Managing Mobile Devices

By: (CISSP, CISA, Security+)

Publication: The Colorado Banker, March/April 2010

According to Fast Company magazine, a laptop is stolen every 53 seconds. To put that into perspective, around three and a half laptops will have been stolen while you’re reading this article. Only 3% of all stolen laptops are ever returned. If you’re like the growing number of hyper-productive Americans today, you can see a great need for laptops and other mobile devices having access to your network. Reports are revised in the passenger seat of the car; research is done while waiting for a plane; emails are read and written while waiting in line for food. It is easy to see the value in such things, but how do you balance the risk associated with allowing these devices to access your confidential and valuable information, while also allowing them to leave the safety of your office? The cost of replacing a lost or stolen laptop or iPhone is really minimal compared to the loss of information or potential unauthorized access to information. There are both technical and nontechnical solutions available to help you maintain security while still enjoying the benefits of mobile devices.

On the technical side, there are several ways to secure laptops. As with all network equipment, setting a sufficient password on the laptop prior to access will go a long way in keeping the average person out of your system. More determined attackers can bypass this protection. This is where whole disk encryption enters the scene. Whole disk encryption software will encrypt your entire C: drive and make information inaccessible without a pre-determined key. Laptops, just like all other systems, are also vulnerable to viruses and other malware, especially while connecting to unknown wireless networks. Good patch management procedures and current antivirus software with up-to-date virus definitions will help protect your bank’s laptops. Disabling Bluetooth discovery mode on your laptop will also provide great protection from Bluetooth hacking tools. These tools enable an attacker to view contacts or email and even enable file sharing from your laptop to theirs.

Other handheld devices and smart phones like iPhones and BlackBerrys are also becoming more and more prominent, introducing vulnerabilities that did not exist a few years ago. Knowing how to manage these devices from your BlackBerry server or Exchange server can prevent unauthorized access to your bank information or email from a lost or stolen phone. Consider the following:

  • Enabling a password after a period of inactivity
  • Enabling remote data wipe
  • Disabling Bluetooth discovery mode

Never underestimate the value of nontechnical solutions like training, training, and training. It is said that the weakest link in any security program is the people. The reverse must then be true: your employees can play a vital role in creating a secure network. This is especially true when managing mobile devices. Educate your users regarding the dangers of connecting to unknown wireless networks. They should never connect to an ad-hoc or peer-to-peer wireless network. On the physical side of security, train your users never to leave a laptop or handheld device unattended unless it is secured. You can use cable locks to attach your laptop to some large piece of furniture in a room. Thieves are much less likely to "sneak out" with a stolen laptop attached to an office chair. Train smart phone users to treat these phones with the care they would a laptop, taking care to not leave them lying around. This is a luxury left for those of us still using phones that are only capable of making phone calls.

Mobile devices like laptops and smart phones have greatly impacted the way we do business and the way we do life. We can continue to enjoy their convenience without sacrificing our privacy and confidentiality. We just need to be aware of the threats involved and be proactive about implementing mitigating controls.