Federal Friday – 1.17.14 – Don’t Forget to Wipe (Your Device)

Blog Post created by jschim Employee on Jan 17, 2014

Happy Friday, federal friends! I hope the post-holiday hangover has passed and your resolutions remain intact. It’s been a busy start to the year so far in Rapid7-Land and we’re only 2 weeks into ’14.


This week I read a great article on FederalTimes about how employee-owned devices put agencies at risk, especially when it comes to wiping them. This is significant, especially with the holidays in the not-too-distant past and the influx of new gift devices that will be hitting your network. The article is in response to a report put out this week by the Mobile Work Exchange, which analyzed 155 individual responses and 30 agency responses. The number that jumped off the screen was that 90% of government employees use at least one mobile device for work-related activities. This leaves a lot of room for attacks to happen, with 6% responding that they've lost or misplaced their phone. Information is easily extracted from these phones if the device is not wiped, either by the end user or by the agency enforcing its cyber policy. According to the report, this creates an estimated 3,500 chances for a breach in any given agency. On top of that, only 53% of responding agencies have a remote wipe function in practice. Insert *gasp* here.


The rest of the risk comes from the usual suspects: weak passwords, connecting to open WiFi, text/email phishing, and no clear organizational BYOD/mobile strategy. The report highlighted 5 steps for individuals and 5 steps for organizations to put into practice to reduce their mobile risk and shore up their extended perimeters, which I've listed below.

For individuals:

  1. Always use a password on all mobile devices. Make it complex and change it often
  2. Always use a secure wireless connection
  3. Never open an email or text from someone you don't know
  4. Do not store personal info – address, credit card number, etc. – on a mobile device
  5. Adhere to security and IT training provided by your organization


For organizations:

  1. Establish a formal employee-focused mobile device program, including written mobile device security policies
  2. Create regular training and require all employees to participate in training
  3. Require all devices to utilize a password
  4. Install multi-factor authentication or data encryption on mobile devices to secure organization data
  5. Implement a remote wipe function for lost or stolen devices


As I've highlighted for the past few weeks, Rapid7 is hitting the road! We will be in DC on Feb. 11th for our FREE "Security at the Crossroads" seminar. This is a half day of discussions from various industry experts followed by a FREE session of Metasploit Tips and Tricks. If you are in the area and looking to attend, follow this link to the DC-specific show, as space is becoming limited. As I'm sure you're all dying to ask, I WILL be in attendance, along with some of my colleagues from the various Rapid7 offices. I am excited to meet and connect with those who have already signed up. Let me know if you read the blog, along with any suggestions for future write-ups, or links to hilarious memes that I can include when I'd like to write less.