Mobile devices are becoming increasingly prevalent as an extension of many electronic security solutions, allowing end users to remotely manage their systems and to receive alerts and status updates. For installers and monitoring stations, however, mobile devices can also expand the level of risk.
At SecTech Roadshow’s panel session ‘Securing Networked Security Devices’, one question the panel put to installers and integrators was how many of them were deploying mobile devices. In many cities the response was that, for many end users, remote mobile management is a key attraction of the latest solutions.
Something else we spoke about at SecTech was the need to secure mobile devices. Generally speaking, the multi-factor authentication functions of higher-end mobile devices – fingerprint biometrics – together with password protection of the security applications themselves were considered enough to ensure adequate protection in most cases.
While these observations are certainly true, installers, integrators and end users, too, should take it upon themselves to get on top of mobile security and not just keep up with the latest threats and defences but foster a culture of caution when it comes to any device that serves as a portal for security solutions. Importantly, the challenges faced by electronic security people are global – that means procedures, tactics and intelligence can be shared.
As an example of the difficulties of managing thousands of largely uncontrolled mobile devices across major organisations of all kinds, a month or so ago the Department of Homeland Security released its Study on Mobile Device Security, which highlighted the difficulty of securing the wireless networks and mobile devices that may threaten government agencies and called for an ongoing process to meet the problem.
The report covered systems managed by DHS, the Office of Personnel Management, and the Defense, Treasury, Veterans Affairs, and Health and Human Services Departments. It acknowledged that these hold significant amounts of sensitive but unclassified information, whose compromise could adversely impact the organization’s operations, assets or individuals, as well as tremendous amounts of personally identifiable information (PII) that could potentially be used to compromise citizens’ financial wellbeing, privacy or identity.
According to the DHS, mobile cybersecurity threats “require a security approach that differs substantially from the protections developed for desktop workstations largely because mobile devices are exposed to a distinct set of threats, frequently operate outside of enterprise protections and have evolved independently of desktop architectures.”
DHS called for standards for reporting and information sharing on cybersecurity threats and said the agency should coordinate mobility adoption across the government, with mobile devices assessed as part of DHS’s evaluation of mobile network infrastructure vulnerabilities.
“Special care must be taken in the use of these devices because the default level of security is optimized for consumer ease of use, which is not appropriate for federal employees,” said DHS. “The stakes for government users are high and government mobile devices represent an avenue to attack back-end systems containing data on millions of Americans, in addition to sensitive information relevant to government functions.
“Threats to government users of mobile devices include the same threats that target consumers, for example, call interception and monitoring, user location tracking, attackers seeking financial gain through banking fraud, social engineering, ransomware, identity theft, or theft of the device, services, or any sensitive data,” DHS said. “This puts at risk not just mobile device users, but the carriers themselves as well as other infrastructure providers. Government users may be subject to additional threats simply because they are government employees.”
Threat areas the report highlighted include the mobile device technology stack (mobile operating systems and lower-level device components); mobile applications; mobile networks (e.g., cellular, Wi-Fi, Bluetooth) and the services provided by network operators; physical access to the device; and enterprise mobile services and infrastructure, including mobile device management, enterprise mobile app stores and mobile application management.
Responding to Mobile Vulnerabilities
DHS recommends a new framework for mobile device security based on existing standards that would include mobile application security, enterprise mobility management, mobile device security and cellular network security, the report says. Adoption of baseline standards — such as those defined in National Information Assurance Partnership (NIAP) mobile Protection Profiles, the European Union Agency for Network and Information Security and others — can enhance security. Mobile apps purchased or developed by the government should be “evaluated against the Protection Profile for Application Software and the Requirements for Vetting Mobile Apps.”
Further, the DHS says, the government “should select mobile devices and enterprise mobility management products that have been evaluated to meet a minimum level of security, e.g., the NIAP Product Compliant List or other government approved product lists. NIAP approved products must be considered in the context of the environment of use, including appropriate risk analysis and system accreditation requirements.”
DHS recommends that Federal Information Security Modernization Act metrics should be enhanced to focus on securing mobile devices through the Federal CIO Council’s Mobile Technology Tiger Team. Additionally, the report says the Continuous Diagnostics and Mitigation (CDM) program should address the security of mobile devices and applications with capabilities to be at parity with other network devices (e.g., workstations and servers). The CDM program allows agencies to identify cybersecurity risks on an ongoing basis, then prioritize the risks based upon how severe they might be in an effort to let cybersecurity personnel mitigate the most significant problems first.
Tellingly, DHS says the National Protection and Programs Directorate’s definition of critical infrastructure should be amended to include mobile network infrastructure. DHS says its Science and Technology Homeland Security Advanced Research Projects Agency Cyber Security Division “should continue its work in Mobile Application Security to enable the secure use of mobile applications for government use. This effort includes continued collaboration with NIAP to automate Mobile Application Security testing.”
DHS recommends new research and development programs “to secure mobile network infrastructure and address current and emerging challenges impeding mobile technology.”
“DHS should develop a new program in advanced defensive security tools and methods for addressing mobile malware and vulnerabilities that spans applied research through operations, including new ways to handle Common Vulnerabilities and Exposures (CVE) generation for mobile.”
For installers needing to advise end users, and end users needing to advise staff, on best practice in mobile device security, there are a number of considerations. For a start, 2-step authentication is vital. If a device has biometric authentication, use it. And use a 6-digit code as well. We spoke at SecTech about the challenge of managing passwords and, at a personal level, services like iCloud Keychain allow users to have challenging passwords or passphrases without the challenge of remembering them or using the same password for everything. You can use Keychain, 1Password, LastPass, DataVault or other dedicated password managers to deliver security audits, alerts, teams, token support, and more.
Something else to consider is how easy staff make it to reach key functions through always-open interfaces like iOS Control Center. Not only the torch but also the ability to activate Airplane Mode and disable tracking is accessible from the lock screen. Notification Centre lets owners see incoming messages, but it displays them to anyone looking at the screen as well. Siri and comparable Android voice assistants are a functional risk, too, if they are available on a lock screen. Other things worth considering include VPN tunnelling in public places, and denying apps the ability to track a phone’s location.