Trustworthy Mobile Security for Smartphones, Tablets, etc. Is there an App for that?

Transcription

1 Trustworthy Mobile Security for Smartphones, Tablets, etc. is there an App for that? intimus consulting is a division of the MARTIN YALE GROUP Bergheimer Strasse Markdorf / Germany Trustworthy Mobile Security for Smartphones, Tablets, etc. Is there an App for that? Five Ways to manage the emerging Security Risks in our increasingly mobile Life WHITEPAPER

2 Trustworthy Mobile Security for Smartphones, Tablets, etc. Is there an App for that? Five Ways to manage the emerging Security Risks in our increasingly mobile Life Summary The past ten years have witnessed a remarkable shift in the way that businesses, organisations and individuals can access computing power. The very concept of a computer has irrevocably changed. In the old days of 2001, a computer was something that sat on a desk, with a hard drive in a nearby tower. Laptop computers were widely considered to be too expensive or unreliable for everyday use, and were often assigned only to regular business travellers or to the more valuable members of the organisation. The first smartphone: The IBM Simon (1992) (Source: Wikipedia) In 2001, smartphones existed (see the photo at right of the Kyocera QCP6035 from the year ), but they were mainly used by technology enthusiasts and early adopters, An early Kyocera smartphone (Source: PC World) and were not nearly as widespread as they are today. Most people carried cell phones, which were big and bulky by today s standards, and were mainly used only to make phone calls. Simply being able to send a text message was considered the height of cell phone communications technology. The original iphone (Source: Wikipedia) 1 Liane Cassavoy, In Pictures: A history of cell phones, PC World, May 7, 2007, published online at [cited on June 19, 2011] Trustworthy Mobile Security for Smartphones, Tablets, etc. - Is there an App for that? 2

3 Content Introduction 4 The advantages of solid state media 6 The drawbacks of solid state media 7 Solid state media information security risks and best practices 8 Five ways to manage Information Security Risks on mobile devices 1. Automatic Locking Check Reputation Confidentiality Special precautions for high ranking officials Decommissioning 11 Conclusion 12 Company Profile 13 Contact Details 13 Trustworthy Mobile Security for Smartphones, Tablets, etc. - Is there an App for that? 3

4 Introduction What a difference ten years can make. Today, smartphone users can access their , take and share high quality digital photos and videos, listen to music, watch movies, and connect to the Internet from anywhere, allowing them to interact with their world and be productive in unprecedented ways. Even as desktop PCs and laptops/notebooks have grown in speed and power, they have also started to be eclipsed by ever smaller, ever lighter models like netbooks (popular during ) and more recently by tablet PCs like the ipad. According to research from Gartner, sales of tablet computers are expected to more than quadruple from 15 million units sold worldwide in 2010, to over 70 million sold during Total tablet computer shipments are expected to approach 250 million by Tablet computers enable the same kinds of constant connectivity and interactions as a smartphone, but their larger screens and easier operability make it possible to bring computing power into workplaces in new ways. With a tablet computer, the factory floor can now be easily connected to the company s main network. Knowledge workers can access information via tablet computers in a Image source: The Economist lighter, more portable format. Hospital workers can record patient information at the bedside using a simple touch screen Restaurant staff can take reservations and coordinate seating with a tablet. The possibilities are limitless. One of the biggest reasons for the differences between the fixed computers of 2001 and the smartphones and tablet computers of today is the rise of solid-state storage media. 2 Josh Halliday, Tablet sales poised for spectacular growth, claims Gartner, Guardian, April 11, 2011, published online at [cited on June 19, 2011] 3 The Economist, Taking the tablets, March 2, 2011, published online at [cited on June 19, 2011] Trustworthy Mobile Security for Smartphones, Tablets, etc. - Is there an App for that? 4

