Sophos released our "Security Threat Report: 2010" today and one of the more interesting statistics shows how awful users are at protecting their mobile devices.
At recent conferences, I have heard many administrators discussing their plans to roll out full disk encryption solutions to all of their mobile devices. When I ask whether that includes their phones, they look surprised.
Next to USB keys, mobile phones, most of which are smartphones, are the items most often misplaced, lost or stolen. Almost every organization is hooked on them, whether they are iPhones, BlackBerries, or Windows Mobile devices. From our pockets, we access confidential email, customer relationship management systems, intranets and all sorts of sensitive documents.
As we discuss on our recently updated page "iPhone vs. BlackBerry: A mobile device comparison", there are many different options to encrypt mobile phones. The two primary considerations concerning encryption are whether the device offers secure transport over the internet, and whether the data is stored securely on the device in case it is lost or stolen. Here are some tips for each of the major smartphone platforms:
- BlackBerry: When using a BES server, configure your policies to send all traffic back through your network and disallow direct TCP connections. This ensures your traffic is encrypted to and from your own network. BlackBerries also meet FIPS 140-2 standards for encrypting data stored on the device. Ensure your BlackBerry policy enforces secure password restrictions to protect devices that go missing before you can remotely wipe them.
- iPhone: Of the iPhone devices, only the iPhone 3GS offers on-device hardware encryption. Make sure you are using 3GS devices in your environment for proper data protection. To enable encryption functionality, turn on the corresponding ActiveSync setting in your policy. It's best to train users to use the built-in VPN client to secure data in transport and to enforce surfing policies. One weakness in iPhone devices is the ability for others to see the simple four-digit security code. Train staff to shield their PIN as if they were using an ATM. Note: iPhone is not FIPS 140-2 certified.
- Windows Mobile: Windows Mobile only offers AES128 encryption, not the AES256 offered by BlackBerry and iPhone. This is not a major issue, but if you have compliance requirements it could be a factor. Windows Mobile can encrypt SD cards if you enable a setting in the security control panel. It can also encrypt stored data in My Documents, email, and contacts through an MS Exchange policy. Windows Mobile is FIPS 140-2 certified and offers VPN connectivity via PPTP (don't use this!) and IPsec. Note: Windows Mobile does not offer the ability to back up encryption keys.
- Google Android: Google's 2008 entry into the smartphone market is still relatively immature for the enterprise environment. At this time the devices do not offer any centralized management, policies, or encryption capabilities. Third parties do offer some solutions, but we expect Google to advance their offering as adoption continues to increase.
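For the iPhone and Windows Mobile tips above, the enforcement point is an Exchange ActiveSync mailbox policy. The following is an added example, not code from the original post or from Sophos, showing how such a policy is created, assigned to a pilot group, verified, and used for a remote wipe from the Exchange Management Shell (Exchange 2007 SP1 or 2010 cmdlets). The policy name, group name and device identity are placeholders.

```powershell
# Added example (not from the original post): an Exchange ActiveSync mailbox
# policy that enforces the on-device protections discussed above.
# Assumes the Exchange Management Shell (Exchange 2007 SP1 or 2010).
# Policy name, group name and device identity below are placeholders.

$policyName = "Mobile-Encryption-Required"
$pilotGroup = "Mobile Pilot Users"

# 1. Create the policy. Each setting maps to one of the tips above:
#    - DevicePasswordEnabled / Alphanumeric / MinDevicePasswordLength:
#      something stronger than a shoulder-surfable four-digit PIN
#    - MaxDevicePasswordFailedAttempts: local wipe after repeated wrong PINs,
#      so a lost device is protected before the remote wipe reaches it
#    - MaxInactivityTimeDeviceLock: auto-lock so a pocketed phone is not left open
#    - RequireDeviceEncryption / RequireStorageCardEncryption: on-device and
#      SD card encryption (the Windows Mobile storage card setting mentioned above)
#    - AllowNonProvisionableDevices $false: devices that cannot accept every
#      setting are refused rather than silently allowed to sync
New-ActiveSyncMailboxPolicy -Name $policyName `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 6 `
    -MaxDevicePasswordFailedAttempts 8 `
    -MaxInactivityTimeDeviceLock 00:05:00 `
    -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true `
    -AllowNonProvisionableDevices $false

# 2. Assign the policy to every mailbox in the pilot group.
Get-DistributionGroupMember -Identity $pilotGroup |
    ForEach-Object {
        Set-CASMailbox -Identity $_.Identity -ActiveSyncMailboxPolicy $policyName
    }

# 3. Verify which devices actually applied it. Anything other than
#    "AppliedInFull" in DevicePolicyApplicationStatus is a gap to follow up.
Get-DistributionGroupMember -Identity $pilotGroup |
    ForEach-Object { Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity } |
    Select-Object DeviceType, DeviceModel, DevicePolicyApplied,
                  DevicePolicyApplicationStatus, LastSuccessSync |
    Format-Table -AutoSize

# 4. When a device goes missing, issue a remote wipe. The identity is a
#    placeholder; take the real value from the Identity column returned by
#    Get-ActiveSyncDeviceStatistics for the affected mailbox.
# Clear-ActiveSyncDevice -Identity "<lost-device-identity>" -Confirm:$false
```

Step 3 is the check that matters in practice: a policy that exists on the server protects nothing until each device reports it as applied, and the local-wipe threshold in step 1 is what covers the window between a phone being lost and the wipe in step 4 being issued.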
Don't forget your cell phones, handies, or mobiles when considering your data protection strategies. If you would like more information on the Sophos Security Threat Report: 2010, listen to the podcast Carole and I recorded.