Mobile Device Security Recommendations
Mobile computing devices are devices such as tablets, smart phones, USB devices, and laptop computers. The very features that make these devices useful (portability, access connectivity, data storage, processing power, etc.) also make them a security risk to users and to the University of Maryland (UMD) when those devices contain University data. Major features of mobile devices that create risk to the user, and potentially the University as well, include their small size (they can easily be lost or stolen), weak user authentication mechanisms that can easily be compromised or simply disabled by the user, and their ease of disconnectedness.
This document explains general end-user security measures that can be taken on mobile devices. Taking action to personally ensure computer security helps protect everyone from data and identity theft, viruses, hackers, and other threats. Every member of the UMD community who uses a mobile computing device can make the Maryland computing environment more secure by following these best practices.
General Security – Your IT staff may be able to assist you with the following
- Obtain management approval of mobile devices prior to using the devices to handle and store University data. Management may also require the completion of training on proper device handling and management practices prior to receiving authorization. The LinkedIn Learning website offers mobile security training.
- Keep your mobile devices with you at all times or store them in a secured location when not in use. Do not leave your mobile devices unattended in public locations (e.g. airport lounges, meeting rooms, restaurants, etc.).
- Deploy approved hardware encryption software. Ensure that the selected software employs whole disk encryption. Please contact the Service Desk for information about encryption software.
- Mobile devices should be password protected and auto lockout should be enabled. The password should block all access to the device until a valid password is entered. The password used should be as strong a password as your device will support. Learn more about strong passwords at password.umd.edu.
- If available, enable a remote wipe feature. This also includes features that delete data stored on the mobile device if a password is not entered correctly after a specified number of tries.
- Do not circumvent security features or "jailbreak" your mobile device.
- Wipe or securely delete data from your mobile device before you dispose of it.
- Lost or stolen mobile devices should be immediately reported to the police. If your mobile device contained University of Maryland data, also inform your IT department about the loss or theft of the device. Learn more about security incidents by visiting the Report a Security Incident page.
- Apply computing device security software patches and updates regularly.
- Apply computing device operating system patches and updates regularly.
- Apply computing device application software patches and updates regularly (e.g. word processor software, IM clients, and other programs).
- Install and use anti-virus and anti-spyware software on the computing device, keep software definitions up to date, and run regular scans. We recommend you obtain antivirus software from http://terpware.umd.edu. For anti-spyware we recommend the following free software: Malwarebytes, SUPERAntiSpyware, and Spybot.
- Install and enable a hardware and/or software firewall. Information about firewalls can be found at:
- Configure the computing device so that it runs in least privilege mode (e.g. user) and times out after a 15-minute period of inactivity.
- Activate and utilize a lock feature prior to leaving the computing device unattended.
- Regularly verify that system security measures are enabled on your computing device.
- Never share directories and files without access controls.
- Where possible, data transmissions from mobile devices should be encrypted. UMD offers VPN Client Software for students, faculty, and staff, which is available at terpware.umd.edu.
- Wireless access (Bluetooth, Wi-Fi, etc.) to mobile devices should be disabled when not in use to prevent unauthorized access to the device.
- If available, wireless access should be configured to query the user for confirmation before connecting to wireless networks.
- For example, when Bluetooth is on, select the "check with me before connecting" option to prevent automatic connections with other devices.
- Use the VPN Client Software offered by UMD to connect to campus resources.
- Avoid unencrypted public wireless networks. Such Wi-Fi networks require no authentication or password to log into, so anyone can access them, including the bad guys.
Application and Data Security
- Do not install software from unknown sources, as it may be harmful to your device. Research the software that you intend to install to make sure that it is legitimate. Be sure to only download mobile apps from a trusted source, for example Apple's App Store or Google Play, rather than directly from a website.
- When installing software, review the application's permissions. Modern applications may share more information about you than you are comfortable with, including allowing for real-time tracking of your location and/or access to your photos, microphone, and other apps that may be on your phone.
- Be careful when storing your personal data on your mobile device. If you lose the device, you could lose your data.
- Follow the State of Maryland Mobile Device Security Policy with respect to the University of Maryland data stored on your mobile device.
- Additional information on how to securely use mobile applications is available from SANS at https://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201703_en.pdf
Disposing of Mobile Devices
At some point all of our mobile devices will become obsolete and we will want to replace them with something new. When the time finally comes to get rid of these old devices, be sure to do so with care. Mobile devices often contain a plethora of sensitive information like addresses and phone numbers, and sometimes even online account credentials. Thankfully, the Federal Trade Commission (FTC) provides some useful guidance on the best ways to prepare your devices for disposal. Please visit https://www.consumer.ftc.gov/articles/0200-disposing-your-mobile-device to view their guidance.
For additional help please contact DIT's Compliance Team at email@example.com.