Employees these days are buying consumer-oriented smartphones (such as the iPhone, Android, Windows Phone, and BlackBerry) that meet their needs, and then requesting that their IT departments support them in the corporate environment. Most of these mobile devices are targeted at the consumer market, which means that they can be inherently insecure in their default configuration.
One issue with these devices is that they constantly move between secure and insecure networks, which means that they can be exposed to network attacks without the owner being aware of it. Also, threats that traditionally only plagued computer operating systems can now attack smartphones when they're transmitted via email, web sites, SMS, IMs, or shady URL-shortening services.
Then there are other issues, such as companies having no way to control what type of sensitive and proprietary data might get stored on the devices, which means it can be lost or leaked. All IT departments can do is mitigate problems by enforcing security policies on the devices to protect the stored data.
The guidelines below should be used for all smartphones and other mobile devices like the iPad, as long as the platform supports them.
- Make sure the device has the latest firmware updates installed.
- Enable the following device policies:
  - Screen locking when the device is accessed
  - Remote data destruction if the phone is lost or stolen
  - Encryption of all data on the smartphone file system
  - Enforced use of strong passwords
  - Authorization/certificate security for connecting to corporate resources over VPN
  - Encrypted communication (WPA/WPA2 with certificates) when connecting to the corporate wireless network
  - Encrypted communication when connecting to corporate resources that are publicly accessible
- Create and enforce user policies and best practices for these devices. For example, if a phone is stolen, it should be reported to IT so it can be remotely wiped.
Note: Any iPhones that are “jailbroken” should not be allowed on the network. These phones are generally open to root password hacks.
- Firewalls – As of the writing of this article, there are no exploits that require a firewall to be installed on these devices, although this could become a necessary consideration in the future.
- Anti-Malware – The Android platform has had instances where malware has been released through applications that were installed on the device. It's worth noting that if an attack is sophisticated enough, it could infect an unsecured mobile device, then spread to other machines on a corporate network.
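
One way to turn the guidelines above into a network admission check, as an added example that is not part of the original article: each device record is graded against the listed device policies, a policy the platform cannot support is recorded as an exception rather than a failure, and a jailbroken device is denied outright. The field names, policy keys, decision labels and sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Policy keys are names assumed for this example; labels follow the guideline list.
REQUIRED = {
    "screen_lock": "screen locking",
    "remote_wipe": "remote data destruction",
    "storage_encryption": "file system encryption",
    "strong_password": "strong passwords",
    "vpn_certificate": "certificate security for VPN",
    "wifi_wpa_certificate": "WPA/WPA2 with certificates",
}

@dataclass
class Device:
    name: str
    firmware: tuple         # installed version
    latest_firmware: tuple  # newest version available for the model
    jailbroken: bool
    policies: dict          # key -> True/False, or None if the platform lacks it

def evaluate(dev):
    """Return (decision, findings) for one device posture record."""
    if dev.jailbroken:
        return "deny", ["jailbroken: not allowed on the network"]
    failed, unsupported = [], []
    if dev.firmware < dev.latest_firmware:
        failed.append("firmware is not the latest")
    for key, label in REQUIRED.items():
        state = dev.policies.get(key, False)  # unreported counts as disabled
        if state is None:
            unsupported.append(f"{label}: not supported by platform")
        elif not state:
            failed.append(f"{label}: not enabled")
    if failed:
        return "remediate", failed + unsupported
    return ("allow-with-exceptions" if unsupported else "allow"), unsupported

# Constructed sample inventory (not real devices or version numbers).
ALL_ON = dict.fromkeys(REQUIRED, True)
SAMPLE = [
    Device("phone-a", (2, 1), (2, 1), False, ALL_ON),
    Device("phone-b", (2, 0), (2, 1), False, {**ALL_ON, "remote_wipe": False}),
    Device("tablet-c", (3, 0), (3, 0), False, {**ALL_ON, "storage_encryption": None}),
    Device("phone-d", (2, 1), (2, 1), True, ALL_ON),
]

if __name__ == "__main__":
    for d in SAMPLE:
        print(d.name, *evaluate(d))
```

A policy missing from a device's report is treated as disabled, so an incomplete record can never pass by omission.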