ISO 27001:2022 A.8.1 User Endpoint Device

As defined in ISO 27002, a user endpoint device is an endpoint device used by users to access information processing services. User endpoint devices include desktop computers, laptops, smartphones, tablets, thin clients, etc. According to ISO 27001, an endpoint device is a network-connected information and communication technology (ICT) hardware device. Endpoint devices include desktop computers, laptops, smartphones, tablets, thin clients, printers or other specialized hardware, including smart meters and Internet of Things (IoT) devices.

An endpoint device is a LAN- or WAN-connected hardware device that communicates across a network. Broadly speaking, the term can refer to any network-connected device (desktop computers, laptops, smartphones, tablets, printers, or other specialized hardware such as POS terminals or retail kiosks) that acts as a user endpoint in a distributed network. One of the biggest issues with endpoint devices is providing comprehensive security for a network or enterprise system. Security managers must determine whether the various endpoint devices could be security gaps for the network – that is, whether unauthorized users can access an endpoint device and use it to pull off important or sensitive data. Endpoints are physical devices that can be linked to your network. The most common examples are laptops, mobile phones and desktop computers, but the list keeps growing and now includes many non-traditional devices that must be accounted for when protecting network resources and limiting access:

  • Laptops
  • Mobile phones
  • Desktop computers
  • Printers
  • Appliances
  • Cameras
  • Health trackers
  • Smartwatches
  • Navigation systems
  • Point of sale systems
  • Servers

If a device can connect to the internet, it should be covered by your endpoint protection. Intruders lurk behind every corner, hoping to catch you off guard and steal your data. Data loss is not the only consequence of endpoint breaches: intruders can also overwhelm your servers with unwanted web traffic to prevent legitimate users from getting access. The only way to keep endpoint devices under control is to limit access, which means that only administrators, not all employees, should be able to adjust security controls. Properly managed endpoint devices can help you set up a bulletproof network: they detect suspicious traffic according to specific criteria, and once they alert you to unusual behavior you can react in time and keep your organization unharmed.

A.8.1 User Endpoint Device

Control

Information stored on, processed by or accessible via user endpoint devices should be protected.

Purpose

To protect information against the risks introduced by using user endpoint devices.

Guidance

The organization should establish a topic-specific policy on secure configuration and handling of user endpoint devices. The topic-specific policy should be communicated to all relevant personnel and consider the following:

  1. the type of information and the classification level that the user endpoint devices can handle, process, store or support;
  2. registration of user endpoint devices;
  3. requirements for physical protection;
  4. restriction of software installation (e.g. remotely controlled by system administrators);
  5. requirements for user endpoint device software (including software versions) and for applying updates (e.g. active automatic updating);
  6. rules for connection to information services, public networks or any other network off premises (e.g. requiring the use of personal firewall);
  7. access controls;
  8. storage device encryption;
  9. protection against malware;
  10. remote disabling, deletion or lockout;
  11. backups;
  12. usage of web services and web applications;
  13. end user behavior analytics;
  14. the use of removable devices, including removable memory devices, and the possibility of disabling physical ports (e.g. USB ports);
  15. the use of partitioning capabilities, if supported by the user endpoint device, which can securely separate the organization’s information and other associated assets (e.g. software) from other information and other associated assets on the device.

Consideration should be given as to whether certain information is so sensitive that it can only be accessed via user endpoint devices, but not stored on such devices. In such cases, additional technical safeguards can be required on the device, for example ensuring that downloading files for offline working is disabled and that local storage such as an SD card is disabled. As far as possible, the recommendations of this control should be enforced through configuration management or automated tools.

User responsibility

All users should be made aware of the security requirements and procedures for protecting user endpoint devices, as well as of their responsibilities for implementing such security measures. Users should be advised to:

  1. log off active sessions and terminate services when no longer needed;
  2. protect user endpoint devices from unauthorized use with a physical control (e.g. key lock or special locks) and logical control (e.g. password access) when not in use; not leave devices carrying important, sensitive or critical business information unattended;
  3. use devices with special care in public places, open offices, meeting places and other unprotected areas (e.g. avoid reading confidential information if people can read from the back, use privacy screen filters);
  4. physically protect user endpoint devices against theft (e.g. in cars and other forms of transport, hotel rooms, conference centers and meeting places).

A specific procedure taking into account legal, statutory, regulatory, contractual (including insurance) and other security requirements of the organization should be established for cases of theft or loss of user endpoint devices.

Use of personal devices

Where the organization allows the use of personal devices (sometimes known as BYOD), in addition to the guidance given in this control, the following should be considered:

  1. separation of personal and business use of the devices, including using software to support such separation and protect business data on a private device;
  2. providing access to business information only after users have acknowledged their duties (physical protection, software updating, etc.), waiving ownership of business data, allowing remote wiping of data by the organization in case of theft or loss of the device or when no longer authorized to use the service. In such cases, PII protection legislation should be considered;
  3. topic-specific policies and procedures to prevent disputes concerning rights to intellectual property developed on privately owned equipment;
  4. access to privately owned equipment (to verify the security of the machine or during an investigation), which can be prevented by legislation;
  5. software licensing agreements that are such that organizations can become liable for licensing for client software on user endpoint devices owned privately by personnel or external party users.

Wireless connections

The organization should establish procedures for:

  1. the configuration of wireless connections on devices (e.g. disabling vulnerable protocols);
  2. using wireless or wired connections with appropriate bandwidth in accordance with relevant topic-specific policies (e.g. because backups or software updates are needed).

Other information

Controls to protect information on user endpoint devices depend on whether the user endpoint device is used only inside of the organization’s secured premises and network connections, or whether it is exposed to increased physical and network related threats outside of the organization. The wireless connections for user endpoint devices are similar to other types of network connections but have important differences that should be considered when identifying controls. In particular, back-up of information stored on user endpoint devices can sometimes fail because of limited network bandwidth or because user endpoint devices are not connected at the times when backups are scheduled. For some USB ports, such as USB-C, disabling the USB port is not possible because it is used for other purposes (e.g. power delivery and display output).

Endpoint devices are an integral part of endpoint security. Endpoint security refers to protecting your mobile device, desktop computer, or other endpoints from cyber security attacks. Endpoints often provide perfect gateways to your organizational network, which can be exploited by intruders. Endpoint security minimizes this risk by shielding the points from criminals. It examines your network or enterprise system, processes and files for malicious and suspicious activity. If it notices anything fishy, it can alert your security managers so they can react in time and protect your data. One of the most impressive features of endpoint security is that it can be installed on numerous devices. Whether you use smartphones, tablets, laptops, or servers, this strategy helps keep malicious users from infiltrating your network with malware. It can also be deployed alongside other monitoring and detection tactics to mark suspicious actions and prevent data breaches. There are three ways of organizing endpoint protection:

The on-premise or on-location approach typically involves data on host computers that function as hubs for your management consoles. These devices communicate with your endpoints via different channels to help patch up security gaps. This strategy can work great, but it has a few drawbacks. Primarily, it’s a legacy system. It’s not as advanced as modern solutions since network owners can only manage it within a limited perimeter.

If you want to ensure comprehensive security, consider setting up cloud-based endpoint protection. It allows you to manage and monitor nearly all network types from your cloud. Under this arrangement, endpoints are connected to your network remotely. Cloud-based solutions are superior to on-location endpoint security due to their greater scope: you can look past traditional perimeters and extend your administrators' reach.

Another way to safeguard your data assets through endpoints is to set up a hybrid network. It combines cloud and on-location technologies. The strategy has become more prevalent in recent years due to an uptick in remote workers. Organizations have streamlined their legacy systems and integrated with cloud-based endpoints to keep sensitive data intact.

Optimized endpoint security has emerged as a result of such combinations and contains the following software to combat unauthorized access:

  • Machine learning that detects threats
  • Firewall to safeguard against hostiles
  • Email gateways to reduce the risk of phishing
  • Insider protection to neutralize threats from within your network
  • Advanced anti-malware and antivirus to remove malware on your operating systems and endpoint devices
  • Proactive security for safe internet browsing
  • Disk encryption to shield company data

Establishing a User Endpoint Device Policy:

The organisation must be able to demonstrate a policy and supporting security controls that reduce the risk posed by user endpoint devices. It is therefore the organisation's responsibility to issue a user endpoint device policy covering the registration/de-registration of devices, physical security requirements, and technical security requirements including remote connections, software control, access control and encryption at rest/in transit. The user endpoint device policy should state the business requirements for the use of devices and when they are appropriate. It is in this policy that the company should specify its expectations for topics such as bring your own device (BYOD). BYOD is a hot topic in information security, with many practitioners agreeing that the risks posed by unmanaged, personally owned devices are too great. ISO 27001 requires that the organisation decides this, issues a policy stating its intentions and monitors compliance with the policy through audits or technical controls. For example, a user endpoint device policy may state that “only corporately issued and managed devices can be used to process company data” and that “unauthorized devices must not be used to access, store or process company data”. If this is the policy, the organisation must monitor for the use of unauthorized devices and specify the consequences of not adhering to the policy, e.g. disciplinary procedures. As well as BYOD, the policy should address technical subjects such as access control, secure configuration and remote access methods. For example, the organisation may require its employees to use secure authentication methods such as two-factor authentication and to connect only over encrypted channels such as VPNs. If these methods of connection are specified, compliance with the policy should be enforced technically, monitored and reported on.
In most cases, if the technical capability to support the policy is not there, users will not adhere to it, so including VPN clients in device builds and reminding users of the need for secure authentication goes a long way. Other considerations include the physical security of devices in public areas, shoulder surfing and other physical security issues. Employees should be aware of the need to protect their device from unauthorized access at all times, especially in public places such as trains and coffee shops, and the policy should include a section addressing these requirements. Once the policy has been issued, signed off by management and communicated to all employees, the organisation should continue to monitor compliance through auditing and technical controls. For example, mobile device management (MDM) tools may be used to enforce the policy and monitor for policy violations, and logs may be reviewed periodically to identify unauthorized access attempts.
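The A.8.1 considerations listed above and the MDM-based enforcement and monitoring just described can be turned into an automated compliance check that also gates network access on the result. The following is an added example, not code from ISO 27002 or from any MDM product: the field names, the enrollment registry, the thresholds and the device records are constructed assumptions that a real MDM export would need to be mapped onto, and "item N" refers to the numbered considerations of the control.

```python
"""Check endpoint inventory records against a user endpoint device policy.

Added example, not part of ISO 27002 or any MDM product. Field names,
registry, thresholds and device records are constructed assumptions.
"""
from dataclasses import dataclass

# Policy thresholds (assumptions, not values from the standard).
POLICY = {
    "max_patch_age_days": 30,                    # item 5: updates applied promptly
    "max_lock_timeout_s": 300,                   # user responsibility: lock when idle
    "allowed_wifi_security": {"wpa2", "wpa3"},   # wireless: no vulnerable protocols
    "byod_allowed": True,                        # BYOD only with separation (item 15)
}
ENROLLED = {"LT-0001", "PH-0002", "PH-0003"}     # item 2: device registry (constructed)


@dataclass(frozen=True)
class Finding:
    device_id: str
    ref: str        # A.8.1 consideration the check maps to
    severity: str   # "block" denies network access, "warn" is reported only
    message: str


def evaluate(dev: dict) -> list:
    """Return policy findings for one device record; an empty list means compliant."""
    did = dev["id"]
    f = []
    confidential = "confidential" in dev.get("data_classes", set())   # item 1

    if did not in ENROLLED:
        f.append(Finding(did, "item 2", "block", "device is not registered"))
    if dev["owner"] == "personal" and not (POLICY["byod_allowed"] and dev.get("work_profile")):
        f.append(Finding(did, "item 15 / BYOD", "block",
                         "personal device without business/personal separation"))
    if not dev.get("disk_encrypted"):
        f.append(Finding(did, "item 8", "block" if confidential else "warn",
                         "storage not encrypted"))
    if not dev.get("malware_protection"):
        f.append(Finding(did, "item 9", "block", "malware protection missing"))
    if not dev.get("auto_update"):
        f.append(Finding(did, "item 5", "warn", "automatic updates disabled"))
    if dev.get("patch_age_days", 0) > POLICY["max_patch_age_days"]:
        f.append(Finding(did, "item 5", "block", f"patches {dev['patch_age_days']} days old"))
    if not dev.get("remote_wipe"):
        f.append(Finding(did, "item 10", "warn", "remote wipe/lockout not enabled"))
    if not dev.get("screen_lock") or dev.get("lock_timeout_s", 0) > POLICY["max_lock_timeout_s"]:
        f.append(Finding(did, "user responsibility 2", "warn",
                         "screen lock missing or timeout too long"))
    if confidential and dev.get("usb_storage"):
        f.append(Finding(did, "item 14", "block",
                         "removable storage enabled on a device handling confidential data"))
    wifi = dev.get("wifi_security")
    if wifi and wifi not in POLICY["allowed_wifi_security"]:
        f.append(Finding(did, "wireless connections 1", "block",
                         f"wireless security {wifi!r} not permitted"))
    return f


def access_decision(findings: list) -> str:
    """Network access decision: any blocking finding quarantines the device."""
    return "quarantine" if any(x.severity == "block" for x in findings) else "allow"


def report(devices: list) -> dict:
    """Map device id -> (decision, findings) for a whole inventory export."""
    out = {}
    for dev in devices:
        findings = evaluate(dev)
        out[dev["id"]] = (access_decision(findings), findings)
    return out


# Constructed inventory records (not real devices).
DEVICES = [
    {"id": "LT-0001", "owner": "org", "data_classes": {"confidential"}, "disk_encrypted": True,
     "malware_protection": True, "auto_update": True, "patch_age_days": 12, "remote_wipe": True,
     "screen_lock": True, "lock_timeout_s": 120, "usb_storage": False, "wifi_security": "wpa3"},
    {"id": "PH-0002", "owner": "personal", "work_profile": True, "data_classes": {"internal"},
     "disk_encrypted": True, "malware_protection": True, "auto_update": False, "patch_age_days": 20,
     "remote_wipe": True, "screen_lock": True, "lock_timeout_s": 60, "usb_storage": True,
     "wifi_security": "wpa2"},
    {"id": "PH-0003", "owner": "personal", "work_profile": False, "data_classes": {"confidential"},
     "disk_encrypted": False, "malware_protection": True, "auto_update": True, "patch_age_days": 45,
     "remote_wipe": False, "screen_lock": False, "usb_storage": True, "wifi_security": "wep"},
    {"id": "TB-0009", "owner": "org", "data_classes": {"internal"}, "disk_encrypted": True,
     "malware_protection": True, "auto_update": True, "patch_age_days": 3, "remote_wipe": True,
     "screen_lock": True, "lock_timeout_s": 300, "usb_storage": False, "wifi_security": "wpa2"},
]

if __name__ == "__main__":
    for did, (decision, findings) in report(DEVICES).items():
        print(f"{did}: {decision}")
        for x in findings:
            print(f"  [{x.severity}] {x.ref}: {x.message}")
```

Warn-level findings are reported for follow-up without cutting the device off, so that a single lenient setting does not lock users out and drive them to work around the policy.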

A policy-based approach to network security is paramount when safeguarding a network. The policy should require endpoint devices to meet specific criteria before being granted access to network resources. Security architecture is designed to handle endpoint devices in order to safeguard the data assets accessed through these systems. Companies that allow employees to bring their own device, as in laptops or smartphones, frequently face endpoint device security issues. Without a well-considered bring your own device (BYOD) policy, employee-owned devices may compromise the security of company information, or of the network.

Organizations believe that close to 45% of corporate data is held on endpoint devices. These laptops, tablets and smartphones pose a huge risk to data security. The industry-wide growth of endpoint device exposure means that it’s easier than ever for data to be put at risk. Each time an employee connects over public WiFi, downloads a suspicious app, or is targeted by a phishing scam, the risk is amplified. This is especially important because endpoint devices not only expose their data to possible seizure, they also serve as a potential conduit for a network wide breach of security.
Security policies, especially as they relate to BYOD protections, are an essential part of protecting endpoint devices from being exposed to attack. But the largest contributor to vulnerability is the quality of training and awareness given to employees. Bad habits can have a serious effect on the integrity of a secure network:

  • Lost or improperly decommissioned devices: Employees who lose devices that are connected to the company network may expose that network to attacks.
  • Poor adoption of security updates: Out-of-date operating systems and applications can lead to any number of vulnerabilities within a device that has been given access to sensitive company information.
  • Employees switching encryption off/on: people are more likely to adjust the security controls on devices they own, and will rework settings to suit their needs. This can lead to unwanted access points.

With a proactive, 'always on' technology, IT can avoid these types of issues while maintaining compliance and mitigating risk.

Traditionally, endpoint security systems are built on the framework of a client-server model. The security program is managed by a central server that controls the client program installed on all networked endpoints. More recently, with the increasing adoption of software as a service (SaaS) platforms, the program and host server are both managed remotely by the SaaS provider. This business model gives organizations a chance to lower costs while ensuring constant updates to security parameters.

The steps involved in establishing the User Endpoint Device Policy

Step 1: Define your scope.

1. Are you establishing rules people must follow (i.e., policies, standards, procedures) or non-binding recommendations (i.e., guidelines)? Some of both?

2. Do you have a clear definition of what a “user endpoint device” is for your organization?

  • Your organization must define “user endpoint device” as any portable technology running an operating system optimized or designed .
  • Strive to understand what user endpoint devices your users actually have and use (including personally owned devices). There may be more of them out there than you expect!

3. Does ownership (i.e., personally owned vs. organization owned) of the device matter?

4. Requirements for the protection of physical assets?

  • Fake or Stolen Hardware: Organizations and users should also be alert that they may encounter fake or stolen devices. These devices may not work at all, may break, or may stop working at the next operating system upgrade. Only purchase devices from reputable authorized dealers.
  • It’s A Hard World Out There: Many user endpoint devices are subject to a panoply of environmental threats ranging from being dropped to getting wet, or getting cooked in hot cars or frozen in cold ones. You may want to encourage users to keep their device on their person, and to consider purchasing and using a case or holster to minimize at least some of those threats.

5. Requirements for the protection of digital data?

  • What Devices Should You Support?
    It is hard to support “everything” well, and your users may end up more-or-less randomly selecting a device based on word-of-mouth or aggressive salesmanship. Should you be making some specific recommendations? In fact, should you have a standardized list of supported devices?
    If you want influence over device selection, are you willing to pay to obtain that influence (e.g., by subsidizing some device choices), or do you just want to try influencing those decisions via policy?
  • What About Enterprise Device Management?
    Some organizations require all personal computers to be centrally managed. If you’re from one of those sites, will you be comfortable if mobile Internet devices aren’t also centrally managed? Central management of organizationally owned mobile Internet devices may allow you to do things such as: setting minimum device password length, complexity, the maximum time between changes and the maximum failures before wiping; adding or removing root certificates; configuring organizational WiFi and VPN; and controlling installation of third-party applications, recreational uses, etc.
    If you’re planning to centrally manage mobile Internet devices, you may want to review device enterprise management feature support options as part of deciding which mobile Internet devices you want to endorse and support. Also, consider that it may be desirable to use different policies for vendors and guests than for employees. Network access control policies on your residence hall networks as compared to faculty and staff networks may be a good illustrative example of how some organizations treat these populations differently.
  • How About Spam and Malware Management on User Endpoint Devices?
    Recognize that spammers will target users on any user endpoint device. What spam management options do users have for a given service? How can they report spam that slips through? Malware may target users of these devices as well. Your security team and/or operational support staff should talk about how they want to approach issues such as spam and malware on supported user endpoint devices.
  • How About Hardware and Data Encryption?
    Personally identifiable information (“PII”) is a material concern at many sites. Do the user endpoint devices you’ve chosen to support have hardware encryption? Is that encryption solid enough to meet your PII protection requirements? Similarly, some user endpoint devices may forgo the use of on-device storage and store all data “in the cloud.” You likely already have requirements in place to protect sensitive or important organizational data. Make sure devices that store organizational data in the cloud meet applicable security and privacy requirements for doing so.
  • And Remote Wipe Capabilities?
    If you lose control over an organizationally owned user endpoint device, do you need the ability to remotely send the device a magic “kill code”? (Note that even if you can remotely wipe the device, there may still be off-site backups floating around, or the device may be taken offline before the kill code can be sent and processed by the device, so don’t depend too much on being able to send remote kill codes.)

6. Organizational Contact With Users’ Mobile Devices
Many organizations ask their employees, vendors and customers to register their mobile numbers for purposes such as emergency notification. Be careful not to abuse numbers entrusted to you solely for emergency purposes for unrelated activities, such as routine announcements or push marketing. Expectations should also be set for work-related contacts over user endpoint devices: unless an employee is officially on call (and paid for that status), or it’s a real emergency, avoid calling employees outside of work hours. Let employees have some time off to spend with their families and friends, or to just sleep and recuperate! Please don’t treat employees as if they’re on unpaid call status 24×7, or you may find a sudden increase in “cellular connectivity issues” spontaneously arising, potentially at some very inopportune times.

7. Requirements for the protection of personal privacy?
User endpoint devices can potentially have profound privacy implications. By way of example, almost all devices have the ability to have their physical location tracked by a variety of means: a wonderful invention if you’re having a heart attack and have just called 911 for an ambulance, but potentially a huge invasion of your privacy if this service is abused by a stalker or an intrusive marketer. Most of the devices also emit cellular radiation. While those emissions are limited by law and are believed to be at safe levels, some phones emit less radiation than others, and use of hands-free devices may also reduce (or shift) the amount of radiation you receive. If this issue is important to you, we encourage you to make appropriate choices. Users of mobile devices need to be careful about where and when they use their devices. In particular, please do NOT use your mobile Internet device while you’re driving. Driving while distracted can be as bad as driving under the influence of alcohol, and you don’t want to see cool mobile Internet devices result in totally avoidable tragic accidents. Many organizations may want to explicitly forbid the use of mobile devices while driving.

8. Defining acceptable use in general? You will likely want to treat employee devices differently from vendor devices. What about guests?

9. Does existing physical asset, technology or data-specific policy cover all or part of your defined scope?
If not, consider revising the existing policy. Doing so may be easier or more desirable than crafting a new policy. If at all possible, implement a technology-agnostic policy framework that allows you to create more specific standards, procedures or guidelines without having to modify the policy.

10. Communicate what you are trying to accomplish and a high-level implementation plan to your constituents.
Help your executives understand the residual risks associated with your chosen approach and why/how some user endpoint devices may be different from more familiar computing technologies.

Step 2: High-Level Threats and Vulnerabilities

User endpoint devices typically need to support multiple security objectives. These can be accomplished through a combination of security features built into the devices and additional security controls applied to the devices and to other components of the enterprise IT infrastructure. The most common security objectives for devices are as follows:

  • Confidentiality—ensure that transmitted and stored data cannot be read by unauthorized parties
  • Integrity—detect any intentional or unintentional changes to transmitted and stored data
  • Availability—ensure that users can access resources using mobile devices whenever needed.

To achieve these objectives, user end point devices should be secured against a variety of threats. Before designing and deploying the device solutions, organizations should develop system threat models for these devices and the resources that are accessed through these devices. Threat modelling involves identifying resources of interest and the feasible threats, vulnerabilities, and security controls related to these resources, then quantifying the likelihood of successful attacks and their impacts, and finally analyzing this information to determine where security controls need to be improved or added. Threat modelling helps organizations to identify security requirements and to design the device solution to incorporate the controls needed to meet the security requirements. Major security concerns for these technologies that would be included in most mobile device threat models are listed below.
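As an added illustration of the threat-modelling procedure just described (not taken from the page or its sources), the following scores the five concerns listed below, applies the mitigations the page names for each, and reports where residual risk stays above tolerance or where no control exists at all. The 1..5 scores, the reduction each control gives and the tolerance are constructed assumptions for illustration, not figures from any standard.

```python
"""Quantitative threat model for user endpoint devices.

Added example: identify resources and threats, attach the controls the page
names, quantify likelihood and impact, and find where controls must be
improved or added. Scores, reductions and tolerance are constructed.
"""
from dataclasses import dataclass, field

RISK_TOLERANCE = 6   # residual risk above this needs action (assumption)


@dataclass
class Control:
    name: str
    likelihood_cut: int = 0   # likelihood points the control removes
    impact_cut: int = 0       # impact points the control removes


@dataclass
class Threat:
    name: str
    resource: str             # resource of interest
    likelihood: int           # 1..5, chance of a successful attack
    impact: int               # 1..5, damage if it succeeds
    controls: list = field(default_factory=list)


def inherent_risk(t: Threat) -> int:
    """Risk before any control is applied."""
    return t.likelihood * t.impact


def residual_risk(t: Threat) -> int:
    """Risk after all controls are applied; neither score drops below 1."""
    like, imp = t.likelihood, t.impact
    for c in t.controls:
        like = max(1, like - c.likelihood_cut)
        imp = max(1, imp - c.impact_cut)
    return like * imp


def analyze(threats: list) -> list:
    """Return (threat, residual, reason) for threats needing improved or
    added controls, highest residual risk first."""
    gaps = []
    for t in threats:
        r = residual_risk(t)
        if not t.controls:
            gaps.append((t.name, r, "no control applied"))
        elif r > RISK_TOLERANCE:
            gaps.append((t.name, r, "residual risk above tolerance"))
    return sorted(gaps, key=lambda g: -g[1])


# The five concerns listed on this page, with the mitigations the page names
# for each (scores constructed).
THREATS = [
    Threat("Lack of physical security controls", "data stored on the device", 4, 4, [
        Control("device authentication (PIN/token)", likelihood_cut=1),
        Control("storage encryption", impact_cut=2),
        Control("remote wipe", impact_cut=1),
    ]),
    Threat("Use of untrusted mobile devices", "enterprise apps and data on BYOD", 3, 4, [
        Control("secure container / sandbox", impact_cut=2),
        Control("device integrity scanning", likelihood_cut=1),
    ]),
    Threat("Use of untrusted networks", "data in transit", 4, 3, [
        Control("VPN with mutual authentication", likelihood_cut=2, impact_cut=1),
    ]),
    Threat("Use of untrusted applications", "device and organizational data", 4, 4, [
        Control("application allowlisting", likelihood_cut=1, impact_cut=1),
    ]),
    # Deliberately left without controls to show how a gap is reported.
    Threat("Interaction with other systems", "data synced or backed up externally", 3, 3),
]

if __name__ == "__main__":
    for t in THREATS:
        print(f"{t.name}: inherent={inherent_risk(t)} residual={residual_risk(t)}")
    for name, r, why in analyze(THREATS):
        print(f"ACTION: {name} (residual {r}): {why}")
```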

1. Lack of Physical Security Controls
Some user endpoint devices may be used in a variety of locations outside the organization’s control, such as employees’ homes, coffee shops, hotels and conferences. The mobile nature of these devices makes them much more likely to be lost or stolen, so their data is at increased risk of compromise. When planning user endpoint device security policies and controls, organizations should assume that some of these mobile devices may be acquired by malicious parties who will attempt to recover sensitive data either directly from the devices themselves or indirectly by using the devices to access the organization’s remote resources. The mitigation strategy for this is layered. One layer involves requiring authentication before gaining access to the device or to the organization’s resources accessible through the device. Many devices have only a single authentication mechanism, not a separate account for each user of the device, as it is generally assumed that the device has only one user; so there is no username, just a password, which is often a PIN. More robust forms of authentication, such as token-based authentication, network-based device authentication and domain authentication, can be used instead of or in addition to the built-in device authentication capabilities. A second mitigation layer involves protecting sensitive data: either encrypting the device’s storage so that sensitive data cannot be recovered from it by unauthorized parties, or not storing sensitive data on mobile devices at all. Even if a device is always in the possession of its owner, there are other physical security risks, such as an attacker looking over a remote worker’s shoulder at a coffee shop and viewing sensitive data on the device’s screen (for example, while a password is being entered). Finally, another layer of mitigation involves user training and awareness, to reduce the frequency of insecure physical security practices.

2. Use of Untrusted Mobile Devices
Many devices, particularly those that are personally owned (bring your own device, BYOD), are not necessarily trustworthy. Some devices may lack the root-of-trust features (e.g., trusted platform modules, TPMs) that are increasingly built into laptops and other types of hosts. Jailbreaking and rooting of mobile devices is also frequent, which means that the built-in restrictions on security, operating system use, etc. have been bypassed. Organizations should assume that all user endpoint devices not properly secured by the organization are not to be trusted unless the organization monitors their security continuously while they are in use with enterprise applications or data. There are several possible mitigation strategies related to the use of untrusted devices. One option is to restrict or prohibit the use of BYOD devices, thus favoring organization-issued devices. Another effective technique is to fully secure each organization-issued device; this gets the device into as trusted a state as possible, and deviations from this secure state can be monitored and addressed. There are also technical solutions for achieving degrees of trust in BYOD devices, such as running the organization’s software in a secure, isolated sandbox/secure container on the mobile device, or using device integrity scanning applications.

3. Use of Untrusted Networks
Many user endpoint devices may use non-organizational networks for Internet access outside the premises of the organization, and organizations normally have no control over the security of the external networks the devices use. Communications systems may include wireless mechanisms such as Wi-Fi and cellular networks. These communications systems are susceptible to eavesdropping, which places sensitive information transmitted over them at risk of compromise. Man-in-the-middle attacks may also be performed to intercept and modify communications. Unless it is absolutely certain that the user endpoint device will only be used on trusted networks controlled by the organization, organizations should plan their user endpoint device security on the assumption that the networks cannot be trusted. The risk from use of untrusted networks can be reduced by using strong encryption technologies (such as virtual private networks, VPNs) to protect the confidentiality and integrity of communications, as well as by using mutual authentication mechanisms to verify the identities of both endpoints before transmitting data. Another possible mitigation is to prohibit the use of insecure Wi-Fi networks, such as those running known vulnerable protocols. Also, all network interfaces not needed by the device can be disabled, thus reducing the attack surface.

4. Use of Untrusted Applications
Many user endpoint devices, such as mobile phones, are designed to make it easy to find, acquire, install and use third-party applications from application stores. This poses obvious security risks, especially for the device platforms and application stores that do not place security restrictions or other limitations on third-party application publishing. Organizations should plan their device security on the assumption that unknown third-party applications downloadable by users should not be trusted. The risk from these applications can be reduced in several ways, such as prohibiting all installation of third-party applications, implementing whitelisting to allow installation of approved applications only, verifying that applications only receive the necessary permissions on the device, or implementing a secure sandbox/secure container that isolates the organization’s data and applications from all other data and applications on the device. Another possible mitigation is to perform a risk assessment on each third-party application before permitting its use on the organization’s devices. It is important to note that even if these mitigation strategies are implemented for third-party applications, users can still access untrusted web-based applications through the browsers built into their devices. The risks inherent in this can be reduced by prohibiting or restricting browser access; by forcing device traffic through secure web gateways, HTTP proxy servers, or other intermediate devices to assess URLs before allowing them to be contacted; or by using a separate browser within a secure sandbox/secure container for all browser-based access related to the organization, leaving the device’s built-in browser for other uses.

5. Interaction with Other Systems
Some user endpoint devices interact with other systems for data exchange (including synchronization) and storage. Local system interaction generally involves connecting a mobile device to a desktop or laptop, wirelessly or via a cable, for syncing. It can also involve tethering, such as using one device to provide network access for another. Remote system interaction most often involves automatic backups of data to a cloud-based storage solution. When all of these components are under the organization's control, the risk is generally acceptable, but often one or more of them are external. Examples include connecting a personally owned mobile device to an organization-issued laptop, connecting an organization-issued mobile device to a personally owned laptop, connecting an organization-issued mobile device to a remote backup service, and connecting any mobile device to an untrusted charging station. In all of these scenarios, the organization's data is at risk of being stored in an unsecured location outside the organization's control, and the transmission of malware from device to device is also a possibility. There are also concerns regarding devices exchanging data with each other. The mitigation strategies depend on the type of attachment. Preventing an organization-issued device from syncing with a personally owned device requires security controls on the device that restrict which devices it can synchronize with. Preventing a personally owned device from syncing with an organization-issued computer requires security controls on the organization-issued computer. Preventing the use of remote backup services can be achieved by blocking those services (e.g., not allowing their domains to be contacted) or by configuring the devices not to use them. Users should be instructed not to connect their devices to unknown charging equipment; they should carry and use their own chargers. Finally, devices can be prevented from exchanging data with each other through logical or physical means (blocking use of services through configuration, physical shielding, etc.).

6. Use of Untrusted Content
Many user endpoint devices process untrusted content such as Quick Response (QR) codes, which are specifically designed to be viewed and processed by device cameras. Each QR code is translated to text, typically a URL, so a malicious QR code can direct a device to a malicious website. This allows targeted attacks, such as placing malicious QR codes at a location where the targeted users gather. A primary mitigation is to educate users on the risks inherent in untrusted content and to discourage them from accessing untrusted content with any device they use for work. Another mitigation is to have applications such as QR readers display the non-obfuscated content (e.g., the URL) and let the user accept or reject it before proceeding. Depending on the network configuration, it may also be possible to use secure web gateways, HTTP proxy servers, or other intermediate devices to validate URLs before allowing them to be contacted. In high-security situations, peripheral use on devices can also be restricted, for example by disabling the camera so that QR codes cannot be processed.
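As an added illustration (not part of the original page), the following Python check does what the passage recommends for a QR reader: it unmasks a decoded payload, shows the user the real target, and refuses schemes a work device should not open. The allowed-scheme set and the specific warnings are assumptions made for this example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed policy: the only scheme a work device may open from a QR code
ALLOWED_SCHEMES = {"https"}

@dataclass
class QrDecision:
    display: str                      # unmasked content to show before acting
    warnings: list = field(default_factory=list)
    needs_confirmation: bool = True   # user must accept or reject
    blocked: bool = False             # refused regardless of user choice

def inspect_qr_payload(text: str) -> QrDecision:
    """Decode QR text, expose its real target, and decide what to show the user."""
    d = QrDecision(display=text.strip())
    parts = urlsplit(d.display)
    if not parts.scheme:
        # Plain text (asset tag, serial number): nothing to open, just display it
        d.needs_confirmation = False
        return d
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    if scheme not in ALLOWED_SCHEMES:
        # javascript:, data:, http:, mailto: and custom app schemes are refused
        d.warnings.append(f"scheme '{scheme}' is not allowed")
        d.blocked = True
    if "@" in parts.netloc:
        # https://bank.example@evil.example/ actually connects to evil.example
        d.warnings.append(f"userinfo hides the real host; connects to '{host}'")
    if host.startswith("xn--") or any(ord(c) > 127 for c in host):
        d.warnings.append("internationalised hostname; check for look-alike characters")
    if host and all(c.isdigit() or c == "." for c in host):
        d.warnings.append("raw IP address instead of a hostname")
    if host:
        # Show scheme, real host, path and query with any userinfo stripped
        d.display = f"{scheme}://{host}{parts.path or '/'}"
        if parts.query:
            d.display += "?" + parts.query
    return d
```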

7. Use of Location Services
User endpoint devices with GPS capabilities typically run what are known as location services. These services map a GPS-acquired location to the businesses or other entities close to that location. Location services are heavily used by social media, navigation, web browsers, and other mobile applications. In terms of organizational security and personal privacy, devices with location services enabled are at increased risk of targeted attacks, because it is easier for potential attackers to determine where the user and the device are and to correlate that information with other sources about who the user associates with and the kinds of activities they perform in particular locations. This can be mitigated by disabling location services or by prohibiting their use for particular applications such as social networking or photo applications. Users may also be trained to turn off location services when in sensitive areas. However, a similar problem can occur even if GPS capabilities or location services are disabled: it is increasingly common for websites and applications to determine a person's location from their Internet connection, such as a Wi-Fi hotspot or IP address range. The primary mitigation for this is to opt out of such location services whenever possible. Organizations should be aware that keeping location services enabled can also have positive effects on information security. For example, different security policies can be enforced depending on whether the mobile device is being used inside or outside the organization's facilities.

Step 3: Establishing the Required Technologies for User Endpoint Devices

Centralized user end point device management technologies are a growing solution for controlling the use of both organization-issued and personally-owned devices by enterprise users. In addition to managing the configuration and security of devices, these technologies offer other features, such as providing secure access to enterprise computing resources. 

1. General policy. The centralized technology can enforce enterprise security policies on the mobile device. General policy restrictions of particular interest for mobile device security include the following:

  1. Restrict user and application access to hardware, such as the digital camera, GPS, Bluetooth interface, USB interface, and removable storage.
  2. Restrict user and application access to native OS services, such as the built-in web browser, email client, calendaring, contacts, application installation services, etc.
  3. Manage wireless network interfaces (Wi-Fi, Bluetooth, etc.).
  4. Automatically monitor, detect, and report when policy violations occur, such as changes from the approved security configuration baseline, and automatically take action when possible and appropriate.
  5. Limit or prevent access to enterprise services based on the mobile device's operating system version (including whether the device has been rooted/jailbroken), vendor/brand, model, or mobile device management software client version (if applicable). Note that this information may be spoofable.

2. Data Communication and Storage

  1. Strongly encrypt data communications between the device and the organization. This is most often in the form of a VPN, although it can be established through other uses of secure protocols and encryption.
  2. Strongly encrypt stored data on both built-in storage and removable media. Removable media can also be "bound" to particular devices so that encrypted information can only be decrypted when the media is attached to that device, mitigating the risk of offline attacks on the media.
  3. Wipe the device (to scrub its stored data) before reissuing it to another user, retiring the device, etc.
  4. Remotely wipe the device (to scrub its stored data) if it is suspected that the device has been lost, stolen, or otherwise fallen into untrusted hands and is at risk of having its data recovered by an untrusted party. A device can often also be configured to wipe itself after a certain number of incorrect authentication attempts.

3. User and Device Authentication

  1. Require a device password/passcode and/or other authentication (e.g., token-based authentication, network-based device authentication, domain authentication) before accessing the organization's resources. This includes basic parameters for password strength and a limit on the number of retries permitted without negative consequences (e.g., locking out the account, wiping the device).
  2. If device account lockout is enabled or the device password/passcode is forgotten, an administrator can reset it remotely to restore access to the device.
  3. Have the device automatically lock itself after it is idle for a period (e.g., 5 minutes).
  4. Under the direction of an administrator, remotely lock the device if it is suspected that it has been left in an unlocked state in an unsecured location.
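The retry limit, self-wipe and idle auto-lock described under items 2 and 3 above, modelled as an added Python example (not code from the page or from any device vendor). The thresholds (a strength floor of 6 characters, 5 failed retries before a timed lockout, 10 before the device wipes itself, 5 idle minutes) are constructed assumptions.

```python
import hashlib, hmac, os
from dataclasses import dataclass
# Constructed policy values (assumptions for this example, not figures from the page)
IDLE_LOCK_SECONDS = 5 * 60   # relock after five idle minutes
LOCKOUT_AFTER = 5            # failed retries before a timed lockout begins
LOCKOUT_BASE_SECONDS = 60    # lockout length doubles with each further failure
WIPE_AFTER = 10              # failed retries before the device wipes itself
MIN_PASSCODE_LEN = 6         # basic strength parameter

@dataclass
class DeviceState:
    salt: bytes
    digest: bytes
    failures: int = 0
    lockout_until: float = 0.0
    wiped: bool = False
    unlocked: bool = False
    last_activity: float = 0.0

def _hash(passcode: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000)
def enroll(passcode: str) -> DeviceState:
    # Enforce the strength floor, then keep only a salted PBKDF2 hash
    if len(passcode) < MIN_PASSCODE_LEN:
        raise ValueError("passcode below minimum length")
    salt = os.urandom(16)
    return DeviceState(salt=salt, digest=_hash(passcode, salt))
def attempt_unlock(dev: DeviceState, passcode: str, now: float) -> str:
    """Returns 'unlocked', 'denied', 'locked_out' or 'wiped'."""
    if dev.wiped:
        return "wiped"
    if now < dev.lockout_until:
        return "locked_out"                      # not evaluated, not counted
    if hmac.compare_digest(_hash(passcode, dev.salt), dev.digest):
        dev.failures, dev.unlocked, dev.last_activity = 0, True, now
        return "unlocked"
    dev.failures += 1
    if dev.failures >= WIPE_AFTER:               # scrub stored data and keys
        dev.wiped, dev.unlocked, dev.digest = True, False, b""
        return "wiped"
    if dev.failures >= LOCKOUT_AFTER:            # exponential timed lockout
        dev.lockout_until = now + LOCKOUT_BASE_SECONDS * 2 ** (dev.failures - LOCKOUT_AFTER)
        return "locked_out"
    return "denied"
def touch(dev: DeviceState, now: float) -> bool:
    # Record user activity; relock when idle too long; return whether still unlocked
    if dev.unlocked and now - dev.last_activity > IDLE_LOCK_SECONDS:
        dev.unlocked = False
    elif dev.unlocked:
        dev.last_activity = now
    return dev.unlocked
```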

4. Applications

  1. Restrict which app stores may be used.
  2. Restrict which applications may be installed, through whitelisting (preferable) or blacklisting.
  3. Restrict the permissions (e.g., camera access, location access) assigned to each application.
  4. Install, update, and remove applications, and safeguard the mechanisms used to perform these actions.
  5. Keep a current inventory of all applications installed on each device.
  6. Restrict the use of operating system and application synchronization services (e.g., local device synchronization, remote synchronization services and websites).
  7. Verify digital signatures on applications to ensure that only applications from trusted entities are installed on the device and that code has not been modified.
  8. Distribute the organization's applications from a dedicated mobile application store.
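An added Python example (not from the original page) of the application allowlisting described in "Use of Untrusted Applications" and in item 4 above: each installed application is checked against an allowlist that pins its signing-certificate fingerprint and its permitted permissions, and against the list of approved stores. The packages, certificate bytes and store names are constructed; comparing the reported certificate's SHA-256 to a pinned value stands in for the platform's own signature verification.

```python
from dataclasses import dataclass
import hashlib

def signer_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the signing certificate the device reports for a package."""
    return hashlib.sha256(cert_der).hexdigest()

# Constructed allowlist: package -> (pinned signer fingerprint, permitted permissions).
# The certificate bytes are placeholders for this example, not real certificates.
ALLOWLIST = {
    "com.example.mail": (signer_fingerprint(b"constructed-cert-mail"), {"INTERNET", "CONTACTS"}),
    "com.example.vpn": (signer_fingerprint(b"constructed-cert-vpn"), {"INTERNET", "VPN_SERVICE"}),
}
APPROVED_STORES = {"corp-store.example"}   # the organisation's dedicated app store

@dataclass
class InstalledApp:
    package: str
    version: str
    signer_cert: bytes    # DER signing certificate as reported by the device
    permissions: set
    source_store: str

def evaluate(app: InstalledApp) -> tuple:
    """Returns (verdict, reasons): 'allow', 'flag' (excess permissions) or 'block'."""
    blocks, flags = [], []
    entry = ALLOWLIST.get(app.package)
    if entry is None:
        blocks.append("not on the application allowlist")
    else:
        pinned, allowed_perms = entry
        if signer_fingerprint(app.signer_cert) != pinned:
            blocks.append("signing certificate does not match the pinned fingerprint")
        excess = app.permissions - allowed_perms
        if excess:
            flags.append("excess permissions: " + ", ".join(sorted(excess)))
    if app.source_store not in APPROVED_STORES:
        blocks.append(f"installed from unapproved store {app.source_store}")
    verdict = "block" if blocks else "flag" if flags else "allow"
    return verdict, blocks + flags

def audit(inventory: list) -> dict:
    """Evaluate a device's full application inventory, keyed by package."""
    return {app.package: evaluate(app) for app in inventory}
```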
