Enterprises need to take control of PDAs, smart phones and other mobile wireless devices to ensure corporate security.
Mobile devices--from PDAs and smart phones to wireless handsets and printers--are exploding into the workplace. While these IP-enabled devices are improving productivity by giving employees increased access to corporate applications, they're opening the enterprise to a host of risks.
Focused on locking down networks and laptops, organizations often overlook the need to take control of mobile wireless devices. Left unchecked, these gadgets--which store an increasing amount of sensitive data, including customer and pricing information--can easily open gaping holes in enterprise network defenses.
But organizations can get control over these powerful, well-connected devices by adopting a systematic approach to device detection, assessment, protection and enforcement. There are a number of strategies for discovering and fingerprinting mobile systems, plus scalable methods for finding and fixing the vulnerabilities associated with them.
By taking hold of these devices and controlling their use in the enterprise, companies can reap the benefits of mobility without putting sensitive data at risk.
Figure 1 (Mobile devices & threat vectors): Mobile devices connect locally and remotely over various technologies, making detection tricky. Outlook Web Access and desktop mail redirection are user activities that add to the difficulty in tracking and managing mobile devices.
Assessing the Risk
Many companies assume that PDAs, smart phones and other mobile equipment pose little business risk, but today's mobile devices have the power, storage and connectivity to rival laptops. Many enterprise applications are being adapted to reach increasingly mobile workforces.
According to Gartner, 40 percent of corporate data now resides on handheld devices, making it especially dangerous if they fall into the wrong hands due to loss or theft. And users are prone to losing PDAs and mobile phones: a 2005 study by Pointsec Mobile Technologies found that 63,000 mobile phones and 6,000 Pocket PCs were lost over a six-month period in London taxis alone.
Last year, aerospace manufacturer Boeing fell victim to a mobile device theft that exposed personal information of 161,000 employees. In 2003, a Morgan Stanley VP made headlines when he sold a BlackBerry on eBay that still carried company data. Such incidents can require companies to comply with privacy and breach notification laws, including California's SB 1386, and result in unwanted media attention.
In some cases, the mere presence of unauthorized mobiles poses a threat. For example, rogue systems that synchronize with trusted desktops can pass along viruses or gather data from network shares. Bluetooth headsets, Wi-Fi travel routers and other wireless convenience devices can open unprotected backdoors into corporate networks. Wireless cameras, embedded in many new phones, make it easier than ever to capture and transmit proprietary information to outsiders.
Despite the risks, oftentimes a password is all that's used to protect a portable device. In a survey of U.S. professionals by Pepperdine University, one in four had experienced loss or theft of at least one PDA used for business; half used nothing more than a password for security.
Detecting Mobile Devices
Taking control and protecting the enterprise against these risks starts with mobile device detection.
"Being able to assess the threat is the absolutely critical first step," says Jason Jaynes, CREDANT Technologies' product management director. "Companies want a feel for what devices are being used, who is using them and how big of a problem this presents for them. Based on usage reports, the company can then decide what to protect, and enforce security on those devices."
But identifying mobile devices that connect to corporate networks is harder than it sounds. Established practices and tools exist for wired device discovery, including port scanners like Nmap, vulnerability assessment tools like Internet Security Systems' Internet Scanner, and network managers like Hewlett-Packard's OpenView. While these have a role to play in mobile discovery, they cannot monitor the dynamic mobile perimeter.
As shown in Figure 1, mobile devices come and go, connecting locally and remotely over varied technologies. Consider the Pocket PC, which connects over CDMA2000 to the enterprise mail server, over a Wi-Fi hotspot to the VPN gateway, over office Wi-Fi to the corporate network, and through a cradle to the corporate desktop. And that is just one device carried by one user. Factor in diverse devices and OSes, and discovery becomes even more challenging.
When developing a detection strategy, consider all potential network/data access vectors. For example, Microsoft's Outlook Web Access is often used for remote access to Microsoft Exchange. Bluefire Security Technologies' CEO Mark Kominsky describes this difficult-to-catch scenario: "To check mail with your Treo [PDA], you need credentials and server name. But if you can get [the Outlook link] from someone else, you can get into the Exchange server. There is no real way of tracking this, other than tracking the activities of a person."
Another overlooked vector is desktop mail redirection. "Consider the employee that goes to a carrier's store and purchases a handheld running Sprint PCS Business Connection or BlackBerry Redirector," says Jaynes. "The company doesn't have a mobile mail server, but the user can still redirect mail, and perhaps files, to a device outside the corporate network. Many companies can't detect this."
With Trust Digital's MobileEdge feature, PCs can be checked for mobile threats by searching the registry and log files.
Identifying the Right Tools
Discovering all of the mobile devices that affect corporate networks requires complementary techniques, combining wired discovery with wireless, desktop and remote-access monitoring.
Wireless monitors detect nearby devices with active Infrared, Bluetooth or Wi-Fi interfaces. An office can be spot-checked for Bluetooth devices using Network Chemistry's BlueScanner or AirMagnet's BlueSweep. Similar "stumblers" can discover Wi-Fi access points, but full-time detection of Wi-Fi clients requires a distributed wireless IPS like AirDefense's AirDefense Enterprise or AirTight Networks' SpectraGuard.
Desktop mobile security monitors detect PDAs and phones that synchronize with corporate PCs. As an example, Bluefire Security Technologies' Mobile Security Suite and CREDANT's Mobile Guardian Enterprise use centrally installed PC agents to spot connections to Windows Mobile ActiveSync. Sync attempts can be logged, denied or permitted based on device identity and state. If registration succeeds, protective measures can be synchronized onto the mobile device before further use.
Alternatively, PCs can be periodically checked for mobile threats without resident agents. Trust Digital's Enterprise Discovery uses a scanner that can be invoked whenever users log in to a Windows domain. The PC's registry and logs are searched, with results sent to a database for historical reporting. A report for one PC and one PDA, generated by a demo program, is shown above.
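To make the agentless approach concrete, here is an added example (not code from Trust Digital or any product named in the article) that parses an exported registry snapshot for ActiveSync partnership entries and flags partnerships whose device name is not in an inventory of registered devices. It assumes that per-user ActiveSync partnerships live under the "Windows CE Services\Partners" key and that each partnership subkey carries a PName string and a DeviceType dword; the .reg text and the device names are constructed sample data.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed .reg export for illustration (not captured from a real PC).
# The key path and the PName/DeviceType value names are assumptions about
# how ActiveSync records desktop partnerships.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows CE Services\Partners]
"PCur"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows CE Services\Partners\1A2B3C4D]
"PName"="Pocket_PC"
"DeviceType"=dword:00000002
"PathName"="\\\\Treo\\Sync"

[HKEY_CURRENT_USER\Software\Microsoft\Windows CE Services\Partners\9F8E7D6C]
"PName"="WM5_Phone"
"DeviceType"=dword:00000002
"""

# Only subkeys *below* Partners (i.e. with a trailing "\<id>") are partnerships.
PARTNERS_KEY = "\\Software\\Microsoft\\Windows CE Services\\Partners\\"

SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_value(raw: str):
    """Decode the two .reg value encodings this scan cares about."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith('"') and raw.endswith('"'):
        # .reg files escape backslashes and quotes inside string values
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return raw  # hex:/binary values are left undecoded


def parse_partnerships(reg_text: str) -> List[Dict]:
    """Walk the export line by line, collecting values of partnership subkeys."""
    partnerships: List[Dict] = []
    current = None
    for line in reg_text.splitlines():
        section = SECTION_RE.match(line)
        if section:
            key = section.group(1)
            pos = key.find(PARTNERS_KEY)
            if pos != -1 and key[pos + len(PARTNERS_KEY):]:
                current = {"hive_path": key,
                           "partner_id": key.rsplit("\\", 1)[1],
                           "values": {}}
                partnerships.append(current)
            else:
                current = None  # parent key or unrelated section
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            current["values"][value.group(1)] = parse_value(value.group(2))
    return partnerships


def audit_partnerships(reg_text: str, registered_names: Set[str]) -> List[Tuple[str, str, str]]:
    """Report each partnership as registered or UNREGISTERED against inventory."""
    report = []
    for p in parse_partnerships(reg_text):
        name = p["values"].get("PName", "<unnamed>")
        status = "registered" if name in registered_names else "UNREGISTERED"
        report.append((p["partner_id"], name, status))
    return report


if __name__ == "__main__":
    for row in audit_partnerships(SAMPLE_REG_EXPORT, {"Pocket_PC"}):
        print("%s  %-12s %s" % row)
```

In a domain-login scan the export would come from the logged-in user's hive rather than from a string, and the report rows would be posted to the central database the article describes; the parsing and the inventory comparison are the same.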
Remote-access monitors detect off-site handhelds that use mobile business applications, like corporate mail, but never touch a desktop cradle. CREDANT and Trust Digital, among others, can detect and secure devices that synchronize through mobile enterprise application servers like BlackBerry, GoodLink, Intellisync and CommonTime.
Monitoring can also occur at the company's VPN server or Web portal, or at any point of network admission. Cisco Systems' Network Admission Control and Trusted Computing Group's Trusted Network Connect (TNC), for instance, define interfaces for endpoint security assessment and enforcement. Mobile security products can leverage these to detect handhelds and create a conduit for registration and activation.
Mobile detection tools operate in report-only, block-and-report and enroll-and-report modes. Reporting capabilities are critical, so look for solutions that offer both detail and filtering. Data export functions are also important to help consolidate information gathered by independent tools.
Remote-access monitors track use by login or a subscriber identity module, while wireless monitors track activity by MAC address, International Mobile Equipment Identity and universal unique identifiers. Many tools report IP addresses, but mobiles often use DHCP. Correlating multiple identifiers and attributes to individual devices is difficult, so look for tools that combine data to fingerprint devices.
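The correlation problem in the paragraph above is easiest to see in code. The following added example (not from any product the article names) merges records from a desktop sync agent, an enrolled device agent, a wireless IPS and a mail server into per-device fingerprints. Records are joined only on identifiers that are stable for a device (MAC, IMEI, UUID, Bluetooth address, SIM); IP addresses are carried along as attributes but never used as join keys, because DHCP reuses them. All records, identifiers and user names are constructed sample data.

```python
from collections import defaultdict
from typing import Dict, List

# Identifiers that stay with one device and can therefore link records.
STRONG_KEYS = ("mac", "imei", "uuid", "btaddr", "sim")
# "ip" is deliberately absent: two devices below share 10.1.5.23 via DHCP.

# Constructed observations from four independent monitors (sample data).
RECORDS = [
    {"source": "sync", "time": "2006-03-01T08:02", "user": "jsmith",
     "pc": "WS-0421", "uuid": "3F1A-77C2"},
    {"source": "agent", "time": "2006-03-01T08:05", "uuid": "3F1A-77C2",
     "mac": "00:1A:2B:3C:4D:5E", "imei": "35-000000-000000-1"},
    {"source": "wips", "time": "2006-03-02T09:15",
     "mac": "00:1A:2B:3C:4D:5E", "ip": "10.1.5.23"},
    {"source": "mailsvr", "time": "2006-03-02T19:40", "user": "jsmith",
     "imei": "35-000000-000000-1", "ip": "166.12.8.4"},
    {"source": "wips", "time": "2006-03-03T10:00",
     "mac": "00:0C:9A:11:22:33", "ip": "10.1.5.23"},
    {"source": "btscan", "time": "2006-03-03T10:05",
     "btaddr": "00:0D:44:AA:BB:CC", "name": "Headset"},
]


class UnionFind:
    """Minimal disjoint-set structure over hashable nodes."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def fingerprint_devices(records: List[Dict]) -> List[Dict]:
    """Group records that share any strong identifier into one device fingerprint."""
    uf = UnionFind()
    for i, rec in enumerate(records):
        for key in STRONG_KEYS:
            if key in rec:
                uf.union(("rec", i), (key, rec[key]))

    groups = defaultdict(list)
    for i, rec in enumerate(records):
        groups[uf.find(("rec", i))].append(rec)

    fingerprints = []
    for recs in groups.values():
        fp = {"ids": defaultdict(set), "users": set(), "sources": set(),
              "ips": set(),
              "first_seen": min(r["time"] for r in recs),
              "last_seen": max(r["time"] for r in recs)}
        for r in recs:
            for key in STRONG_KEYS:
                if key in r:
                    fp["ids"][key].add(r[key])
            if "user" in r:
                fp["users"].add(r["user"])
            if "ip" in r:
                fp["ips"].add(r["ip"])
            fp["sources"].add(r["source"])
        fp["ids"] = dict(fp["ids"])
        fingerprints.append(fp)
    fingerprints.sort(key=lambda f: f["first_seen"])
    return fingerprints


def unregistered(fingerprints: List[Dict]) -> List[Dict]:
    """Devices seen by some monitor but never tied to a user: candidates for follow-up."""
    return [f for f in fingerprints if not f["users"]]


if __name__ == "__main__":
    fps = fingerprint_devices(RECORDS)
    for f in fps:
        print(f["first_seen"], sorted(f["sources"]), f["ids"], f["users"] or "<no user>")
    print(len(unregistered(fps)), "device(s) with no registered owner")
```

The "agent" record is what makes the join possible: once protection is installed on an enrolled device, it can report every interface identifier it has, which then ties wireless sightings and remote-access logins to the same owner. Without such a record, the MAC seen by the wireless IPS and the IMEI seen by the mail server would remain two unrelated fingerprints.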
Detection may be sufficient for companies that just want to meet reporting requirements. But most will eventually go further by blocking unauthorized access and fingerprinting devices to identify their owners, tracking activities and mitigating threats.
Clutch Control: Employee-Owned Mobile Devices
How can you deal with mobile devices that are not company-owned, yet pose a risk to company assets? You may not have direct jurisdiction over employee-owned mobile devices used exclusively for personal activities. However, every company has the right to define and enforce policies regarding corporate data, no matter where it is located.
"Some companies say that if the device comes into our organization, then it comes under our corporate policy. Some just say those devices aren't allowed. But I don't think you can really prevent people from doing that without some type of detection," says Martin Allen, managing director for Pointsec.
Mobile devices can be detected when synchronized to a corporate desktop, connected to a corporate network, or carried on-site with an active wireless interface. But how do you spot the off-site Treo containing manually entered customer contacts or business account passwords? If that device never touches the company network in any way, there is simply no automated way to detect it.
Mike Reimer, Trust Digital's executive vice president of marketing and business development, argues that transparency is the key. "You can [cause] a grass-roots revolt if you don't implement security the right way. Some vendors require you to enter a password [into your PDA] just to make a phone call, which doesn't impact corporate data at all, and that creates frustration for users," he says. "The right approach is to learn what your problems and issues are, create your policy, and then decide how to implement that policy."
Minimize user impact by making enforcement as transparent as possible, but eliminate corporate liability if a device is lost or stolen. By defining policy, you can help employees understand the rules and consequences. By automatically detecting devices and installing protection, you can motivate employees to safeguard the mobiles they purchase. And if those measures result in minimal worker disruption and inconvenience, those mobiles will be more likely to stay protected.
According to market research firm TNS NFO, 86 percent of employers permit the business use of employee-owned mobiles, yet 84 percent do not set usage guidelines. That's a recipe for disaster. To manage the business risk posed by mobile devices, companies should define which devices are allowed under what conditions. At minimum, a mobile device policy should identify the following:
- Supported devices and OS versions
- Users and desktops that can use those devices for business
- Wireless interfaces that can be used on those devices
- Business data that can be stored on those devices
- Required protection measures
- Policy and noncompliance enforcement
Detection can shape policy by showing which devices are already in use, providing the basis for assessing risk and deciding which countermeasures are warranted. However, the framework used to implement those decisions should be device-independent and extensible. A solution tailored specifically for today's mobile devices will be quickly outdated.
Implementing policies on an enterprise scale requires central deployment of software and configurations. For cost and consistency, leverage existing infrastructure and data. Seek out mobile security platforms that integrate with existing user databases. Re-use inventory management and software distribution systems where possible.
For example, Utimaco's SafeGuard settings can be configured as Windows Group Policy Objects that Active Directory pushes to PCs, where they can be synchronized onto PDAs. Alternatively, SafeGuard's software and settings can be pushed to mobiles using Afaria's XcelleNet or Extended Systems' XTNDConnect.
Figure 2 (Wireless intrusion prevention): Wireless IPSes can detect unauthorized devices and invoke containment actions.
Protecting Against Threats
PDA and smart phone protection is conceptually similar to laptop safeguards, but is implemented quite differently because of variations in OSes, embedded security, I/O methods and user behavior.
Power-on passwords, for instance, can prevent access to stolen devices, but few users enable built-in mobile PINs.
A mobile security suite can require passwords, enforce complexity rules and invoke lockout or data wipe after repeated failure. However, entering a long, complex password on a PDA is tough, so consider easy entry methods like image or fingerprint authentication. Authenticating repeatedly is impractical, so weigh usability exceptions. Getting locked out on the road is incapacitating--look for self-service password reset.
Stored data encryption is important for mobiles, but opinions vary as to granularity and method. "It depends on how mobile the workforce is and how important their information is," says Martin Allen, Pointsec's managing director. "Some companies have a corporate policy to encrypt everything, others encrypt only devices with sensitive information."
Securing data in transit can be accomplished with secure applications such as BlackBerry and GoodLink, secure links like 802.11i, or mobile VPNs, including those from Aventail, Bluefire, Columbitech, NetMotion and Netseal. These methods are not mutually exclusive; they serve different purposes. Choose carefully: Device-specific methods are less extensible; network-specific methods inhibit roaming.
The recent rash of mobile worms and Trojans has sparked interest in firewall and malware defenses. PDA firewalls can be stand-alone programs, such as Airscanner's Mobile AntiVirus Pro and CREDANT's Personal, or integrated with other defenses. Many AV vendors sell PDA/smart phone scanners, designed to mitigate OS-specific threats, including Kaspersky Labs, Symantec, McAfee, F-Secure and Trend Micro.
Authorization is an area where mobile security programs are paving the way. Blacklists can stop users from installing programs that put corporate data at risk; whitelists can verify the presence of required programs before the device can access a network or desktop. Many products can enforce usage rules for removable storage, embedded cameras, telephones and wireless interfaces.
Enforcing Security Policies
Once a mobile security policy has been implemented, it must be enforced. Devices must be monitored to spot changes, such as a hard reset that restores factory default settings. Detection tools can help to enforce policy by automatically re-installing programs and settings on the next connect or sync attempt. For travelers cut off from the company network, use offline recovery methods to restore from flash memory or storage cards.
Enforcement actions may be administrator-initiated or policy-based. For example, PDAs can be configured to delete vulnerable data when a serious attack is detected. Users may add policies beyond corporate mandates to wipe personal data when a threat is detected, or administrators may wipe lost handhelds on next connect.
Blocking unauthorized network use can be accomplished through many techniques: Host-resident agents can prevent PDAs from synchronizing to desktops; VPN gateways and portals can deny access to unauthorized users, perhaps factoring in device identity; and gateways using NAC or TNC can block clients that fail integrity checks or quarantine them for remediation.
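The admission decision the preceding paragraphs describe (allow, quarantine for remediation, or deny) can be expressed as a posture check against the policy elements listed earlier in the article. The example below is added here and is not code from Cisco NAC, TNC or any vendor named on the page; it models a hypothetical policy (supported OS versions, authorized users and desktops, allowed interfaces, required and forbidden programs, required controls) and a device posture report as plain dictionaries, all constructed for illustration. Identity and platform failures are denied outright because pushing software cannot fix them, while integrity failures are quarantined with a remediation list that a sync agent could apply on the next connect; a hard-reset device, which reports no programs and no controls, therefore comes back as a quarantine with full re-provisioning rather than a permanent block.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Hypothetical policy, mirroring the article's minimum policy elements.
POLICY = {
    "supported_os": {"Windows Mobile": (5, 0), "Palm OS": (5, 4)},  # minimum version
    "allowed_users": {"jsmith", "adoe"},
    "allowed_desktops": {"WS-0421", "WS-0388"},
    "allowed_interfaces": {"wifi", "cradle"},          # Bluetooth and IR stay off
    "required_programs": {"mobileguard-agent", "mobile-av"},   # whitelist
    "forbidden_programs": {"p2p-share"},                       # blacklist
    "required_controls": {"power_on_password", "storage_encryption"},
}

# Constructed posture report as a sync agent or NAC client might submit it.
COMPLIANT = {
    "uuid": "3F1A-77C2", "user": "jsmith", "desktop": "WS-0421",
    "os": "Windows Mobile", "os_version": (5, 1),
    "interfaces": ["wifi"],
    "programs": ["mobileguard-agent", "mobile-av", "mail"],
    "controls": {"power_on_password": True, "storage_encryption": True},
}


@dataclass
class Decision:
    action: str                                   # "allow", "quarantine" or "deny"
    reasons: List[str] = field(default_factory=list)
    remediation: List[str] = field(default_factory=list)


def evaluate(posture: Dict, policy: Dict = POLICY) -> Decision:
    deny: List[str] = []
    fix: List[str] = []

    # Identity and platform checks: not remediable by pushing software.
    if posture["user"] not in policy["allowed_users"]:
        deny.append("user %s not authorized for mobile access" % posture["user"])
    desktop = posture.get("desktop")
    if desktop and desktop not in policy["allowed_desktops"]:
        deny.append("desktop %s not approved for sync" % desktop)
    minimum = policy["supported_os"].get(posture["os"])
    if minimum is None:
        deny.append("OS %s not supported" % posture["os"])
    elif tuple(posture["os_version"]) < minimum:
        deny.append("OS version %s below minimum %s" % (
            ".".join(map(str, posture["os_version"])), ".".join(map(str, minimum))))
    if deny:
        return Decision("deny", deny)

    # Integrity checks: each failure maps to an action the agent can apply.
    missing = policy["required_programs"] - set(posture["programs"])
    if missing:
        fix.append("install " + ", ".join(sorted(missing)))
    forbidden = policy["forbidden_programs"] & set(posture["programs"])
    if forbidden:
        fix.append("remove " + ", ".join(sorted(forbidden)))
    enabled = {c for c, on in posture["controls"].items() if on}
    off = policy["required_controls"] - enabled
    if off:
        fix.append("enable " + ", ".join(sorted(off)))
    rogue = set(posture["interfaces"]) - policy["allowed_interfaces"]
    if rogue:
        fix.append("disable " + ", ".join(sorted(rogue)))
    if fix:
        return Decision("quarantine", ["%d integrity check(s) failed" % len(fix)], fix)
    return Decision("allow")


if __name__ == "__main__":
    drifted = dict(COMPLIANT, interfaces=["wifi", "bluetooth"],
                   programs=["mobileguard-agent", "p2p-share"])
    hard_reset = dict(COMPLIANT, programs=[], controls={})
    for label, posture in [("compliant", COMPLIANT), ("drifted", drifted),
                           ("hard reset", hard_reset)]:
        d = evaluate(posture)
        print("%-10s %-10s %s" % (label, d.action, d.remediation or d.reasons))
```

The ordering matters: a device that fails an identity check is never offered remediation, so an unauthorized user cannot "earn" access by installing the agent, while a known user's freshly reset device is walked back to compliance automatically.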
If a wireless IPS detects an unauthorized device, it may disconnect that device by transmitting wireless management messages. Or, it could use traceroute to determine the Ethernet switch used by an AP, disabling the port to prevent network intrusion. These "containment" actions can even be invoked automatically, such as by blocking all connections between trusted users and rogue APs. (For a comparative review of wireless IPS/IDS appliances, see Information Security's March 2006 feature "Unplugged.")
Ultimately, enforcement decisions require information. Mobile attributes and activities must be tracked to enable analysis and historical reporting. Sources include mobile device logs, synchronization logs, remote access logs and wireless intrusion alerts. Bluefire's Mobile Security Suite, for example, gathers security events from mobiles in real time, creating a central repository for reporting and threat analysis. Good Technology's Monitoring Portal tracks GoodLink usage to provide real-time snapshots of users and devices. Wireless IPS and stumblers can be used to track down unauthorized Wi-Fi or Bluetooth devices for physical removal.
More information from SearchSecurity.com
Join Lisa Phifer on April 20 at noon ET, as she provides operational advice for locking down mobile devices.
While controlling mobile wireless devices may seem like a daunting task, IT organizations can no longer afford to ignore the business threats they present. The dangers will only escalate in proportion to the number of users, devices and network entry points. At a minimum, detect devices, assess exposures and establish a mobile usage policy, then roll out protection and enforcement as business needs and risks warrant.
Mobile challenges will evolve along with technology. But mobile security will not be accomplished overnight, so get a grip on the mobile enterprise today.