
An ISACA Emerging Technology White Paper

August 2010

Securing Mobile Devices

Abstract

Mobile computing devices have become a critical tool in today's networked world. Enterprises and individuals alike rely on mobile devices to remain reachable when away from the office or home. While mobile devices such as smartphones, laptops, personal digital assistants (PDAs) and Universal Serial Bus (USB) memory sticks have facilitated increased convenience for individuals as well as the potential for increased productivity in the workplace, these benefits are not without risks. Mobile devices have been, and continue to be, a source of various types of security incidents. These stem from issues such as device loss, malware and external breaches. As the availability of human resources and systems continues to be critical to society and business operations, it stands to reason that mobile device usage will continue to escalate, as will the features these devices offer. It is, therefore, imperative that proper risk management be applied and security controls implemented to maximize the benefits while minimizing the risks associated with such devices.



ISACA

With more than 86,000 constituents in more than 160 countries, ISACA (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance of IT, and IT-related risk and compliance. Founded in 1969, ISACA sponsors international conferences, publishes the ISACA Journal, and develops international IS auditing and control standards. It also administers the globally respected Certified Information Systems Auditor™ (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control™ (CRISC™) designations. ISACA offers the Business Model for Information Security™ (BMIS™) and the IT Assurance Framework™ (ITAF™). It also developed and maintains the COBIT, Val IT and Risk IT frameworks, which help IT professionals and enterprise leaders fulfill their IT governance responsibilities and deliver value to the business.

Disclaimer

ISACA has designed and created Securing Mobile Devices (the Work) primarily as an educational resource for security, governance and assurance professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, security, governance and assurance professionals should apply their own professional judgment to the specific control circumstances presented by the particular systems or information technology environment.

Reservation of Rights

© 2010 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of all or portions of this publication are permitted solely for academic, internal and noncommercial use and for consulting/advisory engagements, and must include full attribution of the material's source. No other right or permission is granted with respect to this work.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: info@isaca.org
Web site: www.isaca.org

CRISC is a trademark/service mark of ISACA. The mark has been applied for or registered in countries throughout the world.



ISACA wishes to recognize:

Project Development Team
Christos K. Dimitriadis, Ph.D., CISA, CISM, INTRALOT S.A., Greece
Mark A. Lobel, CISA, CISM, CISSP, PricewaterhouseCoopers LLP, USA
Adam Meyers, SRA International, USA
Naiden Nedelchev, CISM, CGEIT, Mobiltel EAD, Bulgaria

Expert Reviewers
Urs Fischer, CISA, CRISC, CIA, CPA (Swiss), Switzerland
Ramses Gallego, CISM, CGEIT, CISSP, Entel IT Consulting, Spain
Jennifer Poore, SRA International, USA
Ramesan Ramani, CISM, CGEIT, Paramount Computer Systems, UAE
Peter Wood, CISSP, CITP, FCBS, First Base Technologies, UK

ISACA Board of Directors
Emil D'Angelo, CISA, CISM, Bank of Tokyo-Mitsubishi UFJ Ltd., USA, International President
Hitoshi Ota, CISA, CISM, CGEIT, CIA, Mizuho Corporate Bank Ltd., Japan, Vice President
Jose Angel Pena Ibarra, CGEIT, Alintec S.A., Mexico, Vice President
Christos K. Dimitriadis, Ph.D., CISA, CISM, INTRALOT S.A., Greece, Vice President
Rolf M. von Roessing, CISA, CISM, CGEIT, KPMG Germany, Germany, Vice President
Robert E. Stroud, CGEIT, CA Technologies, USA, Vice President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Vice President
Ria Lucas, CISA, CGEIT, Telstra Corp. Ltd., Australia, Vice President
Everett C. Johnson Jr., CPA, Deloitte & Touche LLP (retired), USA, Past International President
Lynn C. Lawton, CISA, FBCS CITP, FCA, FIIA, KPMG Ltd., Russian Federation, Past International President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Director
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Director
Howard Nicholson, CISA, CGEIT, CRISC, City of Salisbury, Australia, Director
Jeff Spivey, CPP, PSP, Security Risk Management, USA, ITGI Trustee

Guidance and Practices Committee
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Chair
Christos K. Dimitriadis, Ph.D., CISA, CISM, INTRALOT S.A., Greece
Urs Fischer, CISA, CRISC, CIA, CPA (Swiss), Switzerland
Ramses Gallego, CISM, CGEIT, CISSP, Entel IT Consulting, Spain
Phillip J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Ravi Muthukrishnan, CISA, CISM, FCA, ISCA, Capco IT Service India Pvt. Ltd., India
Anthony P. Noble, CISA, CCP, Viacom Inc., USA
Salomon Rico, CISA, CISM, CGEIT, Deloitte, Mexico
Frank Van Der Zwaag, CISA, CISSP, Westpac New Zealand, New Zealand


