Risk
10/26/2011
04:20 PM

Stolen iPads A Special Problem For Fed Agencies

Mobile devices will inevitably go missing, as a recent theft at the VA shows. So security and device management work continues.

Just a few weeks after the Department of Veterans Affairs opened up its networks to iPads, the agency has reported its first stolen iPad. Not that VA CIO Roger Baker wasn't expecting this to happen.

According to a report first released as part of a monthly cybersecurity report posted on the VA's website, an iPad2 was likely stolen out of one of the VA's IT offices in Washington, D.C., in early September, before the agency ever authorized iPads for broader use. The iPad hadn't been configured for employee use, wasn't storing personally identifiable information, and had its data service canceled as soon as the agency discovered it was missing. However, the device's theft speaks to larger security concerns as iPads become more prevalent on federal agencies' networks.

That day is rapidly approaching. The VA became one of the first agencies to authorize iPads on its networks earlier this month. While Baker estimated on a call with reporters Wednesday that fewer than 500 iOS devices (including iPads and iPhones) currently have access to VA networks, he expects the number of iPads to quickly grow to a thousand and eventually tens of thousands. Other agencies, including the Department of Transportation and the Department of Homeland Security, are also piloting the devices.

"It's very clear from the public demand and the clinician demand that there's a real use for them in areas that would make a clear business case," Baker said.

While Apple devices aren't currently compliant with the key federal encryption standard, Federal Information Processing Standard 140-2, the VA will require encrypted applications, including email, which is one of the first applications supported on iOS devices inside VA. The agency is also developing an iPad version of the VA's Computerized Patient Record application that will support encryption. "Since the device doesn't support encryption, we are enforcing encryption at the application level," Baker said.

The VA is also piloting mobile device management software to manage mobile device security by locking down configuration settings, controlling what apps can be installed on devices, and remotely wiping devices if they go missing or are stolen.

In a request for information issued October 20, the VA indicated that it was looking for mobile device management software that could control up to 100,000 tablets, including iPads, Androids, and Windows devices. The VA is looking for a suite of features, including reporting, automated enforcement of enterprise rules via actions like device locking or wiping, ability to offer an enterprise application store, ability to view a device's GPS history, and white and blacklisting of apps.

Finally, VA will track instances of iTunes installed on laptops and desktops inside VA. "We're going to watch every [computer] where iTunes is loaded and make sure it's specifically approved for an iPad user," he said. In other words, he said, security with tablets isn't just about the tablet itself, but also about the devices that support that tablet, such as a PC loaded with iTunes.

The VA's monthly security report indicated that police are combing through camera footage at the scene of the crime for any clues on the iPad2's theft. The iPad was one of 21 desktops and laptops that went missing or were stolen in September. All of those computers were either encrypted or stored no sensitive or personally identifiable information.

Comments
FlavoredAir,
User Rank: Apprentice
11/1/2011 | 9:04:21 AM
re: Stolen iPads A Special Problem For Fed Agencies
You must not have been a math major in college. The iPads that the government is buying are not top-of-the-line 64gig 3G units. They're buying 16gig units, some of which have 3G and some of which have just wifi. The base price of an iPad 16gig with wifi only is $499 - and that's NOT including the federal discount that they get (~10% off, sometimes more if bought in higher numbers).

The cost of securing these devices - on a per device basis - is far cheaper than securing any Windows computer. The sheer amount of money spent on software and hardware to protect a desktop or laptop within the government is astronomical in comparison to what's spent on a similar level of securing an iPad.

And how do I know this? I'm someone who has overseen a federal deployment of iPads just a few months ago at another HHS agency.

If you're going to bloviate, at least do it with facts, not speculation posing as fact.
Bprince,
User Rank: Ninja
10/31/2011 | 6:10:57 PM
re: Stolen iPads A Special Problem For Fed Agencies
As someone whose phone slipped out of his pocket in a cab once (I was able to get it back, thankfully), I feel like I can relate somewhat to someone losing a device or having it stolen. I think rather than trying to stop people from using popular devices, it may be a better strategy to focus on device management and protecting the data on the device itself through encryption, data masking, etc., if it is sensitive.
Brian Prince, InformationWeek contributor
ajones320,
User Rank: Apprentice
10/28/2011 | 1:07:04 AM
re: Stolen iPads A Special Problem For Fed Agencies
Why do the feds use excessively overpriced hardware in the first place? I know that it doesn't matter if a 2000$ or 500$ laptop gets lost with sensitive data on it, but how about buying a cheap 500$ Windows laptop and spending 1000$ on securing it...still cheaper than a friggin iPad.
John Douglas,
User Rank: Apprentice
10/27/2011 | 9:28:50 PM
re: Stolen iPads A Special Problem For Fed Agencies
At some public restrooms where anyone, including government employees, is allowed to use the keys, they chain them to big boards. Or spoons to the pen at the front desk. Maybe if we encase the iPad in a PC terminal, no one will walk off with it.
Bob Forsberg,
User Rank: Apprentice
10/27/2011 | 8:05:12 PM
re: Stolen iPads A Special Problem For Fed Agencies
Anyone who has worked for or used Government facilities and services realizes the rank and file employees are not the sharpest tacks in the box or the most honest.

Placing large ID/serial numbers or a person's name and phone number on these items would keep theft of iPads at a minimum. Apple provides that service for free. You just need to ask when purchased.

Using readily available consumer products is a great idea for government agencies. It minimizes $20 pencils, $400 hammers and $2,800 toilets.
Tom LaSusa,
User Rank: Apprentice
10/27/2011 | 4:26:50 PM
re: Stolen iPads A Special Problem For Fed Agencies
Maybe the issue here is that there are just some Tech sectors -- Gov't for instance -- that should not be allowed to embrace consumerization.

Tom LaSusa
InformationWeek