Category Archives: Risk

  • 1

Private Information and Portable Devices

Category:Information Security,Infosec Communicator,Internet Safety,mobile device,Privacy,Risk,Uncategorized Tags : 
The entrance of the School of Medicine and Den...
Image via Wikipedia

Today, I had the privilege of being interviewed by our local YNN cable news about the challenges presented by placing private information on portable devices. A surgeon at the University of Rochester Medical Center had lost a flash drive containing the medical details of around 800 of his patients. The reporter, Anne Lithiluxa, asked me how loss of data could be prevented.

Generally, if you’re going to place private information on a portable device, either the device or the information needs to be encrypted The likelihood of exposure of private information through the loss of portable devices has increased tremendously lately due to the proliferation of smartphones and their use in accessing corporate email accounts. Good information security practice is always a combination of safe handling practices and technical protections.

However, the bottom line is that people are always the weakest link. Technical protections can always be defeated by poor practices.

Enhanced by Zemanta

  • 3

Is “Secure Mobile” an Oxymoron?

Category:Information Security,Infosec Communicator,mobile device,Risk Tags : 

If you haven’t noticed, mobile device use is pretty much ubiquitous. Apple iPhone/iPod/iPad, Windows Mobile, Palm, Google Android, Blackberry–all of these device families have their own Operating Systems that could be exploited by an attacker.  Yet, we’re seeing more and more mobile device use in business settings.

SMobile published a white paper yesterday (6/22), Threat Analysis of the Android Market,  about the ~20% of apps available from the Google Android Market that are granted permissions to potentially exploitable features/information when they’re installed. As they point out, it’s pretty easy for an attacker to encourage a potential target to install a seemingly innocent application when that application is available from the Google Market and was never vetted for security issues.

Another big issue is how easy it is to lose a mobile device. If the device is not encrypted, any confidential or private information you’ve placed on the device is at risk. If you’ve cached login credentials to your institution’s network, an attacker has easy access.

We’re working on developing mobile device security guidelines for use in accessing our university data. Because almost all devices are individually-owned and pose their own unique security risks, it’s hard to develop a one-size-fits-all policy. We’re looking at both general and device-specific guidelines.

I’ve included a preliminary draft below, parts of it based on materials developed by EDUCAUSE member institutions.  What would you add or subtract? Is it a good approach?

General Guidelines for Mobile Device Use

  • Configure mobile devices securely. Depending on the specific device, you may be able to:
    • Enable auto-lock. (This may correspond to your screen timeout setting.)
    • Enable password protection.
      • Use a reasonably complex password where possible.
      • Avoid using auto-complete features that remember user names or passwords.
      • You may want to use a password safe application where available.
    • Ensure that browser security settings are configured appropriately.
    • Enable remote wipe options.
      • If you’re connecting to the university email with ActiveSync for email and calendaring, you may be able to wipe the email and calendaring information from your device remotely.
      • Third party applications may also provide the ability to remotely wipe the device.
    • Ensure that SSL protection is enabled.
  • For improved performance and security, register your device and connect to the university WPA2 network where available.
  • Disable Bluetooth (if not needed). This will help prolong battery life and provide better security.
  • Keep your mobile device and applications on the device up to date. Use automatic update options if available.
  • Install an antivirus/security program and configure automatic updates if possible. Like computers, mobile devices have operating systems with weaknesses that attackers may exploit.
  • Use an encryption solution to keep portable data secure in transit and at rest. WPA2 is encrypted. 3G encryption has been cracked. Use an SSL (https) connection where available.
  • Take appropriate physical security measures to prevent theft of mobile devices.
    • Never leave your mobile device unattended.
    • Report lost or stolen devices and change any passwords immediately.
    • Include contact information with the device.
      • On the lock screen (if possible). For example, “If found, please call 585-475-HELP.”
      • Engraved on the device.
      • Inserted into the case.
  • Know your mobile vendor’s policies on lost or stolen devices. Know the steps you need to take if you lose your device. Report the loss to your carrier ASAP so they can deactivate the device.
  • Use appropriate sanitization and disposal procedures for mobile devices.
Enhanced by Zemanta

  • 6

On the Eve of the Latest Facebook Privacy Fix

Category:Facebook,Information Security,Infosec Communicator,Internet Safety,Privacy,Risk,Social Networking Tags : 

Facebook is releasing its latest privacy fix on Wednesday, May 26. I don’t have high expectations for the new controls as Facebook has not shown any ability to make the controls user friendly, or really understand what their users want for privacy.

A much bigger issue is that we seem to have abrogated OUR responsibility to protect our private information.

Fundamentally, information security is about managing risk. ANY involvement in social networking increases the risk of something negative happening–whether it’s loss of privacy, cyberstalking, identity theft, embarrassment, etc. It’s up to us to manage the risk. We should not expect the same amount of privacy protection from a free service that we would get from a credit card company, hospital, etc.

Although Facebook, Google, LinkedIn are all provided “free” to us, that freedom comes with a price–reduced privacy and some tracking of our web habits.

It’s up to us what we choose to share on social networking sites. We agree to EULAs (end user license agreements) that we click through to get to the “good stuff.” We blithely provide requested personal details and install apps that ask for even more and that tell us up front that they may share our information. Do you have to publish your date of birth? Hometown? 20 favorite things? (I’m just waiting for the next Facebook posting asking us, “What’s your mother’s maiden name?” and urging us to send the posting to all of our friends!)

Yes, Facebook, Google, and the other social networking applications have a responsibility to protect our information. However, WE have the responsibility to share ONLY the information we choose.


Categories