Mobile Device Security

iStock_000043885882XXXLarge

When you think about cyber security, remember that electronics devices such as smartphones, tablets, and other devices are also vulnerable to attack. Take precautions to limit your risk.

Cyber-security for Electronic Devices

Why does cyber-security extend beyond computers?

Actually, the issue is not that cyber-security extends beyond computers; it is that computers extend beyond traditional laptops and desktops. Many electronic devices are computers—from cell phones and tablets to video games and car navigation systems. While computers provide increased features and functionality, they also introduce new risks. Attackers may be able to take advantage of these technological advancements to target devices previously considered “safe.” For example, an attacker may be able to infect your cell phone with a virus, steal your phone or wireless service, or access the data on your device. Not only do these activities have implications for your personal information, but they could also have serious consequences if you store corporate information on the device.

What types of electronics are vulnerable?

Any piece of electronic equipment that uses some kind of computerized component is vulnerable to software imperfections and vulnerabilities. The risks increase if the device is connected to the internet or a network that an attacker may be able to access. Remember that a wireless connection also introduces these risks (see Securing Wireless Networks for more information). The outside connection provides a way for an attacker to send information to or extract information from your device.

How can you protect yourself?

  • Remember physical security – Having physical access to a device makes it easier for an attacker to extract or corrupt information. Do not leave your device unattended in public or easily accessible areas (see Protecting Portable Devices: Physical Security for more information).
  • Keep software up to date – If the vendor releases updates for the software operating your device, install them as soon as possible. Installing them will prevent attackers from being able to take advantage of known problems or vulnerabilities (see Understanding Patches for more information).
  • Use good passwords – Choose devices that allow you to protect your information with passwords. Select passwords that will be difficult for thieves to guess, and use different passwords for different programs and devices (see Choosing and Protecting Passwords for more information). Do not choose options that allow your computer to remember your passwords.
  • Disable remote connectivity – Some mobile devices are equipped with wireless technologies, such as Bluetooth, that can be used to connect to other devices or computers. You should disable these features when they are not in use (see Understanding Bluetooth Technology for more information).
  • Encrypt files – If you are storing personal or corporate information, see if your device offers the option to encrypt the files. By encrypting files, you ensure that unauthorized people can’t view data even if they can physically access it. When you use encryption, it is important to remember your passwords and passphrases; if you forget or lose them, you may lose your data.
Any piece of electronic equipment that uses some kind of computerized component is vulnerable and susceptible to attack!

Protecting Portable Devices: Physical Security

Many computer users, especially those who travel for business, rely on laptops and personal internet-enabled devices like smartphones and tablets because they are small and easily transported. But while these characteristics make them popular and convenient, they also make them an ideal target for thieves. Make sure to secure your mobile devices to protect both the machine and the information they contain.

What is at risk?

Only you can determine what is actually at risk. If a thief steals your laptop or mobile device, the most obvious loss is the machine itself. However, if the thief is able to access the information on the computer or mobile device, all of the information stored on the device is at risk, as well as any additional information that could be accessed as a result of the data stored on the device itself.

Sensitive corporate information or customer account information should not be accessed by unauthorized people. You’ve probably heard news stories about organizations panicking because laptops with confidential information on them have been lost or stolen. But even if there isn’t any sensitive corporate information on your laptop or mobile device, think of the other information at risk: information about appointments, passwords, email addresses and other contact information, personal information for online accounts, etc.

How can you protect your laptop or internet-enabled device?

  • Password-protect your computer – Make sure that you have to enter a password to log in to your computer or mobile device (see Choosing and Protecting Passwords for more information).
  • Keep your valuables with you at all times – When traveling, keep your device with you. Meal times are optimum times for thieves to check hotel rooms for unattended laptops. If you are attending a conference or trade show, be especially wary—these venues offer thieves a wider selection of devices that are likely to contain sensitive information, and the conference sessions offer more opportunities for thieves to access guest rooms.
  • Downplay your laptop or mobile device – There is no need to advertise to thieves that you have a laptop or mobile device. Avoid using your device in public areas, and consider non-traditional bags for carrying your laptop.
  • Be aware of your surroundings – If you do use your laptop or mobile device in a public area, pay attention to people around you. Take precautions to shield yourself from “shoulder surfers”—make sure that no one can see you type your passwords or see any sensitive information on your screen.
  • Consider an alarm or lock – Many companies sell alarms or locks that you can use to protect or secure your laptop. If you travel often or will be in a heavily populated area, you may want to consider investing in an alarm for your laptop bag or a lock to secure your laptop to a piece of furniture.
  • Back up your files – If your mobile device is stolen, it’s bad enough that someone else may be able to access your information. To avoid losing all of the information, make backups of important information and store the backups in a separate location (see Good Security Habits for more information). Not only will you still be able to access the information, but you’ll be able to identify and report exactly what information is at risk.

What can you do if your laptop or mobile device is lost or stolen?

Report the loss or theft to the appropriate authorities. These parties may include representatives from law enforcement agencies, as well as hotel or conference staff. If your device contained sensitive corporate or customer account information, immediately report the loss or theft to your organization so that they can act quickly.

Protecting Portable Devices: Data Security

In addition to taking precautions to protect your portable devices, it is important to add another layer of security by protecting the data itself.

Why do you need another layer of protection?

