As our network security architectures have improved, hackers are bypassing our moats and gates by flying over the castle walls.
With the consumerization of IT and the subsequent dramatic uptick in personal mobile devices being brought onto our campuses, corporations must create a sustainable mobile risk management policy. Managing the risk posed by smart-phones and other mobile/wireless devices will curb your threat profile as well as reduce your exposure to industrial espionage, and is paramount for your go-forward strategies.
The following delineates best practice within the wireless infrastructure:
A Remote Access and Mobile Device Security Policy
- Establish and post non-employee wireless device use policy within your facility.
- Pre-designate mobile device rights and privileges for all job positions within your organization. Limit System Administrator rights.
- Inventory each access point within your network, including those that are wireless or remote, both inside and outside of the firewall.
- Ensure that all external communications, including dial-up lines that are connected to internal networks must pass through a firewall.
- Employ a network access control solution for all devices.
- Laptops, tablets and mobile devices need to have power-up passwords and to automatically lock it left idle for a significant period of time (e.g. 10 minutes)
- Encrypt data on any mobile devices. Specifically data at rest and external memory devices.
- All secure areas shall be governed as secure wireless zones wherein devices shall have limited functionality in accordance with security policy.
- Dynamic/location-based policy management shall exist for all mobile devices both on campus and off campus.
- Mobile devices shall have an application white-listing capability and also block the installation of non-approved software.
- Maintain the capacity to remotely “wipe” any data contained on mobile devices.
- Maintain the capacity to control under what circumstances sensitive data may be downloaded to an employee’s laptop, tablet or any other mobile device.
- Prohibit users from remotely accessing your network through an insecure connection.
- External access to sensitive data shall be encrypted using a minimum of SSL and preferably AES.
- Limit session lifetimes.
- In secure locations or circumstances, have all unnecessary services and applications on each device disabled.
- Establish policies around the use of social or collaborative networks. Review these semi-annually and inform your employee of these updates when the update affects them or involves their activities.
- Encrypt sensitive data being sent by e-mail.
- Employ data leakage or data loss prevention software.
- Keep logs and enforce real-time alerts based on rules or heuristics for suspicious activities both physical and cyber.
- Electronically monitor non-employees physical and wireless activities when accessing secure areas. Continuous monitoring of any radio frequency service like Wi-Fi; Bluetooth or cellular is paramount to limit espionage.
Thwart the dragon flying over your castle walls – manage your mobile risk.
Tom Kellermann is AirPatrol’s Chief Technology Officer.