This document provides steps for organizations to better secure mobile devices. It begins by noting that over 75,000 mobile devices are left in London taxis each year, containing photos, documents, emails and more. It then lists the top 10 risks to mobile devices like loss, theft, malware and data interception. The document outlines a 5 step process to improve security: 1) Quantify the problem and risks, 2) Draft policies for device use, 3) Configure devices with security settings, 4) Encrypt data, and 5) Establish incident response plans as part of business continuity. It provides examples of specific policy rules and technical configuration options to better secure mobile devices.

1. Getting a Grip on Mobile
Devices

2. L year thousands of
ast
travellers left personal items in
London taxi cabs

3. 27 toilet seats

4. 4 sets of false teeth

5. 3 dogs

6. 2 babies

7. 1 cat

8. 1 pheasant

9. Funeral ashes

10. A dead body

11. Over 75,000 mobile
computing devices

12. These devices can hold
10k photos 200k docs
100k emails

13. H do you Get a Grip
ow
on that?

14. T 10 Risks
op
1. L oss
2. T heft
3. M alware
4. Stealth installs
5. Data interception
6. Direct attack
7. Call hi-jacking
8. VP hi-jacking
N
9. Session hi-jacking
10. Device hi-jacking

15. Step 1
Quantify the Problem
• Stop.
• First measure the problem
• Conduct a survey
• How many devices? Running what applications?
• Processing, storing, transmitting: what data?
• Draft Asset Register
• Draft Risk Register

16. Step 2
Draft policies
• Device ownership
• Device liability
• Acceptable devices
• Acceptable use
• Acceptable applications
• Minimum device security requirements
• Where to report lost/stolen devices
• Security Awareness Program

17. Consider…
• Mandating the use of PINs to access devices
• Mandating use of complex passwords to access
applications
• Set max number of password failures
• Set max days of non-use lock out
• Specify password change interval
• Prevent password reuse via password history
• Set screen-lock

18. Step 3
Configuration
• Firewall
• Anti-virus (Malware, Trojans, Spyware)
• O/S Updates
• Hardening
• Back end support servers
• VPN dual authentication

19. Consider…
• Adding or removing root certs
• Configuring WiFi including trusted SSIDs, passwords, etc.
• Configuring VPN settings and usage
• Blocking installation of additional apps from the AppStore
• Blocking GeoLocation
• Blocking use of the iPhone’s camera
• Blocking screen captures
• Blocking use of the iTunes Music Store
• Blocking use of YouTube
• Blocking explicit content

20. 20

21. Step 4
Encryption
• Data
• Disk
• Document, File & Folder
• Laptop
• Port & Device Controls
• Removable Media & Device
• Email

22. Step 5
Incident response
• Included in BC/DR Plan
• Back ups
• Alternatives:
– Find it
– Track it
– Kill it

23. H to Get a Grip
ow
 Quantify the problem
 policies
 Configuration
 Encryption
 Incident Response

24. Source

25. the problem in hand

26. A different perspective
26 Dover Street
London
United Kingdom
W 4L
1S Y
+44 (0)20 3586 1025
www.riskfactory.com