Although there are ways to physically protect your laptop, PDA, or other portable device (see Protecting Portable Devices: Physical Security for more information), there is no guarantee that it won’t be stolen. After all, as the name suggests, portable devices are designed to be easily transported. The theft itself is, at the very least, frustrating, inconvenient, and unnerving, but the exposure of information on the device could have serious consequences. Also, remember that any devices that are connected to the internet, especially if it is a wireless connection, are also susceptible to network attacks (see Securing Wireless Networks for more information).

What can you do?

  • Use passwords correctly – In the process of getting to the information on your portable device, you probably encounter multiple prompts for passwords. Take advantage of this security. Don’t choose options that allow your computer to remember passwords, don’t choose passwords that thieves could easily guess, use different passwords for different programs, and take advantage of additional authentication methods (see Choosing and Protecting Passwords and Supplementing Passwords for more information).
  • Consider storing important data separately – There are many forms of storage media, including CDs, DVDs, and removable flash drives (also known as USB drives or thumb drives). By saving your data on removable media and keeping it in a different location (e.g., in your suitcase instead of your laptop bag), you can protect your data even if your laptop is stolen. You should make sure to secure the location where you keep your data to prevent easy access. It may be helpful to carry storage media with other valuables that you keep with you at all times and that you naturally protect, such as a wallet or keys.
  • Encrypt files – By encrypting files, you ensure that unauthorized people can’t view data even if they can physically access it. You may also want to consider options for full disk encryption, which prevents a thief from even starting your laptop without a passphrase. When you use encryption, it is important to remember your passwords and passphrases; if you forget or lose them, you may lose your data.
  • Install and maintain anti-virus software – Protect laptops and PDAs from viruses the same way you protect your desktop computer. Make sure to keep your virus definitions up to date (see Understanding Anti-Virus Software for more information). If your anti-virus software doesn’t include anti-spyware software, consider installing separate software to protect against that threat (see Recognizing and Avoiding Spyware and Coordinating Virus and Spyware Defense for more information).
  • Install and maintain a firewall – While always important for restricting traffic coming into and leaving your computer, firewalls are especially important if you are traveling and using different networks. Firewalls can help prevent outsiders from gaining unwanted access (see Understanding Firewalls for more information).
  • Back up your data – Make sure to back up any data you have on your computer onto a CD-ROM, DVD-ROM, or network. Not only will this ensure that you will still have access to the information if your device is stolen, but it could help you identify exactly which information a thief may be able to access. You may be able to take measures to reduce the amount of damage that exposure could cause.

Using Caution with USB Drives

USB drives are popular for storing and transporting data, but some of the characteristics that make them convenient also introduce security risks.

What security risks are associated with USB drives?

Because USB drives, sometimes known as thumb drives, are small, readily available, inexpensive, and extremely portable, they are popular for storing and transporting files from one computer to another. However, these same characteristics make them appealing to attackers.

One option is for attackers to use your USB drive to infect other computers. An attacker might infect a computer with malicious code, or malware, that can detect when a USB drive is plugged into a computer. The malware then downloads malicious code onto the drive. When the USB drive is plugged into another computer, the malware infects that computer.

Some attackers have also targeted electronic devices directly, infecting items such as electronic picture frames and USB drives during production. When users buy the infected products and plug them into their computers, malware is installed on their computers.

Attackers may also use their USB drives to steal information directly from a computer. If an attacker can physically access a computer, he or she can download sensitive information directly onto a USB drive. Even computers that have been turned off may be vulnerable, because a computer’s memory is still active for several minutes without power. If an attacker can plug a USB drive into the computer during that time, he or she can quickly reboot the system from the USB drive and copy the computer’s memory, including passwords, encryption keys, and other sensitive data, onto the drive. Victims may not even realize that their computers were attacked.

The most obvious security risk for USB drives, though, is that they are easily lost or stolen (see Protecting Portable Devices: Physical Security for more information). If the data was not backed up, the loss of a USB drive can mean hours of lost work and the potential that the information cannot be replicated. And if the information on the drive is not encrypted, anyone who has the USB drive can access all of the data on it.

How can you protect your data?

There are steps you can take to protect the data on your USB drive and on any computer that you might plug the drive into:

  • Take advantage of security features – Use passwords and encryption on your USB drive to protect your data, and make sure that you have the information backed up in case your drive is lost (see Protecting Portable Devices: Data Security for more information).
  • Keep personal and business USB drives separate – Do not use personal USB drives on computers owned by your organization, and do not plug USB drives containing corporate information into your personal computer.
  • Use and maintain security software, and keep all software up to date – Use a firewall, anti-virus software, and anti-spyware software to make your computer less vulnerable to attacks, and make sure to keep the virus definitions current (see Understanding Firewalls, Understanding Anti-Virus Software, and Recognizing and Avoiding Spyware for more information). Also, keep the software on your computer up to date by applying any necessary patches (see Understanding Patches for more information).
  • Do not plug an unknown USB drive into your computer – If you find a USB drive, give it to the appropriate authorities (a location’s security personnel, your organization’s IT department, etc.). Do not plug it into your computer to view the contents or to try to identify the owner.
  • Disable Autorun – The Autorun feature causes removable media such as CDs, DVDs, and USB drives to open automatically when they are inserted into a drive. By disabling Autorun, you can prevent malicious code on an infected USB drive from opening automatically. In How to disable the Autorun functionality in Windows, Microsoft has provided a wizard to disable Autorun. In the “More Information” section, look for the Microsoft® Fix it icon under the heading “How to disable or enable all Autorun features in Windows 7 and other operating systems.”