We have discussed the 12 policy areas of CJIS at length; the latest addition to these policy areas covers how mobile devices need to be compliant with CJIS. To close the gaps introduced by mobile devices, CJIS has come up with a comprehensive policy area that applies to all mobile devices irrespective of form factor or communication medium. The agency shall authorize, control and monitor wireless access to the information system, and shall establish implementation guidance and restrictions on the usage of mobile devices.
Wireless Communications Technologies
Wireless technologies such as cellular, microwave, 802.11x, land mobile radio (LMR), satellite and Bluetooth should adopt at least the minimum security that applies to wired technology; depending on the type of technology, additional security controls are needed, as discussed below.
All 802.11 Wireless Protocols
For all wireless access points it manages, the agency should implement the following controls:
- Completely understand the security posture of the wireless network by performing validation testing to ensure that there are no rogue APs (Access Points).
- Maintain a complete list of 802.11 wireless devices and access points, and place all APs in secure areas to prevent user manipulation and unauthorized access to them.
- Enable encryption and user authentication mechanisms for the management interface of the AP.
- Test the AP range boundaries to determine the wireless coverage, and design the AP coverage so that it is limited to what is required for operational purposes.
- Ensure that the APs have strong administrative passwords, and that all passwords are changed in accordance with the requirements of policy area 6.
Apart from the above controls, there are several other controls that the agency should adopt to ensure the access points are secured, and all the encryption mechanisms are in place.
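The first two controls above (validation testing for rogue APs and maintaining an inventory of authorized APs) are usually carried out together: a wireless survey is compared against the agency's inventory, and anything not in the inventory, or any agency SSID broadcast from an unknown BSSID, is flagged for investigation. The following is an added example of that comparison, not code from the original post or from any vendor tool; the survey format (`bssid,ssid,channel,security`), the inventory entries and the SSIDs are all constructed sample data.

```python
"""Compare a wireless survey against the agency's authorized AP inventory.

Added example (not from the original post). The survey line format and the
inventory below are constructed; a real deployment would read the survey from
the agency's wireless scanner export and the inventory from its asset register.
"""
from dataclasses import dataclass

# Authorized inventory: BSSID -> (SSID, expected security mode). Constructed data.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": ("AGENCY-CJI", "WPA2-Enterprise"),
    "00:11:22:33:44:02": ("AGENCY-CJI", "WPA2-Enterprise"),
    "00:11:22:33:44:03": ("AGENCY-GUEST", "WPA2-PSK"),
}

# Security modes that must never appear on an agency-managed AP.
WEAK_SECURITY = {"Open", "WEP"}

# Constructed survey export: bssid,ssid,channel,security
SAMPLE_SURVEY = """
# bssid,ssid,channel,security  (constructed sample)
00:11:22:33:44:01,AGENCY-CJI,6,WPA2-Enterprise
00:11:22:33:44:02,AGENCY-CJI,11,WPA2-Enterprise
AA:BB:CC:DD:EE:01,AGENCY-CJI,6,Open
AA:BB:CC:DD:EE:02,CoffeeShop,1,WPA2-PSK
""".strip().splitlines()


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    issue: str


def parse_survey(lines):
    """Parse 'bssid,ssid,channel,security' lines; BSSIDs are normalized to lowercase."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bssid, ssid, channel, security = [f.strip() for f in line.split(",")]
        records.append({"bssid": bssid.lower(), "ssid": ssid,
                        "channel": int(channel), "security": security})
    return records


def check_survey(records, inventory=AUTHORIZED_APS):
    """Return findings: rogue or twin APs, misconfigured APs, and inventoried APs not seen."""
    findings = []
    seen = set()
    agency_ssids = {ssid for ssid, _ in inventory.values()}
    for r in records:
        seen.add(r["bssid"])
        expected = inventory.get(r["bssid"])
        if expected is None:
            # An agency SSID from a BSSID we do not own is the classic evil-twin pattern.
            if r["ssid"] in agency_ssids:
                findings.append(Finding(r["bssid"], r["ssid"],
                                        "evil twin: agency SSID from unknown BSSID"))
            else:
                findings.append(Finding(r["bssid"], r["ssid"],
                                        "unknown AP in coverage area (investigate)"))
            continue
        exp_ssid, exp_security = expected
        if r["ssid"] != exp_ssid:
            findings.append(Finding(r["bssid"], r["ssid"], "SSID differs from inventory"))
        if r["security"] in WEAK_SECURITY or r["security"] != exp_security:
            findings.append(Finding(r["bssid"], r["ssid"],
                                    f"security {r['security']} differs from inventory {exp_security}"))
    # An inventoried AP that the survey did not see is either offline or a gap in the survey.
    for bssid, (ssid, _) in inventory.items():
        if bssid not in seen:
            findings.append(Finding(bssid, ssid, "inventoried AP not observed in survey"))
    return findings


def run_sample():
    return check_survey(parse_survey(SAMPLE_SURVEY))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.bssid}  {f.ssid:<14} {f.issue}")
```

The "unknown AP" finding is deliberately phrased as something to investigate rather than as a confirmed rogue: a neighbouring business's AP is legitimately present in the survey, and the coverage-area review in the controls above is what decides whether it matters. The evil-twin and weak-security findings, by contrast, always warrant action.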
Smartphones, tablets, cellular phones, “aircards” and personal digital assistants are among the various handheld cellular devices that are capable of using mobile technology. Additionally, these devices include infrared, Bluetooth and other wireless network protocols that enable them to join infrastructure networks or even create a dynamic ad-hoc network. There can be several threats to these mobile devices owing to their size, portability and vulnerability to hacking. These threats include loss, malware, unauthorized access, cloning, electronic eavesdropping and electronic tracking, among others.
- Cellular Service Abroad
For cellular devices authorized to be used outside the US, the agency should inspect and ensure that all the controls are in place and are working as stipulated by the policies.
- Voice Transmissions Over Cellular Devices
All cellular devices that are used to transmit CJI through voice mode are exempted from the requirements of authentication and encryption.
Bluetooth technology has been integrated into several mobile devices such as phones, laptops, printers, headsets, and mice among others. This technology is subject to various wireless networking threats and certain Bluetooth specific threats. Hence, the security policy of the organization shall include the security systems for Bluetooth devices in its business and operational processes.
Mobile Device Management (MDM)
If the agency deems it necessary, mobile device management (MDM) can be enforced, which facilitates the implementation of robust security controls for mobile devices. MDM also allows for centralized control of application usage, device protection and recovery, and configuration control. Superior configuration management is possible when MDM systems are used in conjunction with device-specific policies to govern the mobile devices.
It is of prime importance that devices with unauthorized changes, such as rooted or jailbroken devices, are never used to store, process or transmit CJI data. Agencies should also ensure that all the policies that govern the transfer, processing, storing and transmission of CJI are followed even when the CJI is handled on mobile devices.
Wireless Device Risk Mitigations
Organizations, on their part, should also ensure that their mobile devices
- Have operating system security patches applied as and when they become available
- Are configured for local device authentication
- Encrypt all CJI that is resident on the device
- Use the most advanced authentication procedure available
- Erase all cached information after the session is terminated
- Run an MDM system that provides antivirus services at the agency level, or employ antivirus software
- Employ personal firewalls to ensure maximum security
Maintaining the integrity of the system on mobile devices, which typically have a limited-function operating system, is difficult; hence, the System and Communications Protection and Information Integrity policy area that applies to full operating systems can’t be applied to mobile devices as written. The only practical way is to install a third-party mobile device management system or a supporting service infrastructure.
Keeping mobile devices current with patches and updates is tough given that an always-on network connection is hard to achieve on mobile devices. Agencies should monitor the mobile devices, keep constant track of those that don’t have an always-on cellular connection, and ensure the security patches are applied to them.
- Malicious Code Protection
Protecting the device from malicious applications is important and to achieve that, an appropriately configured MDM software can be used to check the authenticity of installed applications. Agencies that allow smartphones to access CJI should have a process to allow the use of specific applications and software on the devices. Furthermore, the agencies should use a properly configured MDM on the devices to prevent the installation of unauthorized applications and software.
- Physical Protection
The small form factor of mobile and cellular devices increases the risk of theft. Additionally, these devices are often stored in areas with little security, further compounding the risk of loss of critical and sensitive data. Hence, it is the responsibility of the user to ensure the safety of the device. In the event of loss of the device, the agency should have the ability to track the location of the tablets and smartphones that have authorized access to CJI, and should immediately wipe the device to ensure no damage is done through exposure of the sensitive CJI data.
- Personal Firewall
Devices such as desktops and laptops that have full-fledged operating systems have a personal firewall that prevents unauthorized access to CJI. However, mobile devices have limited feature operating systems, and these devices may not support a personal firewall. In such instances, an appropriately configured MDM software would carefully monitor and control which applications are being allowed on the device.
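The mitigations listed under Wireless Device Risk Mitigations, together with the MDM-based controls for patching, malicious code and personal firewalls just described, are in practice expressed as a compliance policy that the MDM evaluates against each enrolled device before the device is allowed to reach CJI. The following is an added example of such an evaluation over a constructed MDM export; it is not code from the original post or from any MDM product, the record fields are assumptions, and the 30-day patch threshold is an assumed agency setting rather than a figure from the policy.

```python
"""Evaluate enrolled mobile devices against the agency's CJI posture rules.

Added example (not from the original post or an MDM vendor). The device
records below are a constructed MDM export; the field names and the patch
age threshold are assumptions a real agency would set in its own policy.
"""
from datetime import date

PATCH_MAX_AGE_DAYS = 30  # assumed agency threshold, not a figure from the policy

# Constructed MDM export: one record per enrolled device.
SAMPLE_DEVICES = [
    {"id": "tab-001", "rooted": False, "encrypted": True, "local_auth": "biometric+pin",
     "patch_date": "2024-05-20", "firewall_or_app_control": True, "antivirus": True},
    {"id": "phone-002", "rooted": True, "encrypted": True, "local_auth": "pin",
     "patch_date": "2024-05-28", "firewall_or_app_control": True, "antivirus": True},
    {"id": "phone-003", "rooted": False, "encrypted": False, "local_auth": "none",
     "patch_date": "2024-01-05", "firewall_or_app_control": False, "antivirus": False},
]


def patch_age_days(dev, today):
    """Days since the device last reported a security patch level."""
    return (today - date.fromisoformat(dev["patch_date"])).days


def evaluate_device(dev, today):
    """Return the list of posture failures for one device; empty means compliant."""
    issues = []
    # Unauthorized modifications are disqualifying on their own.
    if dev["rooted"]:
        issues.append("rooted/jailbroken: must not store, process or transmit CJI")
    if not dev["encrypted"]:
        issues.append("CJI resident on the device is not encrypted")
    if dev["local_auth"] == "none":
        issues.append("no local device authentication configured")
    age = patch_age_days(dev, today)
    if age > PATCH_MAX_AGE_DAYS:
        issues.append(f"security patches are {age} days old (limit {PATCH_MAX_AGE_DAYS})")
    # A limited-feature OS may lack a personal firewall; MDM application control stands in for it.
    if not dev["firewall_or_app_control"]:
        issues.append("neither personal firewall nor MDM application control in place")
    if not dev["antivirus"]:
        issues.append("no antivirus, on-device or MDM-provided")
    return issues


def evaluate_fleet(devices, today):
    """Map device id -> list of issues."""
    return {d["id"]: evaluate_device(d, today) for d in devices}


def cji_eligible(devices, today):
    """Device ids with no outstanding posture failures, sorted for stable reporting."""
    return sorted(dev_id for dev_id, issues in evaluate_fleet(devices, today).items() if not issues)


if __name__ == "__main__":
    report_date = date(2024, 6, 1)  # constructed evaluation date
    for dev_id, issues in evaluate_fleet(SAMPLE_DEVICES, report_date).items():
        status = "COMPLIANT" if not issues else "BLOCKED"
        print(f"{dev_id}: {status}")
        for issue in issues:
            print(f"    - {issue}")
```

Evaluating against a fixed report date rather than `date.today()` keeps the result reproducible, which matters when the evaluation output is itself retained as audit evidence. Devices that come back with any issue are simply not in the eligible set; the MDM enforces that by withholding the CJI application or the network profile until the device is remediated.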
As discussed in a separate blog about Incident Response, agencies should develop enhanced or additional incident handling and reporting capabilities for mobile devices. Rapid response to incidents involving mobile devices helps in mitigating the risk of unauthorized data access and data loss. Special reporting procedures should be designed for the following situations with respect to mobile devices:
- When the control over the device is lost
- When the device is lost
- When the security of the device is compromised
- When the device is lost or compromised outside the United States.
Auditing and Accountability
The ability to implement accountability and audit functions may not be inherently included in a mobile device that has limited feature operating systems. Such devices shall be monitored by an MDM, application or any other management system that is capable of collecting required log data necessary for auditing and accountability purposes.
Multiple user accounts on a single mobile device are typically not supported and hence, the policy requirements discussed in access control can’t be applied to the entire operating system but only on specific applications that are either part of a client-server architecture or a standalone device.
Wireless Hotspot Capability
Many mobile devices have the capability to act as wireless hotspots, allowing other devices to connect to the internet through them. When the agency allows mobile devices to function as wireless access points, it should ensure that the devices are configured:
- To allow only those connections that emanate from devices authorized by the agency
- By the protocols discussed in the Wireless Protocols section above.
Identification and Authentication
Given that technical methods are used to identify and authenticate mobile devices that access CJI, different components are required to ensure compliance with CJIS. Local device authentication shall be used to authenticate mobile devices that are authorized to access CJI.
Device certificates are used to uniquely identify mobile devices. When cryptographic keys or certificates that are used to authenticate mobile devices are stored on a device, they should be:
1. Configured in such a way that they can be wiped remotely, or can self-delete after a number of unsuccessful access or login attempts
2. Protected from extraction from the device
3. Configured in such a way that a secure authenticator is used to unlock the cryptographic key for use.
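The three requirements above describe the behaviour of a device key store: the authentication key is only ever used, never exported; it is unlocked per use by a local authenticator; and it destroys itself after a run of failed unlock attempts or on a remote wipe command. The following is an added example of that behaviour, not code from the original post or from any MDM or platform vendor. It simplifies in two labelled ways: an HMAC key stands in for the certificate's private key so the block runs on the standard library alone, and a PIN stands in for the secure authenticator (a real device would use a biometric or hardware-backed credential). On a real device the "protected from extraction" property comes from a hardware keystore (Secure Enclave, StrongBox, TPM), not from anything a Python object can enforce.

```python
"""Device authentication key store with authenticator-gated use and self-delete.

Added example (not from the original post). Simplifications, labelled:
- an HMAC key stands in for the device certificate's private key;
- a PIN stands in for the secure authenticator;
- "wiping" drops references; real erasure relies on a hardware keystore.
"""
import hashlib
import hmac
import os
import secrets


class DeviceKeyStore:
    MAX_FAILED_ATTEMPTS = 5       # assumed agency setting
    PBKDF2_ITERATIONS = 100_000   # slows offline guessing of the PIN verifier

    def __init__(self, pin: str):
        self._salt = os.urandom(16)
        self._verifier = self._derive(pin)          # stored instead of the PIN itself
        self._key = secrets.token_bytes(32)         # device authentication secret; no getter exists
        self._failed = 0
        self.wiped = False

    def _derive(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, self.PBKDF2_ITERATIONS)

    def _unlock(self, pin: str) -> bool:
        """Check the authenticator; a run of failures self-deletes the key (requirement 1)."""
        if self.wiped:
            return False
        if hmac.compare_digest(self._derive(pin), self._verifier):
            self._failed = 0               # a successful unlock resets the counter
            return True
        self._failed += 1
        if self._failed >= self.MAX_FAILED_ATTEMPTS:
            self.remote_wipe()
        return False

    def sign_challenge(self, pin: str, challenge: bytes):
        """Answer an authentication challenge from the agency service.

        The key is unlocked for this one operation only (requirement 3) and the
        result is a MAC over the challenge, so the key itself never leaves the
        store (requirement 2). Returns None when the unlock fails or the key is gone.
        """
        if not self._unlock(pin):
            return None
        return hmac.new(self._key, challenge, hashlib.sha256).hexdigest()

    def remote_wipe(self):
        """Destroy the key on command from the agency's MDM (requirement 1)."""
        self._key = None
        self._verifier = None
        self.wiped = True


def verify_response(shared_key: bytes, challenge: bytes, response: str) -> bool:
    """Server-side check of a challenge response (constructed counterpart for the example)."""
    expected = hmac.new(shared_key, challenge, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    store = DeviceKeyStore("4821")                  # constructed PIN
    challenge = secrets.token_bytes(16)             # constructed server nonce
    print("good PIN ->", store.sign_challenge("4821", challenge) is not None)
    for _ in range(DeviceKeyStore.MAX_FAILED_ATTEMPTS):
        store.sign_challenge("0000", challenge)
    print("wiped after failures ->", store.wiped)
```

Two details carry the security value here. The PIN verifier is a salted PBKDF2 hash compared in constant time, so possession of the store's memory does not directly yield the PIN; and the counter is reset only by a correct PIN, so an attacker cannot reset it without already having the credential. Everything else (whether five attempts is the right limit, whether a remote wipe should also clear cached CJI) is agency policy layered on top.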
DoubleHorn is a leading Cloud Services Brokerage provider established in 2005 and located in Austin, Texas. Our products combine offerings from top Cloud providers and are designed to meet the technology requirements of the Enterprises and Government agencies. As a Cloud Broker, DoubleHorn helps in selecting the right Cloud solution, implements, maintains and offers a single source for billing and support. Contact DoubleHorn for a complimentary consultation at firstname.lastname@example.org or (855) 618-6423.