- ISBN: 9781439820162 | 1439820163
- Cover: Hardcover
- Copyright: 6/16/2010
Smartphones, personal digital assistants (PDAs), and other mobile devices that employ a variety of data communication and storage technologies, such as e-mail/PIM synchronization software, infrared data transmission, and removable data storage, expose corporate data to a growing range of security threats. This book details how mobile devices can become a "backdoor" into the enterprise. It specifies immediate actions an IT security manager can take to defend against these threats, and covers the regulatory and compliance issues relevant to a comprehensive handheld security policy.
Section | Page |
--- | --- |
Acknowledgments | p. xiii |
About the Author | p. xv |
Trademarks | p. xvii |
Introduction | p. xix |
How Did We Get Here? | p. xxi |
The Beginning of the End | p. xxii |
Where We Are Now | p. xxiii |
The Real Problems | p. xxiv |
What You'll Learn in This Book | p. xxv |
A Note on Technology and Terminology | p. xxvi |
Final Thoughts | p. xxvii |
What Are You Trying to Protect? | p. 1 |
Finding a Definition for Mobile Data | p. 2 |
Mobile Data Scenarios | p. 4 |
Other Factors to Consider | p. 5 |
Defining a Mobile Device | p. 7 |
Distinct, but Intertwined | p. 10 |
Movable Data, Movable Risk | p. 11 |
Following the Path | p. 13 |
The Inverse Distance Principle | p. 15 |
The Effect on Our Approach | p. 16 |
Conclusion | p. 18 |
Action Plan | p. 19 |
Notes | p. 20 |
It's All about the Risk | p. 21 |
Loss or Disclosure of Data to Inappropriate Persons | p. 24 |
Loss of Money | p. 26 |
Loss of Trust or Damage to Your Reputation | p. 28 |
You Are Not Immune | p. 29 |
Risk, Threat, and Value | p. 30 |
Risk: Lost or Stolen Mobile Devices | p. 31 |
Risk: Inability to Secure Devices to Desired Level, Granularity, or Uniformity | p. 33 |
Risk: Access to Internal Information from Uncontrolled Devices | p. 35 |
Risk: Introduction of Malware into the Environment from Unprotected Mobile Devices | p. 36 |
Risk: Information Loss Due to Uneducated, Inattentive, or Uncaring Users | p. 38 |
Risk: Lack of Compliance with the Legislation du Jour | p. 41 |
Evaluating Your Risks | p. 44 |
How Valuable Is Your Data? | p. 47 |
What about Countermeasures? | p. 49 |
Conclusion | p. 49 |
Action Plan | p. 50 |
Notes | p. 51 |
The Many Faces of Mobility | p. 53 |
Following the Bits | p. 54 |
Portable Storage Devices | p. 58 |
Portable Storage Devices: Intentional Mobility | p. 59 |
Portable Storage Devices: Unintentional Mobility | p. 60 |
Tape Storage | p. 62 |
Tapes: Intentional Mobility | p. 62 |
Tapes: Unintentional Mobility | p. 62 |
Dual-Use Devices | p. 63 |
Dual-Use Devices: Intentional Mobility | p. 64 |
Dual-Use Devices: Unintentional Mobility | p. 64 |
Smartphones and Personal Digital Assistants | p. 65 |
Smartphones and PDAs: Intentional and Unintentional Mobility | p. 65 |
Optical Media (CD and DVD) | p. 67 |
Optical Media: Intentional Mobility | p. 67 |
Optical Media: Unintentional Mobility | p. 67 |
Portable Computers | p. 68 |
Portable Computers: Intentional Mobility | p. 68 |
Portable Computers: Unintentional Mobility | p. 68 |
Electronic Mail | p. 69 |
E-mail: Intentional Mobility | p. 70 |
E-mail: Unintentional Mobility | p. 72 |
Instant Messaging and Text Messaging | p. 73 |
IM and Texting: Intentional Mobility | p. 74 |
IM and Texting: Unintentional Mobility | p. 74 |
Conclusion | p. 75 |
Action Plan | p. 76 |
Notes | p. 77 |
Data at Rest, Data in Motion | p. 79 |
It's All a Matter of Physics | p. 79 |
More Definitions | p. 80 |
Protecting Data at Rest | p. 82 |
Physical Protection Methods | p. 82 |
Keep the Storage Device Hidden | p. 83 |
Split the Data onto Multiple Devices | p. 84 |
Use a Locked Container | p. 85 |
Use Tamper-Proof or Tamper-Evident Containers | p. 85 |
Use a Special Courier | p. 87 |
Use Obscurity to Your Advantage | p. 87 |
Physical Protection Summary | p. 89 |
Logical Protection Mechanisms | p. 89 |
Authentication | p. 89 |
Access Controls | p. 92 |
Encryption | p. 93 |
Effective Data Management | p. 94 |
The Problem of Heterogeneous Information | p. 95 |
Protecting Data in Motion | p. 96 |
Physical Controls | p. 97 |
Logical Protections | p. 98 |
The Rise of Monocultures | p. 98 |
Insecurity in the Links | p. 99 |
Multiple Networks Mean Multiple Data Paths | p. 101 |
Establishing PC Restrictions | p. 103 |
Conclusion | p. 103 |
Action Plan | p. 105 |
