
Mobile security requires an action plan





http://www.fcw.com/article102990-06-18-07-Print 

By Alan Joch
June 18, 2007

Security is one of the biggest management challenges that agencies face 
with mobile wireless devices. Chief among managers’ worries are the risks 
associated with employees using their own smart phones and personal 
digital assistants for official work.

“If you don’t own the device, you can’t secure it,” said Michael King, a 
research director at Gartner.

By provisioning devices for employees rather than allowing them to 
connect to agency networks using personal gear, managers can ensure that 
the right security software is running on each device and that hardware 
is up-to-date with software patches and other upgrades, said Ira 
Winkler, author of “Zen and the Art of Information Security,” a book 
that examines digital security threats.

Organizations that provision wireless devices also have better control 
of sensitive information if an employee leaves the agency, said Doug 
Landoll, general manager of En Pointe Technologies, a systems 
integrator. “If it’s my PDA, and I leave the organization, how do you 
know that I’ve deleted the data?”

Retaining the phone number is also important. “When someone has been 
representing your agency, that number is a kind of advertising,” Landoll 
said.

He recommends that agencies include representatives from organizations 
outside the information technology department when writing wireless 
management policies.

“There are questions for the legal department, and having the device 
returned when someone is terminated is a [human resources] issue,” 
Landoll said. “When you’re writing policies, you need to integrate all 
those various departments.”

Security policies should clearly spell out who receives reports of lost 
or stolen devices. Policies should also include procedures for 
decommissioning a missing unit to prevent someone from downloading or 
sending sensitive information, Landoll said.

The Commerce Department uses a combination of strong passwords and 
encryption to keep unauthorized users from accessing data and wireless 
services.

“If someone gets access to my [e-mail account], he can send messages as 
though they came from me,” said John McManus, Commerce’s deputy chief 
information officer and chief technology officer. “Things like phishing 
become easy to do when you’ve got access to a legitimate user’s 
account.”

Commerce uses the standard security tools for the Research in Motion 
BlackBerry to protect devices and scramble data when it’s traveling 
through the wireless network, McManus said.


Platform security

The BlackBerry platform gets high marks from technology analysts for its 
security capabilities. Its closed-loop architecture connects agency 
e-mail servers to a BlackBerry Enterprise Server, which communicates via 
a secure channel to a network operations center and to BlackBerry 
devices.

“It’s one of the few wireless end-to-end systems that the [Defense 
Department] has said is okay,” King said. “But because it’s a closed 
loop, it’s hard to expand that functionality beyond just e-mail. What 
you gain in security and manageability you sacrifice in flexibility and 
extensibility.”

Platforms based on the Microsoft, Palm or Symbian mobile operating 
systems are easier to customize, King said, but they require more 
upfront work and third-party security tools, such as Sybase’s Afaria 
mobile security suite and encryption software from Bluefire Security 
Technologies, Certicom and VeriSign.

“I’m not suggesting that you can’t secure mobile devices on those 
platforms. I’m just saying security is not as built-in as on the 
BlackBerry side,” he said.


Standard configurations

To ensure that mobile wireless devices are secure, agencies also must 
take steps to securely configure the devices. Commerce technicians 
disable any default features on mobile devices that employees don’t 
require to do their jobs. That includes a sync feature that allows 
devices using Bluetooth technology to discover other compatible wireless 
hardware in the area.

“The default configuration would allow someone to come into the room 
with a Bluetooth device that says, ‘Tell me all the other Bluetooth 
devices in here.’ And your device would actually say, ‘Hi, I’m here, and 
here’s my status,’” McManus said. “You can also turn off things like 
file transfer, because you don’t usually expect people to be doing a 
file transfer from their BlackBerry to another BlackBerry. If I’m a 
consumer, I may not care if anybody can use the Bluetooth capabilities. 
But if I’m a senior executive in the federal government, [that’s] a 
whole new threat.”

Agencies also need to control the amount and type of data their 
employees download onto their wireless hardware. “They are going to put 
more data that you would never think of on the devices,” Winkler said, 
“which means there’s going to be more data than you ever thought 
possible at risk.”

-=-

Joch is a business and technology writer based in New England. He can be 
reached at ajoch (at) worldpath.com.

