Mobile Device Security

Agenda
• Top 12 security recommendations
• Google Android specific recommendations
• Apple iOS (iPad and iPhone) specific recommendations
• General Fermilab comments
• Official Support
• Recommendations
Top 12 Security Recommendations
• Activate the password lock (screen lock) for accessing the device.
  • Please use some sort of unlock process, be it a password, a PIN, or, at a minimum, the simple pattern unlock.
• Don’t use simple passwords.
  • While using a Fermi-grade (complex) password is best for security, remember that virtual keyboards can make entering a complex password more difficult.
  • Use passwords that cannot be easily guessed (i.e., NOT a birthday, anniversary, address, phone number, etc.).
Top 12 cont.
• Don’t share your device with others.
  • The mobile device market is not mature enough to allow for a “multi-user” environment. (It is rumored that Android 4.2 for tablets will have multi-user support.)
  • The Android Play Store, Amazon Appstore, and iTunes can be linked to bank accounts, so any user of your device can purchase items without your knowledge.
  • Any accounts you have synced with your device (email, calendar, Facebook, Twitter, etc.) are accessible to other users.
• Don’t leave your device unattended.
  • Mobile devices are easy to set down and lose track of. Thieves are now actively targeting users with mobile devices: they wait for a user to set down their device and look away. Once stolen, the devices are easy to hide.
  • It is estimated that over $7 million worth of smartphones are lost every day.
  • Look for applications that can be used to track your device if it is lost or stolen.
Top 12 cont.
• Encrypt the device, if possible.
  • Many times the device can be accessed via a USB cable or by removal of memory cards, even on a device with a decent password lock. Encrypting the device makes it more difficult for that process to yield anything useful to unauthorized people.
• Back up the device content regularly.
  • Devices can be misplaced or stolen, so back up your device. This will reduce the hardship of losing a device.
  • If the device has to be reset to factory settings or wiped, vendors often advise that data be backed up first.
Top 12 cont.
• Don’t use the device to store passwords, login information, or personal information.
  • The loss of a device can be especially disturbing if you store passwords to other accounts (bank, email, Fermi systems) on it. Remember, it is against Fermi policy to have Fermi-related passwords stored on any device. From the Computer Security Policy: “You must not allow anyone else to know or use your Kerberos password. Do not use your Kerberos password for other than Fermilab Kerberos. Do not transmit Kerberos passwords across the network. In the rare circumstances where transmitting a Kerberos password is necessary, it must be strongly encrypted. Never store Kerberos passwords (or the corresponding character strings) on a computer, encrypted or not.”
  • While having a list of all your (and your family’s) personal information may be convenient, having it on an easily misplaced or stolen device means thieves will have all the information necessary to steal your identity (credit card numbers, social security numbers, birthdays). If you feel it is worth the risk, use an encrypted application such as KeePass (256-bit AES) or mSecure (SHA-256 + Blowfish). See also: iOS Password App review.
• Don't alter the device’s default security settings.
  • Vendors spend a great deal of time researching the optimal settings to secure your devices. Be very careful altering these settings. If you DO change the default settings, please do so by increasing security. Also realize that increased security may change the performance and battery life of your device.
  • Some applications may “require” you to change settings. This can open security holes in your device. Read the fine print to verify this is really necessary and worth the potential reduction in security.
Top 12 cont.
• Make sure your device is up to date (operating system and applications).
  • Be it Android or Apple, install updates when they become available. These can provide critical security patches and may also provide performance enhancements and new features.
  • The Android Play Store, Amazon Appstore, and iTunes all notify you when an application you have installed has a patch available. Patches can be vital to keeping the application stable, improving performance, or closing a security hole.
Top 12 cont.
• Don’t jailbreak/hack/root your device.
  • While many might consider modifying the default OS to allow for more freedom or access to features not available with the stock OS, this opens your device to greater access for applications to do things you might not be aware of.