Impacts of Mobile Devices


Mobile devices are changing the business landscape. As enterprises have moved toward global business operations, these devices have become indispensable. Mobile devices offer enterprises the ability to keep their employees connected at all times. These devices afford people the ability to conduct business anywhere, whether they are at home, in the office, or traveling between destinations. As a result of the increased use of mobile devices in business, many enterprises are seeing an increase in employee productivity. A recent Aberdeen study showed that best-in-class enterprises are enjoying a 40 percent increased productivity rate.[1] These increases in productivity should be able to demonstrate a very quick return on investment (ROI) for enterprises that have chosen to purchase, manage and support the use of mobile devices for employees.


While an increase in productivity and a quick and high ROI are positive attributes for any enterprise, the risks associated with mobile devices can be significant and include issues stemming from human factors to technology and architecture issues. A lack of enterprise control of physical devices, and employees using personal devices for business, has increased mobile device risk levels. Therefore, it is imperative when considering the deployment of such tools to consider the potential benefits, risks and controls associated with the technology.

What Are Mobile Devices?

Mobile devices can mean many different things to people. For this paper, we will define mobile devices as:

- Full-featured mobile phones with personal computer-like functionality, or smartphones
- Laptops and netbooks
- Tablet computers
- Portable digital assistants (PDAs)
- Portable Universal Serial Bus (USB) devices for storage (such as thumb drives and MP3 devices) and for connectivity (such as Wi-Fi, Bluetooth and HSDPA/UMTS/EDGE/GPRS modem cards)
- Digital cameras
- Radio frequency identification (RFID) and mobile RFID (M-RFID) devices for data storage, identification and asset management
- Infrared-enabled (IrDA) devices such as printers and smart cards

Devices such as these provide the user with the opportunity for seamless communication and/or information storage whether in the office or elsewhere. The communication capabilities allow workers to utilize wireless networks to communicate via phone, e-mail and text. Many provide access to the Internet, access to company documents and drives, video and photographic capabilities, and storage capability. In short, many of these devices enable an employee to be away from the office yet have the convenience of all the office resources.

Business Benefits of Mobile Devices


Mobile device usage is ubiquitous and continually expanding. According to the Gartner PC installed base forecast, by 2013, mobile phones will overtake PCs as the most common web access device worldwide.[2] As individuals in society have experienced the convenience of mobile device use, enterprises across the globe are now equally realizing the benefits that mobile devices can bring to the enterprise.

[1] Aberdeen Group, More Mobility - Less Budget: Enterprise Strategies in the Current Economic Downturn, USA, 2009
[2] Gartner, www.gartner.com/it/page.jsp?id=1278413



Some of the benefits currently being experienced by enterprises include:

- Increased workforce productivity: Mobile device strategies provide connectivity to knowledge workers who otherwise would not be able to access e-mail, corporate documents and other information. This facilitates the completion of work offsite. Best-in-business enterprises are capturing a 40 percent increase in employee productivity.[3]
- Improved customer service: By providing enterprise representatives with up-to-date information irrespective of location, a sales person or account manager can access the customer relationship management (CRM) system while at a customer site and provide ad hoc solutions and current customer account information.
- Response to customer problems or questions at any time: An average of 35 percent improvement[4] in customer satisfaction has been seen in best-in-business enterprises using mobile device management strategies.
- Improved turnaround times for problem resolution: Enterprises that effectively employ mobile devices have more flexibility facing the challenges of time zones or office hours.
- Increased business process efficiency: Many enterprises are seeing shortened and more efficient business processes. Mobile devices have affected issues such as supply chain management (SCM) by providing employees with information to speed the capture of inbound supply chain data and shortening the feedback loop between the supply chain and production planning.[5]
- Employee security and safety: While many mobile devices focus on the real-time access to information that a device such as a smartphone can offer, one of the first reasons for mobile device adoption was safety and security. These devices allow employees to travel to and from remote locations while staying in touch and connected.
- Employee retention: By supporting the use of mobile devices within an enterprise, management creates positives for both the business and employees. The use of mobile devices can improve the work-life balance by facilitating the ability of employees to work remotely. This improvement in the work-life balance has been shown to increase employee retention by up to 25 percent.[6]

Although mobile devices can offer enterprises some highly valued benefits, it is important to recognize that these benefits can be realized only if the enterprise manages the technology effectively, for both value and risk.


