Mobile computing has become a critical tool in professional and personal everyday life for millions of people. Mobile devices provide a convenience of seamless communications and portable information storage. A growing number of consumers are using tablets and smartphones for all online activities, making them a desirable target for bad actors.
Examples of mobile devices:
- Laptops and netbooks
- Tablet computers
- Portable Universal Serial Bus (USB) memory sticks (such as “thumb drives” and MP3 devices) and for connectivity (such as Wi-Fi, Bluetooth and other mobile internet modem drives)
- Digital cameras
Powerful productivity capabilities of mobile devices continue to expand, however their biggest advantages- size, portability, wireless interfaces and associated services, present additional threats to those of desktop computers.
Security threats to mobile devices include the following:
- Loss, theft, or misplacement. Mobile devices are small, portable and … easy to lose or to be stolen. Hundreds of thousands of cell phones, laptops and tablets are lost each year. The mobile device in the hands of a stranger provides easy access to sensitive data stored on the device and data stored on corporate networks as well as an ability to impersonate the authorized user.
- Unauthorized device and data access. Access to the device and its contents may be gained by forging or guessing authentication PIN or password or by bypassing the authentication mechanism entirely. Mobile devices transport data via wireless networks, which are typically less secure than wired networks. These wireless networks can leave non-encrypted information at risk of interception and compromise.
- Malware. Communications networks can be used to deliver viruses and other forms of malware to mobile devices. Malware can be spread through internet downloads, messaging services and Bluetooth communications.
- Spam. Unwanted SMS text messages, email, and voice messages from advertisers have begun to appear on mobile phones.
- Electronic eavesdropping. Spying software can be installed onto a device to collect and forward information onto another phone or server. Such applications exist not only for the laptops but also for certain phone models.
- Electronic location tracking. GPS capabilities of the some mobile devices provide opportunity to track a person’s whereabouts.
Here are some tips on securing a mobile device:
- Maintain physical control of the device. One should treat it similarly to a credit card, maintaining control at all times and storing it securely if left unattended.
- Enable user authentication. Passwords and PINs are good first line defenses and are usually available on most mobile devices. When creating a password, use at least eight to twelve characters, a mixture of numbers, letters and special characters. Personal wireless (Wi-Fi) access points should also be password-protected to limit unauthorized access. Read and understand the documentation covering the mobile device features and options for authentication.
- Backup data regularly. Data such as private personal information, electronic documents, photos, music, software applications, and network settings may be synched with a desktop computer or printed out and kept in a safe location. Remember, while the device itself can be easily replaced, it’s the data on it that could cost you millions. Also record such information as serial number and model of your mobile device.
- Minimize data exposure. If you can, avoid keeping sensitive information on a mobile device. If the presence of sensitive data is not avoidable, consider encryption of the data. Some devices support built-in encryption capabilities.
- Avoid questionable actions – think before you click. Malicious code can be spread to mobile devices through internet downloads, messaging services and Bluetooth communications. Suspicious messages or contacts should be destroyed without opening. It is not an operating system that allows malicious code execution on a device; it is a user that allows the installation of infected files or connections from other devices. Any request from an unknown program whose installation was not initiated by the user should not be accepted. Software download from sites that seem suspicious or are not known should also be avoided. Only programs that are from reputable manufacturers and have verified digital signatures should be installed.
- Limit wireless interfaces. Mobile devices are frequently used in such environments like hotspots, customer sites, business partner offices, airports and conferences. A very simple protection step is to turn off Bluetooth, Wi-Fi and other wireless interfaces until they are needed. Being invisible prevents the device from being scanned and located and attacked. Do not assume that public hotspots are secure. Instead, assume that other people in cafes, hotels, libraries, airports and other public places can access any information you see or send over a public wireless network. Do not connect to unsecured wireless networks. If you don’t need a password to connect, the hackers don’t either. When you ask your computer to search for Wi-Fi networks, you will see a list of those that are available along with a note or icon that indicates whether a network is secured or unsecured. Do not allow automatic connections. Configure your computer to let you approve access points before you connect Don’t conduct any confidential business via a Wi-Fi connection in the airport or at your hotel. Consider setting up a virtual private network (VPN) connection that will allow you to send e-mail and use the web securely: Marshall VPN Instructions
- Deactivate and wipe lost or compromised devices. If a device is lost or stolen, disabling service, locking it, or completely erasing its contents remotely are the options to take. Certain devices, such as iPhones and Androids, have the capability to lock a device or erase its contents remotely through a built-in mechanism. If you are using Microsoft Exchange on your mobile phone learn how to perform a remote wipe on a mobile phone: http://technet.microsoft.com/en-us/library/aa998614.aspx
- Eliminate or disable unnecessary services and applications. Unneeded functions, features, add-ons or plugins increase security risks because they can enable cyber-criminals with access to user content and device programming interfaces. Reduce them to only those required.
- Add additional security controls software. A wide range of products exist for various mobile devices, including smartphones and tablets, that usually provide one or more of the following capabilities: improved authentication mechanisms, data back up and encryption, firewall, antivirus, anti-spam, and VPN.
- Always apply critical patches and upgrades to the operating system and to all installed apps.
- Evaluate device security periodically.
Courtesy of special publication by National Institute of Standards and Technology (NIST): “Guidelines for Managing the Security of Mobile Devices in the Enterprise”