Acknowledgments
About the Author
Trademarks

Introduction
How Did We Get Here?
The Beginning of the End
Where We Are Now
The Real Problems
What You'll Learn in This Book
A Note on Technology and Terminology
Final Thoughts

What Are You Trying to Protect?
Finding a Definition for Mobile Data
Mobile Data Scenarios
Other Factors to Consider
Defining a Mobile Device
Distinct, but Intertwined
Movable Data, Movable Risk
Following the Path
The Inverse Distance Principle
The Effect on Our Approach
Conclusion
Action Plan
Notes

It's All about the Risk
Loss or Disclosure of Data to Inappropriate Persons
Loss of Money
Loss of Trust or Damage to Your Reputation
You Are Not Immune
Risk, Threat, and Value
Risk: Lost or Stolen Mobile Devices
Risk: Inability to Secure Devices to Desired Level, Granularity, or Uniformity
Risk: Access to Internal Information from Uncontrolled Devices
Risk: Introduction of Malware into the Environment from Unprotected Mobile Devices
Risk: Information Loss Due to Uneducated, Inattentive, or Uncaring Users
Risk: Lack of Compliance with the Legislation du Jour
Evaluating Your Risks
How Valuable Is Your Data?
What about Countermeasures?
Conclusion
Action Plan
Notes

The Many Faces of Mobility
Following the Bits
Portable Storage Devices
Portable Storage Devices: Intentional Mobility
Portable Storage Devices: Unintentional Mobility
Tape Storage
Tapes: Intentional Mobility
Tapes: Unintentional Mobility
Dual-Use Devices
Dual-Use Devices: Intentional Mobility
Dual-Use Devices: Unintentional Mobility
Smartphones and Personal Digital Assistants
Smartphones and PDAs: Intentional and Unintentional Mobility
Optical Media (CD and DVD)
Optical Media: Intentional Mobility
Optical Media: Unintentional Mobility
Portable Computers
Portable Computers: Intentional Mobility
Portable Computers: Unintentional Mobility
Electronic Mail
E-mail: Intentional Mobility
E-mail: Unintentional Mobility
Instant Messaging and Text Messaging
IM and Texting: Intentional Mobility
IM and Texting: Unintentional Mobility
Conclusion
Action Plan
Notes

Data at Rest, Data in Motion
It's All a Matter of Physics
More Definitions
Protecting Data at Rest
Physical Protection Methods
Keep the Storage Device Hidden
Split the Data onto Multiple Devices
Use a Locked Container
Use Tamper-Proof or Tamper-Evident Containers
Use a Special Courier
Use Obscurity to Your Advantage
Physical Protection Summary
Logical Protection Mechanisms
Authentication
Access Controls
Encryption
Effective Data Management
The Problem of Heterogeneous Information
Protecting Data in Motion
Physical Controls
Logical Protections
The Rise of Monocultures
Insecurity in the Links
Multiple Networks Mean Multiple Data Paths
Establishing PC Restrictions
Conclusion
Action Plan
Notes

Mobile Data Security Models
A Device-Centric Model
Access Control
Data-Flow Restrictions
Device Management
Selective Feature Restrictions
Logging and Auditing Capabilities
Defining Your Scope
Defining Acceptable Use Cases
Who Gets Access?
Keeping Up with Device Technology
Device-Centric Challenges
A Data-Centric Model
Data-Centric Access Controls
Blocking Certain Data Types
Encryption
Information Rights Management
Data-Centric Challenges
Which Model Do You Choose?
Conclusion
Action Plan

Encryption
Uses for Encryption
The Importance of Standards
Symmetric Encryption
Asymmetric Encryption
When to Use Encryption
Infrastructure and Workflow Compatibility
Encryption Impediments
Mobile Data Encryption Methods
Full-Disk Encryption
File- and Directory-Based Encryption
Virtual Disk and Volume Encryption
Hardware-Encrypted Storage Drives
Tape Encryption
Key Management
Data Protection vs. Data Recovery
Conclusion
Action Plan
Notes

Defense-in-Depth: Mobile Security Controls
Countermeasures as Controls
Directive and Administrative Controls
Policies
Administrative Changes
Deterrent Controls
Policies
Education and Awareness
Organizational Culture
Preventive Controls
Encryption
Trusted Platform Modules
Content Filtering and Data Loss Prevention
Desktop Virtualization
Centralized Device Management
Detective Controls
The Importance of Logs
Auditing as a Detective Control
Physical Security
Conclusion
Action Plan
Notes

Defense-in-Depth: Specific Technology Controls
Portable Computer Controls
Antimalware Services
Workstation-Based Firewalls
Standard Configurations
VPN and Multifactor Authentication
Network Access Control
Disabling Automatic Program Execution
Removing Unnecessary Data
Physical Protection
Portable Storage Devices
Dual-Use Devices
Smartphones and PDAs
Optical Media
E-mail
Instant Messaging (IM) and Text Messaging
Conclusion
Action Plan
Note

Creating a Mobile Security Policy
Setting the Goal Statement
Mobile Device Policy Issues
Device Ownership
Device Management
Device Personalization
Mobile Data Issues
Data Can Be Moved to Any Mobile Device
Data Is Not Allowed to Be Moved to Any Mobile Device
Data Is Allowed to Be Moved to Only Approved Devices
Only Certain Types of Data Can Be Transferred to Mobile Devices
All Data Transferred to a Mobile Device Must Have Minimum Security Protections
Defining Technology Standards
End-User Standards
Device Standards
Data Protection Standards
When Are Protections Required?
Conclusion
Action Plan

Building the Business Case for Mobile Security
Identifying the Catalyst
Forward-Thinking Leadership
Recent Incidents or Losses
Fear of Publicity and Reputational Damage
Audit Findings
Legislative or Regulatory Changes
Contractual or Business Obligations
Alignment with Company Objectives
Determining the Impact of the Problem
Financial Losses
Reputational Damage
Cost of Remediation and Cleanup
Operational Impact
Describe the Current State of Controls
The Proposed Solution
Program Time Line
Financial Analysis
Calculating the Return on Investment
Alternatives Considered
Conclusion
Action Plan

Index