Mobile Policy

Overview
• Security Risks with Mobile Devices
• Guidelines for Managing the Security of Mobile Devices in the Enterprise
• Threats of Mobile Devices and Mitigation Strategies
• Bring Your Own Device (BYOD)
• Policies for BYOD
• Case Studies

Security Risks with Mobile Devices
• Device hardware and OS vulnerabilities
• Mobile malware
• Mobile application security risks
• Use of insecure connections
• Lost or stolen devices

Device Hardware and OS Vulnerabilities
• Android and iOS are comparably risky
• Vulnerabilities were found in cross-app resource sharing protocols on Apple’s desktop and mobile platforms
◦ Exploited to steal data such as passwords and authentication keys
• Jailbreaking iOS and rooting Android devices

Mobile Malware
• Trojans that send SMS messages to premium-rate numbers
• Background calling applications that make long-distance calls
• Key-logging applications
• Worms
• Spyware

Mobile Application Security Risks
• Common vulnerabilities
◦ Sensitive data leakage
◦ Unsafe sensitive data storage
◦ Unsafe sensitive data transmission
◦ Hardcoded passwords/keys, etc.
• HTML5-based mobile apps are at risk of malicious code injection – Cross Device Scripting Attacks

Guidelines for managing the security of mobile devices
• Organizations should have a mobile device security policy.
• System threat models for mobile devices and the resources accessed through the mobile devices should be developed.
• Organizations should select the services provided by mobile device solutions that meet their needs.
• A pilot mobile device solution needs to be implemented and tested before putting the solution into production.
• Organization-issued mobile devices should be fully secured before being used.
• Mobile device security should be regularly maintained.

Mobile Device Security Policy
• Defines the types of resources in the organization that may be accessed via mobile devices.
• Defines the types of mobile devices that are permitted to access the organization’s resources.
• Defines the degree of access of different classes of mobile devices
◦ organization-issued devices vs. personally owned devices.
• Defines the requirements for mobile device management technologies
◦ the administration of centralized mobile device management servers
◦ the updating of policies in the servers, etc.

Services Provided by Mobile Device Solutions
• General policy.
◦ Enforce enterprise security policies on the mobile device
◦ E.g., restricting access to hardware and software, managing wireless network interfaces, detecting and reporting policy violations.
• Data communication and storage.
◦ Encrypted data communication and storage, device wiping, and wiping devices remotely.
• User and device authentication.
◦ E.g., resetting forgotten passwords remotely, automatically locking idle devices, and remotely locking devices.
• Applications.
◦ The app stores that may be used and the applications that may be installed
◦ Permissions assigned to the applications, installing and updating applications, the use of synchronization services, etc.
◦ Verifying digital signatures on applications
◦ Distributing the organization’s applications from a dedicated mobile application store.

Mobile Device Security Maintenance
• Checking for and deploying upgrades and patches
• Ensuring that the clocks of mobile device infrastructure components are synced to a common time source
• Reconfiguring access control features as needed
• Detecting and documenting anomalies
• Keeping an active inventory of mobile devices and their users and applications
• Revoking access to or deleting an application
• Wiping devices before reissuing them to other users
• Periodically performing assessments to confirm compliance with mobile device policies, processes, and procedures

Threats of Mobile Devices in the Enterprise
• Lack of physical security control
• Use of untrusted mobile devices
• Use of untrusted networks
• Use of untrusted applications
• Interaction with other systems
• Use of untrusted content
• Use of location services

Threats and Mitigation Strategies – (1)
Threat: Lack of Physical Security Control
• Lost or stolen devices
• Attacker recovers data from the device, or uses the device to access the organization’s remote resources
Mitigation:
• Require authentication before gaining access to the device or the organization’s resources
• Encrypt the device’s storage, or do not store sensitive data on mobile devices
• User training and awareness to reduce insecure physical security practices

Threats and Mitigation Strategies – (2)
Threat: Use of Untrusted Mobile Devices
• Restrictions on security, OS, etc. could be bypassed through jailbreaking and rooting
Mitigation:
• Restrict or prohibit BYOD devices
• Fully secure organization-issued devices; monitor and address deviations from the secure state
• For BYOD devices, run the organization’s software in a secure, isolated sandbox on the mobile device, or use device integrity scanning applications

Threats and Mitigation Strategies – (3)
Threat: Use of Untrusted Network
• Eavesdropping
• Man-in-the-Middle attacks
Mitigation:
• Use VPN
• Use a mutual authentication mechanism to verify the identities of both endpoints before transmitting data
• Prohibit use of insecure Wi-Fi networks
• Disable network interfaces that are not needed

Threats and Mitigation Strategies – (4)
Threat: Use of Untrusted Applications
• Users can download untrusted third-party mobile device applications
• Users can access untrusted web-based applications through the device’s built-in browsers
Mitigation:
• Prohibit all installation of third-party applications
• Allow installation of approved applications only
• Verify that applications only receive the necessary permissions
• Implement a secure sandbox that isolates the organization’s data and applications from all other data and applications on the mobile device
• Perform a risk assessment on each third-party application before permitting its use on the organization’s mobile devices
• Prohibit or restrict browser access
• Force mobile device traffic through secure web gateways, HTTP proxy servers, or other intermediate devices to assess URLs before allowing access
• Use a separate browser within a secure sandbox for browser-based access related to the organization

Threats and Mitigation Strategies – (5)
Threat: Interact with other systems
• Connect a personally-owned mobile device to an organization-issued laptop
• Connect an organization-issued mobile device to a personally-owned laptop
• Connect an organization-issued mobile device to a remote backup service
• Connect any mobile device to an untrusted charging station
• Risk of storing the organization’s data in an unsecured location, and of malware transmission
Mitigation:
• Implement security controls on organization-issued mobile devices restricting what devices they can synchronize with
• Implement security controls on organization-issued computers restricting the connection of mobile devices
• Block use of remote backup services or configure the mobile devices not to use such services
• Do not connect mobile devices to unknown charging devices
• Prevent mobile devices from exchanging data with each other through logical or physical means

Threats and Mitigation Strategies – (6)
Threat: Use of Untrusted Content
• Malicious QR codes could direct mobile devices to malicious websites
Mitigation:
• Educate users not to access untrusted content with any mobile devices used for work
• Have applications (e.g., QR readers) display the unobfuscated content (e.g., the URL) and allow users to accept or reject it before proceeding
• Use secure web gateways, HTTP proxy servers, etc. to validate URLs before allowing access
• Restrict peripheral use on mobile devices (e.g., disabling camera use) to prevent QR code reading
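
An added example, not part of the original slides: one way a QR reader could build the accept/reject prompt described above, so the user sees the real destination host rather than the raw payload. The function name and the sample payloads are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, unquote


def preview_scanned_url(payload: str) -> dict:
    """Build the accept/reject prompt a QR reader shows before opening a link."""
    text = payload.strip()
    try:
        parts = urlsplit(text)
        host, port = parts.hostname, parts.port   # userinfo stripped, host lowercased
    except ValueError:                            # malformed port or IPv6 literal
        parts, host, port = None, None, None
    if parts is None or parts.scheme not in ("http", "https") or not host:
        return {"host": None, "display": text,
                "warnings": ["not a well-formed http(s) link; do not open automatically"]}
    warnings = []
    if parts.scheme == "http":
        warnings.append("connection is not encrypted (http)")
    if "@" in parts.netloc:
        warnings.append("text before '@' is NOT the destination")
    shown = host
    try:
        if host.isascii():
            shown = host.encode("ascii").decode("idna")   # xn-- labels -> Unicode
        else:
            host = host.encode("idna").decode("ascii")    # Unicode -> xn-- form
    except UnicodeError:
        warnings.append("host name could not be decoded")
    if shown != host:
        # Show both forms so look-alike characters cannot hide the real name.
        warnings.append(f"internationalized name: {shown} = {host}")
    path = unquote(parts.path)                    # reveal percent-encoded characters
    if path != parts.path:
        warnings.append("path contained percent-encoded characters")
    display = f"{parts.scheme}://{shown}{':%d' % port if port else ''}{path}"
    if parts.query:
        display += "?" + unquote(parts.query)
    return {"host": host, "display": display, "warnings": warnings}


# Constructed sample payloads (illustrative only, using reserved example domains).
SAMPLES = [
    "https://login.example.com@other-site.test/reset",
    "http://xn--bcher-kva.example/%61dmin",
    "tel:+15550100",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = preview_scanned_url(sample)
        print(result["display"], result["warnings"])
```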

Threats and Mitigation Strategies – (7)
Threat: Use of Location Services
• Attackers could correlate location information with other sources about who the user associates with and the kinds of activities they perform in particular locations
Mitigation:
• Disable location service
• Prohibit use of location services for particular applications such as social networking or photo applications
• Turn off location services when in sensitive areas
• Opt out of Internet connection location services whenever possible

Bring Your Own Device (BYOD) - Benefits
• Cost savings.
◦ The cost of organization-issued devices could be reduced.
• Productivity gains.
◦ Employees can work more effectively outside of the office and are more likely to spend more time on work-related activities.
• Operational flexibility.
◦ Employees can carry out their work function away from their desk.
• Employee satisfaction.
◦ Employees can use devices that they enjoy using

BYOD - Challenges
• Privacy issues.
◦ A Mobile Device Management (MDM) system may require accessing/processing of personal data.
◦ Employee consent should be obtained before MDM is deployed
◦ Employee’s personal data may be lost if device data needs to be wiped.
• Cost issues.
◦ Whether to reimburse employee-owned devices and data/voice usage.
◦ Additional cost for implementing MDM and for handling the support of BYOD users
◦ Tax implications for reimbursement

BYOD – Technological Approaches
• Virtualization:
◦ Provide remote access to computing resources.
◦ No organization’s data/application processing on the personal devices
• Walled garden:
◦ Organization’s data or application processing are contained in a secure application that is segregated from personal data.
• Limited separation:
◦ Organization’s data and/or application processing are comingled with personal data and/or application processing, but policies are enacted to ensure minimum security controls.

BYOD – Areas that Policies should Address
• Eligibility
◦ Who is allowed to use personal devices
• Allowed devices
◦ Minimum specifications for OS and application support, performance and other device-specific criteria.
◦ Desktop virtualization eliminates these considerations.
• Service availability
◦ The specific services the organization wants to make available on BYO devices
• Rollout
◦ Teach employees about responsibilities like how data is allowed to be accessed, used, and stored.
• Cost sharing.
◦ Whether to provide full or partial stipends towards the personal devices.
◦ Who will pay for network access outside the organization firewall.
• Security and compliance.
◦ Use desktop virtualization
◦ Disable printing or access to client-side storage.
◦ Ensure antivirus/antimalware is installed and updated.
◦ Network access control
◦ Mechanism to terminate access to data and apps from BYO device if device is lost or stolen, or employee leaves the organization
• Device support and maintenance.
◦ How various support and maintenance tasks will be addressed and paid for.

Components of BYOD Policies
• Acceptable use policy for email, Internet, mobile device, etc.
• Security policies such as mobile, encryption, password, anti-virus, etc.
• Wireless access policy
• Remote access policy
• Remote working policies
• Privacy policies
• Employee code of conduct
• Incident response policies

Sample Policies
• The CIO Council provided the following sample policies:
◦ Policy and guidelines for government-provided mobile device usage
◦ Bring your own device – policy and rules of behavior
◦ Mobile information technology device policy
◦ Wireless communication reimbursement program
◦ Portable wireless network access device policy
Reference: CIO Council, Bring Your Own Device – A toolkit to support federal agencies implementing Bring Your Own Device (BYOD) programs.
https://cio.gov/wp-content/uploads/downloads/2012/09/byod-toolkit.pdf

BYOD – Case Studies
• The Department of the Treasury’s Alcohol and Tobacco Tax and Trade Bureau (TTB) implemented a virtual desktop
• The U.S. Equal Employment Opportunity Commission implemented a BYOD pilot
• The State of Delaware implemented BYOD and achieved cost savings
Reference: CIO Council, Bring Your Own Device – A toolkit to support federal agencies implementing Bring Your Own Device (BYOD) programs.
https://cio.gov/wp-content/uploads/downloads/2012/09/byod-toolkit.pdf