hackers have turned into sophisticated attacks driven by experienced criminals or even state-sponsored terrorists. Threats, including those that compromise user data or privacy, are now targeting widely supported services such as text messaging and voice. Phishing attacks and traditional malware problems have also affected a surprisingly high number of mobile devices.
Challenges for federal IT administrators arise from the influx of “personal” devices into the workplace, the popularity of various mobile operating systems, and the need to balance access to data and networks with growing security requirements. Not surprisingly, security ranks high among most survey respondents. iPhones, iPads and other employee-owned mobile gear are the riskiest devices that can be connected to an organization’s networks, according to a recent survey by ISACA, an international user group devoted to providing benchmarks and guidance for technology best practices. Previously known as the Information Systems Audit and Control Association, ISACA polled 2,765 IT leaders around the world. According to the survey’s results, 58 percent of respondents said employee-owned mobile gear — including smart phones, laptops, notebooks, tablets and flash drives — represents the greatest risk to organizations. To see the full results, visit www.isaca.org/risk-reward-barometer.
Nevertheless, mobile device use is exploding among government employees. The Veterans Affairs Department, for example, has announced plans to allow the use of Apple iPads and iPhones beginning Oct. 1, with a longer list of devices expected for approval soon. Currently, only BlackBerry smart phones are authorized for use by 20,000 VA employees.
Meanwhile, in July, Research in Motion received FIPS 140-2 certification for its BlackBerry PlayBook tablet. PlayBook is the first tablet certified for deployment within U.S. federal government agencies. No competing tablet has gained Federal Information Processing Standard certification from the National Institute of Standards and Technology, although Apple and Google are both working on FIPS certification for iOS and Android, respectively.
Government workers are creating and sharing information through a multitude of mediums — from e-mail, instant message and USB flash drive to voice over IP, smart phone, social media, public Wi-Fi networks and home computers. Each medium introduces security vulnerabilities that require protection. According to Will Hedrich, a security architect at CDW-G, the technology supplier is working closely with government clients to help them establish three primary pillars of stronger mobile security:
* Content filtering — Adopting a heuristic-based content filter with an anti-malware engine. The filter actively analyzes every packet of information and blocks dangerous content in real time.
* Mobile device management — Locking down mobile devices (iPads, PlayBooks, etc.) to ensure information isn’t hacked or stolen.
* Data loss prevention — Classifying data and preventing sensitive information from being downloaded or e-mailed outside the agency or to unauthorized agency employees.
“Because so many government workers are using personal smart phones and other mobile devices for work purposes, IT organizations suffer a giant headache as they must strive [to] keep in compliance with federal security standards, while safely allowing employee and contractor access to data and information,” Hedrich said.
CDW-G typically proposes mobile device management solutions from Symantec or McAfee, Hedrich explained, to provide the encryption, complex passwords and enforcement policies agencies need to protect government information and network resources. Some of the advanced features of mobile device management solutions include multifactor authentication, disabling of camera functions and/or access to “apps” stores, and the ability to block access from wireless local-area networks or connect only to certain specified networks.
There’s also a remote lockout capability so that when a phone is left idle, it can be locked out of network access after a certain number of minutes. And the ability to wipe data remotely from mobile devices is vitally important when a device is lost or stolen, Hedrich explained. In some cases, mobile management solutions can even boot users off the network if they attempt to jailbreak their devices to work around agency security controls.
Meanwhile, Hedrich added that data loss prevention solutions from leading suppliers such as RSA, Symantec and McAfee can help protect data at rest as well as data in motion. DLP is used on networks, in data centers and for endpoint devices. DLP can stop users from sending PDFs or Excel spreadsheets, alerting the user and manager via an e-mail message to allow or reject such requests. Also, DLP tools can seek information and even pictures that fall outside personally identifiable information compliance parameters to stop users from sending files that compromise security guidelines.
DLP isn’t a quick fix, however, because it requires proper security policies and education for every group of users in an organization. This type of solution typically takes at least six months to implement, he said. Policy and management issues can slow implementation.
Another important tool in the mobile security arsenal is content filtering, which can address the majority of threats that arise from the Web. In typical Google searches, for example, users might see 20 links, and some of those links might contain malicious code that installs a bug, bot or some other peer-to-peer attack, Hedrich said. This is why organizations need a real-time filter to determine if a website is safe and accept or deny access for any websites deemed inappropriate or dangerous. Even on reputable sites, there might be malware in some links, and content filtering will block those links from appearing on a Web page, Hedrich explained.