Everyone has a smart phone. Everyone is downloading apps. Every day is “Bring your toy to work day.” Portable media introduces unique risks for which existing controls are less effective. What are these risks? Are they unique to your institution?
For those of you who have time, let’s run those pesky mobile devices through your trusted risk management framework and figure out if this Droid invasion is really anything to worry about. With the new year nearly upon us, now is the perfect time to perform an updated information security risk assessment and decide whether existing policies are sufficient or whether a new set of mobile security controls is needed.
Hold on, here we go:
1) System Characterization – Perhaps the most important component. What is the impact to the business if a critical system was unavailable or sensitive information was compromised? If the answer here is “no impact,” then the risk introduced by a new iPad is nonexistent. So, for the sake of argument, we will assume the system characterization is high.
2) Threat Identification – What possible threat-sources could originate from a little iPhone? Using the physical device (Mail in your business card for a free smart phone!) or any one of its supported apps, malicious users (on the Internet or in the parking lot) have yet another avenue to access your corporate network. Don’t forget about internal employees. How much sensitive information was immediately compromised when Gerald left the phone on the bus?
3) Vulnerability Identification – Out-of-date software, weak or non-existent passwords, poor physical security…the list is endless and will be changing constantly. Given the futility of eliminating every vulnerability, what control options are there?
4) Control Analysis – This is where dusting off all those old policies may provide some value. What works and what doesn’t? Prohibiting the use of portable media will not work. Creating a segmented wireless network to allow Internet access from your portable device may work. Asking users to not email confidential information will not work. Encrypting data in transit and storage may work. Are you doing anything more than relying on default vendor settings?
5) Likelihood Determination – My personal favorite. How likely is it that specific vulnerabilities could be exploited by specific threat sources? Based on this recent report that claims “More than 80 percent of Fortune 500 companies are ‘deploying or piloting’ the iPhone,” it appears the likelihood is increasing every day.
6) Impact Analysis – What kind and how much data is stored on the device when it is compromised? To what critical internal systems does it have access? If a vulnerability is exploited on a single device, does that mean all ten thousand throughout the enterprise are also compromised?
7) Risk Determination – Let’s look at a few threat-source/vulnerability pairs and factor in likelihood and impact.
i) A malicious attacker writes an app that dynamically replaces all the simple words in your email to make one sound smarter. Once the user downloads this “free” app, it also sends a copy of every email back to the author, including non-public financial forecasts that your company was not quite ready to release yet. Risk level is high.
ii) A doctor just downloaded a recent list of patient data to his iPad so he would have something to read on the plane to his vacation in Costa Rica. Several hours later he awakens and finds the device is gone. No authentication was enabled, and now the insurer is prosecuting the patient for false claims. Risk to the patient high, risk to the doctor high, risk to the insurer high, risk to the hospital high, etc.
8) Control Recommendation – What can we do to reduce the risk of both threats just described? Mitigating controls include anti-virus programs, restricting software available for download, better logging and monitoring systems, strong authentication, user awareness training, incident response…basically the same set of controls we have been living with in the enterprise all along.
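To make steps 7 and 8 concrete, here is an added example (not part of the original post) that scores the two threat-source/vulnerability pairs above on the numeric likelihood × impact scale from the original NIST SP 800-30 and then applies the step 8 controls to get a residual risk; the ratings and which factor each control reduces are hypothetical assumptions for illustration.

```python
from dataclasses import dataclass

# Numeric scale from the original NIST SP 800-30 (sec. 3.7): likelihood weight x impact score
LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}
LEVELS = ["low", "medium", "high"]


def risk_level(likelihood: str, impact: str) -> str:
    """Risk = likelihood x impact, bucketed as 1-10 low, >10-50 medium, >50 high."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    return "low" if score <= 10 else "medium" if score <= 50 else "high"


def lower(level: str) -> str:
    """Drop a qualitative level by one step, never below low."""
    return LEVELS[max(0, LEVELS.index(level) - 1)]


@dataclass
class Control:
    name: str
    reduces: str  # "likelihood" or "impact" (assumed primary effect of the control)


@dataclass
class Scenario:
    name: str
    likelihood: str
    impact: str


def residual_risk(s: Scenario, controls) -> tuple:
    """Return (inherent, residual) risk; each control drops its factor by one level."""
    inherent = risk_level(s.likelihood, s.impact)
    lik, imp = s.likelihood, s.impact
    for c in controls:
        if c.reduces == "likelihood":
            lik = lower(lik)
        else:
            imp = lower(imp)
    return inherent, risk_level(lik, imp)


# The two pairs from step 7 (hypothetical ratings): both start at high likelihood and high impact
EMAIL_APP = Scenario("free app forwards every email to its author", "high", "high")
LOST_IPAD = Scenario("unauthenticated iPad with patient data lost in transit", "high", "high")

# Controls from step 8, each tagged with the factor it is assumed to reduce
APP_WHITELIST = Control("restrict software available for download", "likelihood")
MONITORING = Control("logging and monitoring of outbound mail", "impact")
STRONG_AUTH = Control("strong device authentication", "impact")
ENCRYPT_AT_REST = Control("encryption of stored data", "impact")

if __name__ == "__main__":
    for s, ctrls in ((EMAIL_APP, [APP_WHITELIST, MONITORING]), (LOST_IPAD, [STRONG_AUTH, ENCRYPT_AT_REST])):
        print(s.name, *residual_risk(s, ctrls))
```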
To make a long story short, adjust current policies and procedures to incorporate these new assets and continue to manage the tightrope between security and business agility.