Most governments know the importance of conducting vulnerability assessments on a regular basis to baseline the current state of IT security. But many haven’t yet updated their security auditing practices to take into account the wide variety of mobile devices in use. This leaves a critical gap in vulnerability assessment results, because so many breaches and exploitations occur through mobile devices.
Why don’t all organizations integrate mobile devices into their vulnerability assessments? For one, some agencies underestimate the security risk posed by smartphones or tablets. Another reason is that internal or external security auditors and other staff may lack knowledge and confidence in audit practices for mobile devices because they differ significantly from traditional IT systems. And then there’s the overwhelming diversity of mobile devices, with many operating system versions in use at any given time, not to mention millions of possible applications.
However, these excuses can all be overcome relatively easily. What follows are three options for integrating mobile devices into vulnerability assessment practices performed by internal staff or a third party.
States and localities that perform their own vulnerability assessments should consider simply expanding those practices to include mobile devices. Just as it isn’t feasible to audit every desktop or notebook in a large enterprise, it isn’t feasible to audit and assess every mobile device either. Instead, select representative devices that cover a wide range of operating system platforms and versions, as well as common applications.
Carefully audit devices according to the agency’s standard practices, tailored as needed to accommodate the security and functionality differences of mobile devices versus desktops and notebooks. Consider expanding penetration testing to include physical actions, such as stealing unattended mobile devices or using Bluetooth or other short-range wireless protocols to gain unauthorized access to sensitive data on mobile devices.
The audit should determine if the organization’s security policies are sufficiently strong and are being implemented effectively and efficiently.
Many organizations already outsource some of their vulnerability assessment responsibilities, so it’s logical for them to also outsource much of their mobile device vulnerability assessment procedures.
Discuss mobile device assessment with the service provider and ensure it’s qualified to audit mobile device security, then specify which types of mobile devices are within the scope of the audit. IT leaders may need to modify contracts or enter into new ones and potentially add funding to include mobile device auditing as part of the security assessment.
Governments need to be particularly careful when auditing mobile devices because of privacy and other issues surrounding bring-your-own-device initiatives. Suppose that a penetration tester gains access to an organization’s facilities and nabs a personal phone, then accesses the data it contains. What are the legal implications?
On the other hand, agencies need to know how secure personal devices are and what risks they pose to the organization. Therefore, states and localities may need to make it a condition of BYOD participation that the agency, and agents acting on its behalf, have the right to examine the security of those devices.
Another outsourcing option is a managed mobility services (MMS) provider.
Organizations specializing in managing mobile devices can perform mobility health checks to assess the current state of mobile security, and perform broad risk assessments to determine how an organization should improve its mobile security. Using an MMS provider doesn’t replace the need for penetration testing. Instead, think of it as a complementary resource for strengthening mobile security. Many organizations use both an MMS provider and an external auditor to gain better control over mobility.