Movin’ right along
The President of the United States is apparently using an Android phone, and likely an outdated version, at that. Despite reports that the newly inaugurated president was, in typical fashion, offered a “secure, encrypted device approved by the Secret Service,” it appears Mr. Trump prefers his own personal device. Don’t we all?
Of course, most people aren’t under the same scrutiny as the leader of free world, nor are we privy to the types of information and secrets that could lead to catastrophic or life-threatening events. However, employees do interact with employers’ sensitive and private data every day, and a leak or loss of data, or worse—compromise of the device that leads to the spread of malware, theft of valid user credentials and privilege escalation/unauthorized system access, or mobile pivoting—is pretty catastrophic to the organization experiencing and managing the after-effects of the breach.
As the security community scoffs at the notion of President Trump tweeting away on his Samsung Galaxy S3 or S4 and thinking about all the security vulnerabilities those actions introduce (even if Trump is only using his phone to tweet), this is a reminder to security teams that now is a good time to take a look at your own company’s mobile device policies and security capabilities.
In search of good times and good news
First things first: Security teams must have an accurate assessment of all of the devices touching the network. While this is certainly easier to do with company issued desktops and laptops, the reality of the situation is that employees can and will use personal devices to send and receive job-related email, files, and data; log in to company-controlled accounts (on the company network and those in the cloud); and generally make use of the productivity benefits mobility has afforded, despite the fact that “connectivity everywhere” has introduced more risks for the security team to manage. The user is not particularly interested in risks, but security can’t manage unknowns.
To understand the scale and scope of potential mobile vulnerabilities, security teams should conduct vulnerability scans to identify all of the devices which have or are requesting system access, audit directory accounts to learn which ones are in use, and then map devices to actual employees/contractors/authorized users. This process will reveal a lot about your organization’s use of mobile devices and can bring forth suspicious activity. Employees may legitimately use two or three non-company issued devices to conduct work, and that’s OK, but if a device can’t be mapped to a currently employed or authorized user, access needs to be revoked ASAP and the organization might consider looking into rogue activity. The security team isn’t going to stop the company president from using her or his new tablet to check email, but to be able to manage mobile device security, the first step is knowing it’s happening. You can’t mitigate the risks you don’t know about.
With good friends you can’t lose
Once you’ve found all of the devices, security teams “have some options,” said Georgia Weidman during a recent MISTI eSummit on mobile device security. If the device is corporate owned, Weidman says companies can evaluate system or application isolation, though she stresses that neither of these solutions has gained a lot of traction in the workplace due to unpleasant user experience. The moment your company president says, “No, that won’t work,” the idea goes out the window. In government offices or more highly regulated environments, however, enforcing the use of a locked-down device might be just the ticket.
Other options, said Weidman, like mobile device management, enterprise mobility management, and mobile application management (recommended by NIST as a mobile security protection), have limitations and shortcomings that could lead to a false sense of security. Instead of falling victim to the lure of a tool, security teams need to consider mobile devices as just another part of the security program. And what works in a traditional environment? Protecting the data, of course! Encryption, segmentation, and limiting access privileges are all effective against mobile threats. Naturally, though, users of mobile devices are humans who can be fooled into phishing scams, clicking on malware, or visiting an infected website.
This could become a habit
Security awareness is helpful, but it won’t eliminate every risk, every exploit. Companies should look to offer—if not enforce—two-factor (2FA) or multi-factor authentication (MFA). Because user experience is a consideration, security teams need to strategically plan how 2FA or MFA will be introduced to the organization. The worst thing a security team can do is demand a new process that the company president refuses to use. Guess who will win. Introducing security protections isn’t a zero-sum game, though; as users are becoming more aware of cybersecurity (and they are, even if it’s not at the pace security practitioners would prefer), adoption of 2FA and MFA will grow, helping stop some of the credential stealing that contributes to many current breaches. In addition, corporate security teams can thank social media sites for socializing users’ ability to control their own privacy and security settings, which will cut down the success rate of certain types of attacks.
Opportunity knocks once, let’s reach out and grab it
Because social engineering does and will continue to work against users, security teams must implement organizational controls that limit the damage an attacker can achieve once inside the system—it’s the same for mobile security as it is for stationary devices. Security teams must commit to proactively testing and monitoring mobile devices and applications alongside the organization’s infrastructure. If the organization has bought MDM, EMM, MAM, or other security solutions, says Weidman, the company needs to test those tools as well, to ensure they’re accomplishing what’s been promised. A continuous monitoring approach to test the efficacy of our security programs as it relates to mobile devices—just like with traditional applications, networks, etc.—is the only way to understand our organizations’ vulnerabilities and risks.
Your company president might not be willing to budge on the selection of his/her own smartphone, but she/he will be receptive to decreasing organizational risk.