Jan 15 2015
Security

Don’t Overlook Mobile Devices in Security Assessments

Learn three ways to integrate mobility into vulnerability testing.
Karen Scarfone
by

Karen Scarfone is the principal consultant for Scarfone Cybersecurity. She provides cybersecurity publication consulting services to organizations and was formerly a senior computer scientist for the National Institute of Standards and Technology (NIST).

Most governments know the importance of conducting vulnerability assessments on a regular basis to baseline the current state of IT security. But many haven’t yet updated their security auditing practices to take into account the wide variety of mobile devices in use. This leaves a critical gap in vulnerability assessment results because of all the breaches and exploitations that occur through mobile devices.

Why don’t all organizations integrate mobile devices into their vulnerability assessments? For one, some agencies underestimate the security risk posed by smartphones or tablets. Another reason is that internal or external security auditors and other staff may lack knowledge and confidence in audit practices for mobile devices because they differ significantly from traditional IT systems. And then there’s the overwhelming diversity of mobile devices, with many operating system versions in use at any given time, not to mention millions of possible applications.

However, these excuses can all be overcome relatively easily. What follows are three options for integrating mobile devices into vulnerability assessment practices performed by internal staff or a third party.

1. Expand Existing Assessments

States and localities that perform their own vulnerability assessments should consider simply expanding those practices to include mobile devices. Just as it isn’t feasible to audit every desktop or notebook in a large enterprise, there are also simply too many mobile devices to audit and assess. Instead, select representative devices that cover a wide range of operating system platforms and versions, as well as common applications.

Carefully audit devices according to the agency’s standard practices, tailored as needed to accommodate the security and functionality differences of mobile devices versus desktops and notebooks. Consider expanding penetration testing to include physical actions, such as stealing unattended mobile devices or using Bluetooth or other short-range wireless protocols to gain unauthorized access to sensitive data on mobile devices.

The audit should determine if the organization’s security policies are sufficiently strong and are being implemented effectively and efficiently.

2. Outsource Vulnerability Assessment

Many organizations already outsource some of their vulnerability assessment responsibilities, so it’s logical for them to also outsource much of their mobile device vulnerability assessment procedures.

Discuss mobile device assessment with the service provider and ensure it’s qualified to audit mobile device security, then specify which types of mobile devices are within the scope of the audit. IT leaders may need to modify contracts or enter into new ones and potentially add funding to include mobile device auditing as part of the security assessment.

Governments need to be particularly careful when auditing mobile devices because of privacy and other issues surrounding bring-your-own-device initiatives. Suppose that a penetration tester gains access to an organization’s facilities and nabs a personal phone, then accesses the data it contains. What are the legal implications?

On the other hand, agencies need to know how secure personal devices are and what risks they pose to the organization. Therefore, states and localities may need to make it a condition of BYOD participation that organizations and agents acting on an agency’s behalf have the right to examine the security of devices.

3. Use a Managed Mobility Services Provider

Another outsourcing option is a managed mobility services (MMS) provider.

Organizations specializing in managing mobile devices can perform mobility health checks to assess the current state of mobile security, and perform broad risk assessments to determine how an organization should improve its mobile security. Using an MMS provider doesn’t replace the need for penetration testing. Instead, think of it as a complementary resource for strengthening mobile security. Many organizations use both an MMS provider and an external auditor to gain better control over mobility.

MDM Offers a Helping Hand

Many governments already use a valuable tool for aiding mobile security audits: mobile device management software. MDM solutions manage devices by locking down their security configuration settings and logging all significant security-related events.

Because MDM solutions can detect deviations from approved security baselines and determine if patches and updates are missing from devices, these tools are invaluable for finding known vulnerabilities in mobile devices.

If an organization already has an MDM solution, the IT department should by all means use this data to find the low-hanging fruit in vulnerability assessments. But don’t expect MDM data to completely replace vulnerability assessment, penetration testing and other auditing methods. That’s especially the case for BYOD technologies that aren’t addressed by MDM solutions.

byryo/thinkstock

More On

Related Articles

Close

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT

Subscribe Now