  • Rooting a device usually voids any warranty the vendor may offer. Many of these devices are offered at a reduced cost for new customers or as part of a contract. If your device breaks and you have to replace it, you may be forced to pay full price for the device ($500+).
• Be aware of public wireless networks.
  • The words “free” and “open” should warn you to be cautious. Open and free means no security: all traffic between your device and the wireless access point is not encrypted and could be intercepted. If a service set identifier (SSID) is provided and you are required to enter a password, then odds are you are getting some security. Still be wary of the data you are transmitting.
Top 12 cont.
• Use SSL-encrypted applications, if possible.
  • To go along with free and/or open wireless, if you have the option to encrypt transmitted data, do so to help assure your personal data is not intercepted.
  • Email and web browsing can be secured using SSL encryption. Web pages whose address starts with https:// are using SSL encryption. This is not foolproof, but it is better than no encryption.
Google Android Specific
• Be careful what you install.
  • Android Play Store
    • 50,000 apps in the 3rd quarter of 2012 were found to contain malware.
    • 40% of non-North American users infected.
    • 0.3% of North American users infected.
    • Google’s malware scanner, Bouncer, started scanning all requested apps in early 2012.
    • Do your research before installing applications.
  • Amazon Appstore
    • Each application is thoroughly tested for malware and performance.
    • No known infections to date.
    • The Amazon Appstore and your device/vendor’s custom marketplace, at this time, are not seeing many, if any, infected applications. This can change, so be diligent in your research.
• Be careful what documents you open.
  • A major method of infection is via files such as PDFs.
  • Use the same caution we ask of you here at Fermilab: only open files from people you know and when you are expecting the file.
• Anti-virus application
  • Use reputable vendors and really research the application. “Free” may not be the best.
  • AV-Comparatives.org performs tests against 13 mobile security applications for Android.
Apple iOS Specific
• Wipe after 10 failed login attempts
  • This is a good option to enable if you are the only user and really want some extra assurance that no one can steal your data.
  • Back up often, just in case it IS wiped.
  • May not be a good idea around kids, because 10 attempts can be used up in about 7.4 seconds by the average 4-year-old.
• Anti-virus application
  • iOS uses a segregated (sandboxed) structure where applications cannot directly interact with each other. This, for now, protects the device for the most part. AV is a fairly new concept in iOS; it will be better supported by iOS going forward, and the AV applications will get better over time.
  • Kaspersky’s request to offer its AV through iTunes was denied.
• iTunes and malware
  • Apple approves and monitors iTunes applications for inappropriate and malicious applications… BUT malware and unethical applications have made their way into the store. Examples here and here.
• Turn off Picture Frame
  • Nothing is worse than having pictures start displaying that you NEVER intended to show everyone. You know what I mean. {wink}
General Fermilab Comments
• Service Desk assistance (Fermi and personal devices)
  • Email setup (Exchange)
    • Configuring Exchange will enable the ability for you and the Fermi Exchange admins to remotely wipe your device (ActiveSync).
  • Network registration (MISCOMP)
• Cloud-based storage is prohibited for Fermilab data.
  • Data generated on Fermilab equipment/property must be managed with Fermilab resources.
  • Freedom of Information Act
  • Law enforcement requests for information
• Report stolen or lost Fermi devices to Security promptly.
  • As with any Fermilab-owned item, the quicker the item is reported missing, the quicker it may be recovered.
Quote: “The form factor of these devices makes them easy to lose and misplace,” explained Nicholas Arvanitis, principal security consultant at South African IT infrastructure giant Dimension Data. “They're also attractive targets for theft -- consider that most consumers control a lot of their lives from these devices and often store credentials (usernames and passwords) for many services on them.”
“Unfortunately, theft or loss of these devices is inevitable,” he added. “The most prudent approach is to configure the device and maintain it with the assumption that at some stage it will be lost or stolen.”
The End…
• Questions?
Illustration by Andrew DeGraff