The standard way to address risk--whether malicious mobile apps or
how wireless stores can steal your data--is to start with an
assessment. We've discussed getting rational about risk, but this
is a new challenge: How do you perform a risk assessment on a
technology that changes weekly and that you might not even own?
Many companies, including just recently VMware, are going to a
"bring your own device" model, which adds a whole new wrinkle.
For this column, I'm focusing on data security, not the myriad
other risks presented by mobile devices, such as eavesdropping,
availability and reliability of coverage, even the use of these
devices for corporate disaster recovery--though those are all worth
thinking about.
The first issue: We don't have cold, hard data on how to best
reduce risk, because mobile security as a discipline hasn't been
around long enough to prove how effective, or ineffective, any
given control is. The answer, for now, is to look inward. Focus on
the effectiveness of the control in your environment and the
likelihood that your users will comply. Be prepared to ask a lot of
questions and test your theories before assigning a risk to a
specific threat or scenario.
I recommend you split up your mobile security risk assessment
into four categories: sensitive data access, device risk,
management risk, and awareness. For each area, develop interview
questions to draw out employee feedback. Mix up the questions. Go
beyond simple yes/no, and include open-ended and likelihood
formats--for example, "On a scale of 1 to 5, with 1 being never and
5 being very frequently, how often do you let your child download
apps?"
One technique I use is the "11 questions" exercise. When you're
meeting with people, have them provide a list of 11 or more
questions they would ask if they were in your chair. This gets
difficult after the first five or six, but you would be amazed at
how often you'll uncover risks you didn't suspect existed. Document
them, and use that info to guide the rest of your risk assessment
interview process. One of my favorites from a risk assessment
interview: "How do I stop my husband from looking at dirty websites
on my iPad?"
Good question.
1. Sensitive Data Access
The top-level concern about mobile devices is that they can
access sensitive data and potentially cause a breach or leak of
this data to the public. But can they really? For example, a
company we performed a risk assessment for didn't even know what it
considered sensitive data. Once we identified that (it was the
financials), we were able to point out that the accounting software
the company used ran only on Windows, wasn't reachable via mobile
devices, and just six of 400 employees even had access rights. The
real risk was reports containing financial data being generated and
emailed around.
To document which sensitive information a mobile device has
access to, start by building data flows based on data
classifications, and document who touches what, when. Here's a
10-step process for classifying data. In larger organizations,
check for documented business workflows that you can review. For
each spot where sensitive data "changes hands" (either via a human
or a system), interview the folks involved to discuss if and how
that data could land on mobile devices.
Our experience shows that most mobile devices don't have direct
access to sensitive data. Rather, they have peripheral access (like
our email example above), and existing security systems, such as
data loss prevention, identity management, and access control, can
usually address those sources.
2. Device Risk
Device risk is where most of the media spreads FUD: 200 percent
increases in mobile malware! Less than 50 percent of mobile device
users employ passcodes! While scary stats are fun to talk about and
easy to sensationalize, evaluating risk is not nearly that simple.
Each mobile device operating system has unique vulnerabilities and
offsetting controls.
When looking at device risk, I recommend (as I did in my report, 5
Top Mobile Security Threats for 2012) that you spend less time
worrying about viruses and Trojans and more time worrying about how
you'll encrypt the sensitive data we talked about, guard against
theft of the device, educate the help desk, and extend the reach of
your mobile security technologies. When we analyze the coverage of
most mobile device management suite deployments, for example,
clients are surprised to see that there are devices that bypass
their MDM software: they go directly to ActiveSync, use legacy IMAP
or POP3, or have VPN access into the network, and users don't even
realize their devices are connected. You can't foresee the next threat coming
down the pike, so focus your efforts on making sure you have as
many capabilities as possible to secure as many mobile device types
and platforms as possible.
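One way to run the MDM coverage check described above, as an added example that is not from the column: cross-reference the device identifiers your mail and VPN gateways see against the MDM's enrolled-device inventory and report anything the MDM doesn't manage. The inventory and access records are constructed in a simplified (user, device_id, path) shape; a real deployment would parse its own ActiveSync, IMAP/POP3 and VPN logs into that shape first.

```python
"""Cross-check mail/VPN access records against an MDM inventory.

Added example (not the column's own tooling). Records below are
constructed; real deployments would feed parsed gateway logs instead.
"""
from collections import defaultdict

# Constructed MDM inventory: device identifiers the MDM says it manages.
MDM_ENROLLED = {"DEV-1001", "DEV-1002", "DEV-1003"}

# Constructed access records: (user, device_id, path) as a mail or VPN
# gateway might log them. Paths that bypass MDM are the interesting ones.
ACCESS_RECORDS = [
    ("alice", "DEV-1001", "activesync"),
    ("bob", "DEV-2044", "activesync"),    # not in MDM inventory
    ("carol", "DEV-1002", "activesync"),
    ("dave", None, "imap"),               # legacy IMAP carries no device id
    ("erin", "DEV-3090", "vpn"),          # VPN client on unmanaged device
    ("bob", "DEV-2044", "activesync"),    # repeat connection, same device
]


def find_coverage_gaps(records, enrolled):
    """Return {path: {device_or_user, ...}} for access the MDM does not see.

    A record is a gap when its device id is absent from the MDM inventory,
    or when the path (legacy IMAP/POP3) reports no device id at all; in the
    latter case the user name is recorded so someone can follow up.
    """
    gaps = defaultdict(set)
    for user, device_id, path in records:
        if device_id is None:
            gaps[path].add(f"user:{user}")
        elif device_id not in enrolled:
            gaps[path].add(device_id)
    return dict(gaps)


def coverage_ratio(records, enrolled):
    """Fraction of distinct devices (with an id) that the MDM manages."""
    seen = {d for _, d, _ in records if d is not None}
    return len(seen & enrolled) / len(seen) if seen else 1.0


if __name__ == "__main__":
    for path, items in sorted(find_coverage_gaps(ACCESS_RECORDS, MDM_ENROLLED).items()):
        print(f"{path}: {sorted(items)}")
    print(f"MDM coverage: {coverage_ratio(ACCESS_RECORDS, MDM_ENROLLED):.0%}")
```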
3. Management Risk
Mobile security is difficult because of the thousands of devices
being traded in, lost, stolen, and updated with new apps and
firmware every day. You're always going to struggle to keep up with
the velocity of change, so make sure you have a process to quickly
analyze the risk any given mobile threat presents to your data, and
to evaluate new operating systems and devices. Do you have a person
or team responsible for monitoring the latest malware notifications
or evaluating popular new platforms for vulnerabilities? The recent
discussion of the security implications of the Kindle Fire is a
great example. The day the Fire was released, it began accessing
corporate email and Wi-Fi networks. How would you handle 20 percent
of your company's workforce logging on using a new, unknown mobile
device with an untested version of Android? Also, as we mentioned
before, mobile devices are traded in, damaged, and stolen--a lot.
Do you have a policy to make sure they're wiped first?
Analyze the processes you'll use to deal with malware alerts and
end user problems. How likely is it that you can consistently
execute these processes? Be honest--are resources allocated
properly? Do you have enforcement mechanisms for mobile security
policies?
4. Awareness
The first and last line of defense for mobile devices is the
user. Users are running at admin level and have the ability to
install and delete apps, reconfigure settings, back up data or not.
How well are you informing them about risks? A handout as they go
through new-hire training isn't enough. They need to know exactly
what to do when they see something suspicious going on with their
mobile devices. Comprehensive mobile security awareness training is
very effective at reducing risk. I believe it is one of the
strongest security controls you can invest in outside of MDM
technology, but many companies I work with aren't prepared to talk
with employees about these risks in an ongoing way.
Mobile security risk assessments provide great insights into
where the organization is likely to fall short when implementing
mobile security. Address those risks head-on, working with your
mobile security council to determine which controls will most
effectively reduce risk. Once you have some idea of how you want to
go about reducing your risks, don't be afraid to perform some trial
and error. Getting the right mix of risk reduction and good mobile
experience is vital to the success of a mobile security
program.
Michael A. Davis is the CEO of Savid Technologies, a
technology and security consulting firm based in Chicago.
Source: InformationweekUSA