This first-in-a-series guide gives you brief and easy recommendations on policies you can set at your organization to secure mobile devices, mitigate mobile threats, and secure company data.
To download a free Mobilsafe demo, click here: http://information.rapid7.com/mobilisafe-demo.html?LS=1428723&CS=Web
2. Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.com
Mobile Security Guide: Policies To Mitigate Device Threats
In order to protect corporate data and resources from mobile device security threats, it’s critical to have device security policies in place—as well as processes and tools to ensure their effectiveness. Some of the greatest threats to corporate data from mobile device use can occur via:
- Lost/stolen devices and terminated employees
- Employee behavior: leaking corporate data into mobile apps, like Dropbox and Evernote
- Jailbroken devices
- Trojans that infect devices, such as DroidDream
- Employees unknowingly installing abusive apps that leak contact, calendar, and location data, like prior versions of LinkedIn and Path
- Phishing attacks via SMS and email
- Sniffing and man-in-the-middle attacks from using unprotected networks
Device Security Recommendations
In order to mitigate the above mobile device threats, we recommend the following policies and practices.
Password Policies
These policies specify that a password is required to unlock the mobile device on being powered on or upon waking from an idle state. This policy can help protect in lost and stolen device scenarios.
There are 4 key elements to an effective password policy:
- Length
- Complexity
- Timeout duration before a password is required
- Failed attempts before a reset
There is a balance to strike here between making sure the password cannot easily be guessed (through minimum password strength requirements) and making sure that the complexity requirements do not annoy end users. Specifying the timeout duration is part of this balance as well: if the duration is set too short, users will be annoyed by repeated password entries, and if it is too long, the device is more exposed after being stolen or lost. You can also specify the number of failed password attempts before a device is wiped. This policy is particularly tricky, as your acceptable use policy must make the consequences of failed password entry clear: a full device wipe will erase all personal and corporate data on the device. There are numerous examples of an employee’s child getting hold of a locked device and accidentally entering incorrect passwords until the device wiped itself.
Recommendation: At a minimum, require a numeric password that is at least four digits long.
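The four password elements above map directly onto an Exchange ActiveSync mailbox policy, which is where the guide's later sections expect the policy to be enforced. The following is an added example, not code from the Rapid7 guide; it assumes an Exchange Management Shell session (Exchange 2013 or later, or Exchange Online) and uses hypothetical names for the policy ("Mobile-Baseline") and mailbox ("jdoe@example.com").

```powershell
# Added example (not from the Rapid7 guide): one ActiveSync mailbox policy that
# sets each of the four password elements. Policy and mailbox names are hypothetical.
$policy = @{
    Name                         = 'Mobile-Baseline'  # hypothetical policy name
    PasswordEnabled              = $true       # a password is required to unlock the device
    MinPasswordLength            = 4           # 1. length: the guide's minimum of four characters
    AlphanumericPasswordRequired = $false      # 2. complexity: a numeric PIN is acceptable...
    AllowSimplePassword          = $false      # 2. ...but trivial patterns such as 1234 or 1111 are rejected
    MaxInactivityTimeLock        = '00:05:00'  # 3. timeout: lock the device after five idle minutes
    MaxPasswordFailedAttempts    = 10          # 4. failed attempts before the device wipes itself
}
New-MobileDeviceMailboxPolicy @policy

# Assign the policy to a mailbox; the device picks it up on its next sync and
# must apply it before it is allowed to continue syncing corporate data.
Set-CASMailbox -Identity 'jdoe@example.com' -ActiveSyncMailboxPolicy $policy.Name

# Verify the stored values match what the acceptable use policy promises users.
Get-MobileDeviceMailboxPolicy -Identity $policy.Name |
    Format-List PasswordEnabled, MinPasswordLength, AlphanumericPasswordRequired,
                AllowSimplePassword, MaxInactivityTimeLock, MaxPasswordFailedAttempts
```

The trade-off the guide describes is visible in the last two values. A four-digit numeric PIN has 10,000 combinations; with ten failed attempts allowed before the wipe, someone who finds the device gets at most ten guesses, a 0.1% chance of success if the PIN was chosen uniformly (rejecting simple passwords removes the patterns most likely to be tried first). Raising the attempt count or lengthening the inactivity timeout is friendlier to users and correspondingly weaker in the lost-device scenario, so any change to these two values should be reflected in the AUP wording about wipes.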
Encryption
This policy enables whole-device encryption on Android 3.0+ devices. It can help protect company data in lost and stolen device scenarios: an attacker who gets hold of a device and attempts to read its stored data without the encryption PIN would recover only undecipherable data. iOS 4.0+ devices support encryption by default out of the box, and enabling this policy while disallowing non-provisioned devices will prevent iOS devices running earlier versions from accessing corporate data.
Recommendation: Enable encryption, but be cognizant of devices that fail to meet the minimum platform version requirements to support the policy.
Remote Wipe
This isn’t a specific device policy that has to be configured, but it is a device security recommendation that requires language in the acceptable use policy to cover this capability. When devices authenticate with Exchange to access corporate data, they will be required to allow remote wipe operations in order to sync data to the device.
Recommendation: Establish clear, easy-to-understand language in the company’s Acceptable Use Policy (AUP) about when the company is permitted to remotely wipe a device and reset it to factory state.
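The Encryption and Remote Wipe sections both come down to ActiveSync policy and device management operations. The block below is an added example, not code from the Rapid7 guide: it requires encryption on a hypothetical existing policy ("Mobile-Baseline"), refuses devices that cannot fully apply the policy (the "disallowing non-provisioned devices" step), shows how to see which devices will be affected before enforcing, and ends with the remote wipe operation the AUP has to cover. It assumes an Exchange Management Shell session; the mailbox, notification address and device ID placeholder are hypothetical.

```powershell
# Added example (not from the Rapid7 guide). Assumes a policy named
# 'Mobile-Baseline' already exists; all names below are hypothetical.

# Require whole-device encryption. With AllowNonProvisionableDevices = $false, a
# device whose platform cannot enforce every setting (for example one below the
# version the guide cites) is refused sync instead of connecting with a
# partially applied policy.
Set-MobileDeviceMailboxPolicy -Identity 'Mobile-Baseline' `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# Before enforcing, review the devices on a mailbox: the reported OS tells you
# which ones fall below the platform minimum, and DeviceAccessState shows whether
# they are currently Allowed, Blocked or Quarantined.
Get-MobileDevice -Mailbox 'jdoe@example.com' |
    Select-Object DeviceModel, DeviceOS, DeviceAccessState, DeviceId

# Confirm the policy the device actually applied and whether it applied fully.
Get-MobileDeviceStatistics -Mailbox 'jdoe@example.com' |
    Select-Object DeviceModel, DevicePolicyApplied, DevicePolicyApplicationStatus, LastPolicyUpdateTime

# Remote wipe: this is the capability the AUP language must cover. Select the
# device by its ID (placeholder here), then issue the wipe. -AccountOnly removes
# only the corporate account data; omit it to reset the device to factory state,
# which also erases the user's personal data. The cmdlet prompts for confirmation.
$device = Get-MobileDevice -Mailbox 'jdoe@example.com' |
    Where-Object { $_.DeviceId -eq 'DEVICE-ID-PLACEHOLDER' }
Clear-MobileDevice -Identity $device.Identity -AccountOnly -NotificationEmailAddresses 'secops@example.com'

# Afterwards, the statistics show when the wipe was requested, sent and acknowledged.
Get-MobileDeviceStatistics -Identity $device.Identity |
    Select-Object DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime
```

Run the two listing commands across affected mailboxes before flipping AllowNonProvisionableDevices, since the guide's caveat about older platforms shows up as devices moving to a blocked state with no further warning to the user. Whether to use -AccountOnly or a full wipe is exactly the decision the AUP should spell out in advance, because the full wipe erases personal data along with corporate data.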
Peripheral Management
There are a variety of peripherals on smartphones today, including GPS, NFC, Bluetooth, and cameras. There are a number of device security policies that can be used to ensure these peripherals are not used.
Recommendation: Unless your organization is in an extremely information-sensitive industry (e.g., Defense), skip policies that disable peripherals for employees bringing in personal devices.
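One way to follow the recommendation without giving it up entirely is to keep peripherals enabled in the general policy and disable them only in a second policy scoped to the information-sensitive group. This is an added example, not code from the Rapid7 guide; it assumes an Exchange Management Shell session, a hypothetical existing baseline policy ("Mobile-Baseline") whose peripheral settings are left at their permissive defaults, and hypothetical names for the restricted policy and group.

```powershell
# Added example (not from the Rapid7 guide). All policy, group and mailbox names
# are hypothetical.

# The personal-device baseline leaves peripherals alone; confirm the defaults
# rather than assuming them.
Get-MobileDeviceMailboxPolicy -Identity 'Mobile-Baseline' |
    Select-Object AllowCamera, AllowBluetooth, AllowStorageCard

# A separate policy for the sensitive group: same password floor as the
# baseline, but camera, Bluetooth and removable storage disabled.
New-MobileDeviceMailboxPolicy -Name 'Mobile-Sensitive' `
    -PasswordEnabled $true `
    -MinPasswordLength 4 `
    -AllowCamera $false `
    -AllowBluetooth Disable `
    -AllowStorageCard $false

# Apply the restricted policy only to members of the sensitive group; everyone
# else stays on the baseline, which remains the default policy.
Get-DistributionGroupMember -Identity 'Defense-Program-Staff' |
    ForEach-Object {
        Set-CASMailbox -Identity $_.PrimarySmtpAddress -ActiveSyncMailboxPolicy 'Mobile-Sensitive'
    }
Set-MobileDeviceMailboxPolicy -Identity 'Mobile-Baseline' -IsDefault $true

# Check which policy a given user's devices ended up with.
Get-MobileDeviceStatistics -Mailbox 'jdoe@example.com' |
    Select-Object DeviceModel, DevicePolicyApplied, DevicePolicyApplicationStatus
```

Scoping the restrictive policy to a group keeps the trade-off explicit: the people who carry the restrictions are the ones whose data justifies them, and anyone else who brings a personal device is not asked to give up the camera or Bluetooth. Note that the policy only controls what the device is asked to enforce; a platform that cannot honor a setting is handled by the non-provisionable device rule from the Encryption section.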
3rd Party App Stores
Malware is rampant in 3rd party app stores, and downloading content from these sources presents a significant risk to corporate data and resources. While Android does not support remote management of access to 3rd party app stores, and users with jailbroken iOS devices can gain access to 3rd party app stores, it is critical to establish written policies that are clear and easy to understand so employees are educated about the risks. This can be taken a step further by starting to inventory the applications on employee mobile devices.
Recommendation: Establish clear, easy-to-understand language in the company acceptable use policy about not allowing employees to access and download content from unauthorized app stores.
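Since the section notes that Android cannot block third-party stores by policy, the practical control is the inventory step it mentions. Android's package manager records which installer placed each app, and `pm list packages -i` prints one line per package in the form `package:<name>  installer=<installer package or null>`; Google Play installs report `com.android.vending`. The block below is an added example, not code from the Rapid7 guide: it parses that output (the sample lines are constructed, not captured from a real device) and reports apps that did not come from the official store. The system-app heuristic and the list of trusted installers are assumptions to adjust for your fleet.

```powershell
# Added example (not from the Rapid7 guide). Flags apps in an Android package
# inventory that were not installed from the official store. Input is in the
# format produced by `adb shell pm list packages -i`; these lines are constructed.
$inventory = @'
package:com.android.chrome  installer=com.android.vending
package:com.example.notes  installer=null
package:com.example.game  installer=com.thirdpartystore.client
package:com.android.settings  installer=null
'@ -split '\r?\n'

# Installers considered legitimate (assumption: Google Play only).
$trustedInstallers = @('com.android.vending')
# Preinstalled system packages report installer=null; this prefix check is a
# simple heuristic, not a guarantee, and should be tuned per device model.
$systemPrefixes = @('com.android.')

function Get-UntrustedApps {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -notmatch '^package:(?<pkg>\S+)\s+installer=(?<inst>\S+)') { continue }
        $pkg  = $Matches.pkg
        $inst = $Matches.inst
        if ($trustedInstallers -contains $inst) { continue }
        if ($systemPrefixes | Where-Object { $pkg.StartsWith($_) }) { continue }
        [pscustomobject]@{
            Package   = $pkg
            Installer = $inst
            Finding   = if ($inst -eq 'null') { 'sideloaded (no installer recorded)' } else { 'installed from third-party store' }
        }
    }
}

# Expected findings from the constructed sample: com.example.notes (sideloaded)
# and com.example.game (third-party store); the Chrome and Settings packages pass.
Get-UntrustedApps -Lines $inventory | Format-Table -AutoSize
```

An inventory like this does not stop a user from using another store, which is the guide's point, but it turns the written AUP into something you can check against: each finding is a concrete conversation about a specific app rather than a general reminder, and a rising count of sideloaded packages on one device is a reasonable trigger to look at that device more closely.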