Security Risk Comes in Small Packages

With all the chaos, confusion, and consternation going around in the wake of the WannaCry (WannaCrypt) outbreak, our focus again turns to the proper care and handling of our computers – specifically those “traditional” computers like servers, desktops, and laptops. We have known for years that one of the best defenses against malware and viruses is a good offense – keeping your systems, apps and operating systems patched and up-to-date, and preventing unwanted access to sensitive devices and to overall device management. But what is lost in this renewed focus is our mobile devices.

The Study on Mobile Device Security published in early May by the Department of Homeland Security (DHS) Science and Technology Directorate and the National Institute of Standards and Technology (NIST) affirms that mobile security is critically important for our nation’s overall cyber-health.

The main takeaway from this landmark study is that despite advances, major mobile security gaps remain in most government and business infrastructures. Closing these security gaps is necessary to protect the significant amount of sensitive data and personally identifiable information (PII) that is now accessible by and resides on our mobile devices.

Applying the same management and security diligence to mobile devices is critically important for any organization whose employees use their mobile devices for business functions (email, accessing files, etc.). And, of course, the reality is that most if not all organizations, no matter the size, have employees who use their mobile devices in the same ways as a “traditional” computer.

It goes without saying that many of the protective technologies employed on our laptops and servers are available for mobile devices. But maybe more importantly, organizations need to approach the overall use, management and security of mobile devices with proper policies, education and controls, many of which can be implemented without significant financial costs.

Harbor is often asked by our clients for things they can do to help users keep their mobile devices secure. Here’s a quick list of some simple things you can do to ensure that your mobile devices are running with at least some security. These steps are free and raise the bar on both protecting against the unauthorized use of your device and the integrity of the applications you’re running on them. Our goal here is not to make your device impenetrable to attack, but instead to make it harder to attack than the next guy.

Security Tips for Android Devices

  • Turn on disk encryption (not explicitly tied to PIN/screen lock).
  • Use biometrics for normal unlocking, together with a longer passcode (instead of a simpler 4-character PIN).
  • Disable developer access (off by default).
  • Disable third-party app store access (off by default, but very common).
  • Evaluate and uninstall apps with excessive permissions using Android Permission Apps or other tools.
  • Install Android platform updates when they become available.
  • Compare your Android version to recent releases. Is your phone getting updates? If not, it’s time for a new phone. (This is hard, because most users will find that Android phones are poorly supported and require more frequent replacements, which end up being costlier than iOS devices over time.)
  • Turn on “Android Device Manager” for remote location services for lost devices or a third-party “Find my Android” tool if your Android device doesn’t support this feature.
  • Periodically erase your network settings to forget about old, insecure WiFi networks you don’t use anymore.
  • When plugging in USB, don’t say yes to “Trust this PC” when prompted, unless it is a personally owned system.
  • Set a strong Google password; better still, enable two-factor authentication.
  • Complain to your cell phone carrier about unwanted applications on your device and the loss of control. There’s no challenge currently, so the carriers do what they want.

Security Tips for iOS Devices

  • Make sure you update iOS when new updates come out.
  • Periodically erase your network settings to forget about old, insecure WiFi networks you don’t use anymore.
  • Make sure “Find my iPhone” is turned on for locating or wiping lost devices.
  • Use TouchID with a longer passcode in lieu of a 4-digit PIN.
  • When plugging in USB, don’t say yes to “Trust this Computer” when prompted, unless it is a personally owned system.
  • Turn off iCloud backup unless you are comfortable with your pictures being stored in the cloud.
  • Use iTunes to make a backup with a password to both encrypt and to capture all your settings.
  • Set a strong Apple iTunes password.
  • Review the Settings | Privacy settings, revoking permissions from apps that are unnecessarily greedy with permissions.