[BreachExchange] Is Your Mobile Enterprise Subject to Law Enforcement Scrutiny?
Audrey McNeil
audrey at riskbasedsecurity.com
Mon Sep 12 18:35:48 EDT 2016
http://www.securityinfowatch.com/article/12245021/is-your-
mobile-enterprise-subject-to-law-enforcement-scrutiny
The mobile technology boom and its impact on enterprise computing have
changed the way we approach workplace security. IT managers now have to
extend support beyond servers and workstations and provide employees with
mobile access to corporate data anywhere at any time using handheld
devices. It has become routine to access company email, files, and database
records from laptops, tablets, and smartphones from home or in public
coffee shops, which presents new security challenges to IT manager – how do
you keep corporate IP secure while still providing remote access to
wireless users?
If you think of smartphones, tablets, and netbooks as portable
workstations, they need to be tracked and secured just as you would any
corporate asset. Unfortunately, IT staff don’t have direct access to
wireless assets so it’s harder to manage security patches and software
updates. And if a device is portable it can be lost or stolen, which means
any sensitive data on that device needs to be secured. And then you have to
consider the growing “bring your own device” (BYOD) phenomenon, which makes
data security even more complex.
Procedures and protocols for protecting mobile enterprise users have
evolved over time and it’s easier to protect corporate data, but what about
protection from government and law enforcement? The FBI and Apple were
recently embroiled in a prominently public dispute over whether Apple
should furnish the means to unlock a particular iPhone as part of the
investigation into the San Bernardino terrorist attack. By complying with
the request, Apple would have had to create the means to unlock any iPhone,
not just one unique device; which raises new concerns about personal and
corporate privacy in the U.S. and abroad. The FBI ultimately dropped its
demand for an iPhone skeleton key, announcing that they had found their own
means to unlock the iPhone in question, but if the FBI did succeed in
unlocking the iPhone then it now can unlock any iPhone. This could be just
the beginning of law enforcement overreach. Of course, the problem with
backdoors is that they can’t care who is using them: bad guys have an
irresistible incentive to acquire such a tool.
>From an IT security perspective, this creates a new set of concerns
regarding mobile enterprise security. Now, in addition to keeping the
mobile devices themselves secure, the data on those devices has to be even
more closely protected from prying eyes, including bad actors that have the
means to unlock secured devices and, potentially, law enforcement.
It’s time we developed new strategies to protect against a mobile data
breach.
Securing the Mobile Enterprise
First, let’s consider how much risk mobile users pose to enterprise
systems. Like every security tradeoff, it is impossible to eliminate all
risk so you need to determine the degree of risk you are willing to accept
in order to protect your organization’s intellectual property and sensitive
data.
If your primary concern is a data breach or cyber-attack, then restricting
Internet access to your critical services is one way to protect your
network. To prevent mobile devices from becoming a security risk, you can
restrict mobile access data encrypted via VPN or through secure
connections. Mobile devices disclose sensitive data or metadata as
background processes attempt to connect to enterprise services for updates
when connected to any network. Encryption or creating a secure connection
prevents interception of details about data traffic over unsecured
connections.
As part of best practices, critically sensitive data should never be stored
where an attacker can gain access by guessing a single password or network
address. However, even the strictest technical controls can be defeated
through determination by an attacker or carelessness by a user. For
example, the NSA and CIA attempted extraordinary measures to protect their
secrets, but Edward Snowden found a way to expose them. Custodians of
sensitive data, i.e. your employees, must be incentivized to protect
company IP and watch for weaknesses that may have been overlooked.
If potential data loss or theft is your greatest concern, then your best
strategy is to adopt strong encryption and authentication. Data in motion
should be encrypted to prevent unauthorized access or interception. Stored
data or data at rest, including data stored on mobile devices, also should
be encrypted. For example, most PC and mobile operating systems include
robust whole-disk encryption that can protect data in the event a device is
lost or stolen. Most mobile operating systems enable this feature by
default, although this feature needs to be configured in desktop computers.
Of course, the risk with encryption is that if the accompanying passwords
to access the data are lost, then the encrypted data is lost. That was the
problem the FBI experienced in its investigation. Passwords and passcodes
are normally the weakest links in the chain of security; simple passwords
can be easier to guess but overly long or complex passwords that have to be
changed frequently will aggravate users. Authentication can be somewhat
easier to manage. Most workstations or PCs can incorporate decryption as
part of device authentication. Mobile users often have additional options
with biometrics such as TouchID. Each authentication.
