How securely are you using your smartphones or network-enabled tablets? CompTIA reached out to industry experts for their top personal best practices for mobile device security, and here’s the resulting checklist:
1) Password-protect your device. This was the starting rule for all experts CompTIA contacted. “Passwords matter a lot,” said Rebecca Lawson, director of WW Enterprise Security Solutions for HP Enterprise Business. “You need to use them.”
2) Lock your phone when it’s not in use. “Set the security setting to lock automatically after a period of time, say two to three minutes, and set your device to automatically wipe its data after a certain number of failed log-ins,” said Spencer Wilcox, CISSP, CPP, and member of the American Society for Industrial Security’s IT Security Council. “That way, if you do lose it, your pictures, your GPS data, your personal phone numbers, all that information isn’t readily accessible to a person on the street who picks your phone up.”
3) Separate the personal from the work. Using a smartphone for both work and personal activities potentially exposes you to liability if there’s a data leak or security breach via your phone. “It’s a hassle, but I’ve seen people very successfully separate them with two different devices,” said Lawson. Another option, said Wilcox, is to use software to “sandbox” or partition the phone’s business apps and data separate from personal apps and data on the device.
4) Encrypt Yourself. Winn Schwartau, chairman of the Atlanta-based smartphone security company Mobile Active Defense, advocates using a VPN to encrypt all communication from mobile devices. “That should be mandatory in my opinion.” At minimum, don’t use unencrypted Wi-Fi networks for connecting to company servers or banks, or for engaging in any financial transactions. Avoid doing online banking at Starbucks, said Marcus Burton, director of product development at CWNP Inc., the Atlanta-based Wi-Fi certification and training company. “The quality of security attacks out there is getting better and better. Save that stuff for home.” Added Andrew Hoog, chief investigative officer of Chicago-based viaForensics, “It’s very, very simple for a malicious attacker to set up a fake ATT Wireless network.” Full-disk data encryption on smartphones is a work in progress. With Android OS, it’s done via third-party apps; iPhones, especially OS5, have built-in data protection that can be reinforced by third-party apps. Blackberry devices feature built-in, password-protected content encryption.
5) Click with Caution. Be extremely careful about clicking on email or text message web links via a mobile phone. Mobile users are three times as likely to fall for a phishing attack, said Hoog, in part because a fake web page is harder to detect on a smartphone screen.
6) Beware the Apps. App developers are not held to the same standard as professional software developers, and apps can be a source of malware/spyware. Even a “clean” app can expose confidential user data — storing credit card numbers or passwords in plain text in the phone’s memory, for example, notes Hoog, whose company’s appWatchdog posts its security analysis of popular mobile apps. HP’s Security Laboratory Blog also tracks web app vulnerabilities.
7) Beware the App Marketplace. “App stores are the greatest hostile malware distribution systems ever invented by man,” quips Schwartau. Those plug-ins and hacks for Angry Birds can contain hostile malware, “and people download them and infect their phones and networks.” Jonathon Giffin, assistant professor associated with the Georgia Tech Information Security Center, cautions against using third-party Android marketplaces where consumers can pay a $9.99 annual subscription to download apps for free. “The user has no way of knowing whether the third party is inserting malicious software into the apps.”
8) Beware the Content Marketplace. Downloading the Super Bowl for free off that sketchy website might seem like a good idea when you’re flying to Shanghai, but what else came onto your smartphone or tablet with that download?
9) Beware the Hacked Phone. Hoog warns that “jailbreaking” or hacking a smartphone to give root access to the device can compromise the security mechanisms managed by the device’s OS. “If you don’t know what you’re doing, you can put yourself at greater risk.”
10) Follow the Rules. If you are using a mobile device for company business, protect yourself by following the company’s standard of conduct for that device. “A lot of this has to do with training and understanding that security is everybody’s business,” said Lawson. “Data loss, or somebody finding your credentials on a lost or stolen device, is ultimately tied to personal behavior.”