Risks and Security Concerns With Mobile Devices


Deployment of mobile devices can present a significant amount of risk to the overall enterprise security posture. Mobile devices have numerous vulnerabilities that are susceptible to malicious attacks as well as nonmalicious internal threats. From the types of networks the mobile devices use to the threat of data loss, mobile devices have no shortage of inherent risk. Ironically, many of the risks associated with mobile devices exist because of their biggest benefit: portability. Mobile devices transport data via wireless networks, which are typically less secure than wired networks. These wireless networks can leave information at risk of interception. Additionally, many of these devices have storage capability and unencrypted data at rest, thus the information gathered from either the interception of data in transit or theft or loss of a device can result in the compromise of sensitive and proprietary information. In addition to data loss, mobile devices carry the risk of introducing malware. The devices themselves can be used as a platform for additional malicious activity. Devices and laptops with onboard microphones and cameras are particularly vulnerable because they can be activated easily using publicly available tools, possibly resulting in malware propagation, data loss and eavesdropping. Likewise, cellular and Voice-over IP (VoIP) technologies also have vulnerabilities that can be easily exploited, resulting in intercepted calls.
[3] Aberdeen Group, op. cit.
[4] Ibid.
[5] Burdon, K.; Business Benefits of Industry-Specific Mobile Applications, IDC, USA, 2005
[6] Aberdeen Group, op. cit.


The risks of using mobile devices are certainly abundant. In addition to the previously mentioned issues, the potential exists for technical attacks against devices by using vulnerabilities in the communications layer. These attacks are perpetrated using remote access tools (RATs) that can be planted on a mobile device, and thereby access the physical device to recover information and data. These threats can be countered in many cases by using sound policy and judgment in the implementation and use of the devices. However, some threats require the additional layers of protection that technical controls and countermeasures offer, such as encryption and third-party security software designed to counter these threats. Figure 1 presents some known vulnerabilities and associated threats that need to be understood when dealing with mobile devices.
Figure 1: Mobile Device Vulnerabilities, Threats and Risks

Vulnerability: Information travels across wireless networks, which are often less secure than wired networks.
Threat: Malicious outsiders can do harm to the enterprise.
Risk: Information interception resulting in a breach of sensitive data, enterprise reputation, adherence to regulation, legal action

Vulnerability: Mobility provides users with the opportunity to leave enterprise boundaries and thereby eliminates many security controls.
Threat: Mobile devices cross boundaries and network perimeters, carrying malware, and can bring this malware into the enterprise network.
Risk: Malware propagation, which may result in data leakage, data corruption and unavailability of necessary data

Vulnerability: Bluetooth technology is very convenient for many users to have hands-free conversations; however, it is often left on and then is discoverable.
Threat: Hackers can discover the device and launch an attack.
Risk: Device corruption, lost data, call interception, possible exposure of sensitive information

Vulnerability: Unencrypted information is stored on the device.
Threat: In the event that a malicious outsider intercepts data in transit or steals a device, or if the employee loses the device, the data are readable and usable.
Risk: Exposure of sensitive data, resulting in damage to the enterprise, customers or employees

Vulnerability: Mobile devices may be lost or stolen due to their portability. Data on these devices are not always backed up.
Threat: In the event that the device is lost or stolen, outsiders can access the device and all of its data. Lost data may affect employee productivity.
Risk: Workers dependent on mobile devices unable to work in the event of broken, lost or stolen devices and data that are not backed up

Vulnerability: If no mobile device strategy exists, employees may choose to bring in their own, unsecured devices.
Threat: While these devices may not connect to the virtual private network (VPN), they may interact with e-mail or store sensitive documents.
Risk: Data exposure, resulting in damage to the enterprise and liability and regulation issues

Vulnerability: The device has no authentication requirements applied.
Threat: The enterprise is not managing the device.
Risk: Data leakage, malware propagation, unknown data loss in the case of device loss or theft

Vulnerability: The device allows for installation of unsigned third-party applications.
Threat: Applications may carry malware that propagates Trojans or viruses; the applications may also transform the device into a gateway for malicious outsiders to enter the enterprise network.
Risk: Malware propagation, data leakage, intrusion on enterprise network

Strategies for Addressing Mobile Device Risks


As mobile devices are becoming such a prominent tool in business operations, it is important for security managers to consider how to manage the risks associated with these devices. With the introduction of new mobile devices and platforms, IT professionals should update existing, or create new, mobile device strategies. Creating a mobile device strategy will help ensure that risks are accounted for and managed appropriately. Information security managers will need to think about issues such as organizational culture, technology and governance when creating the mobile device strategy.


