Cyber Security Primer VIII
MOBILE DEVICES
Protecting Portable Devices: Physical Security
What is at risk?
Only you can determine what is actually at risk. If a thief
steals your laptop or PDA, the most obvious loss is the machine itself.
However, if the thief is able to access the information on the computer or PDA,
all of the information stored on the device is at risk, as well as any
additional information that could be accessed as a result of the data stored on
the device itself.
Sensitive corporate information or customer account
information should not be accessed by unauthorized people. You've probably heard
news stories about organizations panicking because laptops with confidential
information on them have been lost or stolen. But even if there isn't any
sensitive corporate information on your laptop or PDA, think of the other
information at risk: information about appointments, passwords, email addresses
and other contact information, personal information for online accounts, etc.
How can you protect your laptop or PDA?
• Password-protect your computer - Make sure that you have to
enter a password to log in to your computer or PDA.
• Keep your laptop or PDA with you at all times - When traveling,
keep your laptop with you. Meal times are optimum times for thieves to check
hotel rooms for unattended laptops. If you are attending a conference or trade
show, be especially wary—these venues offer thieves a wider selection of
devices that are likely to contain sensitive information, and the conference
sessions offer more opportunities for thieves to access guest rooms.
• Downplay your laptop or PDA - There is no need to advertise to
thieves that you have a laptop or PDA. Avoid using your portable device in
public areas, and consider non-traditional bags for carrying your laptop.
• Be aware of your surroundings - If you do use your laptop or PDA
in a public area, pay attention to people around you. Take precautions to
shield yourself from "shoulder surfers"—make sure that no one can see
you type your passwords or see any sensitive information on your screen.
• Consider an alarm or lock - Many companies sell alarms or locks
that you can use to protect or secure your laptop. If you travel often or will
be in a heavily populated area, you may want to consider investing in an alarm
for your laptop bag or a lock to secure your laptop to a piece of furniture.
• Back up your files - If your portable device is stolen, it's bad
enough that someone else may be able to access your information. To avoid
losing all of the information, make backups of important information and store
the backups in a separate location. Not only will you still be able to access
the information, but you'll be able to identify and report exactly what
information is at risk.
What can you do if your laptop or PDA is lost or stolen?
Report the loss or theft to the appropriate authorities.
These parties may include representatives from law enforcement agencies, as
well as hotel or conference staff. If your device contained sensitive corporate
or customer account information, immediately report the loss or theft to your
organization so that they can act quickly.
Protecting Portable Devices: Data Security
Why do you need another layer of protection?
Although there are ways to physically protect your laptop,
PDA, or other portable device, there is no guarantee that it won't be stolen.
After all, as the name suggests, portable devices are designed to be easily
transported. The theft itself is, at the very least, frustrating, inconvenient,
and unnerving, but the exposure of information on the device could have serious
consequences. Also, remember that any devices that are connected to the
internet, especially if it is a wireless connection, are also susceptible to
network attacks.
What can you do?
• Use passwords correctly - In the process of getting to the
information on your portable device, you probably encounter multiple prompts
for passwords. Take advantage of this security. Don't choose options that allow
your computer to remember passwords, don't choose passwords that thieves could
easily guess, use different passwords for different programs, and take advantage
of additional authentication methods.
• Consider storing important data separately - There are many
forms of storage media, including CDs, DVDs, and removable flash drives (also
known as USB drives or thumb drives). By saving your data on removable media
and keeping it in a different location (e.g., in your suitcase instead of your
laptop bag), you can protect your data even if your laptop is stolen. You
should make sure to secure the location where you keep your data to prevent
easy access. It may be helpful to carry storage media with other valuables that
you keep with you at all times and that you naturally protect, such as a wallet
or keys.
• Encrypt files - By encrypting files, you ensure that
unauthorized people can't view data even if they can physically access it. You
may also want to consider options for full disk encryption, which prevents a
thief from even starting your laptop without a passphrase. When you use
encryption, it is important to remember your passwords and passphrases; if you
forget or lose them, you may lose your data.
• Install and maintain anti-virus software - Protect laptops and
PDAs from viruses the same way you protect your desktop computer. Make sure to
keep your virus definitions up to date. If your anti-virus software doesn't
include anti-spyware software, consider installing separate software to protect
against that threat.
• Install and maintain a firewall - While always important for
restricting traffic coming into and leaving your computer, firewalls are
especially important if you are traveling and using different networks.
Firewalls can help prevent outsiders from gaining unwanted access.
• Back up your data - Make sure to back up any data you have on
your computer onto a CD-ROM, DVD-ROM, or network. Not only will this ensure
that you will still have access to the information if your device is stolen,
but it could help you identify exactly which information a thief may be able to
access. You may be able to take measures to reduce the amount of damage that
exposure could cause.
Using Caution with USB Drives
What security risks are associated with USB drives?
Because USB drives, sometimes known as thumb drives, are
small, readily available, inexpensive, and extremely portable, they are popular
for storing and transporting files from one computer to another. However, these
same characteristics make them appealing to attackers.
One option is for attackers to use your USB drive to infect
other computers. An attacker might infect a computer with malicious code, or malware,
that can detect when a USB drive is plugged into a computer. The malware then
downloads malicious code onto the drive. When the USB drive is plugged into
another computer, the malware infects that computer.
Some attackers have also targeted electronic devices
directly, infecting items such as electronic picture frames and USB drives
during production. When users buy the infected products and plug them into
their computers, malware is installed on their computers.
Attackers may also use their USB drives to steal
information directly from a computer. If an attacker can physically access a
computer, he or she can download sensitive information directly onto a USB
drive. Even computers that have been turned off may be vulnerable, because a
computer's memory is still active for several minutes without power. If an
attacker can plug a USB drive into the computer during that time, he or she can
quickly reboot the system from the USB drive and copy the computer's memory,
including passwords, encryption keys, and other sensitive data, onto the drive.
Victims may not even realize that their computers were attacked.
The most obvious security risk for USB drives, though, is
that they are easily lost or stolen. If the data was not backed up, the loss of
a USB drive can mean hours of lost work and the potential that the information
cannot be replicated. And if the information on the drive is not encrypted,
anyone who has the USB drive can access all of the data on it.
How can you protect your data?
There are steps you can take to protect the data on your
USB drive and on any computer that you might plug the drive into:
• Take advantage of security features - Use passwords and
encryption on your USB drive to protect your data, and make sure that you have
the information backed up in case your drive is lost.
• Keep personal and business USB drives separate - Do not use
personal USB drives on computers owned by your organization, and do not plug
USB drives containing corporate information into your personal computer.
• Use and maintain security software, and keep all software up to
date - Use a firewall, anti-virus software, and anti-spyware software to make
your computer less vulnerable to attacks, and make sure to keep the virus
definitions current. Also, keep the software on your computer up to date by
applying any necessary patches.
• Do not plug an unknown USB drive into your computer - If you
find a USB drive, give it to the appropriate authorities (a location's security
personnel, your organization's IT department, etc.). Do not plug it into your
computer to view the contents or to try to identify the owner.
Securing Wireless Networks
How do wireless networks work?
As the name suggests, wireless networks, sometimes called
WiFi, allow you to connect to the internet without relying on wires. If your
home, office, airport, or even local coffee shop has a wireless connection, you
can access the network from anywhere that is within that wireless area.
Wireless networks rely on radio waves rather than wires to
connect computers to the internet. A transmitter, known as a wireless access
point or gateway, is wired into an internet connection. This provides a
"hotspot" that transmits the connectivity over radio waves. Hotspots
have identifying information, including an item called an SSID (service set
identifier), that allows computers to locate them. Computers that have a
wireless card and have permission to access the wireless frequency can take
advantage of the network connection. Some computers may automatically identify
open wireless networks in a given area, while others may require that you
locate and manually enter information such as the SSID.
What security threats are associated with wireless networks?
Because wireless networks do not require a wire between a
computer and the internet connection, it is possible for attackers who are
within range to hijack or intercept an unprotected connection. A practice known
as war driving involves individuals equipped with a computer, a wireless card,
and a GPS device driving through areas in search of wireless networks and
identifying the specific coordinates of a network location. This information is
then usually posted online. Some individuals who participate in or take
advantage of war driving have malicious intent and could use this information
to hijack your home wireless network or intercept the connection between your
computer and a particular hotspot.
What can you do to minimize the risks to your wireless network?
• Change default passwords - Most network devices, including
wireless access points, are pre-configured with default administrator passwords
to simplify setup. These default passwords are easily found online, so they
don't provide any protection. Changing default passwords makes it harder for
attackers to take control of the device.
• Restrict access - Only allow authorized users to access your
network. Each piece of hardware connected to a network has a MAC (media access
control) address. You can restrict or allow access to your network by filtering
MAC addresses. Consult your user documentation to get specific information
about enabling these features. There are also several technologies available
that require wireless users to authenticate before accessing the network.
• Encrypt the data on your network - WEP (Wired Equivalent
Privacy) and WPA (Wi-Fi Protected Access) both encrypt information on wireless
devices. However, WEP has a number of security issues that make it less
effective than WPA, so you should specifically look for gear that supports
encryption via WPA. Encrypting the data would prevent anyone who might be able
to access your network from viewing your data.
• Protect your SSID - To avoid outsiders easily accessing your
network, avoid publicizing your SSID. Consult your user documentation to see if
you can change the default SSID to make it more difficult to guess.
• Install a firewall - While it is a good security practice to
install a firewall on your network, you should also install a firewall directly
on your wireless devices (a host-based firewall). Attackers who can directly
tap into your wireless network may be able to circumvent your network
firewall—a host-based firewall will add a layer of protection to the data on
your computer.
• Maintain anti-virus software - You can reduce the damage
attackers may be able to inflict on your network and wireless computer by
installing anti-virus software and keeping your virus definitions up to date.
Many of these programs also have additional features that may protect against
or detect spyware and Trojan horses.
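The checklist above expressed as an automated check, as an added example that is not part of the original primer: it audits an access point configuration for WEP or missing encryption, a default SSID, SSID broadcast, and a missing MAC allow-list. It assumes the configuration is written in hostapd.conf syntax (the primer names no product); the sample configurations and the DEFAULT_SSIDS list are constructed for illustration.

```python
# Added example: option names are hostapd.conf keys; the sample configs and
# the DEFAULT_SSIDS list are constructed for illustration.
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default"}

WEAK_CONF = """\
# constructed sample: factory-style setup
ssid=linksys
wep_default_key=0
wep_key0=1234567890
ignore_broadcast_ssid=0
macaddr_acl=0
"""

HARDENED_CONF = """\
# constructed sample: after applying the checklist
ssid=harbor-7f2c
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=REPLACE-WITH-A-LONG-RANDOM-PASSPHRASE
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd/accept
"""


def parse_conf(text):
    """Return {key: value} from 'key=value' lines, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def audit(text):
    """Return a sorted list of finding codes for one access point config."""
    conf = parse_conf(text)
    findings = []
    uses_wep = any(key.startswith("wep_key") for key in conf)
    # hostapd's `wpa` option is a bitfield; 0 or absent means WPA is off.
    if int(conf.get("wpa", "0")) == 0:
        findings.append("WEP_ENCRYPTION" if uses_wep else "NO_ENCRYPTION")
    if conf.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("DEFAULT_SSID")
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("SSID_BROADCAST")
    # macaddr_acl=0 accepts any station that is not on a deny list.
    acl = conf.get("macaddr_acl", "0")
    if acl == "0" or (acl == "1" and "accept_mac_file" not in conf):
        findings.append("NO_MAC_ALLOW_LIST")
    return sorted(findings)


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(text) or "no findings")
```

The administrator password from the first checklist item is not covered here, because it is set in the device's management interface rather than in this file.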
Cyber Security for Electronic Devices
Why does cyber security extend beyond computers?
Actually, the issue is not that cyber security extends beyond
computers; it is that computers extend beyond traditional laptops and desktops.
Many electronic devices are computers—from cell phones and PDAs to video games
and car navigation systems. While computers provide increased features and
functionality, they also introduce new risks. Attackers may be able to take
advantage of these technological advancements to target devices previously
considered "safe." For example, an attacker may be able to infect
your cell phone with a virus, steal your phone or wireless service, or access
the data on your PDA. Not only do these activities have implications for your
personal information, but they could also have serious consequences if you
store corporate information on the device.
What types of electronics are vulnerable?
Any piece of electronic equipment that uses some kind of
computerized component is vulnerable to software imperfections and
vulnerabilities. The risks increase if the device is connected to the internet
or a network that an attacker may be able to access. Remember that a wireless
connection also introduces these risks. The outside connection provides a way
for an attacker to send information to or extract information from your device.
How can you protect yourself?
• Remember physical security - Having physical access to a device
makes it easier for an attacker to extract or corrupt information. Do not leave
your device unattended in public or easily accessible areas.
• Keep software up to date - If the vendor releases patches for
the software operating your device, install them as soon as possible. These
patches may be called firmware updates. Installing them will prevent attackers
from being able to take advantage of known problems or vulnerabilities.
• Use good passwords - Choose devices that allow you to protect
your information with passwords. Select passwords that will be difficult for
thieves to guess, and use different passwords for different programs and
devices. Do not choose options that allow your computer to remember your
passwords.
• Disable remote connectivity - Some PDAs and phones are equipped
with wireless technologies, such as Bluetooth, that can be used to connect to
other devices or computers. You should disable these features when they are not
in use.
• Encrypt files - Although most devices do not offer you an option
to encrypt files, you may have encryption software on your PDA. If you are
storing personal or corporate information, see if you have the option to
encrypt the files. By encrypting files, you ensure that unauthorized people can't
view data even if they can physically access it. When you use encryption, it is
important to remember your passwords and passphrases; if you forget or lose
them, you may lose your data.
Defending Cell Phones and PDAs against Attack
What unique risks do cell phones and PDAs present?
Most current cell phones have the ability to send and
receive text messages. Some cell phones and PDAs also offer the ability to
connect to the internet. Although these are features that you might find useful
and convenient, attackers may try to take advantage of them. As a result, an
attacker may be able to accomplish the following:
• abuse your service - Most cell phone plans limit the number of
text messages you can send and receive. If an attacker spams you with text messages,
you may be charged additional fees. An attacker may also be able to infect your
phone or PDA with malicious code that will allow them to use your service.
Because the contract is in your name, you will be responsible for the charges.
• lure you to a malicious web site - While PDAs and cell phones
that give you access to email are targets for standard phishing attacks,
attackers are now sending text messages to cell phones. These messages,
supposedly from a legitimate company, may try to convince you to visit a
malicious site by claiming that there is a problem with your account or stating
that you have been subscribed to a service. Once you visit the site, you may be
lured into providing personal information or downloading a malicious file.
• use your cell phone or PDA in an attack - Attackers who can gain
control of your service may use your cell phone or PDA to attack others. Not
only does this hide the real attacker's identity, it allows the attacker to
increase the number of targets.
• gain access to account information - In some areas, cell phones
are becoming capable of performing certain transactions (from paying for
parking or groceries to conducting larger financial transactions). An attacker
who can gain access to a phone that is used for these types of transactions may
be able to discover your account information and use or sell it.
What can you do to protect yourself?
• Follow general guidelines for protecting portable devices - Take
precautions to secure your cell phone and PDA the same way you should secure
your computer.
• Be careful about posting your cell phone number and email
address - Attackers often use software that browses web sites for email
addresses. These addresses then become targets for attacks and spam. Cell phone
numbers can be collected automatically, too. By limiting the number of people
who have access to your information, you limit your risk of becoming a victim.
• Do not follow links sent in email or text messages - Be
suspicious of URLs sent in unsolicited email or text messages. While the links
may appear to be legitimate, they may actually direct you to a malicious web
site.
• Be wary of downloadable software - There are many sites that
offer games and other software you can download onto your cell phone or PDA.
This software could include malicious code. Avoid downloading files from sites
that you do not trust. If you are getting the files from a supposedly secure
site, look for a web site certificate. If you do download a file from a web
site, consider saving it to your computer and manually scanning it for viruses
before opening it.
• Evaluate your security settings - Make sure that you take
advantage of the security features offered on your device. Attackers may take
advantage of Bluetooth connections to access or download information on your
device. Disable Bluetooth when you are not using it to avoid unauthorized
access.