While the White House isn’t commenting on whether BlackBerries taken from a diplomatic meeting in New Orleans were compromised, security experts say the incident is a compelling reason to reassess security policies for mobile devices.
According to various published reports, at least two BlackBerry units belonging to U.S. delegation officials went missing after a summit meeting in New Orleans last week.
Surveillance tapes revealed Rafael Quintero Curiel, a press aide to Mexico President Felipe Calderon, picked up the devices. Secret Service personnel retrieved the devices from Curiel shortly after.
In a press briefing last Friday, White House Press Secretary Dana Marie Perino said she didn’t know whether the phones contained sensitive information or if they had been compromised.
The White House press office referred InternetNews.com to Perino’s statement and said it will not comment further while the investigation continues.
No matter what the outcome, the incident provides both a reminder and a lesson learned on why mobile device security is increasingly critical, according to experts.
“Companies can take a real valuable lesson from this,” Scott Totzke, vice president of BlackBerry maker Research In Motion’s (NASDAQ: RIMM) Security Group, told
“These devices are today’s personal computers, with lots of valuable information and sensitive data. They’re more of a target than ever,” he added.
Increasing risk is a primary reason RIM expanded
security policies in its January BlackBerry Server 4.1.5 release. The more than 400 policies range from password use to camera functionality as well as instant-messaging use. For example, users can set policies to have a BlackBerry locked when set into holster or destroyed when a battery is running low.
“The policies are to prevent attacks, and there are some that expand to higher levels of paranoia,” Totzke said. The smartphone can be instructed to self-destruct when password attempts hit a certain number. Another application destroys data when a device is out of network coverage for a certain time frame.
Using Bluetooth, RIM also provides two-factor authentication capabilities using a smart-card reader system in addition to password functionality. In addition, third-party applications alert administrators when a device is not within a set geographic range of its user.
“Things have gone beyond password security as the technology has matured and the infrastructure sign-on is coming into its own,” Totzke explained.
Those types of security functions are in addition to the longtime BlackBerry administration tools for remote security. Device administrators can “wipe kill” or “brick” a device in seconds of it being reported lost. The device has a remote shutdown option as well.
“Security is not a one-size-fits-all proposition as enterprises have different needs and so do their users. You have to provide flexibility to allow for those needs and for what makes sense for the enterprise domain,” Totzke said.
In the White House BlackBerry event, it’s not known if the devices were left on during the meeting, though security experts suspect they were turned off. When launched the first line of device defense is typically a password requirement. Administrators, if alerted to a lost device, can destroy and lock down a device once it’s repowered.
“The BlackBerry is the Sherman tank in terms of a secured device, as security has always been a focus for RIM,” Brian Reed, chief marketing officer for BoxTone, a BlackBerry management software and services provider, told InternetNews.com. “Organizations have to have best practices and as much enforcement technology as they can,” he said.
BoxTone makes software that instructs a BlackBerry Enterprise Server to send a ‘wipe clean’ command when deemed necessary, and then verifies in real time that the device is cleared of all data. That auditing aspect is important given today’s compliance rules and regulations, Reed noted.
The vendor’s BlackBerry management console also allows frontline IT support personnel to initiate a “wipe” command, which can save time when higher-level IT leaders are not within quick access.
The wipe command erases all personal and corporate data from the device if connected to the network, or once it reconnects to the network. It then generates reports to verify which devices were wiped and when.
As Reed explained, enterprises need to have a plan in place for device loss scenarios so that action can be taken quickly. The first step is password security and educating users on how important it is to notify IT as quickly as possible when a device is lost.
According to Reed, enterprises need to take a strong position as they often house data as critical as that on PCs and laptops these days. “It’s all about security and control and they need to be concerned about theft loss,” he said.