The blind spot of mobile computing, detecting a hack attempt and more

March EventSource Newsletter
By Brian Musthaler

Overcoming the blind spot of mobile computing

For many organizations, mobile computing has become a strategic approach to improve productivity for sales professionals, knowledge workers and field personnel.  As a result, the Internet has become an extension of the corporate network.  Mobile and remote workers use the Internet as the means to access applications and resources that previously were only available to “in-house” users – those who are directly connected to the corporate network.

Managing laptops and other portable devices such as smart phones and PDAs can be a real challenge for any organization.  Because these devices aren’t continuously connected to the corporate network in a secure manner, they pose a significant security risk.  Once a mobile device is disconnected from the network, IT operations has very limited visibility into the state of that device.  For example, it’s difficult to tell whether the device has its firewall engaged, whether its anti-virus signatures are up to date, or whether the operating system has all the necessary security patches.  What’s more, a disconnected device can’t “phone home” to deliver its log and intrusion detection system data to the central systems management application, so any attack on the device while it is away from the network goes unseen until it reconnects, if it is seen at all.

Further exacerbating this challenge is the vast array of mobile devices, each with its own mobile operating system.  Depending on the manufacturer and brand, PDAs and smart phones use everything from Windows Mobile to Symbian OS.  Other popular mobile operating systems in play today include BlackBerry OS, Mac OS X, Palm OS, and various flavors of mobile Linux.  Moreover, the devices have diverse and often proprietary event log formats.  It’s almost pure chaos for an IT department that is anxious to receive operational information from the devices in order to know whether security events have occurred that pose a risk to the individual devices or, worse, to the corporate network when the devices connect again.  Unfortunately, there are no common methods of collecting, consolidating and reviewing these mobile device logs today.

Stephen Northcutt, president of the SANS Technology Institute, says this lack of mobile device log data creates a blind spot in the overall detective controls provided by log analysis.  This blind spot is a critical issue during forensic analysis when attempting to determine the source of an actual data breach or even in determining if attempts have been made to hack or corrupt a mobile device.

Without log data, organizations will have reduced situational awareness and difficulty in supporting device and application status reporting, the troubleshooting of problems with applications and equipment, incident response, and forensic investigation.

Knowing that you will not have this situational awareness of what is happening to mobile devices when they are not connected to the network, what can be done to improve the security of mobile devices and the data they hold?

First of all, recognize that log data management and analysis are just one part of a “controlled” mobility strategy and of the overall IT system of internal controls, albeit an important one.  While a continuous feed of log data from mobile devices is highly desirable, all is not lost without it.  When these devices do connect to the network, you can retrieve whatever log data is available and readable in order to collect information on the software, hardware and security applications present on the mobile devices.  At a minimum, this information can be used to support your compliance requirements.  You can show, for example, that a group of laptops all had a personal firewall and anti-virus software, and that the anti-virus DAT files were updated at a certain time.  Bear in mind that such evidence only describes the device as of its last check-in; a device that has not connected for some time has an unknown posture, and your reporting should say so rather than silently reuse stale data.

Second, assess the risks associated with the data and devices that you are attempting to protect.  It should be part of an organization’s overall data protection process to identify data which is critical or sensitive and to develop and implement the appropriate policies and procedures concerning the use and care of that data.  Where mobile computing is concerned, the biggest risks are when the information is in motion (i.e., moving to/from the outside world via the Internet) or at the endpoints of the network (i.e., on mobile PCs, on USB devices, on external drives, or on other highly mobile devices such as smart phones and PDAs).

Third, implement strong preventive controls that ensure secure communications, force encryption of sensitive data, and provide automated processes to manage the mobile platform.  There are numerous mobile device management products and services you can use to apply timely security patches and software updates; prevent an infected or non-compliant device from attaching to the network; back up or encrypt sensitive information; ensure that corporate policies are enforced, and so on.
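The following script is an added example, not code from the newsletter or from any EventTracker product.  It shows what the first step looks like in practice: posture records that a (hypothetical) endpoint agent emits each time a device reconnects are parsed, the most recent record per host is kept, and each device is graded against a policy for firewall state, anti-virus signature age, patch age, and IDS events logged while offline.  A device whose last check-in is older than a threshold is reported as “unknown” rather than as compliant, which is the blind spot the article describes.  The key=value log format, the host names, and the policy thresholds are all assumptions made for this example.

```python
"""Grade mobile-device posture from check-in records collected at reconnect time.

Added example; the log format, hosts and thresholds are assumptions.
"""
from datetime import datetime, date

# Constructed sample check-in records (not from the article): one line per
# check-in, emitted by a hypothetical agent when the device reconnects.
SAMPLE_LOG = """\
ts=2009-03-02T08:15:00 host=lap-0412 user=jsmith fw=on av_sig=2009-03-01 os_patch=2009-02-10 ids_events=0
ts=2009-03-02T09:02:00 host=lap-0377 user=mlee fw=off av_sig=2009-02-14 os_patch=2009-02-10 ids_events=3
ts=2009-02-20T17:40:00 host=lap-0199 user=rchan fw=on av_sig=2009-02-19 os_patch=2009-01-13 ids_events=0
ts=2009-03-02T10:30:00 host=lap-0412 user=jsmith fw=on av_sig=2009-03-02 os_patch=2009-02-10 ids_events=0
"""

# Policy thresholds are assumptions for the example, not vendor defaults.
POLICY = {
    "max_sig_age_days": 7,      # AV signatures older than this are stale
    "max_patch_age_days": 30,   # last OS patch older than this is overdue
    "max_checkin_age_days": 7,  # no check-in within this window = blind spot
}

# Fixed "now" so the sample report is reproducible.
REPORT_TIME = datetime(2009, 3, 2, 12, 0, 0)


def parse_records(text):
    """Parse key=value check-in lines; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            fields = dict(kv.split("=", 1) for kv in line.split())
            records.append({
                "ts": datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%S"),
                "host": fields["host"],
                "user": fields["user"],
                "fw": fields["fw"],
                "av_sig": date.fromisoformat(fields["av_sig"]),
                "os_patch": date.fromisoformat(fields["os_patch"]),
                "ids_events": int(fields["ids_events"]),
            })
        except (KeyError, ValueError):
            continue  # unreadable record: ignore rather than trust it
    return records


def latest_per_host(records):
    """Keep only the most recent check-in for each host."""
    latest = {}
    for r in records:
        if r["host"] not in latest or r["ts"] > latest[r["host"]]["ts"]:
            latest[r["host"]] = r
    return latest


def evaluate(record, now, policy=POLICY):
    """Return (status, findings) for one device's last known posture."""
    findings = []
    if record["fw"] != "on":
        findings.append("personal firewall disabled")
    sig_age = (now.date() - record["av_sig"]).days
    if sig_age > policy["max_sig_age_days"]:
        findings.append(f"anti-virus signatures {sig_age} days old")
    patch_age = (now.date() - record["os_patch"]).days
    if patch_age > policy["max_patch_age_days"]:
        findings.append(f"last OS patch {patch_age} days ago")
    if record["ids_events"] > 0:
        findings.append(f"{record['ids_events']} IDS events logged while offline")
    checkin_age = (now - record["ts"]).days
    if checkin_age > policy["max_checkin_age_days"]:
        # The blind spot: the evidence we hold is too old to vouch for the device now.
        findings.insert(0, f"no check-in for {checkin_age} days; posture unknown")
        return "unknown", findings
    return ("compliant" if not findings else "non-compliant"), findings


def posture_report(text, now, policy=POLICY):
    """Map host -> {status, findings, last_seen} from raw check-in lines."""
    report = {}
    for host, rec in latest_per_host(parse_records(text)).items():
        status, findings = evaluate(rec, now, policy)
        report[host] = {"status": status, "findings": findings,
                        "last_seen": rec["ts"].isoformat()}
    return report


def sample_report():
    """The report for the constructed sample data at REPORT_TIME."""
    return posture_report(SAMPLE_LOG, REPORT_TIME)


if __name__ == "__main__":
    for host, info in sorted(sample_report().items()):
        print(f"{host}: {info['status']} (last seen {info['last_seen']})")
        for finding in info["findings"]:
            print(f"    - {finding}")
```

Run as a script, the report marks lap-0412 compliant on its latest check-in, lap-0377 non-compliant (firewall off, stale signatures, three offline IDS events), and lap-0199 unknown because its last evidence is nine days old.  The point of the “unknown” state is that the compliance record must distinguish “we checked and it was fine” from “we have not heard from it”.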

By taking these and other steps required based on unique business risk, your organization can feel more comfortable about your mobile computing security posture, as well as your ability to demonstrate that the mobile devices connected to the enterprise network are in compliance with corporate security policies at the time that they are both on and off the network.

Brian Musthaler, CISA – is a Principal Consultant with Essential Solutions Corp. A former audit and information systems manager, he directs the firm’s evaluations and analysis of enterprise applications, with a particular interest in security and compliance tools.

Industry News

Get it free: Full-featured search engine for all log data
…A tip for any systems administrator who has had to dig through old log files, searching for clues about an event that happened on the network. Maybe it was a server configuration change, or an intrusion attempt, or a hardware device sending signals that it’s about to fail.

Workers stealing company data
Six out of every ten employees stole company data when they left their job last year, according to a study of US workers; 24% could still access company data after leaving.

Did you know? EventTracker’s advanced user activity and USB monitoring provides in-depth protection from internal theft or inadvertent data loss without clamping down on normal usage.

Heartland breach bad as Tylenol poisonings?
Heartland Payment Systems stock (HPY) was hit hard in the wake of what is being described as the biggest single breach of consumer and financial data security ever. The company issued statements Friday (1/23) in an effort at damage control in which the CEO compares the potential industry-wide impact of the breach to none other than that of the Tylenol poisonings of some twenty-five years ago that nearly brought down the drug maker.

Did you know? EventTracker detects in real-time suspicious activity that often precedes a security breach, and enables instant remediation before costly data theft occurs.

Considering a SIEM solution? Read this first
Cutting through SIEM vendor hype – SIEM solutions are optimized for different use cases, and one size never fits all. The good news is that with the number of potential solutions to choose from, if you do your homework you will find a product that meets your requirements.

Prism Microsystems named finalist in the 2009 CODiE awards
EventTracker recognised as top performer in the data security category; finalist selection made from over 850 nominations submitted by 600 companies.