It was interesting to watch the John Girard presentation on Mobile Device Security at the Gartner Security and Risk Management Summit in London last week. I really liked his point of view on the severity of risk vs how often it occurs. There are so many mobile security vendor press releases that exaggerate some of the rare occurrences whilst the more mundane and frequent security breaches go unmentioned.
His take-home message was that the vast majority of today’s real mobile security risks can be mitigated by ensuring a secure initial device configuration, reinforced by a software agent that watches the configuration on the phone and the tablet and can proactively decide what to do when it detects a breach.
The Growing Threat of Smartphone Hackers – from Mashable 12th August 2011
Here’s a list of six common mobile device configuration checks that you can run, to detect the configuration errors that account for the majority of real-world security risks. The good news is that a well-designed Mobile Device Management system (e.g. AirWatch) can automate the initial configuration to avoid all of these errors in the first place. It will detect non-compliant devices if the user changes the config, and can block non-compliant devices.
1) Check that the iOS password is actually set, and is not just set to 0000 or 1234 (as 10% of iPhone and iPad passwords actually are in the real world!)
2) Ensure that the user's device is set up to enable remote wipe if the device is lost or stolen. Also, for belt-and-braces protection, ensure that you have an agreement with the user (either on-paper or via on-screen Ts and Cs) to actually carry out the remote wipe of their data in these circumstances.
3) Ensure that encryption of local mobile data is switched on
4) Ensure that any jailbroken device can be detected by a software agent installed on the device
5) Ensure that the correct digital certificate is present on the device to access the network and the mail server
6) Ensure the secure setup of the enterprise WiFi network, including the use of WPA2 and the associated CCMP authentication protocol
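
As an added illustration (not code from AirWatch or any other MDM product), here is how the six checks above could be evaluated against a device inventory record. The record schema, the certificate name and the three-day check-in limit are assumptions made for this example; any missing or stale data is treated as a failure, because an agent that has stopped reporting proves nothing about the device.

```python
from datetime import date, timedelta

# Field names below are an assumed inventory schema, not any MDM vendor's API.
REQUIRED_CERT = "EXAMPLE-CORP-DEVICE-CERT"   # placeholder certificate name
MAX_CHECKIN_AGE = timedelta(days=3)          # assumed staleness limit for agent reports

def failed_checks(dev, today):
    """Return the names of failed checks; absent or stale data fails closed."""
    fails = []
    pc = dev.get("passcode", {})
    if not pc.get("set") or pc.get("simple_allowed", True):   # 1: 0000/1234 still permitted
        fails.append("passcode")
    if not (dev.get("remote_wipe_enabled") and dev.get("wipe_consent")):  # 2
        fails.append("remote_wipe")
    if not dev.get("storage_encrypted"):                       # 3
        fails.append("encryption")
    agent = dev.get("agent", {})
    seen = agent.get("last_checkin")
    stale = seen is None or today - date.fromisoformat(seen) > MAX_CHECKIN_AGE
    if stale or agent.get("jailbroken", True):                 # 4: a silent agent proves nothing
        fails.append("jailbreak")
    cert = next((c for c in dev.get("certificates", [])
                 if c.get("name") == REQUIRED_CERT), None)
    if cert is None or date.fromisoformat(cert["not_after"]) < today:     # 5
        fails.append("certificate")
    wifi = dev.get("enterprise_wifi", {})
    if wifi.get("security") != "WPA2" or wifi.get("cipher") != "CCMP":    # 6
        fails.append("wifi")
    return fails

def decide(dev, today):
    """Block the device if any check fails, otherwise allow it."""
    fails = failed_checks(dev, today)
    return ("block" if fails else "allow", fails)

# Constructed sample records (not real device data).
TODAY = date(2024, 6, 1)
GOOD = {
    "passcode": {"set": True, "simple_allowed": False},
    "remote_wipe_enabled": True, "wipe_consent": True, "storage_encrypted": True,
    "agent": {"last_checkin": "2024-05-31", "jailbroken": False},
    "certificates": [{"name": REQUIRED_CERT, "not_after": "2025-01-01"}],
    "enterprise_wifi": {"security": "WPA2", "cipher": "CCMP"},
}
WEAK = dict(GOOD, passcode={"set": True, "simple_allowed": True},
            enterprise_wifi={"security": "WPA2", "cipher": "TKIP"})
SILENT = dict(GOOD, agent={"last_checkin": "2024-05-01", "jailbroken": False})

if __name__ == "__main__":
    for name, dev in [("good", GOOD), ("weak", WEAK), ("silent", SILENT), ("empty", {})]:
        print(name, decide(dev, TODAY))
```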