Last Updated: 2010-10-20 20:27:13 UTC
by Jim Clausing (Version: 1)
For corporate mobile devices, I would urge a few measures (where possible):
- Encryption - if the capability exists on the platform you are using, whole device encryption could provide some minimal protection to corporate (or personal) data on the device should it be lost or stolen.
- Remote Wipe - the ability to remotely kill or wipe a device that has been lost or stolen should be enabled if it exists.
- VPN - where possible, VPN back through the corporate environment (understanding that all the issues discussed in yesterday's diaries apply here, too). This allows one to take advantage of the proxies, firewalls, and e-mail filtering of the corporate network. When possible, use the mobile device as a thin client to access data in the corporate network or in "the cloud" rather than keeping potentially sensitive data on the mobile device itself.
For personal devices, the biggest thing is to remember that the defenses on these mobile devices are even slimmer than on our home PCs and laptops.
- Fight the urge to do things from your mobile device, like banking, that might reveal information that could be used for identity theft.
- Don't click on links sent via IM, Facebook, or SMS.
In general, there are a few things that should probably be done all the time to protect yourself and your personal and corporate information (and they may increase your battery life, too).
- Turn off the GPS and data (3G/4G/Wi-Fi) capabilities when you aren't actually using them.
- If anti-virus software exists for your platform, install it. It probably won't protect you from much, but if it stops even one attack, that's better than nothing.
- If at all possible, don't mix corporate and personal use on the same mobile device.
I've been starting to think about mobile malware lately, and frankly, it worries me. So, what are you doing to secure your mobile devices (both corporate and personal)?
Jim Clausing, jclausing --at-- isc [dot] sans (dot) org
GIAC GSE #26