In the policy that sets the strategy goals, the following issues should be considered:

- Defining allowable device types (enterprise-issued only vs. allowing personal devices, and types of devices such as BlackBerry or iPhone)
- Defining the nature of services accessible through the devices, taking into account the existing IT architecture
- Identifying the way people use the devices, considering the corporate culture as well as human factors and how the nondeterministic execution of processes through the use of mobile devices may lead to unpredictable risks
- Integrating all enterprise-issued devices into an asset management program
- Describing the type of authentication and encryption that must be present on the devices
- Outlining the tasks for which employees may use the devices and the types of applications that are allowed
- Clarifying how data should be securely stored and transmitted

Establishing a program that creates value for the business and properly leverages available technology while mitigating risks is very challenging. However, an enterprise strategy should always start with a comprehensive policy and finish with a full device life cycle support program. Security controls to consider should include strong (multifactor) authentication, data ciphering, warranty of application integrity, management of the service life cycle and traceability of usage for all mobile devices and applications used inside the enterprise infrastructure. The policy should be:

- Enforceable on varied devices
- Centrally managed by the enterprise itself
- Simple to implement and support
- Flexible for administering users and devices
- Focused on hindering loss or theft
- Auditable in all of its parts
- Tested and verified in disaster response
- Attentive to possible external threats

The use of built-in and commercially developed safeguards for protection of mobile devices should be promptly scheduled and deployed for a gradual mitigation of the associated risks. Commensurate with the risks, a holistic security management program for protection of mobile devices should become a key part of the overall security governance. The program for protection of mobile devices should ensure multilevel security for usage of such devices based on:

- User authenticity
- Application and platform integrity
- Data confidentiality
- Device trustworthiness

Figure 2 provides strategies to address risks. Mobile devices have the potential to become the biggest threat for leakage of confidential information. Their protection, very much neglected until now, will become a primary task for enterprises. Creating a transparent, understandable, flexible and executable policy to protect against risks related to the use of mobile devices will support management in its effort to protect intellectual property and sustain competitive advantage.



Figure 2: Strategies to Address Risks

Risk: A lost or stolen mobile device
Strategy: Implement a central management console for device remote control, i.e., location tracking, data wipe-out, password/PIN change or strong user authentication. Ensure that mobile devices are encrypted so information is unusable in the event of loss or theft.

Risk: Providing support to various devices
Strategy: Turn to cross-platform centrally managed mobile device managers.

Risk: Controlling data flow on multiple devices
Strategy: Secure the systems that are accessed with authorization, encryption and privileges control.

Risk: Preventing data from being synchronized onto mobile devices in an unauthorized way
Strategy: Monitor and restrict data transfers to handheld or removable storage devices and media from a single, centralized console.

Risk: Keeping up with the usage of the latest and greatest devices
Strategy: Create keen user awareness on information assets, risks and value to the enterprise.

Risk: Promoting accountability, responsibility and transparency with device usage
Strategy: Track the way devices are used, and provide regular feedback to management.

Risk: Demonstrating regulatory compliance
Strategy: Implement a central management console to manage all stages of asset management, from installation to retirement.

Governance and Change Issues With Mobile Devices


Deploying mobile devices cannot be addressed solely as a technical activity. It affects the daily operations of the employees; the organizational information flow; and, as a result, the business processes of the enterprise from many perspectives. For example, using mobile devices may:

- Slow down the daily tasks of a user due to communication problems. This may affect customer service and impact the implementation of the corporate strategy.
- Put corporate information at risk if the organizational culture dictates less attention to information security issues as a result of employees being used to working in a more controlled environment (office).
- Impede daily operations due to lack of employee familiarity with the additional security controls in place for protecting remote workers.
- Impact existing elements of the technical infrastructure. For example, a web filtering mechanism, a data leakage protection system or a logistics application as installed and configured may not be compatible with the mobile device introduced, leading to technical security risks or interoperability issues that affect a business process.
- Be affected by external factors, such as the maturity of the security products supporting mobile devices. For example, access to digitally signed e-mails by mobile phones or the need to encrypt specific information types in PDAs according to the local legal framework may not be supported by the vendor.

