STANFORD UNIVERSITY

SECURE COMPUTING

Best Practices for Securing Mobile Computing Devices

Information Security Office - June, 2005

Introduction

Many staff and students rely on mobile computing devices (MCDs) for work and personal uses.  Laptop computers, Personal Digital Assistants (PDAs), USB memory (aka thumb drives), smart phones (mobile phones with advanced communication, storage and processing capabilities), iPods, and a variety of wireless accessories  have become pervasive on campus and in society.   They bring a lot of convenience and ease of use. They also include unacknowledged risks.  This document discusses the main risks associated with using these devices in an academic environment and proposes some short-term and long-term approaches towards reducing these risks.

Risks of Mobile Computing

MCDs contain "lots" of memory (disks and/or RAM), are highly portable and are frequently unprotected: They are relatively easy to steal or lose, and unless precautionary measures are taken, an unauthorized person can gain access to all the information stored inside them.  Even if not stolen or lost, intruders can sometimes gain all the access they need if the device is left alone and unprotected, or if data is "sniffed out of the air" during wireless communications.  Under some circumstances, wireless mobile devices can be attacked from hundreds of yards to thousands of miles away.  The result can be a crippled device, one infected with a virus, and/or a device whose data has been invisibly downloaded by an intruder.  In the worst case, an intruder can install a spyware program that surreptitiously captures the owner's keystrokes (e.g., credit card numbers, passwords) and other sensitive information.

The Critical Question

The "Critical Question" that mobile device users need to ask is: Do I really need to save confidential data on my mobile device, and what would happen if an unauthorized person gained control of it?  What kind of data is stored here?  Confidential financial information?  Account names and passwords?  Social Security and/or credit card numbers?  Unpublished research drafts?  Sponsor names and contract details?  Proprietary designs or undisclosed inventions?  Health data?  Benefactor names?  Course grade reports?  Staff member reviews?  Personal contact names and phone numbers?  Decryption keys or passphrases?  There are laws, both federal (e.g., HIPAA, FERPA) and state (e.g., on social security number use and credit card exposure), under which Stanford University may be held liable if confidential information is compromised.  Weigh the consequences when you are saving confidential data and ask if it is really necessary to have it on your mobile device.  Leave data on the server as much as possible; do not copy sensitive information to the mobile device.  A password-protected mobile device will usually prevent a novice from gaining access to the internal information, but a skilled and motivated person generally has tools that allow him/her to crack the password or simply bypass it.  There's no foolproof way to prevent a laptop, PDA or other mobile device from being stolen, lost or otherwise accessed by an intruder.  But there are low-cost measures that can be taken - before a system is compromised - that will greatly reduce the probability of having your data viewed without your permission.  These are discussed in the next section.

Best Practices

The following best practices are intended to help mobile computing device owners better protect the data the devices contain.  These best practices are relatively inexpensive and easy to implement and use.  A "Suggested Products" section provides some specific examples for popular devices.

  • If the device is a computer, keep the patches up to date.  This reduces the possibility that a system can be compromised by an attacker or by some kind of malware (computer virus, worm or Trojan horse program).  Stanford provides an automated patch update service for Microsoft Windows computers. This service is called BigFix.  PC users should download the BigFix client from: http://ess.stanford.edu/pc/index.html.  In addition, most vendors (e.g., Microsoft, Apple, Red Hat) provide simple notification and update procedures.  Make sure that all portable computers have their patches kept up to date.
  • Use a password to lock the system.  The system should require that a password be provided when a user first logs in, or when the system is accessed after a period of inactivity (e.g., 30 minutes).   Enable the password locking feature of the screensaver on laptops.   Choose a strong password, appropriate for the device (i.e., a PC should have a stronger password than a smart phone).  Some computers now include small fingerprint readers that can prevent anyone but the owner or administrator from logging in.  Note: A password is not guaranteed to stop a determined attacker in possession of your system from gaining access.  But it will make it more difficult (i.e., it will require a level of effort that many thieves will simply not have).
  • Use locking devices on portable computers.  A laptop computer should always be locked to a large heavy object when it's not being transported or otherwise protected.  Locking cables that fit most computers are usually available for under $30.  Some Stanford departments may provide these to staff on request.
  • Use a "personal firewall".  A personal firewall is a complex but inexpensive program that can be installed on PC or Mac systems. [Unix/Linux systems also generally include some firewall capabilities.]  Both Microsoft and Apple provide simple firewalls on their latest operating systems.  Windows XP SP2 automatically enables the firewall.  Windows XP SP2 users may access the firewall in the Control Panel item, Security Center.  Mac OS X users may access and enable the firewall by opening the System Preferences menu and selecting the "Sharing" item, then clicking on the Firewall tab.  Users of older versions of Windows, Mac, and Linux users should consult with Helpdesk staff for details on setting up vendor-provided firewalls.   Several third party vendors (e.g., Symantec, Zone Labs, Sygate: www.symantec.com, www.zonelabs.com, www.sygate.com respectively) also provide easy-to-configure free and inexpensive firewalls. Use of a personal firewall is strongly recommended.  It will effectively defend a computer from many of the most pervasive and dangerous network attacks:  an intruder will have a much harder time getting into your system if a firewall is installed, configured and running.
  • When using wireless connectivity features (e.g., 802.11, 802.16, Bluetooth) make sure the device's security settings are set "as strong as possible".   Even though the state of wireless security has improved significantly in the last couple years, it is recommended that this technology still be regarded with suspicion.   Thus: Never send/receive sensitive data over a wireless link unless another more secure end-to-end (encryption) technology is also being used.  Examples of more secure technology include: SSL, SSH, IPsec and VPNs.
  • The only "guaranteed" way to prevent people from viewing confidential data is to encrypt it.  The two basic approaches are: 1) encrypt the individual files and/or folders that contain sensitive information, or 2) encrypt the entire disk or device.  Each of these approaches has some advantages and disadvantages.  The main advantage of approach (1) is that it's relatively easy and straightforward.  Microsoft and Apple provide OS-level support for this and several third-party vendors do as well.  Third parties also provide encryption software for Palm and Pocket PC devices.  The main disadvantage of approach (1) is that it requires a lot of discipline to ensure that all confidential data is created and stored only in encrypted locations; applications routinely leave copies elsewhere (temporary files, caches, swap space, "recent documents" lists), and those copies are not protected.  That's why many organizations and people opt for approach (2).  Full disk encryption can be slightly more complicated to set up and generally requires a third-party solution.  The advantage is that once configured, an encrypted disk environment is relatively transparent to the system user.  A system with an encrypted disk appears virtually identical to a running system with a non-encrypted disk, the only difference being that a decryption password needs to be provided when the system is booted.  With either approach the protection is only as strong as the password or passphrase that unlocks the key: an attacker who learns or guesses it can decrypt everything, so choose a long one.  Should a system with an encrypted disk be lost or stolen while powered off (so the key is not sitting in memory), there is an extremely low probability that the confidential data it contains could ever be viewed by an unauthorized person.
  • If any device containing Prohibited or Restricted Data is lost, stolen or appears to have been accessed without permission, report this to appropriate university staff.  [Stanford data classification information, including what is Prohibited or Restricted Data, is described at: http://www.stanford.edu/services/securecomputing/dataclass_chart.html.]   The reason this is so important, even if the equipment is not university-issued, is that  this allows Stanford to comply with applicable state, federal and international laws.

Things to Keep in Mind

  • All the encryption in the world won't help if your laptop briefcase gets stolen and it contains plain text (unencrypted) copies of confidential data on CDs or hardcopy.
  • Locking devices are useless when mobile computers aren't actually locked to them.
  • The strongest password is almost useless when it is written down next to the computer.
  • All encrypted data can be permanently lost if a user loses a key (or passphrase).  Decryption keys locked in safes, safety deposit boxes, or otherwise stored (escrowed) in a safe location can help prevent a data loss catastrophe.
  • Mobile device users should never download free software from the Internet without a high level of assurance that the product is safe: no adware, no spyware, no viruses.
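The file-level encryption approach from the Best Practices section, combined with the key escrow advice above, is illustrated by the following added example (written for this page; it is not code from the Stanford Information Security Office or from any product in the Suggested Encryption Products list).  It uses only the Python standard library, so the cipher is HMAC-SHA256 run in counter mode with encrypt-then-MAC rather than AES-GCM; a real deployment should use AES-GCM from a vetted library.  The container layout, the `MCD1` tag and all function names are this example's own assumptions.  The file is encrypted under a random data key, and that key is stored twice: once sealed under a key derived from the user's passphrase, and once sealed under an escrow key that lives off the device (the "safe" in the bullet above).  A forgotten passphrase therefore does not lose the data, while a thief holding only the laptop has neither key.

```python
"""Passphrase-protected file encryption with an escrowed recovery key.

Added example, not code from the Stanford page or any product it lists.
Standard library only: the cipher is HMAC-SHA256 in counter mode (a
PRF-based stream cipher) with encrypt-then-MAC.  Use AES-GCM from a
vetted library in practice.  Container layout and names are assumptions
made for this example.
"""
import hashlib
import hmac
import os
import struct

MAGIC = b"MCD1"                     # hypothetical container tag
SALT_LEN, NONCE_LEN, TAG_LEN, KEY_LEN = 16, 16, 32, 32
WRAP_LEN = NONCE_LEN + KEY_LEN + TAG_LEN   # a sealed 32-byte key occupies 80 bytes


def _kdf(passphrase: bytes, salt: bytes) -> bytes:
    # Slow, salted derivation: a thief holding the device pays this cost per guess.
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 600_000, dklen=KEY_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: block i = HMAC(key, nonce || i).  A nonce is never reused per key.
    blocks = (length + 31) // 32
    out = b"".join(hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
                   for i in range(blocks))
    return out[:length]


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one master key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; wrong key and tampering fail identically."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("authentication failed")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def encrypt_file(plaintext: bytes, passphrase: bytes, escrow_key: bytes) -> bytes:
    """Container: MAGIC | salt | data key sealed by passphrase | data key sealed by escrow | body."""
    data_key = os.urandom(KEY_LEN)      # fresh random key per file
    salt = os.urandom(SALT_LEN)
    return (MAGIC + salt
            + _seal(_kdf(passphrase, salt), data_key)   # unlocked by the owner's passphrase
            + _seal(escrow_key, data_key)               # unlocked by the escrowed key
            + _seal(data_key, plaintext))


def decrypt_file(blob: bytes, passphrase: bytes = None, escrow_key: bytes = None) -> bytes:
    """Recover the plaintext with either the passphrase or the escrow key."""
    if blob[:4] != MAGIC:
        raise ValueError("not an encrypted container")
    salt = blob[4:4 + SALT_LEN]
    wrapped_pass = blob[4 + SALT_LEN:4 + SALT_LEN + WRAP_LEN]
    wrapped_escrow = blob[4 + SALT_LEN + WRAP_LEN:4 + SALT_LEN + 2 * WRAP_LEN]
    body = blob[4 + SALT_LEN + 2 * WRAP_LEN:]
    if passphrase is not None:
        data_key = _open(_kdf(passphrase, salt), wrapped_pass)
    elif escrow_key is not None:
        data_key = _open(escrow_key, wrapped_escrow)
    else:
        raise ValueError("a passphrase or the escrow key is required")
    return _open(data_key, body)


def can_decrypt(blob: bytes, **credential) -> bool:
    """True if the given passphrase= or escrow_key= unlocks the container intact."""
    try:
        decrypt_file(blob, **credential)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: a grade report that should never sit in clear on a laptop.
    report = b"sunet_id,course,grade\njdoe,CS101,A-\n"
    escrow = os.urandom(KEY_LEN)          # generated once, stored off the device
    sealed = encrypt_file(report, b"correct horse battery staple", escrow)
    print(decrypt_file(sealed, passphrase=b"correct horse battery staple") == report)
    print(decrypt_file(sealed, escrow_key=escrow) == report)     # passphrase forgotten
    print(can_decrypt(sealed, passphrase=b"guess"))              # False
```

Two design points matter here.  The data key is random and independent of the passphrase, so the passphrase can be changed (re-seal the data key) without re-encrypting the file, and the escrow copy remains valid.  The tag is checked before any decryption, so a wrong passphrase and a modified file are both rejected without leaking which it was; the escrow key itself must be stored only off the device, or it simply becomes a second password for the thief to find.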

Suggested Encryption Products

The following products are suggested "starting points" for staff who are evaluating encryption tools for mobile devices.  Note that some of them support strong (e.g., two-factor) authentication, including smart cards, tokens, USB dongles, PKI certificates and fingerprints as well as conventional passwords.

  • Apple and Microsoft: User-accessible file and folder encryption built-in to the OS.
  • Pointsec for PC and Pointsec for Pocket PC: Encryption software for PCs and Pocket PC devices.  File, folder and full disk encryption.
  • SecureDoc and SecureDoc PDA: Encryption software for PCs and Pocket PC devices.  File, folder and full disk encryption.
  • DESlock+: File and folder encryption for PCs.
  • NMS for PC: File, folder and disk encryption for PCs.
  • PKWARE SecureZIP: File and folder encryption for PCs and Unix/Linux.
  • SafeBoot: File, folder and disk encryption for PCs.
  • PGP Desktop: File, folder (and optionally, disk encryption on PCs) encryption for PCs, Macs, and Unix/Linux.

Some of these products may also be used to encrypt USB memory devices, thus reducing the risk of accidental data disclosure should the device get lost/stolen.

Last modified Tuesday, 28-Apr-2009 09:48:43 AM
