Predator: Chris C. – State Department Information Security Specialist
Subject: Mobile Device Security
TLO: Terminal Learning Objective is the specific message a lesson conveys to the student.
1. Introduction to Mobile Device Security
a. TLO: Familiarize the member with threats that impact intellectual property, security and safety.
b. Laptops, tablets and mobile phones are a business requirement. We rely heavily on these devices for almost every aspect of our day. We store documents and notes, track appointments on calendars, share and save contacts, emails, texts and catalogue thousands of images. We panic when they go missing or when all the sensitive data becomes stolen or compromised. When traveling, you will carry a laptop, tablet and cell phone. Lets face it, they are mandatory tools for business abroad. What steps are you taking to safeguard your mobile devices and their data? There are major risks associated with these devices when traveling, but there are also some simple key steps that you must take to keep your data safe. In this course we will briefly cover the most common mobile device threats, along with some ways to keep your data and devices safe from exploitation encountered during your travels. Why is this so important? Think about all that information that is contained on your laptop, tablet or mobile phone. In adversary’s hands, the information could lead them right to you or it could lead to a security breach within your company. The possible threats fall under the following categories.
i. Technical Threats – Technical threats are vast and most of the time invisible, making it easier to be complacent. Adversaries use cameras to collect passwords typed into keyboards or even at ATM machines. The most common technical threat is hackers trying to access your information.
ii. Physical Theft – Physical theft can happen anytime, at the airport, walking down the street or even in your hotel room. Most of the time, adversaries want the device not the information. “Apple Picking
has become a global epidemic. Thieves are targeting individuals with Apple products due to their expensive price tag and reselling them on the black-market.
iii. Foreign Intelligence – Foreign intelligence agencies want your information, why? Because it can provide them economic gains if the information is proprietary or trade secrets.
2. Personal Device Preparation
a. TLO: Enable Members using Best Practices to Prepare Personal Devices
b. Now that you know the potential impact of your data being compromised let’s look at some simple ways to safeguard your information.
c. The first thing you should do is ensure that you add a secure password. Weather for a laptop, tablet or mobile phone – Have a secure PIN and password to protect important information and also stop someone from using your device without your knowledge. There are some simple guidelines that you can follow.
d. For laptops and tablets, ensure your passwords are 24 or more characters long. Use a variety of characters and avoid dictionary words in any language. Also avoid using personal information such as your name, birthday, driver’s license number, passport number, or similar information. The longer the password the better – this will exponentially increase hacking time to sometimes 20 years.
e. For mobile phones, create a PIN that does not use dates or a sequence of numbers that can be easily guessed. Most mobile devices have a more complex password setting. We recommend you use this to create something longer than the typical 4-digit PIN.
f. Most important, never share your passwords with anyone and remember to change your passwords every 30 to 60 days.
g. Finally think about levels of passwords. Do not use the same password for your email as you do for your banking account. Don’t use the same PIN for all your mobile devices. Create different levels of passwords based on the information you are accessing. The goal is to always make it difficult on adversaries, not easy.
h. These days there are many digital mobile devices that people commonly traveled with. Before you pack your personal mobile devices, it is a good idea to sift through them thoroughly – check each device for personal and company sensitive information. This includes tablets, eReders, USB drives, cameras, GPS devices and anything else that has a USB port or WiFi capable.
i. Remember, if you plan on using another device as a backup make sure to encrypt your data first. Many viruses these days are transmitted via Wi-Fi and or USB port from one device to another. Before you plug anything into your laptop, tablet or phone – make sure that your devices are updated – updates contain patches that mitigate vulnerabilities and prevent virus or hacker attacks. Also many mobile devices have an auto run feature that automatically opens your browser once online – it’s a good idea to turn this off to prevent viruses from auto copying to your tablet.
j. Full disk encryption of your USB drives is a must. This is a very small device that can hold a lot of data. With the popularity of cloud services like Google Drive, Drop Box and Evernote – there is no need to carry USB memory sticks or thumb drives any longer.
k. When traveling overseas with your mobile phone, do not use it for anything that you wouldn’t use your company mobile phone for. In many countries the government owns the cell phone companies. This means everything that leaves your phone, whether it’s a text message, phone call, e-mail and/or web surfing can be seen by a local government. This is important because in some countries, corporate espionage is a sanctioned government mission.
l. In addition to your information being monitored, be aware of technologies used that turns your cell phone into a tracking device. Although this is a difficult tactic, it is something that can be done by anyone, not just local government.
m. Now for a fundamental question – do you really need to take your personal devices on a business trip overseas? Here are some steps to protecting your personal devices prior to traveling abroad.
3. Double Password Protect your Laptop: (Apple/PC option)
a. PC/Windows OS Password Protection Options.
i. Protect your PC with a BIOS password. A BIOS password is a extremely strong password that locks up the hardware and makes the laptop completely unusable. Only logging in with the password can you enter into the operating system.
1. Create a BIOS password. Restart the laptop, and press F2 continuously. Select the security option with the cursor and choose “Set User” password or “Set User Password”, PC dependent.
2. Note: The difference between Set User Password and Set Supervisor Password: User password controls access to the system at boot; supervisor password controls access to the setup utility.
3. Press enter and fill the three blanks with your password.
4. Press enter and pop up Setup Notice, which means that you have reset BIOS Password
5. Press F10 to save it and select yes to exit, your laptop will log on automatically.
b. Apple OS Password Protection Options.
i. Protect your Apple with File Vault
ii. Before enabling FileVault 2, it’s important to make a full backup of your data. While the encryption process is generally simple and reliable, we’re still talking about scrambling your data behind a virtually impenetrable digital wall, and if something goes wrong you’ll be thankful to have a working backup.
iii. Once all of your data is securely backed up, it’s time to start the FileVault process.
iv. First, log in to OS X with an account that has administrative privileges and head to System Preferences > Security & Privacy > FileVault. Click the padlock in the lower left of the window and enter your admin password in order to make changes, and then press Turn On FileVault.
v. That’s it. The process may take a while so do this well ahead of your trip and ensure your laptop is plugged in.
c. Password and PIN Selection
i. As mentioned, create passwords 24 characters or more long. Long passwords increase the hack and brut force time exponentially. It can take a “bot attack” running 500 characters per minute, 20 years to crack a 24 character password.
1. Here is a simple example: $tarBucksKoffeeT@stesGr8!
4. Physical Appearance
i. All your devices are less attractive to thieves if they don’t look attractive. Use phone, tablet and laptop cases/covers that are simple, non-alerting and boring. This will hide the true make and model of the devices you carry. When not in use, put them away, in a backpack, messenger bag or briefcase.
e. Sanitization – Remove anything you deem sensitive. Think about documents, presentations, contacts, emails, photos and texts. Back up this information to paper, yes paper, for your travel and delete it off devices.
f. Ensure devices are charged 100% – Immigration may need to ensure devices power on – if the battery is dead, this maybe grounds for confiscation by customs/immigration in some countries. And not to mention, a great excuse to take your data.
MORE TO FOLLOW!