Risk Factory: Getting a Grip on Mobile Devices


Getting a Grip on Mobile Devices

Last year thousands of travellers left personal items in London taxi cabs

• 27 toilet seats
• 4 sets of false teeth
• 3 dogs
• 2 babies
• 1 cat
• 1 pheasant
• Funeral ashes
• A dead body
• Over 75,000 mobile computing devices

These devices can hold

• 10k photos
• 200k docs
• 100k emails

How do you Get a Grip on that?

Top 10 Risks

1. Loss
2. Theft
3. Malware
4. Stealth installs
5. Data interception
6. Direct attack
7. Call hi-jacking
8. VPN hi-jacking
9. Session hi-jacking
10. Device hi-jacking

Step 1

Quantify the Problem

• Stop.
• First measure the problem
• Conduct a survey
• How many devices? Running what applications?
• Processing, storing, transmitting: what data?
• Draft Asset Register
• Draft Risk Register

Step 2

Draft policies

• Device ownership
• Device liability
• Acceptable devices
• Acceptable use
• Acceptable applications
• Minimum device security requirements
• Where to report lost/stolen devices
• Security Awareness Program

Consider…

• Mandating the use of PINs to access devices
• Mandating use of complex passwords to access applications
• Set max number of password failures
• Set max days of non-use lock out
• Specify password change interval
• Prevent password reuse via password history
• Set screen-lock

Step 3

Configuration

• Firewall
• Anti-virus (Malware, Trojans, Spyware)
• O/S Updates
• Hardening
• Back end support servers
• VPN dual authentication

Consider…

• Adding or removing root certs
• Configuring WiFi including trusted SSIDs, passwords, etc.
• Configuring VPN settings and usage
• Blocking installation of additional apps from the App Store
• Blocking GeoLocation
• Blocking use of the iPhone’s camera
• Blocking screen captures
• Blocking use of the iTunes Music Store
• Blocking use of YouTube
• Blocking explicit content

Step 4

Encryption

• Data
• Disk
• Document, File & Folder
• Laptop
• Port & Device Controls
• Removable Media & Device
• Email

Step 5

Incident response

• Included in BC/DR Plan
• Back ups
• Alternatives:
  – Find it
  – Track it
  – Kill it

How to Get a Grip

• Quantify the problem
• Policies
• Configuration
• Encryption
• Incident Response

Source

the problem in hand

26 Dover Street
London
United Kingdom
W1S 4LY

+44 (0)20 3586 1025
www.riskfactory.com

A different perspective
