Mobile Security Best Practices for SMBs
Tuesday, September 20, 2011. Posted by John Beagle
by Don DeBolt, Director of Threat Research
It’s hardly a stretch in this day and age to say that every SMB has a mobile device. Mobile devices have helped revolutionize the way SMBs do business by facilitating instant communication and enabling us to store, send and receive documents right from our smartphones, anytime, anywhere. While these features have aided communication around the world, like anything that seems too good to be true, smartphones are not without flaws and can easily fall victim to mobile security threats – the aftermath of which can potentially cripple an SMB.
Estimates predict upward of 400 million smartphones will be sold this year alone, and IDC predicts half of the 2.1 billion people who regularly use the Internet will do so using non-PC devices. Every Internet-enabled phone is susceptible to mobile malware, making it even more critical that smartphone users implement some general mobile device best practices to keep their phones, their personal information and their data safe from an increasingly complicated world of mobile threats.
No one would suggest eliminating smartphones from our day-to-day lives and business operations, so following some simple mobile security guidelines can make all the difference in protecting your private information.
Don DeBolt, director of threat research for Total Defense, has put together some mobile security best practices that SMBs can easily implement to protect themselves against mobile malware. Here are those tips:
16 Mobile Security Tips for SMBs
1. Protect the investment physically with a hard cover and screen protector. This small investment will go a long way to keep scratches and cracked screens at bay.
2. Use an access code, password or pattern sequence to lock and unlock the device when it is not in use. This helps to ensure the integrity of the device and its data in the event it is out of the user's immediate control. It should also be noted that the Android "pattern" lock option is more susceptible to being guessed, according to research performed at Penn State University: the researchers were able to follow the "smudges" on the screen to guess the sequence. The preferred method is to set a PIN as the unlock code. These options can be found in the "Security" settings section of the device.
3. Set the sleep function to lock the screen and put the device into hibernation mode. This provides added security as well as helps to ensure longer battery life.
4. Avoid adware-supported "FREE" applications. Ads require an Internet connection, so turning off the data connection stops the ads from appearing. Ads are served from a third-party advertising server or network, and sometimes they are truly malicious and can attack the device. Reducing "random" and "unsolicited" connections to the Internet reduces the attack surface. As a byproduct of turning off the data connection, users who play games will get longer battery life and thus be able to play much longer.
5. Only install applications from trusted application "stores." Apple, Google, and RIM (Blackberry) all have a vested interest in offering secure software to their device owners. However, the Android platform is more open and allows device owners to install their own software or other software that they download from the Internet. It's the software that is downloaded outside of the application "stores" or "markets" that poses the most risk. Software that is offered via the platform "store" is vetted to a degree, and can easily be removed from download if a problem is identified.
6. Take a moment to review the requested permissions. When installing a mobile application the user may be confronted with a dialog box that requests express permission for the application to perform a specific action or access specific data on the device. Android permission examples include:
· RECORD_AUDIO - does the app really need to record audio?
· CALL_PHONE - does the app need to make a call without going through the Dialer user interface?
· CAMERA - does the app need access to the camera device?
· WAKE_LOCK - does the app need to prevent the device from going into sleep mode?
· ACCESS_FINE_LOCATION - does the app need the GPS longitude and latitude coordinates of the user's current position?
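The questions above can be asked before an app is ever installed by reading the permissions it declares. The following script is an added example, not code from the original post or from Total Defense: it parses a decoded AndroidManifest.xml (the manifest inside an APK is binary, so this assumes it has first been decoded with a tool such as apktool) and prints the review question for each permission on a watchlist. The watchlist and the sample manifest for the fictitious package com.example.flashlight are constructed for this example.

```python
"""Flag sensitive Android permissions requested in a decoded AndroidManifest.xml."""
import xml.etree.ElementTree as ET

# Attribute namespace used by every android:* attribute in a manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed watchlist for this example: permission -> question a reviewer should ask.
WATCHLIST = {
    "android.permission.RECORD_AUDIO": "does the app really need to record audio?",
    "android.permission.CALL_PHONE": "does it need to place calls without the dialer UI?",
    "android.permission.CAMERA": "does it need access to the camera?",
    "android.permission.WAKE_LOCK": "does it need to keep the device awake?",
    "android.permission.ACCESS_FINE_LOCATION": "does it need precise GPS coordinates?",
}


def requested_permissions(manifest_xml: str) -> list[str]:
    """Return every <uses-permission android:name=...> value in document order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for elem in root.iter("uses-permission"):
        name = elem.get(f"{{{ANDROID_NS}}}name")
        if name:
            names.append(name)
    return names


def audit(manifest_xml: str) -> dict[str, str]:
    """Return {permission: review question} for each watchlisted permission requested."""
    return {p: WATCHLIST[p] for p in requested_permissions(manifest_xml) if p in WATCHLIST}


# Constructed sample manifest (not from any real app): a "flashlight" app that
# asks for the camera and precise location alongside plain Internet access.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
"""

if __name__ == "__main__":
    for perm, question in audit(SAMPLE_MANIFEST).items():
        print(f"{perm}: {question}")
```

A flashlight app that wants the camera may be legitimate (the flash LED is driven through the camera API), but one that also wants fine location deserves the question the list asks; the script only surfaces the permissions, the judgement stays with the reviewer.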
7. Don't share "location" within GPS-enabled apps unless absolutely necessary. The ability to know exactly where a user is, based on the phone's physical location, can be a significant privacy and physical security concern. Many apps today use the GPS embedded in mobile devices to "tailor" content for the user. Per the Google+ help documentation: "Users 18 and over have their location attached to each post by default. You can remove your location by touching the X [in the post]." Once a user removes their location from a post, the application will remember the setting and not share location information in future posts. Users can "opt out" of location services entirely, but this disables key features, like "maps" applications. Each person must weigh the benefit of the "tailored" content against the security concerns of sharing their physical location at any given time.
8. Avoid auto-upload of photos to social networks. Android 2.1+ devices with Google+ installed offer an "instant upload" option where photos and videos are immediately uploaded to Google's servers. Images and videos require high bandwidth to transmit and use of this feature may put users over the limit on their data plan. Use of this feature will also reduce battery life. There may also be privacy and physical security concerns if every photo and every video is uploaded prior to review by the device owner.
9. Delete unused applications. This helps to reduce the attack surface of the device in the event a vulnerability is discovered in that unused application. This also helps free up space on the device.
10. No clear-text data in public Wi-Fi hot-spots. Firesheep demonstrates how easy it can be to capture a user's credentials on an open Wi-Fi connection and log in as them with a simple "double-click." Mobile device owners must review each of their email and social networking applications to ensure encryption (HTTPS) is used for the entire session, but it is best to avoid open Wi-Fi hotspots whenever possible.
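Checking that an app really keeps the whole session on HTTPS is easiest with a traffic log from a proxy you control on your own network. The script below is an added example, not code from the original post or from Total Defense: it scans constructed log lines in the form `METHOD URL "Cookie header or -"` and reports every request that sent a session-looking cookie over plain http://, which is exactly what Firesheep could replay. The cookie-name heuristic (sess, sid, auth, token) and the sample log entries are assumptions made for the example.

```python
"""Report requests that carry a session cookie over plain HTTP in a constructed proxy log."""
import re

# Constructed log format for this example: METHOD URL "Cookie header or -"
LOG_LINE = re.compile(r'^(?P<method>[A-Z]+) (?P<url>\S+) "(?P<cookie>[^"]*)"$')

# Heuristic: cookie names that usually identify an authenticated session.
SESSION_COOKIE_HINT = re.compile(r"(sess|sid|auth|token)", re.IGNORECASE)


def has_session_cookie(cookie_header: str) -> bool:
    """True if any cookie name in the header looks like a session identifier."""
    if cookie_header in ("", "-"):
        return False
    for pair in cookie_header.split(";"):
        name = pair.split("=", 1)[0].strip()
        if SESSION_COOKIE_HINT.search(name):
            return True
    return False


def cleartext_session_requests(log_lines: list[str]) -> list[str]:
    """Return the URLs of requests that sent a session cookie without TLS."""
    findings = []
    for line in log_lines:
        match = LOG_LINE.match(line.strip())
        if not match:
            continue  # skip malformed lines rather than guessing
        url, cookie = match["url"], match["cookie"]
        if url.startswith("http://") and has_session_cookie(cookie):
            findings.append(url)
    return findings


# Constructed sample log; hostnames are placeholders, not real services.
SAMPLE_LOG = [
    'GET https://mail.example.com/inbox "sessionid=abc123"',
    'GET http://social.example.com/feed "sessionid=abc123; theme=dark"',
    'GET http://cdn.example.com/logo.png "-"',
    'POST http://social.example.com/like "theme=dark"',
    'GET http://social.example.com/profile "auth_token=zzz"',
]

if __name__ == "__main__":
    for url in cleartext_session_requests(SAMPLE_LOG):
        print("session cookie sent in clear:", url)
```

The login page being HTTPS is not enough: the second and fifth lines show the pattern the tip warns about, a session cookie that was issued securely but is then sent with later plain-HTTP requests. If an app shows this behaviour, the fix is on the server side (the Secure cookie flag and HTTPS for every request), so the practical choice for the device owner is to avoid the app on open Wi-Fi.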
11. Use a mobile security application to protect against mobile malware and lost or stolen devices. Look for one with "Remote Lock and Wipe" capabilities in the event of a lost device. Many of these applications offer data back-up in the event the device "goes for a swim," and many offer protection against Malware, which is a growing concern for mobile devices.
12. Recycle old devices, but wipe them first. Many apps store usernames, passwords, and user data in clear text. To best protect important data when recycling devices, perform the following steps:
· Back-up the mobile device data and apps
· Remove any digital memory (MicroSD) cards
· Remove the SIM card
· Perform a factory reset of the device
· Then recycle/e-cycle
13. Avoid "jail-breaking" the device. Jail-breaking enables installation of untrusted applications, which increases the attack surface, and users who do jail-break should never leave default passwords in place.
14. Perform device backups regularly and purge personal and business data at the same time. This provides integrity of data if the device is lost or broken, while at the same time limiting the amount of confidential data stored on the device at any given time. For example, the recent case involving nude photos of Scarlett Johansson, which were allegedly hacked from her phone, may very well have been prevented had she been following some basic mobile device best practices.
15. Patch your device regularly when new software is available. Keeping the device current with manufacturer updates can help to fix known bugs within the device software.
16. Leverage Parental Controls to limit children's access to the Internet and unauthorized content. Device security controls can help limit children’s use of the Internet and camera and also prevent the installation of applications.
Visit Don DeBolt at:
www.totaldefense.com and http://www.totaldefense.com/securityblog.aspx