The New Mobile Security Challenge from Law Enforcement
The greatest source of enterprise security risk has traditionally been
company employees. Employees are unaware of security concerns so they
ignore security protocols without thinking, such as exchanging passwords or
accessing sensitive data from the local Starbucks. If the company issues
its own mobile hardware, then IT has more control over mobile security.
However, workers can still expose sensitive data accidentally, or they can
use company equipment for illegal activities. In the case of our FBI
example, San Bernardino terrorist Rizwan Farook was a county employee and
it was a county-issued iPhone that the FBI was seeking to crack in their
search for incriminating evidence.
Most companies are more concerned with protecting IP and their employee
records from the prying eyes of hackers, but protecting corporate data from
law enforcement could also be a concern. Sensitive company data can be
exposed when company-issued equipment or BYOD-enabled mobile devices are
seized by police or the FBI. Even if the company is not guilty of any
wrongdoing, a criminal investigation could make any data recovered from
mobile devices recovered as evidence part of the public records. Even if
you want to cooperate with law enforcement, you don’t want to give the FBI
an excuse to start rooting through your servers.
If you are concerned about protecting company data from law enforcement,
then the approach you choose for device security certainly matters. For
example, if an employee is arrested and their company-issued phone is
entered into evidence, you run the risk of company information on that
phone being exposed. With strong authentication, you may be able to defeat
attempts to unlock the phone. For example, the courts have ruled that law
enforcement can legally compel a suspect to surrender a fingerprint, which
can be used to unlock a biometric-protected device. However, you cannot be
compelled to surrender a password. If you are concerned about losing
control of data stored on mobile devices, passcode authentication may be
more secure than biometrics. Most mobile devices also can also be
configured to erase themselves after a predetermined number of
authentication attempts to prevent someone guessing a passcode. In the case
of Farook’s iPhone, the FBI was concerned they might compromise data stored
on the phone if they attempted to recover his passcode through guessing.
Best Practices for Mobile Enterprise Security
Mobile Device Management (MDM) software can be an extremely effective tool
in defending against a mobile data breach. An MDM solution gives you total
control over remote devices. It provides a means to remotely enforce data
encryption and authentication, including regularly updating passcodes. You
can use MDM to distribute software and security updates over the air. You
also can track mobile devices, gain remote control over device settings,
and even disable, unlock, or even wipe a mobile device from a remote
console.
In the San Bernardino terrorism case, for example, if the county had
activated its MDM system and Farook’s iPhone had been properly configured,
the FBI wouldn’t have had to ask Apple to create a cyber skeleton key. The
MDM system could have unlocked the phone remotely, and even could have
controlled the types of data that could be accessed so sensitive
information could be protected.
If your organization has a BYOD program, then you need to mandate that they
become part of an MDM program. Any device that either contains sensitive
data or that could potentially provide access to sensitive data needs to be
under IT control to ensure that security patches are up to date and the
devices are secure when not in use. Training is also essential. Explain to
users the need for security and make sure all personnel has a clearly
defined set of mobile device security protocols to follow. Training is the
only way to cover cases that cannot be addressed directly by MDM or other
controls.
Corporate data is going to be subject to some kind of attack. When
balancing the risk the mobile enterprise presents in exposing that data,
you have to consider the importance of the data, the acceptable barriers to
access, the cost of security, and other factors that have to be balanced
against risk. You can secure your network data by building a digital moat
around your network, and you can protect data that flows outside the
firewall with encryption and authentication. However, if you are supporting
remote users, enforce the necessary security protocols as a prerequisite
for access to sensitive systems.
As demonstrated by the dispute between Apple and the FBI over iPhone
encryption, no technology is absolutely secure. Any approach to mobile
security needs to balance the real need for tighter security against
required resources, cost, and user aggravation. The challenge is striking
the right balance between adopting draconian levels of security and
promoting user productivity; a task that you don’t have to take on alone.
Independent security experts can be a valuable resource when mapping out
the right mobile enterprise security strategy.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160912/66bac204/attachment.html>
More information about the BreachExchange
mailing list