
Project On: Mobile Devices Audit

By: Priyanka Rawool

Submitted to: Prof. Avinash Gokhale

What Are Mobile Devices?


Mobile devices can mean many different things to people. They can be defined as:

- Full-featured mobile phones with personal computer-like functionality, or smartphones
- Laptops and netbooks
- Tablet computers
- Portable digital assistants (PDAs)
- Portable Universal Serial Bus (USB) devices for storage (such as thumb drives and MP3 devices) and for connectivity (such as Wi-Fi, Bluetooth)
- Digital cameras
- Infrared-enabled (IrDA) devices such as printers and smart cards

Devices such as these provide the user with the opportunity for seamless communication and/or information storage whether in the office or elsewhere. The communication capabilities allow workers to utilize wireless networks to communicate via phone, e-mail and text. Many provide access to the Internet, access to company documents and drives, video and photographic capabilities, and storage capability. In short, many of these devices enable an employee to be away from the office yet have the convenience of all the office resources.

Risks and Security Concerns with Mobile Devices


Deployment of mobile devices can present a significant amount of risk to the overall enterprise security posture. Mobile devices have numerous vulnerabilities that are susceptible to malicious attacks as well as non-malicious internal threats. From the types of networks the mobile devices use to the threat of data loss, mobile devices have no shortage of inherent risk.

Ironically, many of the risks associated with mobile devices exist because of their biggest benefit: portability. Mobile devices transport data via wireless networks, which are typically less secure than wired networks. These wireless networks can leave information at risk of interception. Additionally, many of these devices have storage capability and unencrypted data at rest, thus the information gathered from either the interception of data in transit or theft or loss of a device can result in the compromise of sensitive and proprietary information.

In addition to data loss, mobile devices carry the risk of introducing malware. The devices themselves can be used as a platform for additional malicious activity. Devices and laptops with onboard microphones and cameras are particularly vulnerable because they can be activated easily using publicly available tools, possibly resulting in malware propagation, data loss and eavesdropping. Likewise, cellular and Voice-over IP (VoIP) technologies also have vulnerabilities that can be easily exploited, resulting in intercepted calls.

The risks of using mobile devices are certainly abundant. In addition to the previously mentioned issues, the potential exists for technical attacks against devices by using vulnerabilities in the communications layer. These attacks are perpetrated using remote access tools (RATs) that can be planted on a mobile device, and thereby access the physical device to recover information and data. These threats can be countered in many cases by using sound policy and judgment in the implementation and use of the devices. However, some threats require the additional layers of protection that technical controls and countermeasures offer, such as encryption and third-party security software designed to counter these threats.

Figure 1 presents some known vulnerabilities and associated threats that need to be understood when dealing with mobile devices. The figure has three columns: Vulnerability, Threat and Risk.

Vulnerability: Information travels across wireless networks, which are often less secure than wired networks.
Threat: Malicious outsiders can do harm to the enterprise.
Risk: Information interception resulting in a breach of sensitive data, enterprise reputation, adherence to regulation, legal action.

Vulnerability: Mobility provides users with the opportunity to leave enterprise boundaries and thereby eliminates many security controls.
Threat: Mobile devices cross boundaries and network perimeters, carrying malware, and can bring this malware into the enterprise network.
Risk: Malware propagation, which may result in data leakage, data corruption and unavailability of necessary data.

Vulnerability: Bluetooth technology is very convenient for many users to have hands-free conversations; however, it is often left on and is then discoverable.
Threat: Hackers can discover the device and launch an attack.
Risk: Device corruption, lost data, call interception, possible exposure of sensitive information.

Vulnerability: Unencrypted information is stored on the device.
Threat: In the event that a malicious outsider intercepts data in transit or steals a device, or if the employee loses the device, the data are readable and usable.
Risk: Exposure of sensitive data, resulting in damage to the enterprise, customers or employees.

Vulnerability: The device has no authentication requirements applied.
Threat: In the event that the device is lost or stolen, outsiders can access the device and all of its data.
Risk: Data exposure, resulting in damage to the enterprise and liability and regulation issues.

Vulnerability: The enterprise is not managing the device.
Threat: If no mobile device strategy exists, employees may choose to bring in their own unsecured devices. While these devices may not connect to the Virtual Private Network (VPN), they may interact with e-mail or store sensitive documents.
Risk: Data leakage, malware propagation, unknown data loss in case of device loss or theft.

Strategies for addressing mobile device risks


As mobile devices are becoming such a prominent tool in business operations, it is important for security managers to consider how to manage the risks associated with these devices. With the introduction of new mobile devices and platforms, IT professionals should update existing, or create new, mobile device strategies. Creating a mobile device strategy will help ensure that risks are accounted for and managed appropriately. Information security managers will need to think about issues such as organizational culture, technology and governance when creating the mobile device strategy.

In the policy that sets the strategy goals, the following issues should be considered:

- Defining allowable device types (enterprise-issued only vs. allowing personal devices, and types of devices such as BlackBerry or iPhone)
- Defining the nature of services accessible through the devices, taking into account the existing IT architecture
- Identifying the way people use the devices, considering the corporate culture as well as human factors and how the nondeterministic execution of processes through the use of mobile devices may lead to unpredictable risks
- Integrating all enterprise-issued devices into an asset management program
- Describing the type of authentication and encryption that must be present on the devices
- Outlining the tasks for which employees may use the devices and the types of applications that are allowed
- Clarifying how data should be securely stored and transmitted

Figure 2 provides strategies to address risks. Mobile devices have the potential to become the biggest threat for leakage of confidential information. Their protection, very much neglected until now, will become a primary task for enterprises. Creating a transparent, understandable, flexible and executable policy to protect against risks related to the use of mobile devices will support management in its effort to protect intellectual property and sustain competitive advantage. The figure pairs each risk with a strategy.

Risk: A lost or stolen mobile device
Strategy: Implement a central management console for device remote control, i.e., location tracking, data wipeout, password/PIN change or strong user authentication. Ensure that mobile devices are encrypted so information is unusable in the event of loss or theft.

Risk: Providing support to various devices
Strategy: Turn to cross-platform centrally managed mobile device managers.

Risk: Controlling data flow on mobile devices
Strategy: Secure the systems that are accessed with authorization, encryption and privileges control.

Risk: Preventing data from being synchronized onto mobile devices in an unauthorized way
Strategy: Monitor and restrict data transfers to handheld or removable storage devices and media from a single, centralized console.

Risk: Keeping up with usage of the latest and greatest devices
Strategy: Create keen user awareness on information assets, risks and value to the enterprise.

Risk: Promoting accountability, responsibility and transparency with device usage
Strategy: Track how the devices are used, and provide regular feedback to management.

Risk: Demonstrating regulatory compliance
Strategy: Implement a central management console to manage all stages of asset management, from installation to retirement.

Test Steps for Auditing Mobile Devices


Part 1: Mobile Device Technical Audit

Step 1: Ensure that mobile device management (MDM) software is running the latest approved software and patches. Running old software on the mobile device gateways may leave the gateways or remote mobile devices open to known attacks or prevent the organization from taking advantage of more robust security features.

How: Evaluate the gateway with an administrator, and verify that the code running on the gateway is the latest version. Verify that the latest version is correct using the manufacturer's website or another similar updated source of information from the manufacturer. Examine the change-management processes around evaluating and maintaining current code releases for the APs. Note whether this process is automated and coordinated and whether it scales operationally across regional sites.

Step 2: Verify that mobile clients have protective features enabled if they are required by your mobile device security policy. Many MDM solutions, including GoodLink and RIM (maker of BlackBerry), provide several client features such as password controls and remote or local wiping that can bolster your security should a device become lost or stolen.

How: Requisition a mobile device with an administrator's help, and verify that it has the protective features enabled as determined by your mobile security policy or other agreed-on standard. Some common features available with MDM solutions include enforced passwords, password settings, remote lock, remote wipe, and local wipe. Passwords can be set up to meet several different requirements in terms of length and complexity. Emergency calls to 911 should be allowed when the device is configured to enforce passwords. Remote lock allows administrators to lock a lost or stolen mobile device until it is either found or a decision is made to wipe the device remotely. Wiping the device prevents an attacker from retrieving any data. The local wipe feature is designed to wipe the device if a user exceeds the maximum number of tries to log into it. If you have the capability, you should evaluate the process a user would follow if his or her PDA phone were lost or stolen. Test these features to verify that your company processes work as designed and that all parties understand how to carry out the process.

Step 3: Determine the effectiveness of device security controls around protecting data when a hacker has physical access to the device. This is an advanced step and would be performed with the help of your company's computer forensic or security team. The subtle reason for performing this step is to help shed light on the need for security on mobile devices. The company's e-mail server and global address book are accessible remotely on lost or stolen devices until the device account tied into the company network is deactivated.

How: In one large company, the administrator estimated that wiping a device succeeds only about 20 percent of the time. One reason for this is that users tend to wait too long before reporting that their devices have been lost or stolen. If users are not aware of what to do when they lose a device, a window of opportunity opens for someone with malicious intent to attempt to record data from the device. Waiting to raise a potential issue renders the remote lock and erase controls ineffective. If you determine that you need to use forensic tools to test your controls, you need to state your assumptions clearly. You could, for example, give yourself a timeframe to pull data from a device before remotely attempting to kill the device. Assume that you have the ability to kill devices remotely, and assume that Faraday bags are not used by the attacker. Faraday bags prevent radio signals from reaching a device and lend an unfair advantage to an attacker. These bags might be used by a skilled, intentioned attacker, but they are not common. The following additional controls may help to prevent physical access hacks. These must be turned on manually and should be in line with your policies.

- Managed devices must be password-protected and erase themselves automatically after, for example, 15 incorrect password attempts.
- Devices can be locked or erased remotely.
- A password is required to read data on a mobile device.

Step 4: Evaluate the use of security monitoring software and processes. Security monitoring and regular log reviews can reveal potential issues before a serious event occurs.

How: Speak with the mobile device administrator in an attempt to understand what's being logged and how those logs are reviewed. It's best to have an automated review process. Work with the administrator to understand whether these logs are useful; if they are not, determine what barriers exist to prevent them from being reviewed and delivering actionable data.

Step 5: Verify that unmanaged devices are not used on the network. Evaluate controls over unmanaged devices. Unmanaged devices often contain sensitive personal and corporate data without the benefit of the security controls enforced on managed devices. This makes them easy targets for compromise when they are lost or stolen.

How: One method for discovering the number of potential unmanaged devices on your network is to look for the existence of the supporting desktop software on your systems. This doesn't prove that an employee is actively using the device but suggests that at one point he or she tried to do so. You could use your endpoint management software, for example, to search for the existence of the executables associated with the desktop software used with the mobile devices.
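The search described above can be scripted once the endpoint management tool has exported its software inventory. The following is an added example, not part of this project document or of any MDM product: it assumes two exports, a per-host list of installed executables and the MDM console's list of users who own an enrolled device, and it cross-references them so that a host running sync software for a user with no managed device becomes a follow-up item. The executable names and all sample records are constructed placeholders; substitute the names your own sync software actually installs.

```python
"""Flag hosts that show signs of unmanaged mobile devices (audit Step 5).

Added example; the indicator names and sample exports below are constructed.
"""
from collections import defaultdict

# Constructed indicators: desktop sync/companion software whose presence
# suggests a mobile device was attached to the workstation at some point.
# These are placeholder file names, not verified product executable names.
SYNC_SOFTWARE = {
    "desktopmanager.exe": "BlackBerry desktop sync (placeholder name)",
    "itunes.exe": "iPhone sync via iTunes (placeholder name)",
    "activesync.exe": "Windows Mobile sync (placeholder name)",
    "hotsync.exe": "Palm sync (placeholder name)",
}

# Constructed endpoint inventory export: host -> (primary user, installed executables).
ENDPOINT_INVENTORY = {
    "WS-0101": ("alice", ["outlook.exe", "iTunes.exe"]),
    "WS-0102": ("bob", ["outlook.exe", "desktopmanager.exe"]),
    "WS-0103": ("carol", ["outlook.exe"]),
    "WS-0104": ("dave", ["hotsync.exe", "activesync.exe"]),
}

# Constructed MDM enrollment export: users who own at least one managed device.
MANAGED_DEVICE_OWNERS = {"bob"}


def sync_software_on_host(executables):
    """Return the installed executables (lower-cased, sorted) that are known sync tools."""
    return sorted(e.lower() for e in executables if e.lower() in SYNC_SOFTWARE)


def find_unmanaged_candidates(inventory, managed_owners):
    """Return {host: finding} for hosts with sync software whose user owns no managed device.

    As the audit text notes, a hit does not prove the device is in use; it is a
    lead to confirm with the administrator and the user.
    """
    findings = {}
    for host, (user, executables) in inventory.items():
        hits = sync_software_on_host(executables)
        if hits and user not in managed_owners:
            findings[host] = {
                "user": user,
                "software": [SYNC_SOFTWARE[e] for e in hits],
            }
    return findings


def summarize_by_product(findings):
    """Count candidate hosts per sync product, to size the follow-up effort."""
    counts = defaultdict(int)
    for finding in findings.values():
        for product in finding["software"]:
            counts[product] += 1
    return dict(counts)


if __name__ == "__main__":
    results = find_unmanaged_candidates(ENDPOINT_INVENTORY, MANAGED_DEVICE_OWNERS)
    for host, finding in sorted(results.items()):
        print(f"{host}: user={finding['user']} sync software={', '.join(finding['software'])}")
    print("per product:", summarize_by_product(results))
```

With the constructed data, WS-0101 and WS-0104 are reported (their users own no enrolled device), WS-0102 is not (bob is a managed-device owner), and WS-0103 has no sync software at all. Matching is case-insensitive because inventory tools report file names inconsistently.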

The reality is that this can be a very difficult step; however, it's important to manage mobile devices on the corporate network. Advanced controls might include a preventative control such as Network Access Control that can prevent these devices from connecting to the network. Discuss detective and preventative controls with your administrator.

Step 6: Evaluate procedures in place for tracking end user trouble tickets. Failure to establish ownership and tracking of end user issues could result in end users being unable to resolve connectivity problems.

How: End user issues should be tracked through a trouble ticketing system. An owner for these issues should be assigned, and a group should be held responsible for tracking the progress to closure of any tickets opened because of mobile device issues. Discuss these processes with the administrator.

Step 7: Ensure that appropriate security policies are in place for your mobile devices. Policies help to ensure compliance with a standard, help with repeatable processes, and allow the company to act against documented company violations.

How: Determine whether mobile device policies exist and whether the administrator responsible for the mobile devices knows and understands the content of those policies. Determine whether the policies are being followed or what barriers might exist to prevent them from being followed. Finally, ensure that relevant portions of the WLAN policies are communicated to employees who use the wireless network. A few common policy items might include the following:

- You must use one of the defined and supported devices.
- Synchronizing to your local workstation is allowed only with approved managed devices.
- When available, antivirus and encryption tools should be used on your handheld device.
- The password policy for handhelds that access the company's Internet and/or e-mail systems is [defined policy].
- After 15 failed password tries, the handheld must be erased automatically.
- The device must time out after 30 minutes of inactivity.

Step 8: Evaluate disaster recovery processes in place to restore mobile device access should a disaster happen. Failure to have appropriate recovery processes in place prevents a timely restoration of mobile e-mail access for users who must have it to conduct company business.

How: Restoring mobile device access may not be at the top of most people's list following a critical disaster, but at least some thought should be given to it, and procedures should be in place to facilitate this process. Discuss this with the administrator, and ensure that the recovery processes are in line with the expectations and standards of other recovery processes in the company. Depending on the use of mobile e-mail, this may be a critical component, such as with a large mobile sales force that depends on wireless mobile e-mail to conduct business and close deals efficiently. Other environments, such as those that use wireless e-mail to supplement existing and working wired infrastructures, may not view this as very important. This is a business risk that should be evaluated and measured appropriately when you review the mobile device security policies and BC/DR processes.

Step 9: Evaluate whether effective change management processes exist. Change management processes help track and provide controlled changes to the environment. Controlled environments are more secure and have less impact on user productivity.

How: Discuss change management practices with the administrator as they relate to changing components in the environment that affect the infrastructure, and especially changes that might affect the end user. Consider asking for evidence of a recent change and following through how the change was handled from start to finish, verifying that appropriate approvals were obtained and documentation created.

Step 10: Evaluate controls in place to manage the service life cycle of personally owned and company-owned devices and any associated accounts used for the gateway. The service life cycle of devices is defined as the provisioning, servicing, and deprovisioning of devices over the period of time such devices are used at the company. The risk of not tracking a device through the service life cycle includes losing track of the device to an employee who leaves the company with sensitive information still on the mobile device.

How: Measures should exist to manage the service life cycle of the mobile devices managed by your company and the accounts associated with those devices. Discuss this with the administrator, and look for records supporting his or her statements. Walk through a recent provisioning and deprovisioning process with the administrator.
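Two of the checks above lend themselves to a script run over an MDM export: verifying that each enrolled device actually has the protective settings the policy demands (Step 2 and the policy items in Step 7: enforced password, automatic erase after 15 failed attempts, 30-minute inactivity timeout, encryption, remote wipe) and finding devices whose owners have already left the company but were never deprovisioned (Step 10). The following is an added example, not part of this project document and not the output of any MDM product. It assumes the MDM console can export the per-device settings listed in the record below and that HR supplies the list of departed users; the field names, the minimum password length of 6 (standing in for the "[defined policy]" placeholder) and all sample records are constructed.

```python
"""Audit an MDM device export against policy (Steps 2 and 7) and find
devices whose owners have left the company (Step 10).

Added example; field names, thresholds and sample records are constructed.
"""
from dataclasses import dataclass

# Thresholds taken from the audit text's sample policy items; the minimum
# password length is an assumption standing in for "[defined policy]".
POLICY = {
    "min_password_length": 6,
    "max_failed_attempts": 15,     # device must erase itself by the 15th failed try
    "max_inactivity_minutes": 30,  # device must lock within 30 minutes
    "require_encryption": True,
    "require_remote_wipe": True,
}


@dataclass
class Device:
    """One row of a (constructed) MDM export."""
    device_id: str
    owner: str
    password_required: bool
    min_password_length: int
    wipe_after_failed_attempts: int   # 0 = local wipe disabled
    inactivity_timeout_minutes: int   # 0 = never locks
    encrypted: bool
    remote_wipe_enabled: bool


# Constructed MDM export.
DEVICES = [
    Device("BB-1001", "alice", True, 8, 10, 15, True, True),
    Device("BB-1002", "bob", True, 4, 0, 30, True, True),
    Device("IP-2001", "carol", False, 0, 0, 0, False, False),
    Device("BB-1003", "erin", True, 8, 15, 30, True, True),
]

# Constructed HR leaver list; Step 10 deprovisioning should have removed these.
DEPARTED_USERS = {"erin"}


def policy_violations(device, policy=POLICY):
    """Return a list of human-readable policy violations for one device."""
    v = []
    if not device.password_required:
        v.append("no password enforced")
    elif device.min_password_length < policy["min_password_length"]:
        v.append(f"password length {device.min_password_length} < {policy['min_password_length']}")
    if device.wipe_after_failed_attempts == 0:
        v.append("local wipe disabled")
    elif device.wipe_after_failed_attempts > policy["max_failed_attempts"]:
        v.append(f"local wipe only after {device.wipe_after_failed_attempts} attempts")
    if device.inactivity_timeout_minutes == 0:
        v.append("no inactivity timeout")
    elif device.inactivity_timeout_minutes > policy["max_inactivity_minutes"]:
        v.append(f"inactivity timeout {device.inactivity_timeout_minutes} min > {policy['max_inactivity_minutes']}")
    if policy["require_encryption"] and not device.encrypted:
        v.append("storage not encrypted")
    if policy["require_remote_wipe"] and not device.remote_wipe_enabled:
        v.append("remote wipe not enabled")
    return v


def audit(devices, departed, policy=POLICY):
    """Return {device_id: [findings]}; devices with no findings are omitted."""
    findings = {}
    for d in devices:
        issues = policy_violations(d, policy)
        if d.owner in departed:
            issues.append(f"owner {d.owner} has left; device/account not deprovisioned")
        if issues:
            findings[d.device_id] = issues
    return findings


if __name__ == "__main__":
    for device_id, issues in sorted(audit(DEVICES, DEPARTED_USERS).items()):
        print(device_id)
        for issue in issues:
            print("  -", issue)
```

With the constructed export, BB-1001 is fully compliant, BB-1002 fails on password length and has local wipe turned off, IP-2001 (an unmanaged-style profile with nothing enforced) collects five findings, and BB-1003 is compliant in its settings but belongs to a departed user, which is exactly the Step 10 risk of a leaver walking away with company data on a still-active device. A device that wipes after fewer than 15 attempts or locks sooner than 30 minutes is stricter than policy and is not flagged.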
