Mobile Security Services from Keep IT Secure.

MOBILE COMPUTING (AND REMOVABLE MEDIA) SECURITY

Mobile Security Introduction

Because there are significant common risks shared by mobile computers and removable media we will cover both in this brief overview of the threats associated with these elements of information storage and processing.

For the purposes of this summary we take this to cover laptop computers, handheld devices (PDAs) and removable media such as USB sticks, CDs and DVDs.

Why the Risk Exists

Most of these are exposed to the same risks as discussed elsewhere on this site relating to the Internet, websites, networks, servers and e-mail. However, mobile devices are also exposed to increased risk simply because they are much more likely to be removed from the physical security barriers enjoyed by devices that remain in fixed, office-based locations. It is the existence of these additional threats which we focus on here.

Risks

What are these additional risks?

As it happens, it is incidents involving mobile devices and removable media which most often reach the press, often the front page. How often have you seen articles about laptops being ‘lost’ with very sensitive information on them, or CDs going missing in transit with (as recently happened) personal tax and NI information for thousands of taxpayers, information you thought was secure because it was in the hands of a government department?

The additional risks we are talking about here are highlighted very well by such articles. Laptops themselves are an easy target for thieves; it may be the hardware itself which is the objective of the theft, with any information on the laptop being a bonus if it happens to be of value. Increasingly, however, as we have outlined elsewhere, there is a much higher awareness of the value of the information itself, and more often than not it is the information which is the target. From this point of view a CD (which in itself has little value) can be as valuable, in terms of the information it might contain, as a brand new expensive laptop.

We can group these risks into two categories:

a) the risk of actual theft of the device or media.
b) the risk that the theft will then lead to exposure, use for personal/financial gain, or loss of sensitive information held on the device or media.

Other risks (covered elsewhere on this site) exist as for fixed devices (PCs, servers), particularly when a device is connected to a network, and consequential risks follow, such as litigation resulting from the loss of information (e.g. contravention of the terms of the Data Protection Act).

What to do about it

It is the nature of mobile computing which creates the additional risks associated with it. The very flexibility it gives is also the main source of additional risk, and there is a natural resistance to any reduction of this flexibility in order to make the equipment or information more secure. Additionally, once out of the office environment the implementation of measures rests primarily with the individual, rather than being managed by those charged with the security of the office infrastructure.

As with all other areas of risk (not just information security) the starting point must be an analysis of the risks, from which appropriate measures can be identified and implemented. Although the measures identified will include technical solutions (e.g. encryption), much of the work will be procedural, and such procedures and standards are harder to monitor when they rely on individuals who may not be office-based, or who are frequently out of the office. Nevertheless, the only way of effectively addressing the risks is to make sure that effective standards and procedures are introduced and followed.

The various standards, procedures and technical solutions will include the following:

a) Regular back-up of information.
b) Password protection at device level.
c) Encryption of information at file and folder level.
d) Password policy with means of enforcement – it is our experience that most passwords can be cracked within an hour and many within minutes, even critical Administrator passwords.
e) Procedures for ensuring appropriate transport arrangements are made for information on removable devices, appropriate to the level of sensitivity of the information being sent.
f) Standards for the care and usage of company equipment, with special attention to mobile computing (e.g. leaving laptops in the car).

This is by no means exhaustive, and the needs will vary significantly from one business to another, hence the need to go through a proper process to identify the measures appropriate to the organisation. For most, outside assistance with such a process will be required; the expertise may simply not be available in-house. The ultimate aim for some may well be to implement an Information Security Management System compliant with the ISO27001 international information security standard. For many others this will be too onerous; however, no organisation using IT systems can afford not to apply the appropriate best practice on which the ISO standard gives guidance.

Doing something is better than doing nothing. Start by identifying the most critical risks and specific areas of concern; in this way the most obvious risks, such as those associated with mobile computing, will at least be addressed. This will ultimately contribute to more effective security measures and standards for all the IT infrastructure and information on which the business depends.

Please contact Meritec if you would like to discuss any of these matters on a no obligation basis.