Mobile device security in the US military comes under fire

Filed Under: Data loss, Featured, Law & order, Mobile, Security threats, SophosLabs

Update 4-April-2013: The report initially linked to in this story has been removed by the US Department of Defense. Presumably a modified version will appear at the same URL, as so the link has been left in place. Warning, the contents may have changed...

On March 26th, the Inspector General released a report on the effects of BYOD (bring your own device) on the U.S. military.

Inspector General report

Among the report's findings:

  • Mobile devices were not secured to protect stored information.
  • The US Department of Defense (DOD) did not have ability to wipe devices that were lost or stolen.
  • Sensitive data was allowed to be stored on commercial mobile devices acting as removable media.
  • DOD did not train users and did not have them sign user agreements.
  • The Army CIO was unaware of more than 14,000 mobile devices used throughout the Army.

Ouch.

This from an entity that seems to have policies and regulations for everything.

The Army did implement a good policy regarding geotagging a while back, realizing the risk that came with soldiers taking pictures that automatically had location information embedded in metadata.

Location smartphone. Image from ShutterstockHowever, given the lack of management of the devices, how would the military know for sure that the geotagging has been disabled?

And if the United States Army, with all the endless policies, is having a difficult time with BYOD, how is a small or medium-sized business going to cope?

Why does this all matter?

Answer: Data loss. Stolen data is massive business for the bad guys. A phone left in a cab or at an airport can be a goldmine of sensitive information. Consider the case of the US Secret Service contractor who left two tapes of sensitive data on the DC Metro train.

What crook wouldn't have loved to have gotten a hold of two databases full of juicy personal information of agency employees, contractors and possibly informants? It's just another example that even the most "security conscious" people have forgetful moments, or moments of distraction and can easily leave something behind.

Last year, Sophos did an informal study and found that 42% of lost mobile devices aren't protected with any security measures.

Now of that number, 20% had access to business email, which could contain confidential information. Small businesses are even more at risk - just because you are small doesn't make you less of a target.

We have written several articles about handling smartphones in a business before and have provided some sage advice within about how to implement BYOD, but how do you create a BYOD policy?

Where's the best place to start? Sophos CTO Gerhard Eschelbeck outlines the following tips in a recent whitepaper.

Mobile post it. Image from Shutterstock7 steps to a BYOD security plan

  1. Identify the risk elements that BYOD introduces. Measure how the risk can impact your business and map the risk elements to regulations, where applicable.
  2. Form a committee to embrace BYOD and understand the risks, including business stakeholders, IT stakeholders and information security stakeholders.
  3. Decide how to enforce policies for any and all devices connecting to your network including mobile devices (smartphones), tablets (e.g., iPad) and portable computers (laptops, netbooks, ultrabooks).
  4. Build a project plan to include these capabilities:
    • Remote device management
    • Application control
    • Policy compliance and audit reports
    • Data and device encryption
    • Augmenting cloud storage security
    • Wiping devices when retired
    • Revoking access to devices when end-user relationship changes from employee to guest
    • Revoking access to devices when employees are terminated by the company
  5. Evaluate solutions. Consider the impact on your existing network and how to enhance existing technologies prior to next step.
  6. Implement solutions. Begin with a pilot group from each of the stakeholders' departments. Expand pilot to departments based on your organizational criteria. Open BYOD program to all employees.
  7. Periodically reassess solutions. Include vendors and trusted advisors. Look at roadmaps entering your next assessment period. Consider cost-saving group plans if practical.

Regardless of how big or small your 'army', securing your organization's devices and the data on those devices is at the front line of maintaining a strong IT security defense.


Smartphone map and mobile note images from Shutterstock

, , ,

You might like

7 Responses to Mobile device security in the US military comes under fire

  1. Scott · 382 days ago

    Hi Beth, my company is considering options for full device encryption for our BYOD phones and tablets. What are some good companies to look at who offer this software?

    • Beth Jones · 382 days ago

      Hi Scott, While Sophos Mobile Control will manage your mobile devices (and their encryption settings), it may not be exactly what you need - I'd recommend contacting a Sophos partner or sales representative in your region for some more specific recommendations.

  2. MikeP_UK · 382 days ago

    Having worked in EDA and now retired, I am well aware that some businesses take sensible steps to protect their business and its data. Many Defence Contractors only use Ethernet within their offices, so no WiFi leaks. Many have two separate networks, one totally internal for all crucial and sensitive activities and a separate one for all external communications - with no physical or electronic connection between them. Plus ALL devices employees want to take in are physically and electronically 'searched' (condition of employment requires permission is granted). Any visitors may not bring devices in without them being searched. In some cases the offices were inside a Faraday Cage so no electronic/electromagnetic radiations can be emitted nor received - so even mobiles don't work! And no cameras either, not even on mobiles, if you have one it has to be left at Security!
    Tight, but only moderately safe as the determined can always find a way around any security system.

  3. Surely some endpoint security software would have been handy here. It's not like it is unattainable.
    Block all USB connections except predetermined devices and nobody can steal any data, simple.

  4. As predicted.

    Bring Your Own Disaster !

  5. C.W. · 382 days ago

    This is insane to me. I work for an insurance company and we first deployed company owned cell phones with a product that allows us to lock and wipe them. The company only allows iPhones at this time because they do not allow untested applications in their store. After they and the application was fully tested and vetted with a small group, we expanded the program, next we expanded to company owned iPads, and recently we started a BYO iPad program. However, the employees still have to have our software installed on those devices that allow us to wipe them if compromised. We have devised programs and procedures to handle issues and to minimize the chance of any data loss. NO program is perfect but there is a lot that can be done and the military is failing miserably.

  6. Nigel · 382 days ago

    "And if the United States Army, with all the endless policies, is having a difficult time with BYOD, how is a small or medium-sized business going to cope?"

    Hmmm...I'm not sure I follow that logic. It seems to me that it would be much more difficult to cope with BYOD in a large organization than in a smaller one. The "endless policies" provides a clue as to why that's true---namely, there's more entropy in a larger organization. They create "endless policies" in an effort to minimize the entropy, without which the organization would rapidly devolve into complete chaos. But the very concept of a command-and-control organization like an army---which is an attempt to create a machine from very un-machine-like elements (humans)---is already a difficult proposition.

    Anyhow, the most amazing thing about this story is the fact that the Army even allows BYOD in the first place. The security risk alone is huge, even in "peacetime" (which is a relative condition anyway). In wartime, the very concept of soldiers having knowledge of more than their immediate, local objective is a potentially fatal risk.

    Of course, war does have a tendency to be fatal for a great many people. It would be best to make it obsolete altogether, but it remains to be seen whether the human species is smart enough to figure out how to do that.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Beth Jones Senior Threat Researcher, SophosLabs US Beth manages the day-to-day research and analysis activities of incoming suspicious malware threats that arrive in SophosLabs via customers, partners and prospects. Beth has worked in Sophos's Boston lab for more than five years and brings nearly a decade of network security experience to Sophos.