5 Rather than relying on the moving parts of a hard disk drive, smartphones and tablets are built with sold-state drives, which enable these devices to be more portable and powerful than ever before. Computers are no longer fixed objects sitting on a desk. People now have the ability to carry computers in their pockets in the form of smartphones (which recently surpassed PCs in total worldwide shipments). 4 Source: CNN Money The dramatic increases in portability and flexibility of computer power has made possible great gains in productivity and a significant transformation in online culture as the Internet begins to infuse every aspect of daily life. But along with the benefits of the rise of smartphones and tablet computers, there are risks. The same features that make smartphones and tablets so beneficial can also pose damaging threats to the sensitive data of organisations. This paper will discuss some of the information security risks posed by the emerging solid-state media, such as smartphones and tablet computers. By exercising best practices and information assurance strategies, organisations can successfully navigate the risks posed by these powerful new forms of electronic storage media. 4 David Goldman, Smartphones have conquered PCs, CNN Money, February 9, 2011, published online at [cited on June 19, 2011] Trustworthy Mobile Security for Smartphones, Tablets, etc. - Is there an App for that? 5

6 The advantages of solid state media Solid state media offer several advantages that have made them the ideal foundation for the recent revolution in portable computing power. Traditional magnetic hard disk drives (HDDs), like the ones in 2001-era computers, are made of moving parts. There is literally a spinning disk within the drive, and movable read/write heads. Data is recorded into memory via electromagnetism. This type of storage media worked very well for the days when computers were immovable objects sitting on desks, but in order to create a more mobile computer, solid state storage was needed. Solid state drives (SSDs) have no moving parts, and rely on microchips and non-volatile memory chips, instead of magnetic media, to store data. SSDs are often used for external drives such as USB drives and mobile devices like smartphones and tablets. The can also be used internally as drives for laptops. The characteristics that make SSDs ideal for small, portable devices like smartphones and tablets include: Silent performance: SSDs do not make any sounds, like a spinning magnetic hard disk drive. Less susceptible to physical shock: Smartphones and tablets can be jostled or dropped, without losing data. Faster performance: SSDs deliver quicker access time and latency. Trustworthy Mobile Security for Smartphones, Tablets, etc. - Is there an App for that? 6

7 The drawbacks of solid state media As the size and stability of digital storage media has exponentially grown, it has become more difficult for organisations to prevent data breaches. There is simply too much information, too easily available, too easily duplicated, and stored in too many different places. As such, organisations are challenged with having to safely dispose of their obsolete devices. Hard disk drives (HDDs) are magnetic storage media, meaning that the recorded data can be successfully erased from the disk by using a degausser (subjecting the disk to a highly focused electromagnetic field). Another option to erase an HDD is to use the Secure Erase function built into most standard HDDs ever since From an information security standpoint, the primary drawback of solid state media is that the solid state drives (SSDs) are not as easy to purge of data as the magnetic HDDs. Since the SSDs do not rely on magnetic media for data storage, degaussers are not effective in sanitising the data. Secure Erase does not successfully erase an SSD, either. According to recent research from the University of California at San Diego, tests on the Apple Mac OS X showed that as much as 57% of stored data remained intact even after using the Secure Erase feature. 5 So if the old methods of data sanitisation will not succeed on these new forms of solid state storage media, how are organisations supposed to protect themselves? There are several significant risks posed by solid state media, and several key recommendations to help overcome those risks. 5 Dan Goodin, Flash drives dangerously hard to purge of sensitive data, The Register, Feb. 21, 2011, published online at [cited on June 17, 2011] Trustworthy Mobile Security for Smartphones, Tablets, etc. - Is there an App for that? 7