To ensure that the introduction of mobile devices in an enterprise serves the corporate strategy and objectives, it is imperative to utilize a proven framework such as COBIT. This framework should ensure that the technology:

- Brings added value by supporting corporate processes
- Is deployed in a manner that addresses the associated risks
- Fits the corporate culture
- Is compatible with the level of familiarity of the users with this technology
- Fits the technical architecture of the enterprise
- Considers external factors, such as product maturity and the legal framework
- Is supported by the appropriate resources, including required additional technologies, personnel effort (e.g., in information security), and support or consultancy services
- Is monitored from a corporate perspective by deploying the appropriate performance metrics



The approval and support for using a framework should be the responsibility of executives who have the appropriate authority and overall control of the enterprise strategy. It is this strategy that is impacted by the introduction of mobile devices to the organization. The framework should also take into account the uncertainty factor introduced by the deployment of mobile devices. As demonstrated above, the introduction of mobile devices may trigger impacts related to cultural, technical, human and process-related issues. This domino effect may also include unpredictable results in the operations of the enterprise, depending on its architecture. For this reason, the chosen framework should encourage user feedback mechanisms from all levels of the organizational hierarchy in order to identify possible side effects in a timely manner and respond accordingly.

Assurance Considerations for Mobile Devices


What can be done to improve the assurance professional's ability to show that the processes and policies associated with mobile devices provide trust in and value from their use and implementation? There are important considerations when reviewing mobile devices in nearly every phase of the audit process. Mobile devices usually are not under the full physical control of the enterprise. However, they still should be managed, controlled and secured by enterprisewide policies, standards and procedures. Audit professionals will naturally experience difficulties in verifying that controls and safeguards stated in the policies are efficiently implemented to protect against data leakage or loss.


Some special considerations that auditors should bear in mind when verifying the operational efficiency are:

- Policy: Does a security policy exist for mobile devices? Does it include rules for appropriate physical and logical handling? The enterprise should have a policy addressing mobile device use and specifying the type of information and kind of devices and information services that may be accessible through the devices.
- Antivirus updates: Auditors should verify that the enterprise updates the mobile device antivirus software to prevent perpetuation of malware.
- Encryption: Auditors should verify that any data labeled as sensitive are properly secured while in transit or at rest.
- Secure transmission: Auditors should determine whether mobile device users are connecting to the enterprise network via a secure connection. VPN, IP security (IPsec) or Secure Sockets Layer (SSL) can offer some levels of assurance.
- Device management: Auditors should determine whether there is an asset management process in place for tracking mobile devices. This asset management program should also detail procedures for lost and stolen devices as well as procedures for employees who have been terminated or have resigned from the enterprise.
- Access control: Auditors should verify that data synchronization of mobile devices is not set to receive access to shared files or network drives that contain data that are prohibited for mobile use by the policy.
- Awareness training: The auditor should verify that the enterprise has an awareness program in place that addresses the importance of securing the mobile devices physically and logically. The training should also make clear the types of information that can and cannot be stored on such devices.
- Risk: Mobile devices have the capability to store large amounts of data and present a high risk of data leakage and loss. As such, mobile device policies should be created and enforced to ensure that information assets are not exposed.



Providing assurance that an enterprise has implemented a sound mobile device strategy, including asset management, policy, technical controls and awareness training, will help the enterprise to be aware of the types of devices and traffic that are crossing the network, as well as how those devices are being used. At the time of writing this paper, there are no publicly available standards specific to mobile device management; however, frameworks such as COBIT and Risk IT can provide a strong foundation for technology management.


Conclusion
Technical innovation has paved the way for mobile device assimilation into the workplace. These devices have acted as a catalyst for improving efficiency, productivity and availability in business operations. While many enterprises have chosen to utilize this technology, they have often not considered the business risk or the governance implications associated with these devices. Loss, theft or corruption of sensitive or confidential data; malware that can affect not only the mobile device itself, but also the enterprise network; and the way in which employees use the devices are just a few of the risks involved with this type of technology. In addition to the governance and security that already exist within the enterprise, risks and associated controls (if they exist) that accompany this boundaryless technology must be assessed to ensure that enterprise information assets are protected and available. Enterprises that have been considering the use of mobile computing devices in their environment should calculate the benefits that the technology can offer them and the additional risks that are incurred. Once benefits and risks are understood, businesses should utilize a governance framework to ensure that process and policy changes are implemented and understood, and that appropriate levels of security are applied to prevent data loss.

Additional Resources and Feedback

Visit www.isaca.org/mobiledevices for additional resources and use the feedback function to provide your comments and suggestions on this document. Your feedback is a very important element in the development of ISACA guidance for its constituents and is greatly appreciated.
