Top Seven Failures in Mobile Device Security
Client inquiries and headline stories reveal weaknesses in mobile security, a few of which can be attributed to naiveté and others to apathy. All provide object lessons for security managers seeking to improve endpoint security governance.
Key Challenges
- The form factors, use cases and ownership of computing platforms are changing, but the same old security and privacy problems remain.
- Security measures that users accept on company PCs are met with frustration and usability challenges in the mobile world, fueled by bring your own device (BYOD) freedom of choice and usage autonomy.[1]
- Laptop losses and security breaches draw the most attention in the press. Smartphone and tablet security breaches are underreported. Companies lack popular references on which to base risk comparisons that recognize the value of security practices for smaller devices.
- Laptop, smartphone and tablet security policies are still incomplete in many companies, and contain gaps and other inconsistencies that don't measure up to business obligations.
Recommendations
- In a business setting, treat all mobile devices with due care as work platforms, irrespective of who owns them or the choice of operating system, screen size, or personal and fashion appeal. Apply Gartner's managed diversity model to manage risks and costs of operation.
- When deciding on acceptable mobile security practices, anticipate that any loss of a business data-bearing device can be a potential breach event. This could require a disclosure, even if specific regulations are not involved. Basic inventories of devices and information in play are important.
- Consider that a compliance report, which shows that the company's mobile devices are properly protected and managed, is also a sales tool that will attract business and revenue from integrity-conscious buyers and investors.
- Periodically review Gartner's published recommendations for good mobile security practices, and take advantage of the Gartner inquiry service to conduct policy reviews.
Introduction
Throughout 2012, client feedback collected from inquiries, user roundtables, workshops and other sources indicated that companies experienced failures in mobile security stemming from policy gaps. Failure consequences are not well-understood outside of high-security industries, leading users to form casual perceptions of information protection value on a variety of mobile devices, which range from laptops to phones. Many users and decision makers remained convinced that there is little need to prepare for the loss or misuse of mobile devices, but any company that has a reason to be in business also has an obligation to treat business data with care across all allowed computing platforms, regardless of location and even if there is no external legal obligation involved.[2] Protection should be extended to basic intellectual property (IP), competitive analysis, accounting information, business correspondence and the user's personal information wherever possible.
This research presents best practices corresponding to seven failures in mobile device security. Table 1 summarizes action plans for each of the failure discussions.
Table 1. Suggested Actions and Research for Dealing With Mobile Security Failure Scenarios
Failure Scenario | Action Items | Gartner Research
No. 1: Inconsistent Security Policies | | "Seven Steps to Planning and Developing a Superior Mobile Device Policy"
No. 2: Laptop Encryption "Bypass Mode" | | "Magic Quadrant for Mobile Data Protection"
No. 3: Unmanageable BYOD Laptops | Evaluate: | "Why and When to Use Server-Based Computing"
No. 4: Shared Media Leakage | Evaluate: | "Magic Quadrant for Mobile Data Protection"
No. 5: Minimal Device Management | Evaluate: | "Microsoft Exchange ActiveSync's Role in Smartphone and Tablet Management and Security"
No. 6: Readable Data in Disposed-Of Devices | Evaluate: | "Protecting Sensitive Data on Decommissioned SSDs and HDDs"
No. 7: Interapplication Data Leakage | Evaluate: | "Ten Enterprise Expectations for File Sync and Share Mobile Solutions"
Note: Some of the documents in the "Gartner Research" column have been archived; their contents may not reflect current conditions.
Source: Gartner (February 2013)
Analysis
Failure Scenario No. 1: Inconsistent Security Policies Across Different Endpoints
The scenario: Business data needs consistent treatment, but most mobile security policies create and then institutionalize gaps. Policy gaps are the origins of most mobile security failures. A typical example is a requirement for user IDs and strong passwords on laptops, but an allowance for weak or missing passcodes on tablets that are carrying the same types of information.
Impact: Device-oriented policies are typically focused on specific devices or platforms, such as laptops or phones. Business information requirements may be applied broadly without considering the impact of limitations and differences across devices. Platform-specific policies are difficult to normalize, even with the addition of third-party tools because of platform limitations and user resistance.
Best practice: Security policies need to account for overarching business information requirements. Each device's deficiencies to fulfill the common requirements should be identified and mitigated. App and data access may then be limited or altered, as appropriate, by security policy and configuration management decisions that are clearly documented. Gartner research on policies and managing diversity will help.
Failure Scenario No. 2: Laptop Encryption Invalidated in "Bypass Mode"
The scenario: Several clients reported that preboot authentication (PBA) had been disabled on mobile workstations (primarily laptops) that were configured with full-disk encryption (FDE) because the users found the extra PBA login step inconvenient.
Impact: PBA is the method by which FDE products prevent a PC or Mac system disk from being directly readable. The bypass mode exists for administrators to do maintenance on the OS, but this mode is not meant to be activated as a default for mobile devices. Without PBA, the OS and main drive are vulnerable to attack.
Best practice: PBA should never be deactivated on mobile workstations for user convenience. When FDE PBA is implemented without additional authentication methods, users can log in to the system by entering a username and password only once. After the PBA has completed its check, the user login is passed to the OS. PBA login should be suspended only if the risk is deemed appropriate, and only for systems that are permanently attached to the LAN and visible to the directory server. The PBA should be configured to reassert itself if the system is booted without the LAN connection.
Failure Scenario No. 3: Unmanageable BYOD Laptops
The scenario: Users don't want their companies to fully manage their personal laptops. In the case of contractors, no single company would be able to control all the policies. Traditional methods of virtualization and portal computing are too expensive or viewed as too complex to serve all business use cases.
Impact: BYOD laptops are increasing in proportion, but may have little or no management or encryption. Given the high profile of laptop data loss events, this practice is guaranteed to create data loss conditions. These devices are also vectors to bring malware inside the company via LAN and VPN connections.
Best practice: Personal, noncompany laptops should not be allowed on company LANs or VPN tunnels without going through network access control (NAC) tests, which include a check for malware protection and misconfiguration. Systems that don't belong on the LAN can be redirected to the Internet or a limited access zone. Compatible endpoint tools may supplement and enhance the NAC policy. If the user only works online, then portal-based applications delivered through secure Web sessions or secure viewing software should be considered. Segregation of locally stored business data can be achieved by virtualization, container solutions, or robust user account-based encryption instead of FDE. "Workstation on a stick" — that is, bootable USB drive solutions — may apply in some cases.
Failure Scenario No. 4: Shared Media Leakage
The scenario: Users want the flexibility of removable media, but don't want access restrictions. IT departments don't want to pay extra for specialized or rugged drives. Companies may sacrifice the chance to inventory removable media in favor of honesty systems, where users are counseled to voluntarily encrypt files or ignore the issue altogether. USB flash drives were the most common device example, but other storage media, such as secure digital (SD) cards and optical media, are also cited.
Impact: Sensitive and confidential information constantly moves among generic devices under conditions that clearly need accountability. Anecdotes of leaked government, financial, and medical information on shared media are present in client feedback and public forums, and raise the chances of breach disclosures and costly damage control. In 2012, many organizations overlooked relatively simple copy control protections that were available through existing software contracts.
Best practice: Companies should invest in removable media encryption and/or access controls. External media writing should simply be deactivated if it is not needed to prevent "sideways" movement of business data outside of company policies. Major endpoint protection (EPP) and mobile data protection vendors can detect the insertion of flash drives or other media, and offer a range of full volume and per-file encryption choices, combined with device control and governed by project keys, passwords and so on. Audit logs track the copied files. Some vendors can filter file contents, and enforce geolocation access policies and other context-aware conditions. Companies that support both PCs and Macs should check carefully for consistent functionality across platforms.
Failure Scenario No. 5: Minimal Management Fuels BYOD Phone and Tablet Proliferation
The scenario: Unregistered, noncompany consumer smartphone and tablet devices connect into company systems and store business data without any form of identification, tracking or management. A minimal investment in Microsoft Exchange ActiveSync (EAS) will not prevent jailbreaking nor enforce device, OS or app version controls. This "free and easy" access was rarely tolerated for laptops.
Impact: Clients in this circumstance have remarked that large numbers of devices — up to several thousands, in larger examples — are connected to company systems, but no one knows for certain. The ability to enroll devices on the fly is extremely easy and sets off no alerts. Users can retire these devices without removing apps and network access credentials, perhaps selling them, or giving them to children or friends. In this circumstance, the company's security posture is no longer credible. Unknown devices could remain fully active on company systems until passwords expire.
Best practice: No device should gain access to email, LAN, VPN, Wi-Fi or other services without some form of device authentication involving X.509 and other certificates. User connectivity could be limited to a default number of devices, such as one smartphone and one tablet. Users operating under enrollment limits will be less likely to allow personal devices to get lost, stolen, sold or swapped without notifying the company. Self-service registration is possible by using mobile device management (MDM) tools, but going through the help desk adds formality that may be desirable. Companies should invest in NAC and MDM tools that verify that the devices are operating properly and within agreed configurations.
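The gaps described in this scenario (devices nobody registered, users quietly exceeding an enrollment allowance, retired devices whose credentials still work) are all findable by cross-checking an enrollment registry against service access logs. The following script is an added example, not code from the Gartner note or from any MDM product; the registry rows, the access-log tuples and the one-smartphone-plus-one-tablet limit are constructed for illustration.

```python
"""Enrollment-gap detection for phones and tablets.

Added example (not from the Gartner note). It cross-checks a constructed
MDM-style enrollment registry against constructed service access logs and
reports the conditions Failure Scenario No. 5 describes: unknown devices
connecting, users exceeding per-class enrollment limits, and retired
devices that still hold working credentials.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical policy from the text: one smartphone and one tablet per user.
ENROLLMENT_LIMITS = {"smartphone": 1, "tablet": 1}


@dataclass(frozen=True)
class Enrollment:
    device_id: str
    user: str
    device_class: str
    status: str  # "active" or "retired"


# Constructed registry, shaped like an MDM export.
REGISTRY = [
    Enrollment("dev-001", "alice", "smartphone", "active"),
    Enrollment("dev-002", "alice", "tablet", "active"),
    Enrollment("dev-003", "bob", "smartphone", "active"),
    Enrollment("dev-004", "bob", "smartphone", "active"),  # second phone
    Enrollment("dev-005", "carol", "tablet", "retired"),
]

# Constructed access log: (device_id, user, service).
ACCESS_LOG = [
    ("dev-001", "alice", "email"),
    ("dev-003", "bob", "vpn"),
    ("dev-004", "bob", "email"),
    ("dev-005", "carol", "email"),  # retired device still syncing mail
    ("dev-999", "dave", "wifi"),    # never enrolled at all
]


def unregistered_devices(registry, log):
    """Device IDs seen in the log that have no registry entry."""
    known = {e.device_id for e in registry}
    return sorted({dev for dev, _, _ in log if dev not in known})


def retired_but_active(registry, log):
    """Retired devices that still reach a service (credentials not revoked)."""
    retired = {e.device_id for e in registry if e.status == "retired"}
    return sorted({dev for dev, _, _ in log if dev in retired})


def over_limit_users(registry, limits=ENROLLMENT_LIMITS):
    """(user, class, count) for users with more active devices than allowed.

    A class with no entry in `limits` is treated as not permitted at all.
    """
    counts = defaultdict(int)
    for e in registry:
        if e.status == "active":
            counts[(e.user, e.device_class)] += 1
    return sorted(
        (user, cls, n)
        for (user, cls), n in counts.items()
        if n > limits.get(cls, 0)
    )


def enrollment_report(registry=REGISTRY, log=ACCESS_LOG):
    """Bundle the three findings so they can be fed to a ticketing system."""
    return {
        "unregistered": unregistered_devices(registry, log),
        "retired_but_active": retired_but_active(registry, log),
        "over_limit": over_limit_users(registry),
    }


if __name__ == "__main__":
    for finding, items in enrollment_report().items():
        print(f"{finding}: {items}")
```

Run against a real MDM export and the authentication logs of the mail, VPN and Wi-Fi services, the same three checks give the inventory the text says most companies lack; the retired-but-active finding in particular is the one that catches devices sold or handed on without the company being told.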
Failure Scenario No. 6: Readable Data Persists in "Properly" Disposed-Of Devices
The scenario: Data is difficult to delete from solid-state storage.[3, 4] Recycled phones and tablets, especially if unlocked at the time of recycling, can contain active email and VPN accounts, as well as other sensitive business and personal information. Even a device that was encrypted after a period of use may still yield the older unencrypted data.
Impact: Recyclers have expressed concern to Gartner over the cost of attempting full wipes of smart mobile devices and their potential liability for the future misuse of processed devices. Stories have surfaced where devices that were returned for warranty replacement reappeared in the used market with all data intact.
Best practice: Assume that recycling, warranty service and other device exchanges will not guarantee wiping. Instead, set a policy that no device, personal or company-owned, should be allowed to access business data until appropriate encryption controls are put in place. Choices include self-encrypting apps and various mobile device container technologies. The choice and enablement of encryption methods should be made as part of the "opt-in" agreement for BYOD programs. Physical destruction disposal services may need to be considered in high-security environments.
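The claim above that a device encrypted after a period of use can still yield the older plaintext follows from how flash storage handles overwrites: the controller writes a fresh physical page and remaps the logical block, leaving the old page intact until it is erased. The model below is an added example, not code from the Gartner note; the log-structured ToyFlash class, the SHA-256 keystream used as a stand-in cipher and the sample secret are all constructed for illustration.

```python
"""Why "encrypt later" does not remove earlier plaintext from flash.

Added example (not from the Gartner note). It models the copy-on-write
behaviour of a flash translation layer: overwriting a logical block does
not erase the old physical page, it appends a new one and updates the
mapping. Data encrypted after a period of unencrypted use therefore leaves
stale plaintext on the chip until the old page is actually erased, which
is why the policy in the text requires encryption before business data
is allowed onto the device at all.
"""
import os
from hashlib import sha256


class ToyFlash:
    """Log-structured store: logical block -> index of a physical page."""

    def __init__(self):
        self.physical = []   # raw pages as they sit on the chip
        self.mapping = {}    # logical block -> index into self.physical

    def write(self, logical, data: bytes):
        # Copy-on-write: the previous page for this block is left in place.
        self.physical.append(data)
        self.mapping[logical] = len(self.physical) - 1

    def read(self, logical):
        return self.physical[self.mapping[logical]]

    def erase_stale(self):
        """Garbage-collect: zero every page no logical block points at."""
        live = set(self.mapping.values())
        for i, page in enumerate(self.physical):
            if i not in live:
                self.physical[i] = b"\x00" * len(page)


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256(key || counter) keystream. Demonstration only;
    it is here to make the page unreadable, not to be a real cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)


def stale_plaintext(flash: ToyFlash, marker: bytes):
    """Forensic-style scan of raw pages (ignoring the mapping) for a marker.
    Returns the indices of unmapped pages that still contain it."""
    live = set(flash.mapping.values())
    return [i for i, page in enumerate(flash.physical)
            if marker in page and i not in live]


def encrypt_after_use(erase: bool = False):
    """Use the device unencrypted first, then 'turn on' encryption.
    Returns the stale page indices that still hold the plaintext."""
    flash = ToyFlash()
    secret = b"CONFIDENTIAL: Q3 acquisition target list"  # constructed
    flash.write(0, secret)                     # unencrypted period of use
    key = os.urandom(32)
    flash.write(0, toy_encrypt(key, secret))   # encryption enabled later
    if erase:
        flash.erase_stale()
    return stale_plaintext(flash, b"CONFIDENTIAL")


def encrypt_from_start():
    """Encryption enabled before any business data is written."""
    flash = ToyFlash()
    key = os.urandom(32)
    flash.write(0, toy_encrypt(key, b"CONFIDENTIAL: Q3 acquisition target list"))
    return stale_plaintext(flash, b"CONFIDENTIAL")


if __name__ == "__main__":
    print("encrypt after use, no erase:", encrypt_after_use())
    print("encrypt after use, then erase:", encrypt_after_use(erase=True))
    print("encrypt from the start:", encrypt_from_start())
```

The model is deliberately simple: real controllers have wear levelling, over-provisioned spare pages and secure-erase commands that a recycler may or may not run, which is exactly why the text says not to rely on the wipe and to require encryption as a condition of access instead.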
Failure Scenario No. 7: Interapplication Data Leakage
The scenario: Smartphones and tablets can store huge amounts of business information that simply cannot be tracked. The current lack of attention on mobile data breaches keeps this topic at a low visibility, but stories circulate continuously about compromised business decisions driven by blunders, including unlocked devices left on airplanes and password hacks that open up cloud storage services.[5] Security managers report that these events tend to be ignored by decision makers, who are also usually the culprits.
Impact: Users mingle and copy information by forwarding and saving emails and attachments, and by sharing and saving local and cloud copies through an endless variety of apps and sync tools. These data fragments cannot be easily traced or audited, even if the mobile device is managed by the company. Email data can be tagged and selectively deleted, but other copies remain. Leakage problems are gaining attention on small devices due to a lack of standards for sandboxing data; lack of standard enterprise apps; lack of data loss prevention (DLP) methodologies; and convenient, new cloud synchronization services. This example is related to Failure No. 4: shared media leakage.
Best practice: Companies should not wait for "perfect" platform solutions in dynamic mobile markets. Various forms of container solutions suitable for protecting business information are available for tactical implementation, ranging from email encryption, self-defending and security-wrapped applications to rights-managed document viewers. There is no one single solution for all use cases. Companies should prioritize choices based on the way that information will be accessed and shared. Users should be advised in policy to not use the same password for multiple systems associated with their mobile devices, since password recovery from any system compromises the rest. Unfortunately, the policy will be difficult to impossible to enforce. Companies may consider using Web/email gateway filter capabilities or cloud email and Web services to perform blocking and malware detection/prevention on mobile devices. To reduce file sharing exposures, they can purchase a preferred file sync and share service or build their own.
Critical Questions to Build a Best-Practice Consensus for Mobile Device Security
Business obligations for security and privacy must be carried forward with new technologies and work styles. Companies should review their mobile security practices to determine if they would stand up to the following questions in an audit or deposition:
- How would your investors, partners, supply chain and customers react if they were to discover that you were not extending consistent protection to their data?
Gartner is aware of several companies in 2012 that were challenged to provide proof of diligence to their customers. In some cases, this required companies that had turned to BYOD to reinstitute locked-down, business-owned platforms.
- If you believe that only some of the people in your organization are handling sensitive or confidential information, how can you verify that the information is not crossing the boundaries to lower confidentiality?
Information does not neatly stay with one person, group, queue, database, app or drive. Gartner clients frequently call for suggestions to belatedly corral distributed information.
- Have you failed to disclose a real or potential data breach on your mobile devices?
Frequent anecdotes indicate that employees tend not to report lost or stolen personal devices, especially if enrollments are not formally managed or if the company has a policy to wipe personal devices. A lack of knowledge of the extent of the exposed information, as mentioned in the previous question, will further diminish the realization that a breach or data loss requiring legal disclosure has occurred. Security planners should review public records to find examples to scope potential breaches in their own companies.[6]
- If your company's executive team members were summoned to give evidence on questions about mobile information privacy, is it possible to quantify data protection practices and points of exposure?
Without clear, basic management practices, a company would be unable to answer critical fact-finding questions. Gartner clients increasingly express strategic concern on this possibility, but often fail to reach an agreement between IT operations and executive teams. The best practices defined in this research can help company leadership understand potential problems and form the basis for building consensus.
- Are you prepared to bear the cost of mitigation if a mobile breach occurs, and have you done enough to prevent a breach?
The costs and efforts to resolve data exposures are expensive and distracting. A study by the Ponemon Institute indicates that the damage costs of a data breach have declined but still number in the millions of dollars per incident and hundreds of dollars per compromised record.[7] Implementing mobile best practices will reduce the chance of a breach and allow the company to better focus on the business mission.
Evidence
[1] Experian. (1 November 2012). "BYOD Leads to Data Breaches in the Workplace." Retrieved from www.experian.com/blogs/data-breach/2012/11/01/byod-leads-to-data-breaches-in-the-workplace
[2] United Press International. (23 October 2012). "Many Smartphone Users Lax on Security." Retrieved from www.upi.com/Science_News/2012/10/23/Many-smartphone-users-lax-on-security/UPI-85691351030042
[3] Ramsay, M. (23 August 2010). "Phone Recycling and Data Wiping: A Cautionary Tale." Wireless Week. Retrieved from www.wirelessweek.com/articles/2010/08/phone-recycling-data-wiping-cautionary-tale
[4] BullGuard. "The Dangers Involved With Selling or Recycling Your Mobile Phone." Retrieved from www.bullguard.com/bullguard-security-center/mobile-security/mobile-threats/the-dangers-of-recycling-your-smartphone.aspx
[5] Kerr, D. (31 July 2012). "Dropbox Confirms It Was Hacked, Offers Users Help." CNET. Retrieved from news.cnet.com/8301-1009_3-57483998-83/dropbox-confirms-it-was-hacked-offers-users-help
[6] Privacy Rights Clearinghouse. "Chronology of Data Breaches: Security Breaches 2005-Present." Retrieved from www.privacyrights.org/data-breach
[7] Olavsrud, T. (20 March 2012). "Cost of Data Breaches Declines." CIO Magazine. Retrieved from www.cio.com/article/702494/Cost_of_Data_Breaches_Declines
Source: Gartner Research, G00237091, D. Plummer, D. Mitchell Smith, 15 August 2012