Mobile guidance on encryption/VPN from CESG

The CESG, the security offshoot of GCHQ, has published in-depth guidance for users of laptop, tablet and smartphone operating systems, offering specifics on how to deploy and use the operating systems on a mobile platform.


The advice centres on BlackBerry 10.2.1, Google Android 4.4 and Chrome devices, with extra advice for iOS (iPhone and iPad) users.

The idea behind the guidance is to help organisations better understand and manage the risks associated with different devices as part of their normal risk management processes.

Interestingly, the CESG says that each platform's encryption and VPN usage should be areas that organisations need to be aware of and manage appropriately.

Chrome's VPN, in particular, has not been independently assured to Foundation Grade, and does not currently support some of the mandatory requirements expected from assured VPNs, according to the group.

Similar issues apply to the Android and BlackBerry native VPNs, suggesting that the CESG may favour third-party paid-for VPNs.

Delving into the guidance reveals that the CESG advises that all data should be routed over a secure enterprise VPN to ensure the confidentiality and integrity of the traffic - and to allow the devices and data on them to be protected by enterprise protective monitoring solutions.

"The VPN should be configured in always-on mode where possible," says the guidance, adding that particular attention needs to be paid to data-in-transit and data-at-rest protection - and that the fact that users can run applications from unapproved sources needs to be addressed.

The guidance singles out Android VPN and encryption technology for subtle criticism, noting that Android devices do not use any dedicated hardware to protect data encryption keys.

"If an attacker can get physical access to the device, they can extract password hashes and perform an offline brute-force attack to recover the encryption password," the CESG notes, adding that admins should only provision Android devices with locked bootloaders.
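The point the CESG makes here is that a key derived purely from the user's passcode can be attacked offline once the flash has been copied, whereas a key that also depends on a secret held in dedicated hardware cannot be tested away from the device. The following Python is an added illustration written for this article, not code from the CESG guidance or from Android: it derives a storage key from a passcode with PBKDF2 in the software-only style, then in a hardware-bound style where the result is additionally keyed with a secret that is assumed to live in hardware (simulated here as a fixed byte string). The salt, the simulated device secret, the iteration count and the short wordlist are all constructed values.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed parameters; the iteration count is kept small so the demonstration
# runs quickly. Production key derivation would use a far higher count.
ITERATIONS = 2000
KEY_LEN = 32

SALT = bytes.fromhex("0123456789abcdef0123456789abcdef")   # constructed salt
DEVICE_SECRET = bytes.fromhex("ff" * 32)                   # stands in for a key held in hardware
WORDLIST = ["password", "123456", "summer2014", "letmein"] # constructed guess list


def derive_key(password: str, salt: bytes, device_secret: Optional[bytes] = None) -> bytes:
    """Derive a storage-encryption key from a passcode.

    With device_secret=None this mirrors a software-only key hierarchy: everything
    needed to check a candidate passcode is present in a copy of the flash, so the
    checking can be done offline on whatever hardware the attacker prefers.
    With a device_secret the PBKDF2 output is additionally keyed with a secret that
    never leaves the hardware, so a flash image alone is not enough to test guesses.
    """
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, KEY_LEN)
    if device_secret is None:
        return pw_key
    return hmac.new(device_secret, pw_key, hashlib.sha256).digest()


def offline_guess(target: bytes, salt: bytes, candidates: Iterable[str],
                  device_secret: Optional[bytes] = None) -> Optional[str]:
    """Return the candidate whose derived key equals target, or None if none matches.

    Passing device_secret models checking on the device itself (where the hardware
    participates); omitting it models an attacker working from a copied flash image.
    """
    for guess in candidates:
        if hmac.compare_digest(derive_key(guess, salt, device_secret), target):
            return guess
    return None


def software_only_demo() -> Optional[str]:
    """Key derived from the passcode alone: an offline wordlist check recovers it."""
    target = derive_key("summer2014", SALT)
    return offline_guess(target, SALT, WORDLIST)


def hardware_bound_demo() -> Optional[str]:
    """Key bound to the device secret: the same check, run without the device, fails."""
    target = derive_key("summer2014", SALT, DEVICE_SECRET)
    return offline_guess(target, SALT, WORDLIST)


def on_device_demo() -> Optional[str]:
    """Guessing still works when the hardware secret is available, which is why the
    device must also enforce rate limiting and wipe-on-failure policies."""
    target = derive_key("summer2014", SALT, DEVICE_SECRET)
    return offline_guess(target, SALT, WORDLIST, DEVICE_SECRET)


if __name__ == "__main__":
    print("software-only key, offline guess recovered:", software_only_demo())
    print("hardware-bound key, offline guess recovered:", hardware_bound_demo())
    print("hardware-bound key, on-device guess recovered:", on_device_demo())
```

The design point is the third function: binding the key to hardware does not make a weak passcode strong, it only forces every guess through the device, where lockout and wipe policies set by the MDM can apply. That is why the guidance pairs the key-storage concern with the advice to provision only devices whose bootloader stays locked.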

Commenting on the guidance, Mike McLaughlin, senior pen tester and technical lead with First Base Technologies, said the publication is a good move, especially for SMEs, many of whom lack the in-house expertise to deploy these technologies securely.

"This is great advice, especially when it comes to the VPN side of things. This is especially true with all Google services, as when you use a Google service, whilst it is free, you do pay in other ways. This means you must defend your corporate data using encryption and VPN technologies," he explained.

Check Point's UK managing director Keith Bird agreed, also welcoming the guidance, noting that mobile security is still an issue that many organisations have yet to address.

"In 2013, we surveyed nearly 800 IT professionals about mobile security and 63 percent of those that allow personally-owned mobile devices to connect to their corporate networks do not manage corporate information on those devices. Just 15 percent used Mobile Device Management (MDM) tools, and 8 percent used on-device secure containers," he said.

Scott Lester, a senior researcher with Context Information Security, said that the guidance forms part of the latest effort by CESG to improve the security of UK Government deployments of mobile devices, which combines their own research with assistance from companies including Context.

"While some of these devices do not fully meet the required security standards, implementing the guidance should at least improve the security of such deployments by mitigating some common threats," he explained.

Daniel Drummond, a technology consultant at Apadmi, a mobile specialist, told SCMagazineUK.com that the government's advice on securing its own remote workers' mobile devices is a good place for any corporation to start when defining and reviewing their own security policies.

"Android and BlackBerry enterprise features are maturing and although there is still some way to go, they are suitable choices for workers in the field if secured appropriately. Chrome OS devices are only going to become more popular for workers in the field, with their strong enterprise features, low cost, and long battery life," he said.

"Securing these devices in this way is, and will continue to be, only a half-measure: user education is vital to ensuring information security. The most vulnerable piece is still the user, and without proper vigilance any of these security measures can be undermined," he added.