Touchette
It’s that time of year when many organisations struggle to cope with workforces massively diminished. However, while many are relaxing away from the office, does that mean that the organisation’s security defences are also taking a break?
Our recent survey, conducted by OnePoll amongst 1,000 employed adults, found that 41% of respondents confirmed they’d be taking their phone with them when on holiday. Given the technology age we live in that might seem fairly normal, but there is the risk that phones left hidden under a towel on the beach or unsupervised beside a sun lounger are vulnerable to theft.
Here are a few simple things to keep in mind while you’re relaxing this summer:
Lock It and Block It
The first rule for safe mobile device usage is security on the device itself. However, according to our survey, only half of the people spoken to said they had any security installed on their phones, meaning many are at risk of losing more than the device itself – whether at home or abroad.
The functionality of phones today means they are likely to contain personal information (such as stored logins to banking or social media sites) and could expose the user were the device to fall into malicious hands. To minimise this threat, something as simple as activating a password means this sensitive information is afforded at least some protection.
However, while a password will thwart the opportunistic thief, against a more motivated criminal with a degree of technical expertise a stronger defence is needed. If your device contains confidential business material (and that was 12% of our respondents), or you/the organisation are serious about privacy, additional security must be deployed.
Encryption software on the device will help protect data in the event that the device becomes lost or stolen. In addition, the ability to remote wipe and brick the device completely is a very effective way to ensure sensitive information stays private.
Travelling Mobiles
When first available, every phone essentially had its own operating system. This meant it was usually a less than fruitful endeavour for malware authors to bother targeting any one of them. However, that has all changed. With two major mobile operating systems, iOS and Android, leading the way in the smartphone market, mobile devices have become a much more profitable, and therefore appealing, target.
A simple rule of thumb everyone should heed is safe browsing habits regardless of network or device. As we’ve learnt with PCs and the web, the same dangers (i.e. black hat SEO poisoning, social media, email and SMS) can also exploit a mobile device. If you wouldn’t do it on a PC, don’t do it on a mobile.
Safe Gaming
The reason most of us love our devices is the apps we can ‘play’ with. While launching a favourite app or trying out some new games may keep us, and even the kids, entertained, it isn’t without risks. As we’ve said, criminals now spend time and money developing apps with a hidden payload. Always make sure apps are purchased from a reputable store, although this isn’t foolproof, and be aware of the permissions requested during the install. In any case, it’s best practice to read the reviews to research what others say about any program, before downloading and launching.
Trust No-One
SMS and voicemail are also common vectors of attack for phishing scams today. If you receive a message that you’re not expecting, especially if it’s too good to be true, chances are it is. If the message claims to be from the bank, for example, rather than respond in the manner the message asks, instead directly contact the organisation or individual and verify that the request is genuine. Better still, simply delete suspicious messages, as responding can often end up in text charges or possibly even more.
When sending an email, think of it as sending a postcard – everyone and anyone can read it. If the text shouldn’t be exposed to unauthorised eyes then standard email is perhaps not the best method to send the information. Instead, either use an encryption solution or bite the bullet and call the information through.
Think Before you Link
To put Wi-Fi in perspective, and explain why it is so dangerous, every session utilises radio waves to communicate and is accessible to anyone.
Free Wi-Fi tempts holidaymakers to quickly pull out the device and check everything is ticking over nicely in the corporate world, but convenience doesn’t always equate to security. We’d recommend establishing a VPN connection before utilising free Wi-Fi. This creates a secure SSL tunnel helping to secure the session and keep corporate network resources safe.
But remember that, even when using a secure connection, you should always log out of sensitive sites completely. While it might seem a bit of media hype, the truth is an attacker can hijack an open session. In addition, don’t rely on sites performing automatic log-outs, either on closing the browser or after inactivity. Even those few moments present an exploitable opportunity to an attacker. It’s also safer to close down other, non-related, Web browser tabs.
If set up properly, private Wi-Fi connections can be a viable remedy to surfing Wi-Fi spots. At the very least, WPA2 encryption should be used. Additional security measures that can be put into place include MAC address filtering (though this can be a bit advanced and can lead to device lockout if not done correctly). Users certainly can’t count on encryption being provided when using a public network.
When you’re planning your summer break this year, be it two weeks in an exotic location or a weekend in Blackpool, if you’re taking a device don’t forget to pack it with security.
Fred Touchette joined AppRiver in February 2007 as a Senior Security Analyst. Touchette is primarily responsible for evaluating security controls and identifying potential risks. He provides advice, research support, project management services, and information security expertise to assist in designing security solutions for new and existing applications. During his tenure at AppRiver, Touchette has been instrumental in assessing critical IT threats and implementing safeguard strategies and recommendations.
Touchette holds many technical certifications, including CCNA, CompTIA Security+, GPEN – GIAC Network Penetration Tester and GREM – GIAC Reverse Engineering Malware through the SANS initiative. He is highly regarded as an expert on email and Internet-based cyber threats, and has been referenced in several top technology publications including USA Today, Forbes.com, Dark Reading and more.