Security for mobile devices in the federal space is improving, but there’s still a lot of ground to cover
In June, we partnered with Market Connections to survey decision makers and influencers within the US federal IT space. While the report covers several areas, and I strongly recommend having a look at the whole survey, the section on mobile device usage caught my attention.
What is clear from the report is that mobile devices and the security issues that come with them are being taken seriously in federal IT—or at least some sectors. The problem is that “some sectors” is not nearly enough.
Let’s take one of the first statistics on the survey—permitting personal devices to access internal systems.
The good news is that 88% of the respondents said that some form of restriction is in place. But that leaves 11% with more or less unfettered access on their personal mobile devices. Eleven percent of the federal government is a huge number and there is almost no way to look at that 11% and derive a situation that is acceptable in terms of risk. And that’s just the first chart. Other areas of the survey show splits that are closer to 50-50.
For example, 65% of the respondents say that data encryption is in place. That means 35% of the mobile devices in the field right now have no encryption. Honestly, for almost all of the points on the survey, nothing less than a number very close to 100% is acceptable.
What can be done about this? Obviously this one essay won’t untie the Gordian Knot in one fell swoop, but I am not comfortable throwing my hands up and saying “yes, this is a very bad problem.” There are solutions and I want to at least make a start at presenting some of them.
Let’s start with some of the easy solutions:
Whether or not phones are agency-provided, there should be a standard setup for each of them. Employees can provide their own phone as long as it’s on a short list of approved devices and allow for provisioning. This helps agencies avoid having devices on the network with known security gaps and allow certain other features to be implemented, like:
Any phone that connects to government assets should be subject to remote-wipe capability by the agency. This is a no-brainer, but 23% of respondents don’t have it or don’t know if it is in place (trust me, if it was there you’d know!).
Every mobile device that connects to federal systems should be set up with a VPN client, and that client set to automatically activate whenever a network is connected—whether wifi or cellular. Not only would this help with keeping the actual traffic secure, but it would force all federal network traffic through a common point of access which would allow for comprehensive monitoring of bandwidth usage, traffic patterns, user access, and more.
The number one vector for hacking is still, after all these years, the user. Social engineering remains the biggest risk to the security of any infrastructure. Therefore before a device (and the owner) is permitted onto federal systems, the feds should require a training class on security practices—including password usage, two-factor authentication, safe and unsafe networks to connect on (airports, café hotspots, etc.), and even how to keep track of the device to avoid theft or tampering.
All of those options, while significant, don’t require massive changes in technology. It’s more a matter of standardization and enforcement within an organization. Let’s move on to a few suggestions which are a little more challenging technically.
Note that this becomes much easier if the VPN idea mentioned earlier is in place. All mobile devices need to have their data usage monitored. When a device suddenly shows a spike in bandwidth it could indicate someone is siphoning the data off the device on a regular basis.
Of course, it could also mean the owner discovered Netflix and is binge-watching “The Walking Dead.” Which is why you also need…
Quantity of bytes only tells half the story. Where those bytes are going is the other half. Using a technique such as NetFlow, makes it possible to tell which systems each mobile device is engaged in conversations with—whether it’s 1 packet or 1 million. Unexpected connection to China? That would show up on a report. Ongoing outbound connections of the same amount of data to an out of state (or offshore) server? You can catch those as well.
The key is understanding what “normal” is—both from an organizational perspective and for each individual device. Ongoing monitoring would provide both the baseline and highlight the outliers that rise up out of those baseline data sets.
User Device Tracking
User Device Tracking correlates where a device logs on (which office, floor, switch port, etc.) along with the user that logs in on that device to build a picture of how a mobile device moves through the environment, who is accessing it (and accessing resources through it), and when it is on or off the network. Having a UDT solution in place is for more than just finding a rogue device in real-time. Like traffic monitoring, having a steady and ongoing collection of data allows administrators to map out where a device has been in the past.
The mobile device section of the federal survey has much more useful information, but these recommendations I’ve raised—along with the reasons for why it is so desperately important to implement them—would, if executed, provide a higher level of security and stability. I hope you’ll take a moment to consider them for your organization.