

Penalties and dangers for improper controls continue to rise - a brief report.

By Michael Terban, CISSP, SSCP, HIPAA Security

Mobile computing devices and removable media, all of which can hold sensitive data, are more than conveniences. For many companies, they have become essential operating tools. Because they have become so important, they have also become ubiquitous. Nevertheless, these devices also present significant and special potential for compromising the confidentiality of data. Posing significant risks for businesses, they are a mixed blessing.

Mobile devices include portable PCs as well as any other easily portable device that can be connected to the Internet. Removable media include cartridge and disk-based storage devices that can be used to move data among computers with ease, floppy disks, compact disks, flash memory cards, and hot-swappable or hot-pluggable external storage devices such as USB hard drives and external hard drives, even iPods. The purpose of this paper is to describe the common risks from all of those conveniences and to suggest sensible ways to reduce the likelihood of those risks materializing.

Overview: Legislation, regulations, standards, and contemporary business needs are causing organizations to evaluate the ways that they safeguard and ensure the integrity of computer-based data. Regulations like the Sarbanes-Oxley Act, Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act, and California Security Breach Information Act have clear requirements. In addition to those standards, management has a duty to stakeholders, clients, and customers to protect data from manipulation, invasion, tampering, or loss. As part of that responsibility, mobile devices and removable media, when they are present, must be secured. Policies, procedures, and guidance for these assets need to be clearly established and tested regularly. Personnel need to understand the risks and to be trained in appropriate behaviors and responses.

A former Morgan Stanley executive sold an old Blackberry on eBay. The result was that the eBay buyer found that the device had a great deal of company information and hundreds of confidential email messages. (Security Pipeline, 2005)

How Big is the Problem? The data speaks for itself.

The theft rate is high. More than 600,000 mobile device thefts occurred in 2004, totaling an estimated $720 million in losses.
Safeware Insurance, 2004

Large amounts of proprietary information are stolen. There were 600,000 mobile device thefts reported in 2004, totaling an estimated $5.4 billion in theft of proprietary information.
Safeware Insurance, 2004

All organizations are at risk. Mobile device theft has been attributed to 59% of computer attacks in government agencies, corporations, and universities during 2003.
Baseline, 2004

Many companies don't have policies. 73% of companies do not have specific security policies for their laptop computers.
Gartner Group, 2003

… even though they are aware of the risks. 80% of those surveyed acknowledged financial losses due to computer breaches.
CSI/FBI Computer Crime and Security Survey, 2002

… and of the dismal chances for recovery. 97% of stolen mobile devices and removable media are never recovered.
FBI

Removable media devices are convenient. Removable media devices are being used in 84% of companies.
Pointsec, 2005

… yet, they are known to be risky. 90% of those surveyed in companies were aware of the potential danger that removable media presents.
Pointsec, 2005

… and they are often used without permission. A third of organizations state that removable media is being used within their company without authorization.
Pointsec, 2005

Challenges for Mid-Size Businesses: All businesses must address their IT compliance responsibilities. However, as is true with many other tasks of securing computer-based information, small and medium-size businesses face special challenges, often because those organizations may have:

  • Limited technical manpower, so that IT staff does not have either the time or the depth of knowledge to establish and maintain an appropriate security posture.
  • Incomplete understanding of compliance laws and requirements, which are often complex, and which become even more so when a company must deal with more than one set of compliance measures.
  • Costly roll-outs of products and services, where every penny counts, and where compliance requirements may not have priority.
  • Inadequate asset tracking and utilization, which can allow for leakage or invasion of computer-based assets.
  • High support costs relative to revenues, made higher by virtue of needing to meet standards and regulations.

Solutions, basic steps: Mobile devices & removable media are among the favorites of road warriors, executives and programmers. Who hasn't seen businessmen & women at the local coffee shop, using the wireless network to send email, or a company's employees swapping USB sticks to transfer files? Is this secure? Does their company have a Mobile Computing and Acceptable Use Policy? Are the devices themselves adequately secured? Here are some minimum standards:

  • Install and activate a firewall on all mobile devices. Mobile devices must include a software firewall for protection.
  • Implement a user identification and password authentication mechanism in order to control user access to the system.
  • Activate a virus detection system, including a procedure to ensure that the virus detection software is maintained and up to date.
  • Also activate a spyware detection system, including a procedure to ensure that the spyware detection system is maintained and up to date.
  • Use a boot password for all mobile devices and laptops, making the system accessible only to authorized users.
  • Implement a biometric password system or a token-based device for mobile systems in high-risk situations.
  • Install operating system updates that reduce high risk in a timely manner and on all devices.
  • Disable all unused or unnecessary services.
  • Password-protect the system administrator or root account.
  • Require the use of a theft-deterrent device, such as a laptop locking cable, when the device is unattended.
  • Install and activate an inactivity timer or automatic logoff mechanism.
  • Set wireless connectivity features (e.g., 802.11, 802.16, Bluetooth) to the strongest security level that is possible.
  • Use encryption. Never send/receive sensitive data over a wireless link unless another, more secure end-to-end encryption technology is also being used. Mobile devices that retain company-sensitive information must implement a form of the company's standard encryption to safeguard such information.

Examples of more secure technology include: SSL, SSH, IPsec and VPNs.

Solutions, endpoint security: Endpoint security is being discussed as an approach to keep all of a company's computers compliant. In addition, endpoint security may be an easier, more efficient way to manage the full spectrum of internal and mobile computer assets. As a best practice, endpoint security is in fact currently a good fit for many companies. It can reduce lost time from a possible virus/worm incident, and it can also perform automatic patch management. In that regard, endpoint security may be both effective and efficient. It's often worth evaluating. Here are some considerations:

Endpoint software tests all PCs on a network and grants established levels of access to individual users who meet an organization's established security policies, while quarantining others.

Endpoint software is designed to protect from threats introduced via internal endpoints: file-sharing software, spyware, and out-of-date or unpatched operating systems and applications.

Tens of thousands of devices can be managed simultaneously, and compliance can be enforced for internal, remote and wireless devices throughout an enterprise. Moreover, enhanced features including policies based on MAC address (MAC Blocking), compliance tests, and IP/PORT quarantining, can be implemented.

Endpoint security ensures that all endpoint devices remain compliant. Basic endpoint security policies can ensure continual usage of up-to-date antivirus and anti-spyware software. Any computer logging on to the network must meet and pass a certain checklist of criteria based on the company's security policy. Computers that fail to pass are segregated into a quarantined area away from other computers on the corporate network; this helps to keep the network virus-free while providing for a security-controlled network that complies with many of today's regulatory requirements.

Solutions, policies: In order to ensure adequate levels of security and to meet compliance requirements, industry standards, or market requirements, an organization's policies must reinforce its computer data practices. Even if specific practices may change, policies should provide the basis for practices. Here are some policies that should be considered:

  • Sensitive data access will follow least-privilege access rights.
  • Mobile devices holding sensitive/confidential company information will use encryption to protect the data.
  • All USB sticks must be encrypted.
  • Mobile device passwords will comply with organizational standards.
  • Biometrics or token keys, to help with complex passwords, will be used wherever appropriate.
  • All virus software for mobile devices will be updated with the same frequency as the organization's non-portable assets.
  • All spyware software for mobile devices will be updated with the same frequency as the organization's non-portable assets.
  • Mobile devices must implement a software firewall.
  • Mobile devices will be used for official work use only.
  • Mobile devices must be physically locked during unattended periods.
  • Mobile devices will screen-lock after 10 minutes of inactivity.
  • If a mobile device is used with a wireless network, it must use a secure VPN tunnel.
  • File sharing on all mobile devices must be disabled.
  • Auditing and logging on mobile devices must be enabled.
  • Display of the last user logon name must be disabled.
  • Unused user accounts must also be disabled.
  • If sensitive data transmission needs to occur, data will be sent in encrypted form and not clear text (e.g., email).
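The endpoint-security section above describes a checklist that every computer must pass before it is granted network access, with failing machines quarantined, and the minimum standards and policy lists give the items such a checklist contains. The following is an added example, not code from the original paper or from Polar Cove, of that admission decision written as a data-driven rule set: each rule maps to one item on this page (firewall on, antivirus and anti-spyware current, 10-minute screen lock, encryption where sensitive data is held, file sharing off, last logon name hidden, auditing on, unused accounts disabled, patches current). The posture records, the signature-age and patch-age limits, the account names and the network names are constructed assumptions; a real deployment would collect posture from an agent and enforce the decision at the switch or VPN concentrator.

```python
"""Data-driven endpoint admission check (added example; not Polar Cove's code).

Each rule is a (name, predicate) pair; a device is admitted to the corporate
network only when every predicate holds, otherwise it goes to quarantine with
the list of failed checks so the help desk knows what to remediate.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional, Tuple

# Assumed organizational limits (not stated on the page).
MAX_SIGNATURE_AGE_DAYS = 7      # AV / anti-spyware definitions must be this fresh
MAX_PATCH_AGE_DAYS = 30         # oldest tolerated missing OS update
SCREEN_LOCK_MAX_MINUTES = 10    # from the policy list above
KNOWN_UNUSED_ACCOUNTS = {"guest", "support"}   # constructed example names
CORP_NETWORK = "corp-vlan"                     # assumed network names
QUARANTINE_NETWORK = "remediation-vlan"


@dataclass
class Posture:
    """What an endpoint agent would report about one device (constructed)."""
    hostname: str
    firewall_enabled: bool
    av_signature_date: date
    antispyware_signature_date: date
    screen_lock_minutes: Optional[int]   # None = no screen lock configured
    holds_sensitive_data: bool
    disk_encrypted: bool
    file_sharing_enabled: bool
    shows_last_logon_name: bool
    auditing_enabled: bool
    enabled_accounts: List[str]
    os_patch_age_days: int


Rule = Tuple[str, Callable[[Posture], bool]]


def build_rules(today: date) -> List[Rule]:
    """One predicate per policy item; True means the device complies."""
    fresh = lambda d: (today - d).days <= MAX_SIGNATURE_AGE_DAYS
    return [
        ("firewall-enabled", lambda p: p.firewall_enabled),
        ("antivirus-current", lambda p: fresh(p.av_signature_date)),
        ("antispyware-current", lambda p: fresh(p.antispyware_signature_date)),
        ("screen-lock-10min", lambda p: p.screen_lock_minutes is not None
                                         and p.screen_lock_minutes <= SCREEN_LOCK_MAX_MINUTES),
        # Encryption is only mandatory when the device holds sensitive data.
        ("encryption-for-sensitive-data", lambda p: (not p.holds_sensitive_data) or p.disk_encrypted),
        ("file-sharing-disabled", lambda p: not p.file_sharing_enabled),
        ("last-logon-name-hidden", lambda p: not p.shows_last_logon_name),
        ("auditing-enabled", lambda p: p.auditing_enabled),
        ("unused-accounts-disabled", lambda p: not (
            {a.lower() for a in p.enabled_accounts} & KNOWN_UNUSED_ACCOUNTS)),
        ("os-patches-current", lambda p: p.os_patch_age_days <= MAX_PATCH_AGE_DAYS),
    ]


def failed_checks(posture: Posture, today: date) -> List[str]:
    """Names of the rules this device fails, in checklist order."""
    return [name for name, ok in build_rules(today) if not ok(posture)]


def admission_decision(posture: Posture, today: date) -> Dict[str, object]:
    """Allow onto the corporate network, or quarantine with the reasons."""
    failed = failed_checks(posture, today)
    return {
        "hostname": posture.hostname,
        "decision": "allow" if not failed else "quarantine",
        "network": CORP_NETWORK if not failed else QUARANTINE_NETWORK,
        "failed_checks": failed,
    }


def report(inventory: List[Posture], today: date) -> Dict[str, Dict[str, object]]:
    """Evaluate a whole inventory; keyed by hostname for the help desk."""
    return {p.hostname: admission_decision(p, today) for p in inventory}


# Constructed sample inventory: one compliant laptop, one that fails most rules.
TODAY = date(2006, 3, 15)
SAMPLE_INVENTORY = [
    Posture("lap-01", True, date(2006, 3, 14), date(2006, 3, 13), 10,
            True, True, False, False, True, ["mterban"], 3),
    Posture("lap-02", False, date(2006, 3, 1), date(2006, 3, 14), 30,
            True, False, True, True, False, ["jdoe", "Guest"], 45),
]

if __name__ == "__main__":
    for host, result in report(SAMPLE_INVENTORY, TODAY).items():
        print(host, result["decision"], result["network"], result["failed_checks"])
```

Because the rules are plain predicates over a posture record, adding a policy item (for example, requiring the VPN client when a wireless adapter is active) means appending one tuple rather than touching the decision logic, and the returned list of failed checks doubles as the remediation ticket for the quarantined machine.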

Solutions, awareness: The above areas are a good way to get started; however, if your company has a policy for mobile computing, does anybody read it? Are employees held accountable through a signed acceptable use policy with a section tied to the Mobile Computing Policy? If it's unsigned or unread, who's liable?

An effective security awareness program is the other essential component of a compliant, secure posture. The purpose of the security awareness program is to educate users about why the policies are in place and to let all employees know what those security policies and practices mean to each of them as well as to their company.

It is important that a security awareness training program is not only informative but also effective. One approach to accomplishing those goals is to ask companies and users real-world questions. What would happen if an unauthorized person gained control of this mobile device? What kind of data is stored here? Confidential or financial information? Account names and passwords? Social Security and/or credit card numbers? Proprietary corporate information? Business associates' names and contract or employment details? Staff member reviews? Personal contact names and phone numbers? Decryption keys or pass-phrases? All employees and personnel must take ownership of security. When those people are equipped with mobile devices and removable media, their responsibility for security becomes even more important.

More Information: For more detailed and technical information, please contact Polar Cove. To learn more about Polar Cove and best practices for security, please write to either the author, mterban@polarcove.com, or to info@polarcove.com.



© 2006    Polar Cove