Tools updates - Oct 2010
Some of my favorite tools have been updated recently. GnuPG was recently updated to version 1.4.11. OSSEC was updated to version 2.5.1. Speaking of OSSEC, there are a number of bloggers out there participating in the 2nd Annual Week of OSSEC. Daniel Cid appears to be doing wrap-up posts every day with pointers to the various blog posts, so go check them out. Here are the wrap-ups for days 1, 2, and 3. There is some interesting stuff there for those who want to get the most out of OSSEC. I also wanted to point out an interesting tip on using wireshark/tshark to decode SSL traffic by Mark Baggett and (fellow new GSE) Doug Burks.
---------------
Jim Clausing, jclausing --at-- isc [dot] sans (dot) org
GIAC GSE #26
Cyber Security Awareness Month - Day 20 - Securing Mobile Devices
Over the last few years, the mobile devices in our lives have become much more complex and powerful, and as a result, more attractive as targets for malware authors. The iPhones, Androids, and Blackberries in our pockets (and the pockets of company executives) have more raw computing capabilities than the desktop machines of a few years ago (and the servers of a few years before that) and they run web browsers capable of running javascript or flash (hmm... haven't we seen issues with both of those technologies on other platforms?), plus they have built-in GPS capabilities that allow for tracking of our movements, and nearly constant access to the internet to potentially share that information (or any other data on the device) with "the bad guys." Unfortunately, defensive capabilities have not kept pace. To make matters worse, because of their size, these new mobile devices are small enough that they are also much easier to misplace (or steal). For this reason, it is probably even more important to that the human being involved be even more vigilant than ever. In the following discussion, I also make a somewhat artificial distinction between personal and corporate use of mobile devices.
Corporate usage
For corporate mobile devices, I would urge a few measures (where possible)
- Encryption - if the capability exists on the platform you are using, whole device encryption could provide some minimal protection to corporate (or personal) data on the device should it be lost or stolen.
- Remote Wipe - the ability to remotely kill or wipe a device that has been lost or stolen should be enabled if it exists.
- VPN - where possible, VPN back through the corporate environment (understanding all the issues discussed in yesterday's diaries apply here, too). This allows one to take advantage of proxies, firewalls, e-mail filtering of the corporate network. When possible, use the mobile device as a thin client to access data in the corporate network or in "the cloud" rather than keeping potentially sensitive data on the mobile device itself.
Personal usage
For personal devices, the biggest thing is to remember that the defenses on these mobile devices are even slimmer than on our home PCs and laptops.
- Fight the urge to do things like banking, that might reveal information that could be used for identity theft, from your mobile device.
- Don't click on links sent via IM, Facebook, SMS
General usage
In general, there are a few things that should probably be done all the time to protect yourself and your personal and corporate information (and they may increase your battery life, too).
- Turn off the GPS and data (3G/4G/wifi) capabilities when you aren't actually using them.
- If anti-virus software exists for your platform install it. It probably won't protect you from much, but if it stops even one attack, that's better than nothing.
- If at all possible, don't mix corporate and personal use on the same mobile device.
I've been starting to think about mobile malware lately, and frankly, it worries me. So, what are you doing to secure your mobile devices (both corporate and personal)?
---------------
Jim Clausing, jclausing --at-- isc [dot] sans (dot) org
GIAC GSE #26
Comments