The Urgent Need for Mobile Device Security Policies

Sunday, November 20, 2011

Kevin Johnson


The Defense Information Systems Agency recently certified its first secure mobile device running on the Android operating system, further demonstrating the growing importance of mobile devices within workplaces.

Whether organizationally supplied or employee-owned, mobile devices are making their way into the business world rapidly, creating significant security and compliance challenges for businesses of every size.

Malware attacks, lost or stolen devices, unauthorized access to internal networks: the list of threats associated with these devices goes on and on, creating an immediate need for mobile device security policies.

Policies play a key role in an organization's security and compliance efforts. When gaps are uncovered in an environment, they must be addressed with new or updated policies, as is the case with mobile devices. The need for businesses and government agencies to establish strong policies for mobile environments and for the protection of information used with mobile devices is immediate.

To determine which policies are important and why, you must first have a clear understanding of the risks associated with mobile device usage.  

Mobile devices inherently have minimal security, often no more than a simple passcode (which few users take the time to set up). Additionally, the iPad 2's Smart Cover feature has a faulty set-up that makes it easy for an attacker to access apps with a simple press of the power button, even after the cover has been shut for a brief period of time.

While employees use these devices to access, store and share work-related information, many treat their mobile devices as if they are 'simply a phone', leaving them on tables in restaurants, in taxis, on coffee shop counters, and in other locations where they can easily be forgotten or stolen.

Just as cash-strapped organizations enjoy the cost savings associated with allowing employees to use their own devices, employees are happiest when using a device of their choice. As a result, employee-owned devices are becoming increasingly common in the workplace. Yet with the myriad of devices being used, managing employee-owned devices is much more difficult, particularly when dealing with Android and BlackBerry devices.

Unlike iOS devices, which are updated from a central source (Apple), Android and BlackBerry devices are often limited in the updates allowed. Because carriers alter the Android and BlackBerry device platforms, automating updates is not always possible. This is a security weakness over which IT has little control.

However, iOS devices come with their own set of risks, including automatic wireless network association attacks. Because these devices are configured to automatically associate with any access point named ATT WiFi, iPads and iPhones are vulnerable to 'man in the middle' style attacks such as eavesdropping and other external attacks.

Perhaps the biggest vulnerability with mobile devices is not the devices themselves but the applications. New apps are introduced almost daily, often quickly thrown together with little to no thought about security.

As a result, flawed applications are opening mobile devices up to attacks, enabling attackers to take control of devices (sending information as if they were the user), steal information and enter internal networks in order to access everything that is there. For example, numerous Android apps have been pulled from the market because of malware embedded in the app.

Another area of risk businesses need to consider is malicious insider attacks. Similar to USB flash drives, mobile devices can easily be used to store internal data. Corporate-managed devices are an easy target for disgruntled employees wanting to steal or sell data.

Only once you have a clear understanding of the risks associated with mobile devices can you develop policies to protect your organization. When developing a mobile device policy, you will need two different policies: one for corporate-owned devices and another for employee-owned devices.

Corporate-owned device policies can be slightly modified to include all computing devices (mobile phones, iPads, etc.). This policy should also cover what employees can and can't do with their mobile device, including standards for downloading and updating.

Policies for employee-owned devices will obviously be more complex: how do you tell someone they can't install an app if it is their own phone? Control policies have to be put in place that respect the employee yet keep your network secure.

For example, how do you get access to a device if there is an incident (an employee is being malicious or someone has gained control of the device)? Without a policy in place, it is difficult to demand access. And if access to the device is achieved, you now have access to the employee's personal information, log-ins and credentials.

What if you discover inappropriate information about them? Can you act on that? This opens up another level of privacy issues (even though the mobile device was accessed because of a legitimate risk).

Policies need to be in place up front, stating what employees are allowed to do, what your organization is allowed to do, and what will be done in specific situations. For employee-owned devices, your policy should limit the pool of potential devices (and platforms) that employees can use.

With devices defined, you can then start building policies around them. For example, if employees are given remote access to a network, they are not allowed to install certain types of apps on their device. The policy should also address the personal use of these corporate devices.

Policies also must be established to ensure devices are managed by the agency. If a bug occurs in a mobile device, it is typically set back to a factory default when rebooted, which can cause the device to become unmanaged.

In the case of employee-owned devices, the most common reason these devices become unmanaged is that the employee upgraded to a new device or updated the operating system. Often the employee is not thinking about the management status of the device and is therefore unaware that it is no longer being managed.

With managed devices, alerts can be set up as defined by policy to warn IT when a device has become unmanaged. IT can then work with the employee to ensure the mobile device is reset and properly managed again. Most platforms, either natively or through a third-party product, allow you to create a rules system that will enable you to wipe the device either locally or remotely.

For businesses with extremely confidential information, this is a worthwhile investment.
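To make the policy points above concrete, the following is an added example (not from the original article and not the code of any MDM product) that expresses them as checks run over a device inventory: a limited pool of approved platforms, no passcode, app categories barred on devices with remote network access, a check-in timeout that marks a device as unmanaged, an OS version change since enrollment as the usual reason an employee device drops out of management, and a wipe-versus-re-enroll decision that depends on ownership and data sensitivity. The record format, field names, the approved platform list, the seven-day threshold and the three sample records are all assumptions constructed for this illustration.

```python
# Added example: policy-as-code checks over a constructed MDM inventory export.
# Field names, thresholds, the approved platform list and the records below are
# assumptions made for this illustration, not any vendor's format or real devices.
from datetime import datetime, timedelta

# Policy decisions (assumed values chosen for the example)
ALLOWED_PLATFORMS = {"ios", "android", "blackberry"}            # limited pool of platforms
BLOCKED_FOR_REMOTE_ACCESS = {"remote-control", "file-sharing"}  # barred when VPN access is granted
MAX_CHECKIN_AGE = timedelta(days=7)                              # silence beyond this = unmanaged
AS_OF = datetime(2011, 11, 20)                                   # fixed "now" so the run is repeatable

# Constructed inventory records (not real devices)
INVENTORY = [
    {"device_id": "d-001", "ownership": "corporate", "platform": "iOS",
     "enrolled_os": "5.0", "current_os": "5.0", "passcode_set": True,
     "remote_access": True, "holds_confidential": True,
     "last_checkin": "2011-11-19", "apps": [("mail", "productivity")]},
    {"device_id": "d-002", "ownership": "employee", "platform": "Android",
     "enrolled_os": "2.3", "current_os": "4.0", "passcode_set": False,
     "remote_access": True, "holds_confidential": False,
     "last_checkin": "2011-11-01", "apps": [("screenshare", "remote-control")]},
    {"device_id": "d-003", "ownership": "employee", "platform": "WebOS",
     "enrolled_os": "3.0", "current_os": "3.0", "passcode_set": True,
     "remote_access": False, "holds_confidential": False,
     "last_checkin": "2011-11-18", "apps": []},
]


def evaluate_device(rec, now):
    """Return the list of policy findings for one inventory record."""
    findings = []
    if rec["platform"].lower() not in ALLOWED_PLATFORMS:
        findings.append("platform not in approved pool")
    if not rec["passcode_set"]:
        findings.append("no passcode configured")
    age = now - datetime.fromisoformat(rec["last_checkin"])
    if age > MAX_CHECKIN_AGE:
        findings.append("unmanaged: no check-in for %d days" % age.days)
    if rec["current_os"] != rec["enrolled_os"]:
        # An OS upgrade is the most common way an employee-owned device silently
        # leaves management, so flag it for a profile check even if it still checks in.
        findings.append("os changed since enrollment (%s -> %s); verify management profile"
                        % (rec["enrolled_os"], rec["current_os"]))
    if rec["remote_access"]:
        blocked = sorted({cat for _, cat in rec["apps"] if cat in BLOCKED_FOR_REMOTE_ACCESS})
        for cat in blocked:
            findings.append("blocked app category on remote-access device: " + cat)
    return findings


def recommend_action(rec, findings):
    """Map findings to the response the (assumed) policy defines for this ownership class."""
    if not findings:
        return "compliant"
    unmanaged = any(f.startswith("unmanaged") for f in findings)
    if unmanaged and rec["ownership"] == "corporate" and rec["holds_confidential"]:
        return "revoke network access and remote-wipe"
    if unmanaged:
        return "revoke remote access; contact owner to re-enroll"
    return "alert IT; owner to remediate"


def audit(inventory, now):
    """Evaluate every record and return {device_id: (findings, action)}."""
    report = {}
    for rec in inventory:
        found = evaluate_device(rec, now)
        report[rec["device_id"]] = (found, recommend_action(rec, found))
    return report


if __name__ == "__main__":
    for dev, (found, action) in audit(INVENTORY, AS_OF).items():
        print(dev, "->", action)
        for f in found:
            print("   ", f)
```

The split between `evaluate_device` and `recommend_action` mirrors the article's two-policy structure: the checks are the same for every device, but the response differs by ownership, so a corporate device holding confidential data that goes silent is wiped, while an employee-owned device in the same state gets its remote access pulled and its owner contacted to re-enroll.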

We have only scratched the surface of the various controls and policies relevant to managing mobile devices. As noted, mobile devices are much more complex than traditional computing platforms because of their portability and variety. As a result they are much more complex to manage and control.

For businesses allowing mobile devices, whether company-owned or employee-owned, mobile security policies must be put in place and enforced. To learn more about mobile device security policies, check out my course SEC571: Mobile Device Security.

For more information on this course, please visit

Kevin Johnson is a Senior Instructor for SANS Institute and a Senior Security Consultant at Secure Ideas. Kevin can be reached at  

Cross-posted from GSN Magazine
