
Mobile Security Guide: Policies To Mitigate Device Threats


DESCRIPTION

This first-in-a-series guide gives you brief and easy recommendations on policies you can set at your organization to secure mobile devices, mitigate mobile threats, and secure company data. To download a free Mobilisafe demo, click here: http://information.rapid7.com/mobilisafe-demo.html?LS=1428723&CS=Web


Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com

Mobile Security Guide: Policies To Mitigate Device Threats

In order to protect corporate data and resources from mobile device security threats, it’s critical to have device security policies in place—as well as processes and tools to ensure their effectiveness. Some of the greatest threats to corporate data from mobile device use can occur via:

Lost/stolen devices and terminated employees

Employee behavior: Leaking corporate data into mobile apps, like Dropbox and Evernote

Jailbroken devices

Trojans that infect devices, such as DroidDream

Employees unknowingly installing abusive apps that leak contact, calendar, and location data, as prior versions of LinkedIn and Path did

Phishing attacks via SMS and Email

Sniffing and Man-In-The-Middle attacks from using unprotected networks

Device Security Recommendations

In order to mitigate the above mobile device threats, we recommend the following policies and practices.

Password Policies

These policies specify that a password is required to unlock the mobile device when it is powered on or wakes from an idle state. This policy can help protect in lost and stolen device scenarios.

There are 4 key elements to an effective password policy:

Length

Complexity

Timeout duration before a password is required

Failed attempts before a reset


There is a balance to strike here: the strength requirements must be enough that the password cannot easily be guessed, but not so demanding that they annoy end users. Specifying the timeout duration is part of this balance as well. If the duration is set too short, users will be annoyed by repeated password entries; if it is too long, the device is more easily exploitable once stolen or lost. You can also specify the number of failed password attempts before a device is wiped. This policy is particularly tricky, as your acceptable use policy must make the consequences of failed password entry clear: a full device wipe erases all personal and corporate data on the device. There are numerous examples of an employee’s child getting hold of a locked device and accidentally entering incorrect passwords until the device wiped itself.

Recommendation: At a minimum, require a numeric password that is at least four digits long.

Encryption

This policy enables whole device encryption on Android 3.0+ devices. This policy can help protect company data in lost and stolen device scenarios. If an attacker were to get hold of a device and attempt to access stored data without the appropriate encryption PIN, they would fail to obtain decipherable data. iOS 4.0+ devices support encryption by default out of the box; enabling this policy and disallowing non-provisioned devices will prevent iOS devices running earlier versions from accessing corporate data.

Recommendation: Enable encryption but be cognizant of devices that fail to meet the minimum platform version requirements to support the policy.

Remote Wipe

This isn’t a specific device policy that has to be configured, but it is a device security recommendation that requires language in the acceptable use policy to cover this capability. When devices authenticate with Exchange to access corporate data, they will be required to allow remote wipe operations in order to sync data to their device.

Recommendation: Establish clear, easy-to-understand language in the company’s Acceptable Use Policy (AUP) about when the company is permitted to remotely wipe a device and reset it to factory state.


Peripheral Management

There are a variety of peripherals on smartphones today, including GPS, NFC, Bluetooth, and cameras. A number of device security policies can be used to disable these peripherals so that they cannot be used.

Recommendation: Unless your organization is in an extremely information-sensitive industry (e.g., Defense), skip policies that disable peripherals for employees bringing in personal devices.
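The policies described above (password length, complexity, timeout and failed attempts, device encryption, blocking non-provisionable devices, remote wipe, and leaving peripherals enabled for personal devices) expressed as an Exchange ActiveSync mailbox policy. This is an added example, not material from the Rapid7 guide; it assumes the Exchange Management Shell on Exchange 2013 or later, and the policy name, mailbox and e-mail addresses are placeholders.

```powershell
# Added example, not from the Rapid7 guide. Placeholder names throughout.
# Values follow the guide's stated minimum (numeric PIN, four digits);
# raise them for more sensitive data.

# Password policy: the guide's four elements, plus encryption and provisioning.
$baseline = @{
    Name                         = 'BYOD-Baseline'
    PasswordEnabled              = $true        # unlock code required on power-on / wake
    MinPasswordLength            = 4            # length
    AlphanumericPasswordRequired = $false       # complexity: numeric PIN accepted here
    AllowSimplePassword          = $false       # ...but reject 1234 / 1111-style PINs
    MaxInactivityTime            = '00:05:00'   # timeout before the password is asked again
    MaxPasswordFailedAttempts    = 10           # failed attempts before the device wipes itself
    RequireDeviceEncryption      = $true        # whole-device encryption (Android 3.0+, iOS 4.0+)
    AllowNonProvisionableDevices = $false       # devices that cannot enforce the policy do not sync
    # Peripherals: left enabled, as the guide recommends for personal devices.
    AllowCamera                  = $true
    AllowBluetooth               = 'Allow'
}
New-MobileDeviceMailboxPolicy @baseline

# Assign the policy to a mailbox (placeholder address).
Set-CASMailbox -Identity 'jdoe@example.com' -ActiveSyncMailboxPolicy 'BYOD-Baseline'

# Review the devices syncing that mailbox: DeviceOS shows which ones fall below the
# platform versions the encryption policy needs, and the access state shows whether
# the policy blocked them.
Get-MobileDevice -Mailbox 'jdoe@example.com' |
    Select-Object DeviceType, DeviceOS, DeviceAccessState, DeviceAccessStateReason, Identity

# Remote wipe (the capability the Acceptable Use Policy must cover): reset one device
# to factory state and notify the security team when the device acknowledges the wipe.
# Identity comes from the listing above; 'security@example.com' is a placeholder.
$device = Get-MobileDevice -Mailbox 'jdoe@example.com' | Select-Object -First 1
Clear-MobileDevice -Identity $device.Identity -NotificationEmailAddresses 'security@example.com'
```

Running `Clear-MobileDevice` queues the wipe; it takes effect the next time the device attempts to sync.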

3rd Party App Stores

Malware is rampant in 3rd party app stores, and downloading content from these sources presents a significant risk to corporate data and resources. While Android does not support remote management of access to 3rd party app stores, and users with jailbroken iOS devices can gain access to 3rd party app stores, it is critical to establish written policies that are clear and easy to understand so employees are educated about the risks. This can be taken a step further by starting to inventory the applications on employee mobile devices.

Recommendation: Establish clear, easy-to-understand language in the company’s Acceptable Use Policy about not allowing employees to access and download content from unauthorized app stores.