Mobile devices used by employees for business without IT oversight can expose employers to unacceptable risk. From sloppy configuration to dangerous connections, many unmanaged devices -- and the business assets they contain -- are ripe for attack. In this section, we explain how to reassert IT control with mobile device security by automatically discovering and provisioning those mobile laptops, PDAs and smartphones.
Preventing attacks with mobile device security
In years past, mobile devices touched corporate networks through a relatively small number of interfaces. Laptops gained entry through a handful of VPN concentrators, while PDAs synchronized with individual desktops. But today, high-speed wireless has turned those tightly defined network perimeters into hard-to-manage Swiss cheese. Most mobile devices now have multiple connections -- Ethernet and Wi-Fi are standard on laptops, Bluetooth and 3G are standard on smartphones, and some mobile devices have all four. Corporate network entry points have also grown more diverse, with off-site users arriving through a variety of application portals and on-site users connecting via Wi-Fi access points and Bluetooth-enabled desktops.
The bad news: Each of these network connections and entry points represents a potential vector for attack. The good news: Those points also represent opportunities to detect unmanaged or non-compliant mobile devices, giving you a chance to assert IT control.
Detecting mobile devices
Company-purchased laptops and handhelds can be registered at time of issue, but employee-purchased devices can fly under the radar until they visit your office or try to connect to a corporate resource. Establishing a complete mobile inventory over which you have control therefore requires device discovery.
Mobile devices come and go. A given device may connect through multiple entry points throughout the day, while a single person may use multiple devices simultaneously. To discover all of those devices, you cannot simply rely upon conventional wired network tools. Instead, you must complement your existing network port scanners and LAN managers with new wireless scanners, endpoint security managers and remote access platforms, and/or mobile device managers.
Wireless scanners can detect on-site devices with active Bluetooth or Wi-Fi interfaces even before they try to connect to corporate resources. Bluetooth scanners use Discovery protocols to find nearby devices that advertise supported Bluetooth services. Wi-Fi "stumblers" use 802.11 beacons and/or probes to find Access Points and Ad Hoc (peer-to-peer) nodes. But those periodic scans will overlook the vast majority of mobile devices that are not on site full-time. Instead, a more effective way to discover transient Wi-Fi clients is to use a full-time Wireless Intrusion Prevention System (WIPS). Alternatively, your WLAN switch may provide continuous "rogue detection" that can alert you to the presence of not just unknown APs but also unknown Wi-Fi clients.
Endpoint security managers can try to detect hosts connected to a corporate network, as a precursor to performing a security assessment or configuring endpoint security measures. These systems may help detect mobile devices in several ways. First, a mobile laptop directly connected to a corporate (wired or wireless) LAN can be discovered in the usual manner. Second, some endpoint assessment programs can scan a desktop's registry, processes and ports for telltale signs of mobile device use, such as active synchronization and email redirection programs. Third, some endpoint security managers interact with endpoint agent programs that continuously watch for unauthorized activity, perhaps intercepting mobile/desktop synchronization and acting as a conduit for registration and provisioning.
Remote access gateways and application portals can detect off-site mobile devices that use corporate mail and other business applications, even if those devices never visit the office. For example, VPN gateways can be configured to provide access to known/registered users only. To discover unknown mobile devices, however, they must also be able to differentiate between an authenticated person using a registered device and that same person accessing the network from any other device. Consider these needs when choosing remote-access authentication methods, and look for opportunities to leverage proprietary gateway/portal endpoint assessment features and emerging network access control (NAC) capabilities.
Mobile device managers distribute software and configurations to registered laptops, PDAs and/or smartphones. An MDM's primary role is asserting IT control over devices already in the inventory, but some MDMs can also help you discover unknown mobile devices and then kick off automated registration and provisioning processes.
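The discovery idea running through the wireless-scanner and remote-access paragraphs above (spot a device at an entry point, then check whether the inventory knows it and who it belongs to) can be shown in code. The following is an added example, not code from the original article or from any WLAN or VPN product: it reconciles constructed WLAN-controller association records and VPN session records against a constructed registered-device inventory. The log formats, identifiers, user names and addresses are all assumptions made up for the example.

```python
"""Discover unmanaged mobile devices from network entry-point records.

Added example (not code from the original article). Constructed WLAN
controller association records and VPN session records are reconciled
against a registered-device inventory; every device the inventory does
not know, or knows under a different owner, becomes a discovery finding.
"""
import re
from dataclasses import dataclass

# Constructed inventory of registered devices. On-site Wi-Fi clients are
# keyed by MAC address, off-site VPN clients by the device identifier the
# VPN client presents. All values are made up for this example.
REGISTERED = {
    "mac": {"00:1a:2b:3c:4d:01": "alice", "00:1a:2b:3c:4d:02": "bob"},
    "device_id": {"LAPTOP-ALICE-01": "alice", "PHONE-BOB-07": "bob"},
}

# Constructed log samples in two hypothetical formats (no real product's
# syntax). Users are assumed to be known from 802.1X / VPN authentication.
WLAN_LOG = """\
2010-02-10T08:01:12 assoc ap=HQ-3F-AP2 ssid=CORP client=00:1a:2b:3c:4d:01 user=alice
2010-02-10T08:03:45 assoc ap=HQ-3F-AP2 ssid=CORP client=a4:b1:c2:d3:e4:f5 user=alice
2010-02-10T09:15:02 assoc ap=HQ-1F-AP1 ssid=CORP client=00:1a:2b:3c:4d:02 user=bob
"""
VPN_LOG = """\
2010-02-10T07:55:30 vpn session-start user=bob device=PHONE-BOB-07 src=198.51.100.23
2010-02-10T12:40:11 vpn session-start user=carol device=TABLET-9F3 src=203.0.113.8
2010-02-10T13:02:54 vpn session-start user=alice device=LAPTOP-ALICE-01 src=198.51.100.77
2010-02-10T14:10:00 vpn session-start user=bob device=LAPTOP-ALICE-01 src=198.51.100.90
"""

WLAN_RE = re.compile(
    r"^(?P<ts>\S+) assoc ap=(?P<ap>\S+) ssid=\S+ "
    r"client=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) user=(?P<user>\S+)$"
)
VPN_RE = re.compile(
    r"^(?P<ts>\S+) vpn session-start user=(?P<user>\S+) "
    r"device=(?P<dev>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Sighting:
    """One observation of a device at an entry point."""
    identifier: str   # MAC address or VPN device id
    kind: str         # "mac" or "device_id": which inventory table to consult
    user: str         # authenticated user at the time
    entry_point: str  # access point name or VPN source address
    timestamp: str


def parse_wlan(text: str) -> list:
    """Turn WLAN association lines into Sightings; non-matching lines are skipped."""
    out = []
    for line in text.splitlines():
        m = WLAN_RE.match(line)
        if m:
            out.append(Sighting(m["mac"].lower(), "mac", m["user"], m["ap"], m["ts"]))
    return out


def parse_vpn(text: str) -> list:
    """Turn VPN session-start lines into Sightings; non-matching lines are skipped."""
    out = []
    for line in text.splitlines():
        m = VPN_RE.match(line)
        if m:
            out.append(Sighting(m["dev"], "device_id", m["user"], m["src"], m["ts"]))
    return out


def find_unmanaged(sightings, registered=REGISTERED):
    """Return (sighting, reason) pairs for devices the inventory does not vouch for.

    Two cases are reported: the device is not registered at all, or it is
    registered to someone other than the authenticated user. The second case
    is what lets a gateway tell "known person on a registered device" apart
    from the same person arriving on any other device.
    """
    findings = []
    for s in sightings:
        owner = registered[s.kind].get(s.identifier)
        if owner is None:
            findings.append((s, "unregistered"))
        elif owner != s.user:
            findings.append((s, f"registered to {owner}, used by {s.user}"))
    return findings


def findings_by_user(findings):
    """Group flagged device identifiers by user, ready to queue for enrollment review."""
    by_user = {}
    for s, _reason in findings:
        by_user.setdefault(s.user, set()).add(s.identifier)
    return {u: sorted(ids) for u, ids in by_user.items()}


if __name__ == "__main__":
    found = find_unmanaged(parse_wlan(WLAN_LOG) + parse_vpn(VPN_LOG))
    for s, reason in found:
        print(f"{s.timestamp} {s.user:6} {s.identifier:18} via {s.entry_point}: {reason}")
    print(findings_by_user(found))
```

Run as a script it lists three findings: an unregistered Wi-Fi client on alice's account, a VPN session from a device nobody registered, and a registered laptop used under someone else's account. In practice the `REGISTERED` tables would come from the asset register or MDM, and the parsers would be replaced by whatever export or syslog format the WLAN controller and VPN gateway actually produce.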
Bringing mobile devices into the fold
By documenting all discovered devices, you can assess the size and scope of the problem without disrupting business activities. Once you have a good handle on the risk posed by unmanaged mobile devices, you can take appropriate action.
You may decide to ban business use of unmanaged mobiles by blocking corporate resource access and instituting a manual process for administrator-provisioning of approved devices. Or you could explicitly permit them, using automated self-enrollment to register and provision newly discovered mobile devices. Small businesses may find manual provisioning workable, but those with large distributed workforces will save time and money by investing in mobile device management.
MDMs provide a centralized method of tracking and controlling mobile devices. Templates are often used to define the hardware, software and configurations that apply to each workgroup or device type. When a device is first discovered, it can be provisioned with the appropriate software and configurations. When patches are issued or security policies are revised, the same mechanism can be used to apply those changes. For wireless mobile devices, secure over-the-air management is clearly desirable.
Of course, asserting IT control over mobile devices is an ongoing task. Over time, even correctly provisioned devices may be reconfigured or become corrupted. Some MDMs can audit mobile devices to detect those unexpected changes. They may even enforce policies by restoring devices to an earlier backup or freshly provisioned state.
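The template-then-audit cycle described in the last two paragraphs can be expressed as a small compliance check. What follows is an added example, not code from the article and not any MDM product's API: a constructed workgroup template is compared with a device's reported state, and the resulting drift findings are mapped to an action. The template contents, the report format, the app and setting names and the action policy in `decide_action` are all assumptions for the example.

```python
"""Audit provisioned mobile devices against their workgroup template.

Added example; not the article's code and not any MDM product's API.
Templates and the device's reported state are constructed dicts. In a
real deployment the report would come from the device over the air.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'4.2.1' -> (4, 2, 1), so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in text.split("."))


# Constructed template for one workgroup / device type. Setting rules are
# ("eq", value) for an exact requirement or ("min", n) for a numeric floor.
TEMPLATES = {
    "sales-smartphone": {
        "min_os": "4.2",
        "required_apps": {"corp-mail": "2.1.0", "vpn-client": "5.0.3"},
        "settings": {
            "device_encryption": ("eq", "on"),
            "passcode_min_length": ("min", 6),
            "bluetooth_discoverable": ("eq", "off"),
        },
    },
}


def audit(report: Dict, template: Dict) -> List[str]:
    """Compare a device's reported state with its template; return drift findings."""
    findings = []
    if parse_version(report["os_version"]) < parse_version(template["min_os"]):
        findings.append(f"os {report['os_version']} below minimum {template['min_os']}")
    for app, min_ver in template["required_apps"].items():
        have = report["apps"].get(app)
        if have is None:
            findings.append(f"missing app {app}")
        elif parse_version(have) < parse_version(min_ver):
            findings.append(f"{app} {have} below required {min_ver}")
    for key, (rule, want) in template["settings"].items():
        got = report["settings"].get(key)
        if rule == "eq" and got != want:
            findings.append(f"setting {key}={got!r}, expected {want!r}")
        elif rule == "min" and (got is None or got < want):
            findings.append(f"setting {key}={got!r}, minimum {want}")
    return findings


def decide_action(findings: List[str]) -> str:
    """Assumed policy (not from the article): software or OS gaps trigger a fresh
    provisioning run; settings drift alone means pushing the template settings back."""
    if not findings:
        return "compliant"
    if any(f.startswith(("missing app", "os ")) or "below required" in f for f in findings):
        return "reprovision"
    return "restore-settings"


# Constructed device reports: one compliant, one that has drifted since enrollment.
COMPLIANT = {
    "os_version": "4.3",
    "apps": {"corp-mail": "2.1.0", "vpn-client": "5.1.0"},
    "settings": {"device_encryption": "on", "passcode_min_length": 8,
                 "bluetooth_discoverable": "off"},
}
DRIFTED = {
    "os_version": "4.3",
    "apps": {"corp-mail": "2.0.4"},
    "settings": {"device_encryption": "on", "passcode_min_length": 4,
                 "bluetooth_discoverable": "on"},
}

if __name__ == "__main__":
    for name, rep in (("compliant", COMPLIANT), ("drifted", DRIFTED)):
        f = audit(rep, TEMPLATES["sales-smartphone"])
        print(name, "->", decide_action(f), f)
```

The drifted report produces four findings (an outdated mail client, a missing VPN client, a short passcode and discoverable Bluetooth) and is scheduled for reprovisioning; a report whose only deviation is a settings change is instead marked for a settings push. Versions are compared as integer tuples so that "4.10" correctly ranks above "4.9", a mistake that string comparison would make.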
Read this SearchMobileComputing.com article to learn more about mobile device management and key capabilities. Whether you invest in an MDM or configure a small pool of devices one by one, asserting IT control over those unmanaged laptops, PDAs and smartphones can help your company avoid making headlines the hard way.
This was first published in February 2010