Mobile Policy Security Requirements Guide

Some networking protocols are considered less secure than others (e.g., Bluetooth, peer-to-peer, etc.). In its access control policy and security procedures addressing remote access to the information system, the organization, in order to protect and secure its network, must define those network protocols considered to be non-secure. Failure to define the non-secure network protocols could result in the organization's network being open to access by these non-secure protocols, which could result in unauthorized access to, modification of, or destruction of sensitive or classified data. For mobile systems, several non-secure protocols are used routinely in the commercial world. Many of these must not be allowed on DoD networks and specified.

If a TRANSEC vulnerability analysis has not been completed, the system may not be designed or configured correctly to mitigate exposure of DoD data, or may be vulnerable to a wireless attack. The purpose of the analysis is to determine the jamming and exploitation risk of a WMAN system based on the design of the system If the WMAN system is a tactical system or a commercial system operated in a tactical environment, the site WMAN system accreditation documentation must include a Transmission Security (TRANSEC) vulnerability analysis. The analysis must include a determination on whether the system has a low probability of exploitation (LPE) for the WMAN signal in space, and list recommended risk mitigation actions. NOTE: This check should only be reviewed during the initial system Certification and Accreditation (C&A). This requirement originated in DTM 08-039, "Commercial Wireless Metropolitan Area Network (WMAN) Systems and Technology."

A key security control for DoD Bluetooth devices is to limit the broadcast area of the Bluetooth signal to the personal area of the user (approximately 30 feet or less). Class 1 radios broadcast at a higher power and are more vulnerable than Class 2 or 3 radios. The Class 1 radio signal is broadcast much farther; therefore, an adversary can be much farther away to intercept or monitor the transmission. Class 3 radios – have a range of up to 1 meter or 3 feet. Class 2 radios – most commonly found in mobile devices – have a range of 10 meters or 33 feet. Class 1 radios – used primarily in industrial use cases – have a range of 100 meters or 300 feet.

When using a wireless system outside of the US&P, host nation wireless spectrum regulations must be followed. Otherwise, the system could interfere with, or be disrupted by, host nation communications systems.

If the policy does not include information on Wi-Fi security controls, it is more likely that the security controls will not be implemented properly. Without appropriate controls, Wi-Fi is vulnerable to a number of security breaches. These breaches could involve the interception of sensitive DoD information and the use of the device to connect to DoD networks.

Policy and training provide assurance that security requirements will be implemented in practice. Failure to use FIPS 140-2 validated cryptography makes data more vulnerable to security breaches as the data is unencrypted and in clear text.

Wireless signals can be intercepted more easily by an adversary than a wired signal due to the nature of the technology. DoD data may be at risk of exposure if the signals are not constrained to an area that is appropriately sized. This requirement originated in DTM 08-039, "Commercial Wireless Metropolitan Area Network (WMAN) Systems and Technology."

The 3.30-3.65 GHz frequency band WMAN interferes with DoD radar systems. Therefore, this range must be avoided. This requirement originated in DTM 08-039, "Commercial Wireless Metropolitan Area Network (WMAN) Systems and Technology."

If scan results are not properly reported and acted on, the site could be vulnerable to wireless attack. This requirement originated in DTM 08-039, "Commercial Wireless Metropolitan Area Network (WMAN) Systems and Technology."

Close tracking of authorized wireless devices will facilitate the search for rogue devices. Sites must maintain precise inventory control over wireless and handheld devices used to store, process, and transmit DoD data as these devices can be easily lost or stolen, leading to possible exposure of DoD data.

The DAA and site commander must be aware of all approved wireless devices used at the site or DoD data may be exposed to unauthorized individuals. Documentation of the enclave configuration must include all attached systems. If the current configuration cannot be determined, then it is difficult to apply security policies effectively. Security is particularly important for wireless technologies attached to the enclave network because these systems increase the potential for eavesdropping and other unauthorized access to network resources.

