Naba barkakati controls for mobile devices

Date post: 13-Jul-2015

1

Controls for Mobile Devices

Naba Barkakati, Ph.D., Chief Technologist
U.S. Government Accountability Office (GAO), 441 G St NW, Washington, DC 20548 USA
Email: [email protected]
Phone: 1-202-512-4499

2

Convergence

• transformation of "atoms to bits"
• conversion of everything from voice, video, TV, etc. into digital information
• flow across platforms on the Internet

3

[Slide image: Sintermask fabbster 3D-printer v01]

4

Growth of Mobile Malware

The number of variants of "malware" aimed at mobile devices has gone from about 14,000 to 40,000, a 185% increase in less than a year.

5

GAO Report on Mobile Device Security

• GAO issued a report (GAO-12-757) on mobile device security at the request of the House Energy and Commerce Committee.
• Consulted key federal agencies (FCC, NIST, DHS, DOD, FTC) as well as the wireless industry association (CTIA), mobile device manufacturers (HTC, RIM, Motorola Mobility, Samsung, LG) and information security companies.
• The report presents mobile device vulnerabilities as well as security controls and practices to mitigate the risks associated with those vulnerabilities.

6

Mobile Device Vulnerabilities

1. No password/PIN
2. No 2-factor authentication
3. Unencrypted wireless transmissions
4. Unknowingly installing malware
5. No security software installed
6. Operating systems not updated routinely
7. Apps not updated routinely
8. No firewall to limit Internet connections
9. "Rooting" or "jailbreaking" of the device
10. Unsecured communication channels

7

Improving Mobile Device Security

• How to protect against threats that may exploit these vulnerabilities?
• Individuals can implement technical controls, such as enabling passwords and encryption, that can limit or prevent attacks.
• Individuals can also adopt key practices, such as using passwords, installing anti-malware software and limiting use of public WiFi, that can mitigate the risk that their devices will be compromised.
• Organizations can also adopt organization-wide controls and practices.

8

Controls for Individuals

• Enable PINs and passwords as a first line of defense
• Turn on 2-factor authentication for sensitive transactions
• Turn on remote disabling of lost or stolen devices (you have to install an app)

9

Controls for Individuals (continued)

• Install a personal firewall
• Install antimalware
• Verify the authenticity of downloaded applications (e.g., by verifying digital signatures)

10

Controls for Individuals (continued)

• Download and apply software updates whenever they are available
• Enable encryption, where available
• Use "whitelisting"

[Slide graphic: placeholder text shown beside its encrypted form]

11

Controls for Organizations

• Implement centralized security management for devices
• Use integrity validation tools to scan devices to detect compromise
• Implement VPN
• Use PKI digital certificates for digitally signing and encrypting emails
• Conform to government security specifications such as those from NIST and DOD

12

Controls for Organizations (continued)

• Install an enterprise firewall to isolate traffic to and from wireless devices
• Monitor incoming traffic from mobile devices
• Monitor and control mobile devices
• Get device log files and analyze them

[Slide diagram: Intrusion Prevention System]
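"Get device log files and analyze them" only pays off with detection logic behind it. As an added example that is not from the deck, the block below runs three checks over constructed, MDM-style key=value log lines: a sliding-window count of failed unlock attempts per device (a PIN brute-force indicator), app installs that did not come from the store (sideloading), and connections to raw IP addresses rather than hostnames. The log format, event names, device ids and thresholds are assumptions made for the example, and the log text is fabricated.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample, not real device output: "timestamp key=value ..." lines
# in the shape an MDM agent export might take.
SAMPLE_LOG = """\
2015-07-10T08:01:12Z dev=D-1023 event=unlock_failed
2015-07-10T08:01:20Z dev=D-1023 event=unlock_failed
2015-07-10T08:01:31Z dev=D-1023 event=unlock_failed
2015-07-10T08:01:44Z dev=D-1023 event=unlock_failed
2015-07-10T08:01:58Z dev=D-1023 event=unlock_failed
2015-07-10T08:02:05Z dev=D-1023 event=unlock_ok
2015-07-10T08:02:40Z dev=D-1023 event=app_install pkg=com.example.flashlight source=sideload
2015-07-10T09:14:00Z dev=D-0441 event=unlock_failed
2015-07-10T09:30:00Z dev=D-0441 event=unlock_failed
2015-07-10T09:30:10Z dev=D-0441 event=net_connect host=updates.example.com port=443
2015-07-10T09:31:00Z dev=D-0441 event=net_connect host=203.0.113.9 port=8080
2015-07-10T09:32:00Z dev=D-0441 event=app_install pkg=com.example.mail source=store
"""

FAIL_THRESHOLD = 5                    # failed unlocks ...
FAIL_WINDOW = timedelta(seconds=120)  # ... within this window raise an alert

Alert = Tuple[str, str, datetime]     # (device id, description, time of the triggering event)


def parse_line(line: str) -> Dict[str, object]:
    """Split 'TIMESTAMP k=v k=v' into a dict; the timestamp is parsed under key 'ts'."""
    ts, *fields = line.split()
    rec: Dict[str, object] = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def analyze(log_text: str) -> List[Alert]:
    alerts: List[Alert] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)  # device -> recent failure times
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        dev, event, ts = str(r["dev"]), str(r["event"]), r["ts"]
        assert isinstance(ts, datetime)
        if event == "unlock_failed":
            recent = failures[dev]
            recent.append(ts)
            while recent and ts - recent[0] > FAIL_WINDOW:
                recent.popleft()          # drop failures that fell out of the window
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append((dev, "possible PIN brute force", ts))
                recent.clear()            # one alert per burst
        elif event == "app_install" and r.get("source") != "store":
            alerts.append((dev, "sideloaded app %s" % r.get("pkg"), ts))
        elif event == "net_connect":
            host = str(r.get("host", ""))
            try:
                ipaddress.ip_address(host)  # succeeds only for an IP literal
            except ValueError:
                continue                    # hostname: nothing to flag here
            alerts.append((dev, "connection to raw IP %s:%s" % (host, r.get("port")), ts))
    return alerts


if __name__ == "__main__":
    for dev, what, when in analyze(SAMPLE_LOG):
        print(when.isoformat(), dev, what)
```

D-0441's two failed unlocks sixteen minutes apart never reach the threshold because the first has left the window by the time the second arrives; D-1023's five failures in 46 seconds do, and the alert fires on the fifth.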

13

Security Practices for Individuals

• DOs
1. Turn off Bluetooth or set it to "undiscoverable"
2. Limit use of public WiFi for sensitive transactions
3. Configure accounts to use https
4. Maintain physical control of the device
5. Delete all data before discarding mobile devices

• DON'Ts
1. Don't install unnecessary apps
2. Don't click links sent in suspicious email
3. Don't click on advertisements in applications
4. Don't unnecessarily disclose mobile phone numbers
5. Don't store sensitive information on the device
6. Don't "jailbreak" devices

14

Security Practices for Organizations

1. Establish a mobile device security policy
2. Train employees on mobile device security
3. Establish a deployment plan for mobile devices
4. Perform risk assessments for mobile devices
5. Implement configuration management for mobile devices

[Slide image: Mobile Security Training]

15

GAO Recommendations to FCC, DHS

FCC – work with wireless carriers and device manufacturers to implement baseline mobile security safeguards; track progress once this is done

DHS – establish a baseline measure of consumer awareness of mobile security and measure the effectiveness of the awareness campaign of the National Initiative for Cybersecurity Education (NICE)

See http://www.fcc.gov/smartphone-security