Device security is a broad topic that spans a wide range of information security policies, rules and regulations. The corresponding requirements are also set out as controls in the ISO/IEC 27000 family of standards (for example the clear desk and clear screen, removable media and acceptable use controls in ISO/IEC 27001 Annex A and ISO/IEC 27002).
What does device security cover?
Many organizations combine several policies to limit the impact of the physical compromise of a device and of the information stored on it. Typical examples are:
Acceptable and Unacceptable Use of Devices and Media Policy – defines which behaviours are prohibited when using company devices and media, and gives recommendations for handling temporary and interim information and printed documents.
Clean desk and clean screen policy – sets the minimum requirements for working with external media (USB sticks and drives), for the responsible use of mobile devices, company laptops and other equipment in a secure environment, and for short screen-lock timeouts on inactivity or when leaving the workplace.
What threats can occur in the absence of appropriate and responsible behaviour?
The most common threat is human curiosity. Curiosity is a serious threat because people without the necessary authorization can gain access to sensitive or confidential information owned by the organization and then leak it, intentionally or unintentionally. This is the reason behind the many recommendations to lock devices after a short period of inactivity.
Another threat is the handling of external storage devices (USB flash memory and USB drives). A number of safety procedures must be followed when working with them because of the high risk of malware infection and information compromise. Besides malware and the careless storage and use of information on temporary removable media, there is a far more dangerous class of threat: so-called BadUSB devices.
What is a BadUSB?
These are small USB devices that look like a USB memory stick but present themselves to the computer as a keyboard (a USB HID device). Because the operating system trusts keyboard input, the device can type a scripted sequence of commands into whatever computer it is plugged into, far faster than a person could. In this way malware can be installed from the inside, or critical information can be exfiltrated. BadUSB attacks fall under insider threats, since the device is plugged in by someone inside the organization, whether deliberately or because they were tricked into it.
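The tell-tale sign of the device described above is a USB descriptor that advertises a keyboard interface where none is expected. The following script is an added example, not code from the original article: it reads the output of `lsusb -v` (Linux usbutils), collects each device's interface class/subclass/protocol triples, and flags any device that combines mass storage with an HID interface, or any keyboard whose vendor:product id is not on an allowlist. The allowlist, the vendor ids and the descriptor dump embedded for the offline run are all constructed for the example; the `lsusb -v` field layout it parses is the real one.

```python
"""Heuristic BadUSB triage over `lsusb -v` output.

Added example for this article. Flags:
  - a device that exposes both mass storage (class 0x08) and HID (class 0x03),
    i.e. something that looks like a memory stick but can also type;
  - a boot-protocol keyboard whose vendor:product id is not on the allowlist.
"""
import re
from dataclasses import dataclass, field

HID_CLASS = 0x03
HID_BOOT_SUBCLASS = 0x01
HID_KEYBOARD_PROTOCOL = 0x01
MASS_STORAGE_CLASS = 0x08

# Assumption: vendor:product ids of keyboards IT has issued. Fictional values.
KNOWN_KEYBOARDS = {(0xABCD, 0x0002)}

# "Bus 001 Device 003: ID abcd:0002 Vendor Product" header line of lsusb
DEVICE_RE = re.compile(
    r"^Bus \d+ Device \d+: ID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})\s*(.*)$")
# lsusb -v prints these interface fields in decimal, followed by a label
IFACE_FIELD_RE = re.compile(
    r"^\s*(bInterfaceClass|bInterfaceSubClass|bInterfaceProtocol)\s+(\d+)")
FIELD_TO_ATTR = {"bInterfaceClass": "cls",
                 "bInterfaceSubClass": "subcls",
                 "bInterfaceProtocol": "proto"}


@dataclass
class Interface:
    cls: int = 0
    subcls: int = 0
    proto: int = 0


@dataclass
class UsbDevice:
    vid: int
    pid: int
    name: str
    interfaces: list = field(default_factory=list)


def parse_lsusb_verbose(text):
    """Build UsbDevice records (with their interfaces) from `lsusb -v` text."""
    devices, current, iface = [], None, None
    for line in text.splitlines():
        m = DEVICE_RE.match(line)
        if m:
            current = UsbDevice(int(m.group(1), 16), int(m.group(2), 16),
                                m.group(3).strip())
            devices.append(current)
            iface = None
            continue
        if current is None:
            continue
        if line.strip() == "Interface Descriptor:":
            iface = Interface()
            current.interfaces.append(iface)
            continue
        m = IFACE_FIELD_RE.match(line)
        if m and iface is not None:
            setattr(iface, FIELD_TO_ATTR[m.group(1)], int(m.group(2)))
    return devices


def is_keyboard(iface):
    return (iface.cls == HID_CLASS and iface.subcls == HID_BOOT_SUBCLASS
            and iface.proto == HID_KEYBOARD_PROTOCOL)


def assess(dev):
    """Return (verdict, reason); verdict is 'allow', 'review' or 'block'."""
    classes = {i.cls for i in dev.interfaces}
    if MASS_STORAGE_CLASS in classes and HID_CLASS in classes:
        return "block", "mass storage device also exposes an HID interface (BadUSB profile)"
    if any(is_keyboard(i) for i in dev.interfaces) \
            and (dev.vid, dev.pid) not in KNOWN_KEYBOARDS:
        return "review", "keyboard interface from a vendor:product not on the allowlist"
    return "allow", "no keyboard capability, or keyboard is on the allowlist"


def triage(text):
    """Return [(vid:pid, name, verdict, reason), ...] for every device in text."""
    return [(f"{d.vid:04x}:{d.pid:04x}", d.name, *assess(d))
            for d in parse_lsusb_verbose(text)]


# Constructed `lsusb -v` excerpt (fictional ids and names) for an offline run.
SAMPLE_LSUSB = """\
Bus 001 Device 002: ID 1234:0001 Example Corp Plain Storage Stick
Device Descriptor:
  idVendor           0x1234 Example Corp
  idProduct          0x0001 Plain Storage Stick
    Interface Descriptor:
      bInterfaceNumber        0
      bInterfaceClass         8 Mass Storage
      bInterfaceSubClass      6 SCSI
      bInterfaceProtocol     80 Bulk-Only
Bus 001 Device 003: ID abcd:0002 Example Corp Issued Keyboard
Device Descriptor:
    Interface Descriptor:
      bInterfaceNumber        0
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      1 Keyboard
Bus 001 Device 004: ID 1234:0002 Example Corp Plain Storage Stick
Device Descriptor:
    Interface Descriptor:
      bInterfaceNumber        0
      bInterfaceClass         8 Mass Storage
      bInterfaceSubClass      6 SCSI
      bInterfaceProtocol     80 Bulk-Only
    Interface Descriptor:
      bInterfaceNumber        1
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      1 Keyboard
Bus 001 Device 005: ID 5678:0003 Example Corp Unknown Keyboard
Device Descriptor:
    Interface Descriptor:
      bInterfaceNumber        0
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      1 Keyboard
"""

if __name__ == "__main__":
    import sys
    # Usage: lsusb -v 2>/dev/null | python3 badusb_triage.py  (or run alone for the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LSUSB
    for dev_id, name, verdict, reason in triage(text):
        print(f"{verdict:6} {dev_id} {name}: {reason}")
```

On the sample the two genuine devices are allowed, the stick that also types is blocked, and the unrecognised keyboard is queued for review. The heuristic has an obvious gap: an injector that enumerates only as a keyboard and spoofs an allowlisted vendor:product id passes, which is why the organisational rule is not to plug in unknown media at all, and why a device allowlisting tool such as USBGuard on Linux, rather than an after-the-fact script, is the technical control.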
What basic rules should we follow to protect ourselves?
- We should not use the same devices for work and personal life. If such a device is compromised, stolen or lost, the harm is both professional and personal. Another known risk of mixing the two is that data is inadvertently mixed and spread between the two contexts, whether through carelessness or deliberately.
- We should not use external media (USB memory sticks and disks) of unclear origin and content, because antivirus programs and additional protections are not perfect and may fail to detect the danger; a device that types commands rather than carrying a malicious file gives them nothing to scan in the first place.
- We must use strong and unique passwords, PIN codes and biometric authentication methods, to make access as difficult as possible if a device falls into someone else's hands.
- Our devices must be encrypted (full-disk encryption such as BitLocker, FileVault or LUKS). Encryption protects data at rest only: once the device is unlocked and in use, it offers no protection, which is why it goes together with the screen-lock rule below.
- User sessions must be locked after a short period of inactivity. For example, a computer or laptop should lock its screen no more than 5 minutes after the last user activity, so that a curious or malicious person cannot gain unauthorized access to information.