Hardware Security
Physical access to a system creates many avenues for a breach in security. Many tools can be used to extract password and account information that can then be used to access secured network resources. Given the ability to reboot a system and load software from a USB drive, attackers might be able to access data or implant Trojan horses and other applications intended to weaken or compromise network security. Unsecured equipment is also vulnerable to social engineering attacks. It is much easier for an attacker to walk into a reception area, say she is there to do some work on the server, and get access to that server in the closet in the front lobby than to get into a physically secured area with a guest sign-in and sign-out sheet.
A more serious threat is theft or loss. Laptops and handheld devices are easy targets for thieves. According to datalossdb.org, stolen laptops account for 18% of all data breaches. In order to prevent theft or loss, you must safeguard the equipment in your organization.
Cable Locks
In order to protect organizational resources and minimize liability costs, it is important for each employee to take responsibility for securing office equipment. Laptops should never be left in an area that is open where anyone can have easy access to them. Laptops, Apple iMacs, and any easily transportable office computers should be physically secured. Security cables with combination locks can provide such security and are easy to use. The cable is used to attach the computer to an immovable object. Computers have one and sometimes two security cable slots. The security cable slots allow you to attach a commercially available antitheft device to the computer. Computer locks commonly use steel cables to secure the PC to a desk. They're most commonly found in computer labs and internet cafes. Laptop locks are meant to protect both privacy and the computer. There are a number of different types of laptop locks: cable locks, case locks, and twist locks. The most common type of anti-theft device for portable computers usually includes a length of metal-stranded cable with an attached locking device and associated key. The cable is looped around an immovable object and the locking device is inserted into a security cable slot. Anti-theft devices differ in design, so be sure that the device is compatible with the security cable slot on the computer. Never leave a laptop unsecured. If the area is not safe, don't leave a laptop even secured by a cable-locking device. Thieves have driven off with whole ATM machines, so they can find a way to bypass the lock.
Safe
Tower-style computers can also be targets of thieves, not only for a higher resale value than laptops, but also for the data they might hold. For example, financial businesses have been hit hard by theft of desktop computers because they hold a lot of personal data. PC Safe Tower and server cages, which have all-steel construction and a lever locking system, are designed to bolt to the floor. Drive access can be either completely restricted or left available for ease of use.
There are also laptop safe security cases used to protect an organization's computers and data out in the field. For example, Flexysafe Digital makes a safe that is designed for people who take their laptop computers home from work. Also available are high-security laptop safes, which store laptops in a manner similar to bank vault storage. There is individual storage for laptops in locking compartments which can then be additionally secured behind the high-security main safe door when required. The open compartment version offers open shelves (usually one laptop per shelf) for storage that can be secured by the safe's main door. Other computer safe options include types made to securely store laptops and carry cases plus other valuable equipment in reception areas, mobile car safes made to prevent smash and grab attacks, and a home computer safe with an electronic lock similar to the safes provided in hotel rooms.
Locking Cabinets
A locked cabinet is another alternative for laptop equipment that is not used or does not have to be physically accessed on a regular, daily basis. Vendors provide solutions such as a security cabinet locker that secures CPU towers. The housing is made of durable, heavy-duty steel for strength that lasts. The sides and door are ventilated to reduce risk of overheating. Another option is a wood laminate security computer cabinet that provides a computer workstation that can be locked away into a cabinet for space as well as security. Computer cabinets include a keyboard drawer and adjustable top shelf. A slide-out bottom shelf accommodates a CPU and printer. It has built-in cable management grommets. Depending on what needs to be secured, there are computer cabinets designed to hold everything from LCD/LED flat screens to entire systems. This type of security is often used for training rooms where the computers can be secure without the inconvenience of removing them after each training session.
Host Software Baselining
The measure of normal activity is known as a baseline. This gives you a point of reference when something on the computer goes awry. Without a baseline, it is harder to see what is wrong because you don't know what is normal. Baselines must be updated on a regular basis and certainly when the computer has changed or new technology has been deployed. Baselining should be done for both host and application processes so that you can tell whether you have a hardware or software issue. Host software baselining can be done for a variety of reasons, including malware monitoring and creating system images.
Generally, the environment needs of an organization fall into one of three client categories: legacy, enterprise, or high-security. A legacy client has the lowest lockdown level. It is important that there is a good baseline for these computers because of their vulnerability and lack of ability to configure tightened security settings. The enterprise client environment is designed to provide solid security for the organization and allows the use of more restrictive security templates for added security. Using security templates also allows the organization to introduce additional roles on top of the baseline template for easier implementation of these new roles. In a high-security environment, the settings are very restrictive and many applications might not function under this type of configuration. Therefore it is very important to have a baseline.
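The following sketch is an added example, not part of the original text: it records a file-hash baseline for a host directory, reports what has been added, removed, or changed since, and flags a baseline that is overdue for an update. The function names, the 30-day refresh interval, and the sample files are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
import time


def snapshot(root):
    """Map each regular file under root to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # ignore symlinks and special files
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests


def make_baseline(root, now=None):
    """Record what 'normal' looks like, with the time it was captured."""
    taken = time.time() if now is None else now
    return {"taken_at": taken, "files": snapshot(root)}


def compare(baseline, root, max_age_days=30, now=None):
    """Report drift from the baseline and whether the baseline is overdue."""
    now = time.time() if now is None else now
    known, current = baseline["files"], snapshot(root)
    shared = known.keys() & current.keys()
    return {
        "added": sorted(current.keys() - known.keys()),
        "removed": sorted(known.keys() - current.keys()),
        "changed": sorted(p for p in shared if known[p] != current[p]),
        "stale": now - baseline["taken_at"] > max_age_days * 86400,
    }


def demo():
    """Constructed sample tree: baseline it, alter it, then compare."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("app.bin", b"v1"), ("lib.so", b"lib"), ("old.cfg", b"x")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        base = make_baseline(root, now=0)
        with open(os.path.join(root, "app.bin"), "wb") as fh:
            fh.write(b"v1-patched")              # modified binary
        with open(os.path.join(root, "unknown_tool.exe"), "wb") as fh:
            fh.write(b"new")                     # file that was never baselined
        os.remove(os.path.join(root, "old.cfg"))
        return compare(base, root, max_age_days=30, now=45 * 86400)


if __name__ == "__main__":
    print(demo())
```

A report with an empty drift list but `stale` set is still a finding: the baseline no longer reflects a recent known-good state and should be retaken.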
Mobile Devices
There are specific steps for mitigating mobile attacks. Both enterprise administrators and users alike need to be aware of the growing risks associated with the convenience of having Internet as well as corporate network data in the palm of your hand. The most effective way to secure restricted data is not to store it on mobile devices. In many organizations this does not happen. The commingling of personal and organizational data is inevitable unless there are some safeguards in place, such as keeping sensitive data only on secure servers and accessing it remotely using secure communication techniques outlined in the security policy. Another option is to have the user and organizational data separated on the device. A company called Good Technology provides such a solution. This limits business risk associated with enterprise data on mobile devices by compartmentalizing the data. It leaves employees' private information untouched and enforces policies and compliance at the application level. The risk areas associated with mobile devices are physical risk, including theft or loss, unauthorized access risk, operating system or application risk, network risk, and mobile data storage device risk.
In order to mitigate these risks many of the same protections that apply to computers apply to mobile devices. Safeguards include screen locks, encryption, remote wipes, tracking, and strong passwords.
Screen Lock
A screen lock or passcode is used to prevent access to the phone. Screen locks can be set on just about any mobile device such as BlackBerrys, personal digital assistants (PDAs), and smartphones. This feature is the most basic form of security. It is done using a pattern lock or a passcode to secure the handset. It's similar to a password-protected screensaver on a computer. The lock code usually consists of a four-digit code. A screen lock only locks users out of the user interface. It does not encrypt data.
Screen locks should be configured to lock the device screen automatically after a brief period of about 10 or 15 minutes of inactivity. Androids can use a pattern on the screen instead of a password. One caveat: you need your Gmail/Google account credentials to reset the security lock should you forget it, so be sure to set up a valid Gmail/Google account beforehand. There are also a number of applications available on the Android application marketplace that can add additional security measures.
Strong Password
Passwords are one of the first and best methods of acquiring access, and password length is an important consideration for mobile devices. Strong passwords can be derived from events or things the user knows. Password strength is a measure of the difficulty involved in guessing or breaking the password through cryptographic techniques or library-based automated testing of alternative values. A weak password might be very short or only use alphanumeric characters, making decryption simple. A weak password can also be one that is easily guessed by someone profiling the user, such as a birthday, nickname, address, or name of a pet or relative, or a common word such as God, love, money, or password.
Organizational policies should include training to educate users to create stronger passwords from events or things the user knows. For example, let's say that the password must be nine characters long and must be a combination of letters, numbers, and special characters. The user went to Fiji on August 8, 2011, with his spouse named Joan. The phrase "Went to Fiji on August 8, 2011 with Joan" can become wtF8811@J. Now you have a complex password that is easy for the user to remember. Alternatively, users can use a phrase that has more than 13 characters so that password-cracking utilities will not be able to crack it. For example, using the password ThisisDiane@sTempPa33w0rd creates a longer string than most programs can crack.
Strong password policies help protect the network from hackers and define the responsibilities of users who have been given access to company resources. You should have all users read and sign security policies as part of their employment process, and you should provide periodic training.
Using static passwords for authentication has a few security flaws because passwords can be guessed, forgotten, or written down. Mobile phones that are capable of running Java applets are becoming more common, so a mobile phone can be used as an authentication token. Mobile-OTP is a free authentication solution for Java-capable mobile devices. The solution is based on time-synchronous one-time passwords. It consists of a client component and a server component. The server component can easily be plugged into RADIUS to authenticate users. As of 2010, there were more than 30 independent implementations of the Mobile-OTP algorithm, making it a de facto standard for strong mobile authentication.
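The client and server halves of a time-synchronous scheme like this can be sketched as follows. This is an added example, not code from the Mobile-OTP project: the hash construction (MD5 over the 10-second time step, the shared secret, and the PIN, truncated to six hex digits) follows Mobile-OTP's published description rather than anything stated here, and the `MotpVerifier` class, its 180-second drift window, replay cache, and lockout counter are assumptions of this example.

```python
import hashlib
import hmac
import time

STEP = 10  # Mobile-OTP counts time in 10-second units


def motp(secret, pin, epoch):
    """Token side: first 6 hex digits of MD5(time step + secret + PIN)."""
    material = f"{int(epoch) // STEP}{secret}{pin}"
    return hashlib.md5(material.encode("utf-8")).hexdigest()[:6]


class MotpVerifier:
    """Server side for one user (hypothetical class for this example)."""

    def __init__(self, secret, pin, window_seconds=180, max_failures=5):
        self.secret, self.pin = secret, pin
        self.steps = window_seconds // STEP   # tolerated clock drift, in steps
        self.max_failures = max_failures
        self.failures = 0
        self.used = set()                     # time steps already redeemed

    def verify(self, candidate, now=None):
        now = int(time.time() if now is None else now)
        if self.failures >= self.max_failures:
            return False                      # locked: 6 hex digits is only 24 bits
        centre = now // STEP
        # Forget steps that have fallen out of the window; they cannot match again.
        self.used = {s for s in self.used if s >= centre - self.steps}
        given = candidate.strip().lower().encode("utf-8")
        for step in range(centre - self.steps, centre + self.steps + 1):
            expected = motp(self.secret, self.pin, step * STEP).encode("utf-8")
            if hmac.compare_digest(expected, given):
                if step in self.used:
                    break                     # replay of an already used password
                self.used.add(step)
                self.failures = 0
                return True
        self.failures += 1
        return False


if __name__ == "__main__":
    # Constructed secret and PIN, for illustration only.
    server = MotpVerifier("0123456789abcdef", "1234")
    code = motp("0123456789abcdef", "1234", time.time())
    print(code, server.verify(code), server.verify(code))  # second use is a replay
```

The drift window trades usability against guessing odds: every extra accepted time step is one more valid value in a 24-bit space, which is why the failure counter matters.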
Device Encryption
Just like the data on hard drives, the data on mobiles can be encrypted, but doing so can present some challenges. First, it's difficult to enter complex passwords on small keyboards, and multifactor authentication is unfeasible. The limited processing power of mobiles also means the extra computation required for encryption may cause them to suffer performance issues, and the always-on nature of these devices means that encryption can easily break functionality. Another consideration is that due to the variety of devices, a company may have to implement various encryption methods. For example, BlackBerry Enterprise Server can be used to manage built-in data encryption, whereas Windows Mobile devices can use a third-party encryption solution. In addition to built-in tools, here are some third-party encryption programs:
- Navastream
- PhoneCrypt
- Smartphone Encryption
- Cryptophone
- Kryptext
- Secure GSM
Most mobiles have an external media card used for storage. In addition to encryption of the data in the device, the data on the media card needs to be encrypted as well. Mobile Encryption is a feature that enables users to secure sensitive information on a Windows Mobile device's removable flash memory storage card. The data is only accessible when the card is installed in a particular mobile device. If the card is ever lost or stolen, the information remains secure because it is encrypted.
Applications such as Good offer a security container that separates company and personal information. The enterprise container is an encrypted envelope that securely houses enterprise data and applications on the device, encrypting all data with strong AES 192-bit encryption. This solution also encrypts any data that's in transit between the device and servers behind the organization's firewall.
Enterprise encryption solutions are also available that encompass a number of different devices. For example, Sophos Mobile Control provides device protection on iOS, Android, and Windows Mobile devices. It can secure mobile devices by centrally configuring security settings and enabling lockdown of unwanted features; and it offers remote over-the-air lock or wipe if a device is lost or stolen in addition to having a self-service portal that allows end users to register new devices and lock or wipe lost or stolen phones.
Remote Wipe/Sanitation
The data stored on a mobile is worth a lot more than the device itself. Mobiles carry a variety of personal and business information, so it's imperative to prevent them from getting into the wrong hands. Many of today's smartphones support a mobile kill switch or remote wipe capability.
MobileMe is a service offered to Mac users that allows a remote wipe on a lost or stolen iPhone. There is also an option to erase all data on the iPhone after a set number of failed passcode attempts. The iPhone 3GS includes hardware encryption and all data is encrypted on the fly. This means that for the iPhone 3GS, you don't need to actually wipe the phone's entire contents; remotely wiping the encryption key works. Any BlackBerry Enterprise Server (BES) handset can be erased, reset to factory default settings, or set to retain the IT policy it previously had via remote administration. This is done via the Erase Data and Disable Handheld command over the wireless network. By default the device deletes all data after 10 bad password attempts. Microsoft's My Phone Windows Mobile service enables users to locate lost handhelds via GPS and erase their data remotely. To enable remote wipe on enterprise Android phones, the phone must have the Google Apps Device Policy app installed. This is similar in functionality to the remote control features for a BES. In fact, soon Androids and iPhones will be able to be managed through a BES-like solution.
Remote wipes aren't fail-safe. If someone finds the phone before the remote wipe occurs and either takes the device off the network or force-reboots and restores the device, sensitive data can still be recovered. In the case of BlackBerry devices, if the device is turned off or outside the coverage area, the command is queued on the BlackBerry Enterprise Server until the device can be contacted. If a user is removed from the BlackBerry Enterprise Server before the command has reached the smartphone, data will not be erased from the device.
In addition to enterprise or built-in remote wiping tools, third-party products such as SecuWipe can be used to remove sensitive information. This type of product is good as a solution for Windows phones and Pocket PCs. It can securely wipe media cards, and it can be configured to wipe data remotely from a device that has been lost or stolen, automatically wipe the device clean when there is an attempt to insert another SIM card, or disable the phone function.
Voice Encryption
Mobile voice encryption can allow executives and employees alike to discuss sensitive information without having to travel to secure company locations. There are a variety of options available for voice encryption. Secusmart makes microSD flash cards that fit into certain Nokia devices. The software is installed on the phone when the card is first inserted into a device. Another hardware option is what is called embedded encryption. KoolSpan's TrustChip is one such solution. TrustChip consists of three main components:
- Embedded encryption software on the chip
- Linux-based management server
- TrustChip software development kit (SDK)
Kryptos is a secure VoIP application for the iPhone. It utilizes 256-bit AES military-grade encryption to encrypt calls between users. For added security, it uses 1024-bit RSA encryption during the symmetric key exchange. Kryptos can provide VoIP connectivity for secure calls over several networks including 3G, 4G, and Wi-Fi.
One thing to keep in mind when using voice encryption software is that it must be installed on each mobile phone to create a secure connection. You cannot create a secure encrypted connection between a device that has software installed and one that does not. This includes hardware solutions as well. For example, the TrustChip encrypts voice only when the phone calls another TrustChip phone. The user sees an icon on his display that informs him that the call is encrypted.
As with many other solutions, using voice encryption is not an end-all solution. It has been discovered that 12 commercially available mobile voice encryption products can be intercepted and compromised using a little ingenuity and creativity. Some applications can be compromised in as little as 30 minutes. Although some of these applications are not entirely secure, it would take a lot of effort to bypass them. However, the point is, it can be done.
Virtualization
Virtualization has many benefits from the data center to the desktop. For example, when working in a development environment, running the new system as a guest avoids the need to reboot the physical computer whenever a bug occurs. A "sandboxed" guest system can also help in computer-security research, which enables the study of the effects of some viruses or worms without the possibility of compromising the host system.
The use of desktop virtualization allows an organization to run multiple OSes, including Windows and Linux, on a single computer. With technology permeating every facet of modern life, the flexibility of being able to run a Windows guest operating system on top of a Linux-based host operating system allows an added layer of security as well as access to both environments without having to dual boot the machine.
Virtualization reduces an entire functioning computer down to just a couple of files, which is obviously far easier to manage than the thousands and thousands of files found in the Windows directory alone. With virtualization, it is not only practical but also logical to simply discard an old or infected VM in favor of a fresh copy.
Full streaming of an OS is also a new approach to desktop virtualization, which is making its way into the mainstream IT community. A streaming OS provides the same benefit as a virtualized desktop but with more use of the desktop hardware in a traditional manner. With a streaming OS, an end user downloads a complete package, OS, and applications. The benefit is that of a full OS to distributed users who can enjoy the benefits of customization, security, patches, and updates. The trade-off with this architecture is similar to that of other virtualization models: the greater the distance, the slower the performance.
Some good uses of streaming OSes are as follows:
- Diskless workstations with a streaming OS that is used for sensitive or classified work environments. With this model, there is no need for lockdown protocols or secure storage for hard drives. The diskless client system increases security, and the network storage aspect allows for indefinite scalability.
- OS Streaming could be used quite effectively in an education environment where configuration and maintenance costs can be prohibitive.
- OS Streaming, much like a virtual desktop environment, can make the introduction of a new OS much easier. Users can be offered choices allowing for the selection of which OS they want to use based on their needs at that time.