Industry Best Practices – Security For Smartphones / Mobile Devices San Diego Industrial Counterintelligence Working Group (SDICIWG) Date: 11 July 2012

Table of Contents What is a Smartphone Background - Smartphones / Mobile Devices Cyber Security Threat – Methods Used to Access or Collect Data Industry Best Practices - How to Protect Yourself Against the Threat Conclusion

What is A Smartphone? Smartphone: Is a mobile communication device that offers users expanded capabilities from traditional mobile devices. The features can include text messaging, e- mail access, Internet browsing, and mobile operating systems that enable incorporation of third-party applications to offer even more expanded features.

Background - SmartPhones / Mobile Devices According to the National Security Institute there are now over 100 million smartphone users in the U.S., and research shows they check their phones an average of 34 times a day. Because of their highly portable nature, smartphones are particularly prone to loss or theft, resulting in unauthorized persons gaining physical access to the devices. Cyber Criminals are increasingly targeting smartphones – mobile devices for Illegal activity, such as acquiring company or personal data.

Cyber Threat - Methods Used To Access or Collect Data Cyber criminals increasingly targeting smartphones & personal digital assistants (PDAs) for illegal activity. Some of the ways in which they gain access to personal or sensitive company data includes: Lost and Stolen Cell Phones: According to security experts, lost and stolen cell phones and other mobile devices such as PDA are the biggest mobile security threat to companies. Distribution Malicious Apps: Cyber criminals and hackers distribute Malicious Apps that Contain Trojans to access or steal data. Malicious Apps and software is sometimes downloaded via seemingly trusted links. Malicious Apps - Frequently this malware is distributed through application stores that have minimal or no review process for their content. In some cases malware has been hidden in pirated versions of legitimate apps, which are then distributed through 3rd party app stores. Malware risk also comes from what's known as an "update attack," where a legitimate application is later changed to include a malware component, which users then install when they are notified that the app has been updated. Additionally, the ability to acquire software directly from links on the web results in a distribution vector called "malvertizing," where users are directed to click on links, such as on ads that look legitimate, which then open in the device's web browser and cause malware to be downloaded and installed automatically

Cyber Threat - Methods Used To Access or Collect Data Wi-Fi Threat: Attackers can create phony Wi-Fi hotspots designed to attack mobile phones and may patrol public Wi-Fi networks for unsecured devices. Phishing or Smishing Attacks: Cyber criminals use electronic communication to trick users into installing malicious software or giving away sensitive information. Smishing exploits vulnerabilities through text messages (SMS/MMS).

Best Practices - Steps to Take To Protect Smartphones Recommended Security Tips For Smartphone Users Passwords: Require a strong password of at least six characters. Auto Lock: Set up smartphones - mobile devices to automatically lock after 5 minutes inactivity. Auto Wipe: Configure devices to automatically wipe after 10 failed login attempts or if the mobile device is reported lost or stolen. Mobile Security Software: Require the IT Department to install mobile security software on their phones to protect against viruses and malware. Security Education: Remind employees to not click - follow unsolicited links sent in suspicious email or text messages. Unknown links may lead to malicious websites. Passwords - A basic measure is to require all employees safeguard their devices by enabling PIN or password protection to get into the operating system when you turn the phone on or to unlock it.

Best Practices - Steps to Take To Protect Smartphones Turn Off Unneeded Apps: Educate employees / users to turn off the applications such as Bluetooth, Wi-Fi, Infrared, and GPS when not specifically in use. This will not only reduce the attack surface, it will also increase battery life of the mobile device. Encryption: Have the IT Department install and enable local encryption to help protect data stored on the mobile phone. Device Restrictions: Implement a policy that restricts employees from accessing certain apps (e.g., password spoofers) and sites with explicit content. Security Configuration: Some smartphones can be configured to use your rights management system to prevent unauthorized persons from viewing sensitive information on the phone or to prevent “authorized users” from copying or forwarding the data to third parties. Device Restrictions – Password Spoofers are people (hackers – cyber criminals) or a program that successfully masquerades as another by falsifying data and thereby gaining an illegitimate access into a system. Set Bluetooth-enabled devices to non-discoverable. When in discoverable mode, your Bluetooth enabled device are visible to other nearby devices, which alerts an attacker or infected devices to target you. When in non-discoverable mode, your Bluetooth-enabled devices are invisible to other unauthenticated devices.

Security Best Practices For Smartphone Users Smartphone Security: Consider deploying smartphone security, monitoring, and management software such as that offered by Blackberry, iPhone, Android, Symbian, and Juniper Networks for Windows Mobile. Have users connect to the corporate network through an SSL VPN. Company IT Security Policy: Ensure your company establishes a comprehensive IT Security Policy that covers all mobile devices (laptops, smartphones, smartpads, PDAs, and flash sticks). Smartphone Security - Mobile security software is available for all of the major smartphone platforms. Some of the most popular mobile security suites include Kaspersky Mobile Security, Trend Micro Security, F-Secure Mobile Security, and Norton’s Mobile Security Products.

CONCLUSION Questions?

Sources Cyber Threats to Mobile Phones, US-CERT United States Computer Emergency Readiness Team, By Paul Ruggiero and Jon Foote, 2011 Carnegie Mellon University, Produced for US- CERT Smartphone Enterprise Security Risks and Best Practices, By Debra Littlejohn Shinder, December 2, 2010, 5:04 PM PST, http://www.techrepublic.com/blog/smartphones/smartphone- enterprise-security-risks-and-best-practices/1935 Five Tips For Securing Mobile Data, Tech Republic, By Shun Chen, November 22, 2010, 9:50 AM PST, http://www.techrepublic.com/blog/five-apps/five-tips-for-securing-mobile-data/419 Wikipedia, The Free Encyclopedia, Smartphones, 09 July 12 Top 5 mobile phone security threats in 2012, SearchSecurity, By Robert Westervelt, News Director, 09 Dec 2011, http://searchsecurity.techtarget.com/news/2240112288/Top-5-mobile- phone-security-threats-in-2012 Blackberry Photos, http://uk.blackberry.com/devices/blackberrybold/bold_photos.jsp