Incorporating Mobile Devices into Enterprise Security

People use the term consumerization of IT when discussing the effects of user-owned and managed devices being increasingly used within an enterprise environment. Approaches to enterprise information security haven’t yet caught up to this trend. The urgency with which we need to account for consumerization is particularly great with respect to modern mobile devices—powerful handheld gadgets such as smartphones and tablets.

Mobile Device Forensics

The majority of tools and techniques for mobile device forensics presently focus on examining the device belonging to a suspected criminal to recover evidence. Another scenario, which is currently not being addressed, is how to examine a mobile device that was infected while being used by a non-malicious employee. With the increased popularity of mobile devices, it won’t be long until an infected mobile device provides the attacker a gateway to the user’s enterprise network.

Eric Huber highlighted this trend in his must-read article on the topic of forensics in the era of mobile devices, where he noted:

“The incident response and penetration testing world will need to rapidly adjust to the mobile device era given how the criminal element will be increasingly targeting these devices.”

Adjusting the Security Architecture

Enterprises are coming to terms with the idea of employees connecting to the corporate network over a VPN from personal laptops and home workstations. However, most organizations haven’t looked at the effect that the proliferation of powerful mobile devices has on the enterprise security architecture.

Mobile devices sometimes have VPN-like access to the corporate network and in most cases have access to the company’s email contents, calendar and address book. The devices are as powerful as laptops were just a few years ago. Yet, their operating system’s security has not benefited from the test of time, and lacks most of the security controls we’d expect to find in a “legacy” workstation OS.

We need to understand how to model the threat vectors related to mobile devices and how to adjust the security of the enterprise architecture accordingly. The measures will probably involve:

  • Greater segmentation of the company’s network
  • Treating any device that users interact with, whether it’s a desktop or a mobile phone, as an untrusted node
  • Standards and tools to lock down the configuration of mobile devices
  • Practices and technologies for managing vulnerabilities in applications and the OS of mobile devices
  • Incident response plans that incorporate not only “legacy” IT infrastructure assets but also mobile devices

About the Author

Lenny Zeltser is a business and tech leader with extensive experience in information technology and security. His areas of expertise include incident response, cloud services and product management. Lenny focuses on safeguarding customers' IT operations at NCR Corporation. He also teaches digital forensics and anti-malware courses at SANS Institute. Lenny frequently speaks at conferences, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.
