Controls for Mobile Devices
Naba Barkakati, Ph.D.
Chief Technologist
U.S. Government Accountability Office (GAO)
441 G St NW, Washington, DC 20548 USA
Email: [email protected]
Phone: 1-202-512-4499
Jul 13, 2015
1
2
Convergence
- Transformation of "atoms to bits"
- Conversion of everything from voice, video, TV, etc. into digital information
- Flow across platforms on the Internet
3
Growth of Mobile Computing
- Growth in broadband wireless connectivity and adoption of mobile devices such as smartphones and tablets
- Almost half of American adults own smartphones and a quarter of adults own tablets
4
Growth of Mobile Malware
The number of variants of malware aimed at mobile devices has gone from about 14,000 to 40,000, a 185% increase in less than a year.
5
GAO Report on Mobile Device Security
• GAO issued a report (GAO-12-757) on mobile device security at the request of the House Energy and Commerce Committee.
• Consulted key federal agencies (FCC, NIST, DHS, DOD, FTC) as well as the wireless industry association (CTIA), mobile device manufacturers (HTC, RIM, Motorola Mobility, Samsung, LG) and information security companies.
• The report presents mobile device vulnerabilities as well as security controls and practices to mitigate the risks associated with those vulnerabilities.
6
Mobile Device Vulnerabilities
1. No password/PIN
2. No 2-factor authentication
3. Unencrypted wireless transmissions
4. Unknowingly installing malware
5. No security software installed
6. Operating systems not updated routinely
7. Apps not updated routinely
8. No firewall to limit Internet connections
9. "Rooting" or "jailbreaking" of device
10. Unsecured communication channels
7
Improving Mobile Device Security
• How to protect against threats that may exploit these vulnerabilities?
• Individuals can implement technical controls, such as enabling passwords and encryption, that can limit or prevent attacks.
• Individuals can also adopt key practices, such as using passwords, installing anti-malware software and limiting use of public WiFi, that mitigate the risk that their devices will be compromised.
• Organizations can also adopt organization-wide controls and practices.
8
Controls for Individuals
Enable PINs and passwords as a first line of defense
Turn on 2-factor authentication for sensitive transactions
Turn on remote disabling of lost or stolen devices (you have to install an app)
9
Controls for Individuals (continued)
Install a personal firewall
Install antimalware
Verify authenticity of downloaded applications (e.g., by verifying digital signatures)
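The "verify digital signatures" control above is the one item on these slides that has a concrete mechanism behind it, so here is an added example of what that check looks like in code. It is not from the GAO report or the presentation: it uses Go's standard-library Ed25519 to stand in for whatever signature scheme a real app store uses, with a constructed package, a constructed trust store of publisher keys, and assumed names (AppPackage, SignPackage, VerifyPackage, Scenario). The point it demonstrates is the two conditions an install-time check must enforce: the publisher's key must already be trusted, and the signature must still match the bytes actually being installed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// AppPackage is a constructed stand-in for a downloaded application: the
// bytes to be installed plus the publisher's detached signature. Real app
// stores wrap this in their own package formats; the check is the same.
type AppPackage struct {
	Name      string
	Contents  []byte
	Signature []byte // Ed25519 signature over sha256(Contents)
}

// SignPackage is the publisher-side step, done once before distribution.
func SignPackage(priv ed25519.PrivateKey, name string, contents []byte) AppPackage {
	digest := sha256.Sum256(contents)
	return AppPackage{Name: name, Contents: contents, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyPackage is the install-time check on the device. Only publishers whose
// public keys are already in the trust store are accepted, and any change to
// the contents after signing invalidates the signature.
func VerifyPackage(trusted map[string]ed25519.PublicKey, publisher string, pkg AppPackage) error {
	pub, ok := trusted[publisher]
	if !ok {
		return errors.New("publisher not in trust store: " + publisher)
	}
	digest := sha256.Sum256(pkg.Contents)
	if !ed25519.Verify(pub, digest[:], pkg.Signature) {
		return errors.New("signature does not match package contents: " + pkg.Name)
	}
	return nil
}

// Scenario builds one trusted publisher, signs a constructed package, and
// returns the verification result for three cases: the genuine package, a copy
// whose contents were altered after signing, and a package signed by a key the
// device has never trusted.
func Scenario() (genuine, tampered, unknown error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	trusted := map[string]ed25519.PublicKey{"example-publisher": pub}

	pkg := SignPackage(priv, "notes.apk", []byte("constructed sample app bytes"))
	genuine = VerifyPackage(trusted, "example-publisher", pkg)

	// Tampered: the original signature travels with modified contents.
	altered := pkg
	altered.Contents = bytes.Replace(pkg.Contents, []byte("sample"), []byte("modified"), 1)
	tampered = VerifyPackage(trusted, "example-publisher", altered)

	// Unknown publisher: a perfectly valid signature, but from an untrusted key.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	other := SignPackage(otherPriv, "notes.apk", pkg.Contents)
	unknown = VerifyPackage(trusted, "someone-else", other)
	return genuine, tampered, unknown
}

func main() {
	g, t, u := Scenario()
	fmt.Println("genuine package:", g)
	fmt.Println("tampered package:", t)
	fmt.Println("unknown publisher:", u)
}
```

The trust-store lookup is the part people tend to leave out: a signature that verifies under some key proves nothing unless that key belongs to a publisher the device already trusts.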
10
Controls for Individuals (continued)
Download and apply software updates whenever they are available
Enable encryption, where available
Use "whitelisting"
11
Controls for Organizations
Implement centralized security management for devices
Use integrity validation tools to scan devices to detect compromise
Implement VPN
Use PKI digital certificates for digitally signing and encrypting emails
Conform to government security specifications such as NIST, DOD
12
Controls for Organizations (continued)
Install enterprise firewall to isolate traffic to and from wireless devices
Monitor incoming traffic from mobile devices
Monitor and control mobile devices
Get device log files and analyze them
[Figure: Intrusion Prevention System]
13
Security Practices for Individuals
• DOs
1. Turn off or set Bluetooth to "undiscoverable"
2. Limit use of public WiFi for sensitive transactions
3. Configure accounts to use https
4. Maintain physical control of device
5. Delete all data before discarding mobile devices
• DON'Ts
1. Don't install unnecessary apps
2. Don't click links sent in suspicious email
3. Don't click on advertisements in applications
4. Don't unnecessarily disclose mobile phone numbers
5. Don't store sensitive information on device
6. Don't "jailbreak" devices
14
Security Practices for Organizations
1. Establish mobile device security policy
2. Train employees on mobile device security
3. Establish deployment plan for mobile devices
4. Perform risk assessments for mobile devices
5. Implement configuration management for mobile devices
[Figure: Mobile Security Training]
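Several of the organizational controls on these slides (centralized security management, integrity validation tools that scan devices for compromise, and configuration management) come down to the same operation: compare what each device reports against a baseline and flag the gaps. The following is an added example of that comparison, written for this page rather than taken from the GAO report or any management product. The inventory rows, the baseline values and the names DeviceRecord, Baseline, Evaluate and NonCompliant are all constructed; the checks themselves are the vulnerability list from slide 6 (no PIN, no encryption, rooted or jailbroken device, no antimalware, outdated OS) plus one for devices that have stopped reporting in, which is often the first sign a device has left management.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// DeviceRecord is a constructed stand-in for one row exported by a central
// device-management console. The field names are assumptions for this example.
type DeviceRecord struct {
	ID              string
	PINEnabled      bool
	Encrypted       bool
	Rooted          bool   // rooted or jailbroken
	Antimalware     bool
	OSVersion       string // dotted version string, e.g. "8.1.2"
	DaysSinceReport int    // days since the device last checked in
}

// Baseline is the organization's minimum configuration (constructed values).
type Baseline struct {
	MinOSVersion  string
	MaxReportDays int
}

// versionLess reports whether dotted version a is lower than b, comparing
// component by component so that "8.1" < "8.1.2" and "10.0" > "9.9".
func versionLess(a, b string) bool {
	pa, pb := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(pa) || i < len(pb); i++ {
		x, y := 0, 0
		if i < len(pa) {
			x, _ = strconv.Atoi(pa[i])
		}
		if i < len(pb) {
			y, _ = strconv.Atoi(pb[i])
		}
		if x != y {
			return x < y
		}
	}
	return false
}

// Evaluate returns the baseline violations for one device, in a fixed order
// so results are stable for reporting and alerting.
func Evaluate(d DeviceRecord, b Baseline) []string {
	var findings []string
	if !d.PINEnabled {
		findings = append(findings, "no PIN/password")
	}
	if !d.Encrypted {
		findings = append(findings, "storage not encrypted")
	}
	if d.Rooted {
		findings = append(findings, "device rooted/jailbroken")
	}
	if !d.Antimalware {
		findings = append(findings, "no antimalware installed")
	}
	if versionLess(d.OSVersion, b.MinOSVersion) {
		findings = append(findings, "OS "+d.OSVersion+" below baseline "+b.MinOSVersion)
	}
	if d.DaysSinceReport > b.MaxReportDays {
		findings = append(findings, "not reporting to central management")
	}
	return findings
}

// NonCompliant evaluates a whole inventory and returns only the devices with
// at least one finding, keyed by device ID.
func NonCompliant(inv []DeviceRecord, b Baseline) map[string][]string {
	out := map[string][]string{}
	for _, d := range inv {
		if f := Evaluate(d, b); len(f) > 0 {
			out[d.ID] = f
		}
	}
	return out
}

// SampleInventory is constructed data for the demo, not a real export.
func SampleInventory() []DeviceRecord {
	return []DeviceRecord{
		{ID: "dev-001", PINEnabled: true, Encrypted: true, Antimalware: true, OSVersion: "8.1.2", DaysSinceReport: 1},
		{ID: "dev-002", PINEnabled: false, Encrypted: true, Antimalware: true, OSVersion: "8.1.2", DaysSinceReport: 2},
		{ID: "dev-003", PINEnabled: true, Encrypted: false, Rooted: true, Antimalware: false, OSVersion: "7.0", DaysSinceReport: 30},
	}
}

func main() {
	baseline := Baseline{MinOSVersion: "8.1", MaxReportDays: 7}
	for id, findings := range NonCompliant(SampleInventory(), baseline) {
		fmt.Printf("%s: %s\n", id, strings.Join(findings, "; "))
	}
}
```

In practice the inventory comes from the management console's export or API and the baseline from the written security policy (practice 1 on this slide); the value of keeping the checks in code is that the same function can run on every check-in and feed the monitoring described on slide 12.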
15
GAO Recommendations to FCC, DHS
FCC: work with wireless carriers and device manufacturers to implement baseline mobile security safeguards; track progress once this is done.
DHS: establish a baseline measure of consumer awareness of mobile security and measure the effectiveness of the awareness campaign of the National Initiative for Cybersecurity Education (NICE).
See http://www.fcc.gov/smartphone-security
16