Luckily, Ivan and his team changed the password before anyone could log in with the stolen credentials and get access to the AcmeGizmo customer database, but this issue was a huge wake-up call that spotlighted the importance of endpoint security for mobile devices. The CEO of AcmeGizmo demanded that all mobile phones with access to corporate information be equipped with endpoint security software — immediately, and securely ever after.
Ivan started his search by re-evaluating the AcmeGizmo mobile device security policy. While developing this policy, Ivan had included a section on endpoint security. Sadly, he hadn’t yet gotten around to deploying a solution to actually secure those endpoint devices, which was a big mistake, given the amount of attention this recent incident got. After talking to IT admins at a few other enterprises and evaluating some vendor solutions, Ivan decided to equip AcmeGizmo mobile devices with these basic security features:
Antivirus
Personal Firewall
Antispam
Encryption
That finally got some good, solid, basic endpoint security to where it was needed. Ivan slept better afterward. But he still jumps a little when his smartphone rings.
Endpoint security
Several of these technologies are covered in the same solution that Ivan selected for AcmeGizmo’s VPN access: Junos Pulse. That solution provides the antivirus, personal firewall, and antispam capabilities that Ivan’s corporate security policy requires, making it easy for him to simply enable the functionality inside his network. And since the smartphones are already running Junos Pulse for VPN, there’s no need to distribute additional software or try to get the employees to download it. In addition, the tie-in to the SSL VPN allowed Ivan to implement policies that prohibit end users from connecting to the corporate network if endpoint security applications are not installed and running on their smartphones or tablet devices.
Had Ivan already installed and enabled this solution, the phishing application that found its way into the executive’s smartphone would have been neutralized and removed before the executive could even attempt to input the username and password that the hacker wanted to steal. This would have saved a lot of trouble.
Ivan decided to implement the antispam functionality (in addition to the personal firewall and antivirus functionality) primarily because he anticipates that voice and SMS/MMS spam will become a problem for AcmeGizmo employees in the future. He hasn’t yet heard overwhelming demand for such a solution, but he’s (understandably) vigilant: There have been a few complaints, and he’s been reading in trade journals that these types of spam are becoming more prevalent. The antispam functionality provides additional coverage, supplementing the antispam solution that protects AcmeGizmo’s Microsoft Exchange Server (which processes the corporate e-mail).
Device encryption
Ivan has also decided to implement encryption on AcmeGizmo mobile devices. (Smart guy, Ivan.) Since sensitive corporate data is stored not only on the primary smartphone disc but also on removable media such as SD cards, Ivan created a policy that covered both those hardware components.
He surveyed the various devices and operating systems in use across the company, and he quickly found that some of those devices had native or built-in encryption capabilities, while others required additional third-party software in order to encrypt.
On platforms where encryption was native, Ivan configured the AcmeGizmo Mobile Device Management (MDM) solution to ensure that each device complied with the encryption policy. On other platforms, Ivan had to purchase a third-party software solution to enable device encryption. As with the native devices, Ivan made sure that both the on-device disc and any removable media were protected by the encryption product.
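The two rules Ivan set up (no network connection unless the endpoint security applications are installed and running, and encryption on both on-device storage and removable media) can be sketched as one posture check. This is an added example, not code from the book or from Junos Pulse or any MDM product; the report layout and field names are hypothetical, and it assumes the gateway receives the encryption status together with the service status.

```python
REQUIRED_SERVICES = ("antivirus", "personal_firewall", "antispam")


def posture_violations(report):
    """Return every policy requirement the report fails; an empty list means compliant.

    Anything missing or not literally True counts as a failure (fail closed).
    """
    failures = []
    services = report.get("services", {})
    for name in REQUIRED_SERVICES:
        state = services.get(name, {})
        if state.get("installed") is not True:
            failures.append(f"{name}: not installed")
        elif state.get("running") is not True:
            failures.append(f"{name}: installed but not running")

    storage = report.get("storage", {})
    if storage.get("internal_encrypted") is not True:
        failures.append("internal storage: not encrypted")
    # A report that omits the card slot is treated as if a card were present.
    if storage.get("removable_present", True) is not False:
        if storage.get("removable_encrypted") is not True:
            failures.append("removable media: not encrypted")
    return failures


def admit_to_vpn(report):
    """Gateway decision: connect only when no requirement is violated."""
    return not posture_violations(report)


def _svc(installed=True, running=True):
    return {"installed": installed, "running": running}


# Constructed sample reports (hypothetical field names, not a vendor format).
COMPLIANT = {
    "device_id": "phone-001",
    "services": {n: _svc() for n in REQUIRED_SERVICES},
    "storage": {"internal_encrypted": True, "removable_present": True,
                "removable_encrypted": True},
}
AV_STOPPED_CARD_PLAIN = {
    "device_id": "phone-002",
    "services": {"antivirus": _svc(running=False),
                 "personal_firewall": _svc(), "antispam": _svc()},
    "storage": {"internal_encrypted": True, "removable_present": True,
                "removable_encrypted": False},
}
NO_CARD = {
    "device_id": "tablet-003",
    "services": {n: _svc() for n in REQUIRED_SERVICES},
    "storage": {"internal_encrypted": True, "removable_present": False},
}
INCOMPLETE = {"device_id": "phone-004", "services": {"antivirus": _svc()}}

if __name__ == "__main__":
    for r in (COMPLIANT, AV_STOPPED_CARD_PLAIN, NO_CARD, INCOMPLETE):
        print(r["device_id"], "ADMIT" if admit_to_vpn(r) else "DENY", posture_violations(r))
```

Returning the full list of violations rather than a bare yes or no lets the help desk tell a user exactly what to fix before reconnecting.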
Flash forward
Several weeks later, Alvin from Accounting downloaded a malicious application from a shady website to his smartphone. Fortunately, the antivirus solution detected that application, saving Alvin (and Ivan) from the embarrassment of another malware incident on one of the company smartphones. This was very fortunate because (as is the case with more smartphones all the time) the AcmeGizmo smartphones contained sensitive corporate data. Alvin’s device, for example, contained all the company financial data from the recent quarter, because he wanted to review some of it while on vacation with his family.
Not only is the device protected from malware, but the encryption — along with the capability to wipe the device remotely if Alvin were to lose it — also has Ivan sleeping much better at night. Especially when he can turn off his smartphone.
Chapter 11
Protecting Against Loss and Theft
In This Chapter
Protecting personal and corporate data on smartphones
Remotely locking or wiping a smartphone if it’s lost or stolen
Remotely setting off an alarm on a smartphone or locating it via GPS
Detecting changes to the SIM card
Developing an enterprise-wide loss and theft action plan
Identity thieves look for easy pickings on smartphones — devices that can be unlocked without a password or apps that have stored passwords. These types of weaknesses can let a thief access critical information easily on a device and steal personal and corporate contacts, data, and other information without breaking a sweat.
This chapter covers the services available to protect users’ personal and corporate data from thieves. If a user’s phone has been lost or stolen, she can take actions to prevent a thief from stealing the data on that phone. For example, she can first try to find the phone using GPS. If she’s unable to locate it using GPS, she can remotely lock the device so a thief can’t unlock it and access the data on it. Other options include remotely setting off a loud alarm that the thief can’t turn off, obviously attracting attention to the person carrying the stolen phone. These services can alleviate a lot of anxiety for users (and you!) in the case of a lost or stolen phone.
In this chapter, we cover both consumer-grade and enterprise-class solutions to protect mobile devices from loss and theft. Additionally, we look at how a corporate loss and theft protection plan should be deployed across an enterprise.
Taking Precautions before Loss or Theft
As an administrator managing mobility for an enterprise environment, you want to enforce certain policies for all personal devices being used at work, especially if your IT policy allows personal devices to access network resources.
Here are some precautions you should advise users to take to prevent losing vital data on a smartphone if it’s ever lost or stolen:
Add a device password. Every smartphone needs to be protected by a password. Not setting one is simply too risky, because a thief can easily access all the phone’s information without having to guess the password. Also, users need to make sure that the phone is set to lock automatically after a certain duration of inactivity.
Back up often. The contents of the device must be backed up regularly, including photos, contacts, and videos. In the unfortunate circumstance that the device is lost, the phone’s contents may need to be wiped remotely to prevent a thief from accessing the information. As an IT administrator, you can choose to either deploy a corporate backup and restore system or advise users to manage their own backups and restoration. Having backups is particularly useful if a user loses his device and the device needs to be remotely wiped. When the user gets a new device to replace the lost one, the backed up data can easily be restored to the new device.
Chapter 12 describes backups and restorations in more detail, and in Chapter 15, we discuss several commercial enterprise solutions for mobile backups.
Store the device’s IMEI number. The device’s IMEI, or International Mobile Equipment Identity, is a 15-digit number that uniquely identifies it. Carriers use this number to identify and track the device. Ask device owners to locate the IMEI number using appropriate techniques for their phones and store it in a safe place. Different devices have different techniques for locating the IMEI number. For example, an iPhone’s IMEI number can easily be retrieved by using iTunes.
Deploy antitheft services. Several carriers offer insurance or other antitheft services for smartphones, including the ability to remotely lock, locate, or wipe devices. Device owners can purchase many such services from the carrier directly. Some device vendors also offer these services for their specific device types. For example, HTC offers HTC Sense with the ability to remotely lock or wipe devices. Apple’s MobileMe is another example of a service that device owners can deploy themselves.
Enterprise-grade services are available from vendors like Good Technology, McAfee, Juniper, and many others. The Junos Pulse solution from Juniper includes corporate remote access along with mobile antitheft and security services. Depending on the scale and nature of your need, you’ll find an appropriate solution out there. Chapter 15 discusses such solutions in more detail, so be sure to check it out.
The difference between a personal (consumer) solution and an enterprise-ready solution is that the latter lets you — the IT administrator — enforce mobile policies from a central management console. A personal solution relies solely on users doing the “right thing” in terms of setting passcode policies or remotely wiping the device if it’s been lost or stolen.
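When users report their IMEI numbers for safekeeping, as advised in the list above, the records are worth checking before they are filed, because a mistyped IMEI is useless to a carrier after a loss. The following added example (not from the book) relies on a fact the chapter does not mention: the last of the 15 digits is a Luhn check digit. The owner names and inventory rows are constructed sample data.

```python
import re


def luhn_valid(digits):
    """Luhn check: double every second digit from the right, sum, test mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_imei(raw):
    """Strip common separators; return the 15-digit IMEI, or None if it is not valid."""
    cleaned = re.sub(r"[\s\-/.]", "", raw)
    if not re.fullmatch(r"[0-9]{15}", cleaned):
        return None
    return cleaned if luhn_valid(cleaned) else None


def audit_inventory(records):
    """records: iterable of (owner, raw_imei). Returns (accepted dict, rejected list)."""
    accepted, rejected, seen = {}, [], {}
    for owner, raw in records:
        imei = normalize_imei(raw)
        if imei is None:
            rejected.append((owner, raw, "not a valid 15-digit IMEI"))
        elif imei in seen:
            # The same IMEI filed for two people means one entry is wrong.
            rejected.append((owner, raw, f"duplicate of entry for {seen[imei]}"))
        else:
            seen[imei] = owner
            accepted[owner] = imei
    return accepted, rejected


# Constructed sample submissions; the IMEIs are illustrative test values.
SAMPLE_RECORDS = [
    ("user-a", "49-015420-323751-8"),   # valid, typed with separators
    ("user-b", "356938035643809"),      # valid
    ("user-c", "490154203237517"),      # last digit mistyped
    ("user-d", "4901542032375180"),     # 16 digits, not an IMEI
    ("user-e", "490154203237518"),      # same device as user-a
]

if __name__ == "__main__":
    ok, bad = audit_inventory(SAMPLE_RECORDS)
    print(ok)
    for row in bad:
        print("REJECTED", row)
```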
Educating Users about Securing Data on a Lost Phone
Despite your (and your users’) best attempts to prevent the loss or theft of a device, it does happen. If a user loses a device accidentally, there are ways to minimize the potential damage. Here’s a list of actions to ask users to take to prevent access to the data on their lost phone:
Inform your mobile carrier that you’ve misplaced your smartphone or tablet (if it’s a 3G-enabled device).
Locate the device using GPS.
Remotely lock the device so the thief can’t unlock it.
Remotely set off a loud alarm on the device.
Remotely wipe the device’s contents and reset it to the factory default settings.
Detect SIM card changes on the device.
How users protect a mobile device like a smartphone or tablet from loss and theft depends on the type of device and the operating system it runs. Nearly every mobile operating system has its own way of providing loss and theft protection. If your organization supports personal devices within the workplace, the choices of devices and options to enforce protection from loss and theft can be intimidating.
Consumer-grade, as well as enterprise-class, solutions are available to protect mobile devices. In the following sections, we focus on consumer-grade services. If you are an administrator looking to protect thousands of mobile devices at work, an enterprise-grade solution is a better option. For more information, check out “Exploring Enterprise-Grade Solutions for Various Platforms” later in this chapter.
In the sections that follow, we highlight some of the leading platforms and devices and talk about the availability of loss and theft protection services for your users. If you’re not deploying an enterprise-grade solution, this is what you should recommend to your users.
Protecting personal Apple iOS devices
Apple offers a sophisticated solution that users can employ to protect personal iOS devices such as iPhones, iPads, and iPod touch devices. Apple’s Find My iPhone service is a feature in MobileMe, and it’s also available for free for iPhone 4 users and iPad and iPod touch devices.
At the time of this book’s writing, Apple was transitioning its MobileMe product and service to its new iCloud product, and Apple was still a little nebulous about all the details. Depending on when you’re reading this book, the product could still be MobileMe, or it could have its new name and feature set. Rather than go off of rumors about an unreleased but announced product, we just refer to MobileMe throughout this chapter. If the URLs provided change, we’re fairly certain that Apple will redirect you to the proper pages. So MobileMe/iCloud, here we go.
MobileMe requires users to register at www.apple.com/mobileme with an Apple ID. After they’ve registered their device (per the instructions described by Apple at the preceding web page), they can locate, lock, or wipe devices remotely. The following actions available in MobileMe are key to protecting Apple iOS devices:
Locate lost devices using GPS. Locating a lost device using GPS is perhaps the first step that users might take if they lose their smartphone. Apple’s MobileMe Find My iPhone service provides this feature as long as the device is registered for it. Figure 11-1 shows what users see on their computer screen when searching for an iPhone with MobileMe.
Remotely lock or wipe the device. Another option is to lock the device remotely so the person who has the phone can’t retrieve the contents from it. This is especially critical if the user hasn’t set up a password for the phone.
Apple’s MobileMe provides this option. Users need to log in to MobileMe via a web browser. Once logged in, they simply select the action to remotely lock the device. (See Figure 11-1.) The device remains locked until the user chooses to unlock it again from the same web page.
If the user feels that the device is indeed lost, the best course of action may be to simply wipe its contents to prevent any data from falling into the wrong hands. In that case, the same service allows the user to remotely wipe the device, thereby resetting it to the factory default state.
Remotely play a sound or message. If the user can’t find the phone, he might want to play a sound on the lost device to attract attention to it, or simply display a message on it, something like “I’ve lost my iPhone; if you find it, please call me at 555-555-5555.” Both options are available via MobileMe. The user needs to log in to the MobileMe service on a computer and set a message to be displayed or select a sound to be played on the device. (See Figure 11-2.)
Figure 11-1: Locating an iPhone with MobileMe.
Figure 11-2: Setting a remote message on an Apple iPhone.
Protecting personal Symbian devices
Devices running Symbian include Nokia’s smartphones, such as the N-series and E-series devices. These smartphones run the Symbian mobile operating system. Users can take the following actions to protect their personal devices from loss or theft:
Locate the lost device using GPS. When a Symbian phone is first purchased, the user should inquire with the wireless carrier whether a GPS locating service is available. Some carriers offer services for various types of phones for a nominal monthly or annual charge.
Alternatively, vendors like McAfee WaveSecure or Kaspersky offer online services that users can buy to help locate Nokia devices. These services largely work in the same way as MobileMe for Apple iOS devices: They provide a web-based interface that users can log in to, in order to locate the missing phone. These services typically cost $20–30 per year and can help alleviate panic when a phone is lost.
Remotely lock or wipe the device. If the user is unable to find the device using GPS, many Symbian devices have built-in capabilities to remotely lock the device or remotely wipe it and reset it to factory default settings. The device can also be wiped automatically if a wrong passcode is entered too many times. These settings are built into the device itself and can be activated easily.
To set up remote locking and wiping before the device is lost or stolen, users must do these two things: enable remote locking and set a wipe message. The steps are somewhat different depending on which device the users own, so they may need to check the device’s documentation for clarification. If it’s an N97 phone, for example, users should go to Settings⇒Phone⇒Phone Mgmt.⇒Security Settings⇒Phone and SIM card. Users then see a Remote Phone Locking option that can be either enabled or disabled, as shown in Figure 11-3.
Enabling that setting activates this feature, which works by sending an SMS message from another phone to the lost phone with a message — like “wipephone” — that the user has set on the phone. Once the setting is activated, the user can remotely lock or wipe the device by sending an SMS message with the text he configured on the device.
Wiping the device removes all personal contents from the device, leaving it in a factory-default state. This makes regular backups all the more important. Regular backups can save the user in such situations by enabling him to restore to a previously saved configuration.
Remotely set off an alarm. If a user can’t find his lost Symbian device, he may want to remotely set off alarms on it. Many Symbian devices have built-in capabilities to remotely wipe the device when a SIM card change is detected. This prevents a thief from simply removing the phone’s SIM card and replacing it with a different one. When such a change is attempted, the device wipes its own contents, thereby preventing any personal data from being visible to the thief.
Even if the person is left with a stolen Nokia device with factory default settings, no personal data is compromised. At the end of the day, that’s what matters to prevent identity fraud from occurring. Users can check the device’s documentation for information on how to set a remote alarm.
Figure 11-3: Phone and SIM card settings on a Symbian phone.
Protecting personal Android devices
Google’s Android operating system powers a number of smartphones and other devices from various handset manufacturers. Vendors such as Motorola, Samsung, and HTC make several devices that run the Android operating system. The user’s ability to remotely control Android devices largely depends on the type of Android device. We show you the options available to protect some of the leading Android devices from loss and theft.
Mobile Device Security For Dummies Page 26