Notes | p. 106 |
Mobile Data Security Models | p. 107 |
A Device-Centric Model | p. 108 |
Access Control | p. 108 |
Data-Flow Restrictions | p. 109 |
Device Management | p. 110 |
Selective Feature Restrictions | p. 112 |
Logging and Auditing Capabilities | p. 114 |
Defining Your Scope | p. 115 |
Defining Acceptable Use Cases | p. 117 |
Who Gets Access? | p. 117 |
Keeping Up with Device Technology | p. 118 |
Device-Centric Challenges | p. 119 |
A Data-Centric Model | p. 120 |
Data-Centric Access Controls | p. 121 |
Blocking Certain Data Types | p. 122 |
Encryption | p. 124 |
Information Rights Management | p. 128 |
Data-Centric Challenges | p. 131 |
Which Model Do You Choose? | p. 132 |
Conclusion | p. 136 |
Action Plan | p. 136 |
Encryption | p. 139 |
Uses for Encryption | p. 140 |
The Importance of Standards | p. 140 |
Symmetric Encryption | p. 141 |
Asymmetric Encryption | p. 143 |
When to Use Encryption | p. 146 |
Infrastructure and Workflow Compatibility | p. 147 |
Encryption Impediments | p. 149 |
Mobile Data Encryption Methods | p. 150 |
Full-Disk Encryption | p. 151 |
File- and Directory-Based Encryption | p. 152 |
Virtual Disk and Volume Encryption | p. 154 |
Hardware-Encrypted Storage Drives | p. 155 |
Tape Encryption | p. 156 |
Key Management | p. 158 |
Data Protection vs. Data Recovery | p. 160 |
Conclusion | p. 162 |
Action Plan | p. 163 |
Notes | p. 164 |
Defense-in-Depth: Mobile Security Controls | p. 165 |
Countermeasures as Controls | p. 166 |
Directive and Administrative Controls | p. 168 |
Policies | p. 168 |
Administrative Changes | p. 169 |
Deterrent Controls | p. 170 |
Policies | p. 170 |
Education and Awareness | p. 171 |
Organizational Culture | p. 174 |
Preventive Controls | p. 175 |
Encryption | p. 176 |
Trusted Platform Modules | p. 176 |
Content Filtering and Data Loss Prevention | p. 177 |
Desktop Virtualization | p. 179 |
Centralized Device Management | p. 181 |
Detective Controls | p. 181 |
The Importance of Logs | p. 182 |
Auditing as a Detective Control | p. 184 |
Physical Security | p. 184 |
Conclusion | p. 185 |
Action Plan | p. 189 |
Notes | p. 189 |
Defense-in-Depth: Specific Technology Controls | p. 191 |
Portable Computer Controls | p. 192 |
Antimalware Services | p. 192 |
Workstation-Based Firewalls | p. 193 |
Standard Configurations | p. 193 |
VPN and Multifactor Authentication | p. 194 |
Network Access Control | p. 195 |
Disabling Automatic Program Execution | p. 196 |
Removing Unnecessary Data | p. 196 |
Physical Protection | p. 197 |
Portable Storage Devices | p. 198 |
Dual-Use Devices | p. 199 |
Smartphones and PDAs | p. 199 |
Optical Media | p. 200 |
p. 201 | |
Instant Messaging (IM) and Text Messaging | p. 205 |
Conclusion | p. 206 |
Action Plan | p. 211 |
Note | p. 211 |
Creating a Mobile Security Policy | p. 213 |
Setting the Goal Statement | p. 215 |
Mobile Device Policy Issues | p. 217 |
Device Ownership | p. 219 |
Device Management | p. 222 |
Device Personalization | p. 222 |
Mobile Data Issues | p. 223 |
Data Can Be Moved to Any Mobile Device | p. 223 |
Data Is Not Allowed to Be Moved to Any Mobile Device | p. 224 |
Data Is Allowed to Be Moved to Only Approved Devices | p. 225 |
Only Certain Types of Data Can Be Transferred to Mobile Devices | p. 226 |
All Data Transferred to a Mobile Device Must Have Minimum Security Protections | p. 227 |
Defining Technology Standards | p. 228 |
End-User Standards | p. 229 |
Device Standards | p. 230 |
Data Protection Standards | p. 232 |
When Are Protections Required? | p. 233 |
Conclusion | p. 233 |
Action Plan | p. 234 |
Building the Business Case for Mobile Security | p. 237 |
Identifying the Catalyst | p. 239 |
Forward-Thinking Leadership | p. 239 |
Recent Incidents or Losses | p. 240 |
Fear of Publicity and Reputational Damage | p. 241 |
Audit Findings | p. 242 |
Legislative or Regulatory Changes | p. 243 |
Contractual or Business Obligations | p. 243 |
Alignment with Company Objectives | p. 244 |
Determining the Impact of the Problem | p. 245 |
Financial Losses | p. 246 |
Reputational Damage | p. 247 |
Cost of Remediation and Cleanup | p. 248 |
Operational Impact | p. 248 |
Describe the Current State of Controls | p. 250 |
The Proposed Solution | p. 252 |
Program Time Line | p. 255 |
Financial Analysis | p. 257 |
Calculating the Return on Investment | p. 258 |
Alternatives Considered | p. 260 |
Conclusion | p. 261 |
Action Plan | p. 263 |
Index | p. 265 |