The use of mobile devices is expanding at an increasing rate in both the private and public workforces. They offer organizations the ability to keep their employees well connected at all times, whether at home, in the office or travelling. However, mobile devices present a special security risk because of their mobility and small size. The objective of this paper is to assess vulnerabilities as well as policies, standards and procedures for effective risk management of mobile devices. The first section discusses the benefits of mobile devices. The second section deals with the vulnerabilities associated with mobile computing and mobile devices. The third section briefly introduces policies, standards and procedures for mobile device risks. Finally, concluding remarks are offered.
Benefits of Mobile Devices
Mobile computing is computing that allows continuous access to remote resources. It requires the use of mobile computing devices such as laptops, PDAs, Pocket PCs and smartphones. Such smartphones include the Apple iPhone, Google Android, Research in Motion (RIM) Blackberry and Windows Mobile-based devices (Microsoft Press, 2005). Because of their mobility and small size, those devices pose a much higher risk of physical compromise and malware threats. In addition, most mobile devices are built with a single user in mind and lack the security and manageability features that enterprise IT systems and network infrastructure require.
Despite the associated risks, mobile devices have become an indispensable tool in today's networked environment. For many organizations, wireless communication and mobile devices have become more convenient, flexible and easy to use, and they help keep employees in touch at all times. Those devices let people conduct business anytime and anywhere: at home, in the office or travelling. As a result, usage of mobile devices has reached an unprecedented level. With this rapid growth, mobile cellular subscriptions were estimated to reach 4.6 billion globally at the end of 2009 (US-CERT, 2010).
Observing an increase in employee productivity as a result of increased mobile device use, many organizations (private as well as public) have chosen to purchase, manage and support their use by employees (ISACA, 2010). Some companies allow employee-owned mobile devices to be used for business purposes. This may seem cost effective, but such devices are difficult to manage and control, leading to higher risk (NIST, 2008). Moreover, providing security solutions becomes more difficult when mobile devices are regulated.
Benefits of mobile devices experienced by enterprises include increased employee productivity (connectivity for knowledge workers and completion of work offsite), improved customer service (timely responses to customer problems and increased efficacy of business processes), employee security and safety (devices keep employees connected and in touch while travelling to and from remote areas), and employee retention (creating a positive environment as management supports the use of mobile devices within the enterprise). In addition, users of mobile devices can synchronize data between desktops and mobile devices, helping them use wireless services such as wireless e-mail, internet access or web browsing, thereby reducing the enterprise's wiring costs (Radack, 2003). However, the increased use of mobile devices and their inherent vulnerabilities make them susceptible to malicious activities as well as non-malicious internal threats.
Vulnerabilities, Risks and Security Concerns
While mobile devices provide convenience and productivity, they also pose a significant threat to enterprise security. Some of the vulnerabilities inherent to mobile devices include mobility and data loss, wireless network use and exposure to untrusted wireless networks, difficulty in applying security updates and patches, mobile malware and Bluetooth technology, and social engineering and social network abuses (ISACA, 2010; Microsoft Press, 2005). In addition to those threats, mobile devices also face all of the threats that desktop computers do.
Mobility
Because of their mobility, mobile devices have a much greater chance of being stolen. Most employees work on their laptops at home or take their laptop or cellular phone on business or personal trips. Stolen mobile devices may be sold to an attacker who can potentially retrieve all the information from the devices. That information may include passwords for network accounts, personal information or sensitive company data. The information can be used to attack the organization's network or to steal identities, causing greater negative impacts on the organization.
Some enterprises may face a greater threat than others if their devices fall into the wrong hands. For example, hardware and software companies might be targeted by attackers hoping to steal the companies' latest discoveries. Retail enterprises might be victims of stolen customer credit card information. Law enforcement and government agencies might be targeted by attackers seeking access to sensitive information on their networks. Many cellular and smart phones have internet access, so they may hold confidential information such as passwords and e-mail messages. An attacker could retrieve that information to attack the user's organization's networks later. Data on those devices are mostly not backed up. To make it worse, the information on those devices is not encrypted. Lost data means lost productivity, as employees cannot do their jobs without backed-up data.
These mobile devices also have accessories capable of storing files, which an attacker could retrieve from the stolen devices. Such accessories include floppy disks and CDs, USB drives, CompactFlash cards, Secure Digital (SD) cards, smart cards and Subscriber Identity Module (SIM) cards. If they fall into the wrong hands, smart cards and SIM cards in particular can contain data such as private keys and personal information that could be used to attack the network of the device user's organization.
Wireless Connection and Exposure to Untrusted Networks
Enterprise desktops or PCs are connected to local area networks with managed security settings, and they are protected from intruders and untrusted networks by firewall and IPS tools. Mobile devices use wireless networks to connect to the internet, which is less secure than a wired connection. Malicious outsiders may intercept information, leading to breaches of sensitive data, damage to the enterprise's reputation or legal consequences. Furthermore, when laptops and other mobile devices leave their enterprise boundaries, at home or in a hotel, they may connect to the internet without protection. This exposes the device to attackers scanning for vulnerable devices connected to the internet, which in turn exposes the enterprise network to malware and can cause data leakage or data corruption (ISACA, 2010).
Difficulty of Applying Security Updates
While PCs have a static place in the network structure, mobile devices travel from network to network. They often leave their local area network. As a result, they have become the most difficult devices to manage and secure centrally. Applying security updates, including patches, service packs and virus definition files, becomes very difficult. Traditional methods of applying security require computers to have a static physical position as well as a static logical position on the LAN (Microsoft Press, 2005). Even with the latest automatic update technology, it is difficult to assess the current security state of remote mobile devices. With the absence of a clear patch management solution for mobile devices and their persistent connection to the internet, the security threat to the devices, to the information stored on them and to the organization's network has become very serious.
Mobile Malware and Bluetooth
Various kinds of malware are being created and used to target mobile devices. The most notorious recent example of mobile malware is Ikee.B, an iPhone worm created with financial motivation. The worm searches for financially sensitive data stored on the iPhone and sends it to the attacker (US-CERT, 2010). The worm coordinates infected phones using a botnet command and control server. The infected iPhones may be exposed either because they have applications installed that allow remote access or because they are 'jailbroken', i.e. configured to allow the installation of unofficial applications. Flexspy, a commercial spy software capable of listening to conversations on the phone, viewing e-mails and texts, and tracking the user's movements without the user's knowledge, has serious repercussions because of its possible use by attackers (US-CERT, 2010).
Bluetooth and synchronization between mobile devices and desktops are also potential attack routes that give attackers a platform. The Cardtrp worm infects devices through Bluetooth and Multimedia Messaging Service (MMS) (Whipp, 2005). It infects mobile devices running the Symbian 60 operating system, like most Nokia phones, overwriting system files and causing malfunctions. This worm can also infect desktop computers. The other most prevalent, but less severe, mobile malware is Cabir, which is also a Bluetooth worm. It spreads to Bluetooth-enabled mobile devices that are in discoverable mode. The worm causes the devices to continuously make Bluetooth connection attempts, draining their batteries.
Social Engineering
Social engineering is one of the known ways of spreading malware through the internet. Users are deceived into believing that malicious activities are legitimate. Exploitation through social engineering has spread widely from the desktop into the mobile market, as it has become extremely lucrative. One method of social engineering that poses a significant cyber threat on mobile devices is phishing (a criminal attempt to manipulate a victim into exposing sensitive information by posing as an honest entity using e-mail scams). Two variants of phishing are used via mobile devices, namely vishing and smishing (US-CERT, 2010). The former leverages voice communication, calling the victim as if from a financial institution and asking them to verify personal information; the latter exploits SMS, or text messages, sending a text with a link and a 'legitimate-looking' statement. Once the link is clicked, a Trojan horse is downloaded to gain access to the device.
Exploitation of Social Networking
Social media and networking sites, such as Facebook, have become pillars of electronic information sharing and communication. As businesses and consumers continue to use those websites, targeted abuse of personal identity and data has increased substantially. The cyber threat predictions for the year 2011 by the leading anti-virus provider McAfee named social media as the major area of exploitation (McAfee, 2011). Significant increases in threats targeting iPhone applications and other mobile devices are another predicted area. The transition of users from slower e-mail communication to faster methods such as instant messaging, Twitter and Facebook triggered this major shift in threats.
Social media abuse concentrates on two major areas: short URL abuse and locative service abuse. As users communicate and share their interests, Uniform Resource Locators (URLs) are continuously exchanged between users. The ability of various websites to shorten traditionally long URLs facilitates communication. Especially for the character-constrained Twitter, shortened URLs are becoming invaluable. However, those shortened URLs are abused by criminals, because users do not know where a shortened link leads until they click it (US-CERT, 2010). Most social media users add GPS (global positioning system) information to their media updates to let their friends see where they are. Locative services such as Gowalla and Facebook Places make it easy to search for, find and track friends or strangers (McAfee, 2011). Based on the information from such services and from other tweets, users can easily become targets of cyber criminals and scammers. In sum, exploits in social media, together with the increased use of mobile devices, have intensified targeting and malware sophistication. The next section discusses how to manage the risks associated with mobile devices.
Policies, Standards and Procedures for Mobile Device Risks
There is an increasing tendency for enterprises to use mobile devices in their working environment. Enterprises may use either However, before implementing their use, they should perform a risk assessment and weigh the benefits offered by the technology against the risks involved with its applications. Once the benefits and the risks are clearly understood, enterprises have to make sure that appropriate policies, standards and procedures for mobile devices are implemented (NIST, 2008).
Mobile device security policies should be established, clearly defining the rules, standards and practices. The policy should reflect the company's overall security and safeguarding views. Restrictions on personal communications such as social media and networking should be clearly stated. Like the overall security policy, the effectiveness of a mobile security policy depends on its quality, implementation and enforcement.
An operational plan covering data protection, user authentication, access to enterprise networks and resources, and the handling of lost or stolen devices should be established. When preparing the plan, issues to consider include issuance of new devices, backup and recovery, content erasure before disposal or reissue, the business applications to be used, and other security issues. Moreover, existing disaster recovery, contingency or business continuity plans should be extended to encompass mobile devices.
Ongoing risk analysis and management is very important. Like overall security, mobile device security involves continuous analysis and management of risks. The analysis helps identify vulnerabilities and threats, computes the potential attacks and assesses the likelihood of their occurrence. It also estimates the possible damage from successful attacks. Risk management involves taking the necessary steps to reduce the assessed risks to an acceptable level.
Security involves continually
analyzing and managing risks. As seen in earlier sections, mobile devices have
their share of risks and must also contend with a dynamically changing
environment. A risk analysis identifies vulnerabilities and threats, computes
potential attacks, assesses their likelihood of success, and estimates the
potential damage from successful attacks. Risk management involves taking steps
to reduce assessed risk to an acceptable level and maintain that level of risk.
Ongoing risk analysis and management is an important organizational activity
that is increasingly being mandated by law and regulation.
The mere existence of a mobile device security policy does not guarantee its implementation. User awareness is a precondition for successful implementation. Employees should be aware of the policies and of the repercussions of violating them. There should be continuous awareness programs and training, especially for new employees.
Mobile device configuration control and management are required to protect against improper modifications. Enterprises have to make sure that patches and upgrades are applied, unnecessary applications are disabled, Bluetooth is turned off until it is needed, user authentication and access controls are in place, and malware prevention and detection software (antivirus, anti-spam and firewalls) is installed.
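The configuration-control checklist above and the risk-analysis steps of the preceding paragraphs, combined into a fleet triage as an added example (not code from the paper); the Device fields, the inventory records and the scoring weights are constructed assumptions, not the paper's own method.

```python
"""Fleet-level compliance and risk triage for mobile devices.
Added example, not code from the original paper. Records and weights are
constructed; the checks follow the paper's configuration-control list and
its risk-analysis steps (likelihood x impact, kept to an acceptable level).
"""
from dataclasses import dataclass, field

@dataclass
class Device:
    device_id: str
    patched: bool                 # security updates / virus definitions current
    bluetooth_discoverable: bool  # Cabir/Cardtrp-style worms need discoverable mode
    screen_lock: bool             # user authentication on the device
    storage_encrypted: bool       # is data readable if the device is lost or stolen?
    antimalware: bool             # malware prevention and detection installed
    jailbroken: bool              # unofficial applications allowed (Ikee.B precondition)
    unnecessary_apps: list = field(default_factory=list)
    holds_sensitive_data: bool = False

def findings(d: Device) -> list:
    """Policy violations for one device, in the order the paper lists them."""
    checks = [
        (not d.patched, "missing security updates"),
        (bool(d.unnecessary_apps), "unnecessary applications enabled: " + ", ".join(d.unnecessary_apps)),
        (d.bluetooth_discoverable, "Bluetooth discoverable"),
        (not d.screen_lock, "no user authentication"),
        (not d.antimalware, "no malware prevention/detection"),
        (not d.storage_encrypted, "storage not encrypted"),
        (d.jailbroken, "jailbroken; unofficial applications allowed"),
    ]
    return [msg for failed, msg in checks if failed]

def risk_score(d: Device) -> int:
    """Likelihood x impact: likelihood grows with each network/malware exposure,
    impact with data sensitivity and with how much a thief could read."""
    exposures = sum([not d.patched, d.bluetooth_discoverable, d.jailbroken, not d.antimalware])
    likelihood = 1 + exposures                   # 1..5
    impact = 2 if d.holds_sensitive_data else 1  # 1..4
    impact += int(not d.storage_encrypted) + int(not d.screen_lock)
    return likelihood * impact

ACCEPTABLE_RISK = 3  # constructed threshold; each enterprise sets its own

def triage(fleet: list) -> dict:
    """Devices above the acceptable level, with their score and violations."""
    return {d.device_id: (risk_score(d), findings(d))
            for d in fleet if risk_score(d) > ACCEPTABLE_RISK}

# Constructed inventory records (not real devices).
SAMPLE_FLEET = [
    Device("lap-01", True, False, True, True, True, False),
    Device("phn-07", False, True, True, False, False, True,
           ["unapproved remote-access app"], holds_sensitive_data=True),
    Device("phn-03", True, False, False, False, True, False, holds_sensitive_data=True),
]
```

Calling triage(SAMPLE_FLEET) flags the jailbroken, unpatched phone (score 15) and the unencrypted, unlocked phone holding sensitive data (score 4), while the fully configured laptop (score 1) passes.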
Conclusions
Using mobile computing devices such as laptops, PDAs, Pocket PCs and smartphones has become indispensable for enterprises as they seek efficiency and productivity in their business operations. However, there are risks involved in the use of those technologies. Some of the vulnerabilities include mobility, exposure to unsecured networks, mobile malware, and identity theft and data loss through social engineering and social network abuses. Enterprises should undertake proper risk analyses identifying the vulnerabilities and threats associated with mobile devices before implementing the technology. A clearly stated mobile device security policy is indispensable. Moreover, proper IDS and IPS software, a deployment and operational plan, configuration control and management, and security awareness training for mobile devices are crucial for successful implementation.
References:
ISACA, 2010. Securing Mobile Devices. Retrieved from http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Securing-Mobile-Devices.aspx
McAfee, 2011. 2011 Threats Predictions. Retrieved from
Microsoft Press, 2005. Implementing Security for Mobile Computers. In: Microsoft Windows Security Resource Kit, Second Edition. Retrieved from http://search.microsoft.com.
NASCIO, 2009. Security at the Edge: Protecting Mobile Computing Devices. Retrieved from http://www.nascio.org/publications/documents/NASCIO-SecurityAtTheEdge.pdf
NIST, 2008. Guidelines on Cell Phone and PDA Security. Retrieved from
Radack, S., 2003. Security for Wireless Network and Services. Retrieved from http://www.itl.nist.gov/lab/bulletns/bltnmar03.htm
US-CERT, 2010. Cyber Threats to Mobile Devices. Technical Information Paper 10-105-01. Retrieved from http://www.us-cert.gov/reading_room/TIP10-105-01.pdf
Whipp, M., 2005. Cardtrp Virus can spread to PCs. Retrieved from