8 Solid state media information security risks and best practices Many users of solid state media, especially smart phones, get lulled into a false sense of security. After all, how can such a friendly, useful device possibly pose any information security risk? Many solid state media users become almost too comfortable with their devices, and fail to protect them the same way they would treat a workplace desktop PC. Other people see their mobile devices as an extension of themselves, and fail to uphold a proper division between work and personal use, for example, by downloading certain apps onto a work-issued smartphone or tablet, even though the apps might pose an information security risk. Mobile solid state media devices like smartphones are more vulnerable than many people realise, with possible negative consequences including hacking, identity theft, data breach, or wrongful disclosure of financial information. According to a 2008 CompTIA survey of more than 2,000 information security professionals, over half responded that risks related to mobile devices and remote workers were up compared to When employees work remotely or carry devices with them, especially when using their devices to access the Internet via public networks, there is a risk of theft or loss. Organisations need to ensure that they have trained their staff on how to properly handle their tablet PCs and other portable devices using secure passwords, data encryption, and other methods to thwart potential data thieves. An additional security risk of solid state media which is often overlooked is the sheer quantity of devices that are now in use. Smartphones especially tend to have short life cycles of 2 years or less, as people constantly trade up for the newest models with the fastest performance and the fanciest technology. This means that in a few years, organisations could potentially be faced with vast numbers of obsolete solid state media devices, which are no longer needed by the business and which could pose a threat if not disposed of safely. Organisations need to start planning now to properly decommission and sanitise their solid state media devices (smartphones, tablets, USB drives, and others) once they have gone out of service. 6 Al Sacco, Six essential Apple iphone security tips, PC World, October 12, 2008, published online at [cited on June 19, 2011] Trustworthy Mobile Security for Smartphones, Tablets, etc. - Is there an App for that? 8

9 In December 2010, ENISA (European Network and Information Security Agency) published a paper on smartphone security, outlining the top 10 risks of smartphone usage (for business and personal use) and also made several recommendations for how to counteract the risks. Many of these risks apply to tablet users as well, since the technology and usage of these devices is similar. Some of the top risks identified in the ENISA report include: 7 Data leakage: an attacker successfully accesses the data on a lost or stolen device. Improper decommissioning: the device is disposed of or reassigned to another user without successfully deleting sensitive data stored on the device, allowing this information to fall into the wrong hands. Unintentional data disclosure: Many users are unaware of the privacy settings on the various apps that they use with their devices. Sensitive data might be transmitted via an app, without the knowledge of the user. Phishing: A data thief steals user credentials, passwords or credit card numbers using fake apps, text messages or s that seem credible. Spyware: The device becomes affected by invasive software that is installed by an attacker to access sensitive data by abusing privilege requests. Network spoofing attacks: A data thief creates a rogue network access point to attract users, and then captures the user s communications and sensitive information to carry out additional attacks such as phishing. Surveillance: Spying on a person by using that person s smartphone or tablet device. Diallerware: Stealing money from a person by using malware to exploit premium SMS (text) message services. 7 Dr. Giles Hogben, Dr. Marnix Dekker, ENISA, Smartphones : Information security risks, opportunities and recommendations for users," December 10, 2010, published online at [cited on June 19, 2011] Trustworthy Mobile Security for Smartphones, Tablets, etc. - Is there an App for that? 9

10 Financial malware: Malicious software (malware) designed to steal credit card numbers, online banking credentials or subverting online banking or ecommerce transactions. Fortunately, the ENISA report also outlines some key recommendations for how individuals and organisations can minimise the risks of solid state devices. Many of the risks can be mitigated with good security practices and training throughout the organisation. Key recommendations include: 1. Automatic locking: Configure the device so that it locks automatically after a few minutes. This will prevent the device from being easily accessed by a data thief. 2. Check reputation: Prior to installing or using any new apps or services on the smartphone or tablet, make sure to check the reputation of the app being installed. Organisations should also consider creating a whitelist of acceptable apps that employees have permission to install on their work-issued devices, especially if the devices are used to handle sensitive internal data, or if the organisation s internal network is accessible to the devices. 3. Confidentiality: Use memory encryption for the device s memory and any removable media that accompany the device. 4. Special precautions for high ranking officials: When high ranking people within an organisation use mobile solid state media devices, a few extra precautions are needed. The devices of high ranking individuals can be especially valuable to data thieves, as they often contain the most restricted sensitive information that can be most highly damaging to the organisation if it falls into the wrong hands. For these reasons, ENISA recommends the following precautions: Trustworthy Mobile Security for Smartphones, Tablets, etc. - Is there an App for that? 10

