Securing Endpoint Device Communication

Based on the risks, threats, and vulnerabilities discussed earlier, this section covers some best practices for securing mobile endpoint devices using technological and physical controls. Many of these security measures are based on components common to most cellular endpoint devices and carriers. If an endpoint device has more features than those mentioned in this chapter, then more comprehensive controls may be necessary. Check with the endpoint manufacturer for the features available for the specific device and any additional recommended security features.

Technological Security of Devices

Because different types of controls can help secure devices and communications, this section is divided into two parts: Applications and Systems, and Physical Security of Devices.

Applications and Systems

The policies, procedures, and actions that can be applied to secure endpoint devices and the communication between them include the following:

  • Ensure the browser supports SSL/TLS for entering or transmitting sensitive information to/from a website.

  • Ensure an antivirus client is installed and configured to automatically scan all incoming files.

  • Ensure anti-malware/anti-spyware capabilities are installed and configured to monitor as many communication methods as they are capable of integrating with.

  • Install a personal firewall or similar packet-filtering measure on the endpoint device to protect against unsolicited inbound connections or communications, for example, DoS attacks, incoming probes/scans of services, and so on.

  • Use services or software that provides encrypted transmissions:

    • Voice—Most cellular voice services are now encrypted. If VoIP or voice-over-data applications are in use, verify that they encrypt their transmissions.

    • Internet browsing—When logging onto or viewing sensitive information on websites, be sure the site is enabled for SSL/TLS or HTTPS. Look for the “lock” icon (see Figure 13-5) at the left end of the browser’s address bar and check that the URL starts with “https.”

    • Email—Install message or file encryption software on the device for sending sensitive information in an email. Freeware encryption software is available for most email clients.

    • Messaging/chat—Use messaging services or programs that offer encrypted, or “private,” connections to recipients.

    • SMS texting/MMS—On a smartphone, install and use an SMS/MMS application with encrypted messaging.

A screenshot shows a lock icon on the left followed by the address https://www.ascendlearning.com.

FIGURE 13-5 The “lock” icon on a browser’s address bar.
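The lock icon means that the client completed a TLS handshake in which the server's certificate chain and hostname were verified. The following Python sketch is an added example, not part of the original text, that performs the same check for a URL; the function names and the example.com sample URLs are constructed for illustration.

```python
import socket
import ssl
from typing import Optional
from urllib.parse import urlsplit


def strict_context() -> ssl.SSLContext:
    """TLS client settings that verify the certificate chain and hostname."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0, TLS 1.1
    return ctx


def transport_issue(url: str) -> Optional[str]:
    """Return why a URL must not carry sensitive data, or None if it is HTTPS."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return f"not HTTPS (scheme {parts.scheme!r})"
    if not parts.hostname:
        return "no hostname to verify the certificate against"
    return None


def inspect_site(url: str, timeout: float = 5.0) -> dict:
    """Do the verified handshake that the lock icon stands for (needs network)."""
    issue = transport_issue(url)
    if issue:
        return {"url": url, "ok": False, "reason": issue}
    parts = urlsplit(url.strip())
    try:
        with socket.create_connection((parts.hostname, parts.port or 443), timeout) as sock:
            with strict_context().wrap_socket(sock, server_hostname=parts.hostname) as tls:
                return {"url": url, "ok": True, "protocol": tls.version(),
                        "cipher": tls.cipher()[0]}
    except (ssl.SSLError, OSError) as exc:  # bad certificate, old protocol, unreachable
        return {"url": url, "ok": False, "reason": str(exc)}


if __name__ == "__main__":
    # Constructed sample URLs; only the offline scheme check is run here.
    for sample in ("https://www.example.com/login", "http://www.example.com/login",
                   "ftp://files.example.com/report.pdf"):
        print(sample, "->", transport_issue(sample) or "HTTPS, ready for inspect_site()")
```

A URL that passes `transport_issue` has only the right scheme; `inspect_site` is what confirms that the certificate is valid for that hostname and that a current TLS version was negotiated.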

For these practices to provide the desired level of security, your own actions must also be secure. You should not respond to communications that are unfamiliar or unsolicited. Phishing attacks and spam or unsolicited email messages are often used to lure users to malicious websites or to get them to disclose sensitive information. You should also be cautious about sending email, SMS, and MMS to multiple recipients. Sending “bulk” messages increases the likelihood of error, such as sending the message to the wrong person.

Physical Security of Devices

Another area of risk with mobile communication devices is physical security. Due to the variety and functions of mobile devices and their capability to be used in virtually any place, the risk of misplacing the device or having it stolen continues to rise. Fortunately, there are solutions and practices to reduce these risks and protect a device’s stored data in the event it is stolen or lost. Here are just a few ways to protect your device:

  • Lock the device—Enable and use the device’s password/PIN or pattern-match locking feature. Many mobile devices support longer, more complex passwords and some are equipped with fingerprint biometric readers.

  • Encrypt the device—Mobile devices commonly provide a feature that allows for whole-drive or whole-device encryption, which is a good way to thwart access to its storage in the event the device is stolen or lost.

  • Remotely erase or reset the device—A variety of cloud-based or online services can be used to remotely erase the data stored on a lost or stolen mobile device, and some will completely erase everything stored on a device. While this will keep whoever found or stole the device from accessing your data, you may not be able to recover what is erased.

  • Inventory and back up the device—If a device is lost or stolen, it is important to have the serial number, make and model, and other information available. Recovering the device will obviously depend heavily upon such information. Backing up a device makes it possible to regain the data and provides copies of important data.
