Home » Security Bulletin » Two iPhones Walk Into a Bar…
services04

Two iPhones Walk Into a Bar…

Scenario:

Kevin O’Hoolihan is a sales representative for a competitive manufacturer. At an annual trade convention, Kevin is meeting with several industry colleagues and potential customers. Throughout the week he has come into contact with hundreds of new leads and sent out proposals that should net the company hundreds of thousands of dollars in revenue. That evening Kevin is talking with a representative from ACME Logistics about a possible collaboration when he realizes his phone is missing. He can’t remember if he had set it on the table during the evening mixer or left it in the bathroom.

Upstairs, a man also working for “ACME Logistics” has had Kevin’s phone for nearly 20 minutes. Kevin didn’t use a passcode on his phone, so the man was able to set the phone into “Airplane Mode” preventing a sudden remote wipe that could stop him in his tracks. From there he plugs the phone into his laptop and uses a file-browser specially designed for that phone and easily found online. Using this, the man is able to access Kevin’s personal and work contacts, vacation photos, and his personal and company email accounts — email’s containing contact information,pricing and proposals for all of his clients.

In a few minutes, an anonymous stranger will return a “lost” phone to the front desk. It will be returned to Kevin and he will never know how a competitor undercut him on every proposal he sent out as well as adopted their corporate strategy to be more competitive.

What could Kevin have done to prevent this?

Within organizations large and small, mobile devices play a critical role. Clearly, it allows your workforce to be productive and mobile whenever needed. Whether you are using a sophisticated system to manage company-owned devices, like BES 10, or you are using a relaxed bring your own device policy, you need to understand best practices for mobile device management.

Just like your laptops, workstations, and servers, mobile devices are susceptible to attacks and data theft by hackers. But there are ways to mitigate these threats. Here are some best practices that you should incorporate to protect yourself from data loss.

  1. Require authentication. Use a strong password / combination to unlock the device. That way if your phone is stolen (or lost in a bar… twice… c’mon Apple!) you are better protected against data loss. Some phones allow you to remote wipe  the phone if you realize it has been lost or stolen. This may prevent sensitive information falling into the wrong hands. It is strongly recommended that you utilize this!
  2. Update and apply patches to your OS and applications. Mobile devices are just like computers. They need to be updated regularly to remain secure. Would you go six months without installing critical patches and updates on your server? I hope not! Your mobile device should be no different as it is storing, processing, and transmitting sensitive information.
  3. Only allow approved applications on the device. Some applications on both iOS and Android have been designed to steal users’ information. Other applications tracks and posts user data, such as personal information, to social networks. Disable this as well as any geotagging options.
  4. Develop and maintain a strong mobile device policy. Decide if the company will provide the devices for employees. How will you keep track of the devices? How will you update the devices? What will you allow users to do with the device? What steps should an employee take if they have lost their phone? How will you dispose of outdated devices? This should be defined explicitly.
  5. Containerization allows you to virtually separate secure information from non-secure information on a mobile device. This solution allows organizations to eliminate the risk of users compromising company data through negligence. This is a very wise choice if your company employs a BYOD policy.
  6. Disable Bluetooth until you need it. While “Bluejacking” isn’t as common as it used to be, leaving your Bluetooth in “always on” mode may give hackers the footing that they need to compromise a device.
  7. Encrypt your data. Seriously. Do this.

Some organizations are incorporating a BYOD policy, but you need to determine if this is truly a good fit for your enterprise. The BYOD policy conveniently allows employees to utilize their own smartphone for company business. If your company chooses to do this, we strongly recommend utilizing containerization as a best practice. Additionally, be reminded that if an investigation ever arises due to a potential data leakage or an intrusion, forensic investigators will need to seize any devices that may have been involved or compromised for the duration of the investigation. This may include an employee’s personal mobile device if you have incorporated a BYOD policy. How would you handle an entire department’s personal mobile phones being confiscated for several months?

Every organization should choose the policies and procedures that best fit their needs and overall mission. Whether you are a large enterprise managing sensitive data or a small company utilizing a BYOD policy, proper mobile device management increases your security posture against data theft and corporate espionage.

 

About Jon

Jon is an experienced Technical Writer, Ethical Hacker, Privacy & Security Evangelist, and Master of the Margarita. With a equal passion for the Chicago Manual of Style and cyber security, Jon believes that creating security documentation is kind of a fun thing to do. He's also pretty good a "bricking" devices that were working just fine. When he's not buried in security documentation, screaming at his keyboard, sprinting to a Congressional hearing, or debating the Oxford comma way too seriously, he manages this blog from our super-secret Moonbase.