11 o o o No local data: High ranking officials should not be able to store sensitive data locally on the device. Instead, the users should only be able to access sensitive data online via the organisation s internal network, using a non-caching app. This will limit the exposure of the organisation s most sensitive data, keeping it contained within the company s network, rather than dispersed onto multiple mobile devices. Encryption software: Just as many organisations use encryption to send highly confidential messages, it is also possible to encrypt VOIP calls and SMS (text) messages to protect highly confidential conversations from end-to-end. Periodic reload: Smartphones and tablets may be periodically wiped (using secure deletion) and reloaded with a specially prepared and tested disk image. While this periodic reloading can minimise the amount of sensitive information on the device at any one time while it is being used, the only secure way to sanitise data on the device is done at the point of decommissioning. 5. Decommissioning: Before decommissioning, disposing of or recycling an obsolete or unneeded smartphone or tablet device, apply a thorough memory wipe procedure to the device. One of the most reliable methods to sanitise data from a solid state drive, according to recent research 8, is to fully encrypt the drive s contents, and then delete the corresponding encryption keys from the key store. This results in putting the drive s contents into a permanent mode of encryption, unable to be deciphered or recovered by anyone. The drive can then be physically destroyed using a disintegrator. The biggest challenge of safely decommissioning solid state media devices is that even after an SSD has received a wiping procedure, a certain amount of information from the device can still be restored (with some effort) even without the encryption keys. Encryption keys are also do not provide failsafe security. Many encryption keys have been cracked by hackers, and other encryption keys have back doors that are vulnerable to exploitation. 8 Dan Goodin, Flash drives dangerously hard to purge of sensitive data, The Register, Feb. 21, 2011, published online at [cited on June 17, 2011] Trustworthy Mobile Security for Smartphones, Tablets, etc. - Is there an App for that? 11

12 Conclusion Solid state media such as smartphones and tablets are becoming an ever-increasing presence in the daily operations of organisations. With over 100 million smartphones shipping worldwide in 2010, and over 200 million tablets per year expected to ship during 2014, more organisations will need to adapt their security protocols to handle the unique risks of these powerful, portable media. In addition to the security risks posed by such highly portable, versatile devices, one of the principal challenges of these new media is that they are so difficult to securely erase. The traditional methods of securely erasing a hard disk drive (HDD) do not apply to the microchipbased solid state drives (SSDs) that power smartphones, tablets and many laptops. Along with ensuring good security practices while the devices are in use, many organisations will need to re-evaluate their decommissioning and disposal methods. Otherwise, the organisation s secrets may prove to be more portable than anyone had expected. Trustworthy Mobile Security for Smartphones, Tablets, etc. - Is there an App for that? 12

13 Company Profile Data protection was something unheard of when the first shredders were introduced in the 1960 s. Starting with the "electronic wastepaper basket" INTIMUS Simplex in 1965 the product range nowadays meets all the requirements imposed with regard to information assurance. It does not only contain devices for the shredding of classical data media, such as print outs, computer lists or even complete folders, but also features machines to destroy information on modern endpoint devices like CDs, floppy disks, Hard Disk Drives and Solid State Media. intimus Security Consulting is a concept to assist organisations worldwide to define, implement and monitor procedures for information security beyond the endpoint. More information is available under The MARTIN YALE GROUP was formed in 2003 by the former individual organisations MARTIN YALE Industries (North America) and Schleicher International (Germany). Today the Group has got an extensive worldwide distribution network with 7 branch offices and over 150 distributors. Contact Details MARTIN YALE GROUP Bergheimer Strasse Markdorf / Germany Tel / (0) / Fax 0049 / (0) / mailto: strunz@martinyale.de Trustworthy Mobile Security for Smartphones, Tablets, etc. - Is there an App for that? 13