Wireless clients, DoD data, and the DoD network could be compromised if operational policies for the use of wireless remote access are not documented by the site. A site's Remote Access Policy will be written and signed by the site DAA, Commander, Director, or other appropriate manager(s). The policy should include required security controls for the DoD-owned/operated wireless client (laptop or CMD): - Device unlock password requirements. - Anti-virus application. - Personal firewall. - Client software patches kept up to date - Internet browsing through enterprise Internet gateway. - Device security policy managed by centrally-managed policy manager. - Anti-spyware app (recommended). - Procedures after client is lost, stolen, or other security incident occurs. - Host-based Wireless Intrusion Detection and Prevention System (WIDPS)/monitor WIDPS. - Configuration requirements of wireless client - Home WLAN authentication requirements. - Home WLAN SSID requirements. - Separate WLAN access point required for home WLAN. - 8+-character authentication password required for home WLAN. - Use of third-party Internet portals (kiosks) (approved or not approved). - Use of personally-owned or contractor-owned client devices (approved or not approved). - Implementation of health check of client device before connection is allowed. - Places where remote access is approved (home, hotels, airport, etc.). - Roles and responsibilities: --Which users or groups of users are and are not authorized to use organization's WLANs. --Which parties are authorized and responsible for installing and configuring APs and other WLAN equipment. - WLAN infrastructure security: --Physical security requirements for WLANs and WLAN devices, including limitations on the service areas of WLANs. --Types of information that may and may not be sent over WLANs, including acceptable use guidelines. - WLAN client device security: --The conditions under which WLAN client devices are and are not allowed to be used and operated. --Standard hardware and software configurations that must be implemented on WLAN client devices to ensure the appropriate level of security. --Limitations on how and when WLAN client's device may be used, such as specific locations. - Guidelines on reporting losses of WLAN client devices and reporting WLAN security incidents. - Guidelines for the protection of WLAN client devices to reduce theft.

The organization's access control procedures and security policies establish the requirement to control the use of various mobile devices and connected or imbedded capabilities. These policies and procedures are ineffective if there is no process in place ensuring the policies and procedures are being followed. A process of randomly inspecting or reviewing the various mobile devices, to include connected or imbedded capabilities, can be effective in ensuring compliance with the organization’s mobile device policies and procedures.

The security integrity of the CMD system depends on whether local sites, where CMDs are provisioned and issued, are complying with IA requirements. The risk of both malware being introduced on a handheld device, and of avenues of attack into the enclave being introduced via a CMD, are heightened if IA control procedures are not followed.

Scan results must be maintained, so auditors can verify mitigation actions have been completed, so a scan can be compared to a previous scan, and to determine if there are any security vulnerability trends.

If organizations do not maintain scan logs, it cannot be determined if intrusion detection findings are isolated and harmless events, or a more sustained, methodical attack on the system.

If the organization does not review the integrity tool scans, an attacker may not be noticed by the administrator, and gain control of DoD data or compromise the system.

Malware can be introduced on a DoD enclave via personally-owned applications and personal website accounts. In addition, sensitive DoD data could be exposed by the same malware. The DoD component must publish a Personal Use Policy for DoD component managed or owned CMDs. The policy will provide information on allowed personal use of DoD component mobile devices, including devices approved for connection to DoD networks and processing of sensitive data and for devices not approved for connection to DoD networks and processing of DoD data (for example, non-enterprise activated devices). The policy will be approved by the DAA based on a risk based assessment. The assessment will consider costs to the Command that could result from additional wireless service charges from personal usage of the device.

CMDs with cameras are easily used to photograph sensitive information and areas if not addressed. Sites must establish, document, and train on how to mitigate this threat.

Malware may be installed on a device at some point between shipping from the factory and delivery to DoD. The malware could result in the compromise of sensitive DoD information or result in the introduction of malware within the DoD network.

Improper use of wireless remote access to a DoD network can compromise both the wireless client and the network, as well as, expose DoD data to unauthorized individuals. Without adequate training, remote access users are more likely to engage in behaviors that make DoD networks and information vulnerable to security exploits. The security personnel and the site wireless device administrator must ensure all wireless remote access users receive training before they are authorized to access a DoD network via a wireless remote access device.

The security posture of the MDM server could be compromised if the administrator is not trained to follow required procedures.

Users are the first line of security controls for CMD systems. They must be trained in using CMD security controls or the system could be vulnerable to attack. All CMD users must receive security training on the device before they are issued a CMD. If training is not renewed on an annual basis, users may not be informed of new security procedures or may forget previously trained procedures, which could lead to an exposure of sensitive DoD information.

If procedures for lost or stolen CMDs are not followed, it is more likely that an adversary could obtain the device and use it to access DoD networks or otherwise compromise DoD information systems and data.

Sensitive DoD data could be stored in memory on a DoD operated CMDs and the data could be compromised if required actions are not followed when a CMD is lost or stolen. Without procedures for lost or stolen CMD, it is more likely that an adversary could obtain the device and use it to access DoD networks or otherwise compromise DoD IA. The site (location where CMDs are issued and managed and the site where the MDM server is located) must publish procedures to follow if a CMD has been lost or stolen.

If appropriate procedures are not followed prior to disposal of a CMD, an adversary may be able to obtain sensitive DoD information or learn aspects of the configuration of the device that might facilitate a subsequent attack.

Lack of user training and understanding of responsibilities to safeguard wireless technology is a significant vulnerability to the enclave. Once policies are established, users must be trained to these requirements or the risk to the network remains. User agreements are particularly important for mobile and remote users since there is a high risk of loss, theft, or compromise. Thus, this signed agreement is a good best practice to help ensure the site is confirming the user is aware of the risks and proper procedures.