How Old Is Your Smartphone?

Continued innovation in the smartphone market ensures the major manufacturers will debut a new flagship smartphone every 12-18 months. Even smaller, less known manufacturers are stepping up to the plate to provide new and innovative smartphone designs. The flurry of new features continually being developed (in both hardware and software) assure this pace is not likely to slow for at least the next several years. Yet, all this excitement around new smartphones likely won’t be the primary motivation for your organization to purchase new equipment every year. So how often should you replace your devices? Unfortunately, there is not an agreed-upon standard when it comes to smartphone replacement; however, the short answer is: no less frequently than every 36 months, with 24 months being the most prudent.
 

Patch Management Necessity and Shortcomings

The issue really comes down to one topic: Patch Management. Patch Management of PCs and servers has become a necessity for doing business securely. Improperly patched systems greatly increase the “attack surface” available to would-be hackers attempting to gain unauthorized access to your network. Typically, vulnerabilities are found in research labs or following an actual data breach, prompting software developers to create a “patch” to repair the vulnerability in said software. To make matters even less predictable, now we have hacktivists releasing state secrets full of previously unreleased vulnerabilities affecting many consumer and corporate-grade endpoint and networking devices. Once released, software developers must again scramble to fix the flaws or risk those vulnerabilities being exploited by malefactors.

Patch Management is not a foreign concept to PCs and servers. Typically, a Patch Management system consists of some type of management server that determines patch levels of all member servers and clients, downloads those patches into a repository, and distributes them to the appropriate client at the appropriate time. But what about your company-owned smartphones? Two (2) questions that you can ask of your organization:

• Are we actively managing smartphone patch levels?
• What type(s) of corporate data do we access on our smartphones?

While the answer to the second question is typically well-defined and controlled through mobile device management and written policy, the answer to the first question is very likely “I don’t know.” If that was indeed your answer, don’t feel bad. Most popular mobile operating system developers distribute their OS and security updates on their own and over-the-air.
 

What about Mobile Device Management?

Mobile Device Management (MDM) may offer some solutions. MDM is typically used to enforce certain security features in order to allow access to certain corporate information. For example, to receive corporate email on a smartphone, MDM would likely enforce:

• Device encryption
• Remote wiping capabilities
• Some form of device authentication
• Strict screen lock requirements

These are common security features intended to reduce the “attack surface” of mobile devices. Most mobile security controls are geared directly toward unauthorized physical access, since mobile devices are just that - mobile. They exist outside the safety of the corporate office. Does your MDM perform Patch Management on its managed devices? Does it require a certain “patch level” to access corporate information?

To further complicate matters, developers of popular mobile operating systems typically aren’t very forthcoming about End of Life dates. Some do. Google was kind enough to provide definitive dates at the time of purchase. The Nexus 6P will stop receiving new versions of Android in September 2017, and stop receiving security updates either three years from the phone’s release date or 18 months after the phones purchase, whichever is longer. Wouldn’t this type of information be handy for those in charge of managing mobile devices?
 

Utilize Your IT Risk Assessment

With limited control over patch management, multiple mobile operating systems available, and limited knowledge on End of Life dates; how do we ensure adequate mobile security? You should start by referencing your IT Risk Assessment. The following are processes you should consider when performing a risk assessment of mobile devices:

• Ensure all your mobile devices are appropriately identified and documented within your IT Risk Assessment.
• Ensure the data allowed to be stored, processed, or transacted on mobile devices are properly identified within your IT Risk Assessment.
• Ensure the controls you have implemented to mitigate risk to mobile devices are identified within your IT Risk Assessment.
• Once complete, if the identified mobile devices fall within established Risk Appetites, reasonable assurance should be provided.
• If Risk Appetites are not being met, revisit the Risk Assessment and ask the following questions:
  • What controls are still available?
  • How would their implementation help meet your Risk Appetite?
• Replacing mobile devices every 24-36 months should provide adequate assurance to the availability of security patches.
   

Written by: Cody Delzer
Senior Information Security Consultant, SBS CyberSecurity

Related Certifications

Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a full list of certifications.

How SBS Can Help

For a better IT Risk Assessment, look no further than our TRAC risk management solution. TRAC’s IT Risk Assessment module allows you to perform a quantifiable and measurable asset-based risk assessment much more quickly than using a spreadsheet. TRAC is powered by predefined, industry-specific data that helps you know your risk assessment is correct and allows you to make better security decisions.