Mobile Cybersecurity Policies in the Private and Public Sector
“We are moving into a new era of mobile computing, one that promises greater variety in applications, highly improved usability, and speedier networking” (Godwin-Jones, 2008). This statement rings true for the past five years, during which mobile computing has seen a massive explosion in growth.
Ever since the introduction of Apple’s iPhone, followed by the popularity of Android devices, the computing landscape has seen a major shift in usage towards mobile platforms. Traditionally, mobile devices were limited to Personal Digital Assistants (PDAs) and basic cellular phones used for voice communications. PDAs typically did not have access to external networks and were limited in how data was handled, typically through a synchronization process with the user’s personal computer.
These earlier devices posed lesser threats than today’s mobile technology, simply because they were under greater control and had limited potential to cause harm to corporate networks. Typically, PDAs and other mobile devices were company-issued, which meant that strict policies could be enforced on their usage. In recent years, however, the growth of the mobile landscape has meant that many individuals own personal devices, which are often brought to their place of work. In addition, modern devices have the ability to connect to other networks and download more sophisticated software, and are therefore at a higher risk of opening security vulnerabilities.
The evolution of the mobile workforce is being driven by lifestyle choices, productivity gains, and technology improvements (Friedman and Hoffman, 2008). As more workers continue to take advantage of the flexibility of working from home, the use of mobile equipment to connect with colleagues outside the traditional workspace will need to be examined in the context of security. This article explores the current threats and vulnerabilities of mobile devices. For each threat and vulnerability, a probability of occurrence is provided and recommendations on policy changes are made to mitigate the risk of security breaches. The article uses the NIST framework as a baseline of current threats and builds on this with other secondary research to give a better picture of the current challenges facing organizations in terms of mobile security.
Defining Mobile Devices
Along with the explosion in growth of mobile devices in the last five years, a significant increase in sophistication has occurred, meaning that many of these devices are just as advanced as the common desktop computer. In many instances, users have replaced their PC with their mobile device as their primary means of connecting to the Internet. Feature-complete mobile applications are growing in popularity, which can be seen in the number of purchases and downloads in Apple’s and Google’s app stores for their respective devices. The line separating personally owned equipment from corporate equipment has become blurred, since most individuals now carry a mobile device with them to work, and many connect that device to their organization’s personal computer and ultimately to the network.
In order to better understand the challenges that organizations face in keeping their networks secure, we must first define what a mobile device is. Souppaya & Kent (2012), in their recommendations for the National Institute of Standards and Technology (NIST), provide a list of characteristics that can be used to define a mobile device. In their publication they describe a mobile device as having a small form factor with at least one wireless network interface for Internet access, local storage, an Operating System (OS), the ability to run applications, and finally built-in features for data synchronization. Friedman and Hoffman (2008) define mobile devices as “portable electronic systems that store and manipulate potentially confidential information.” Their definition goes on to list laptops, handheld computers, cell phones, PDAs, BlackBerry devices, and digital music players.
While the list of characteristics typically describes commonly used devices, there is, however, other mobile hardware we should also be concerned with. Vacca (2009) noted that USB flash storage devices are sometimes not considered to be a major threat; however, these types of mobile storage device can be concealed and used either to introduce malicious code to a host computer or to steal data. In addition, digital cameras are less commonly thought of as threats, yet they also have the capability to act as an external storage device and can cause the same level of concern as a USB drive or smartphone. These types of mobile hardware are also listed in the NIST recommendations under optional characteristics of mobile devices and should therefore be included when considering mobile threats and vulnerabilities.
Using NIST as a baseline for the research provided in this article, we can determine the overall objectives needed to be considered for mobile security. These include confidentiality, integrity, and availability. Confidentiality considers the importance that any data or information contained within a mobile device must not be accessible by unauthorized personnel. Integrity considers the importance of detecting any intent, malicious or otherwise, that results in a change of data stored or transmitted from the mobile device. Finally availability ensures that those who have the appropriate permission to do so, can access data from the mobile device whenever it is required.
Assessing the Threats and Vulnerabilities of Mobile Devices
Many of the threats and vulnerabilities facing non-mobile equipment within organizations cross over directly into the mobile space. Lack of formal training, intentional and unintentional insider attacks, social engineering strategies, phishing attacks, and other forms of intentional security breaches are all areas of concern in a mobile security strategy. In addition, mobile devices introduce a number of new threats and vulnerabilities that need to be addressed. Friedman and Hoffman (2008) claim that mobile devices are typically both the most vulnerable systems within the enterprise and the least defended. Their rationale is that mobile devices are susceptible to similar types of security vulnerabilities as their desktop counterparts; however, because they are used both inside and outside the corporate firewall, there is a higher risk when they are outside physical corporate defenses. In addition, traditional desktop systems typically use wired LANs, whereas mobile devices use wireless technologies, increasing the overall risk of interception of data. Mobile devices are at a much higher risk of being lost or stolen than a desktop PC. Finally, in many organizations, security budgets are more closely tied to internal defenses and corporate LANs, since they are within physical reach of the Information Technology (IT) staff.
Sujithra and Padmavathi (2012) performed a survey on mobile device threats and vulnerabilities and from this categorized them as follows. Mobile threats have been broken down into four main categories:
- Application-based threats: Downloaded applications, which introduce either hidden security threats or unintentional exploits.
- Web-based threats: Phishing scams, malicious code in downloads, browser exploits.
- Network-based threats: Exploits via Bluetooth, Wi-Fi eavesdropping.
- Physical threats: Loss or theft of the device.
In addition, Sujithra and Padmavathi discuss vulnerabilities including Trojan horses, botnets, worms and rootkits, which are all forms of malicious code that can be used to breach the device or network. Some publications that focus on mobile security overlap in areas of threats and vulnerabilities, while others go more in depth with specific threats. Nasim (2012) provides a complete analysis of the most critical Bluetooth attacks in real-life scenarios. All of these vulnerabilities and threats can cause substantial harm to the organization, both in financial losses and in reputation. Some of this can be measured in the form of customer satisfaction with the organization. If a customer’s data has been stolen due to a lack of mobile security measures implemented within the organization, their level of satisfaction will be greatly diminished, ultimately leading to an overall negative impact on reputation. It is therefore essential that current mobile vulnerabilities and threats are examined as closely as traditional systems security.
From current literature, including NIST recommendations and the publications outlined above, four major vulnerabilities or areas of concern have been compiled in the following table to outline the major vulnerabilities and threats facing the enterprise in the context of mobile device security. Four major vulnerabilities have been highlighted and each listed has associated threats, probability of occurrence, and policy suggestions to help mitigate the overall risk of successful security breaches.
| Vulnerability | Threats | Probability of Occurrence | Policy Suggestions |
|---|---|---|---|
| Lack of Physical Control | Possibility of device being lost or stolen. Exposure of data (people peering over shoulder). | High | Encryption. Restriction of what is stored on the device. Domain authentication in addition to device PIN system. Prevent use of third-party backup services (iCloud). |
| Use of Non-Corporate Mobile Devices | Jailbroken devices connected to the network could breach security. Insecure / unauthorized data storage. | Medium | Assume all devices are untrusted. Provide clear guidelines on the restriction or prohibition of personal devices. Secure organization-issued hardware. Restrict company-issued devices from connecting to PCs. Prevent personal devices connecting to company-issued PCs. |
| Insecure Communications | Man-in-the-middle attacks, eavesdropping. | Low | Make the assumption that external mobile networks are not trustworthy. Implement effective encryption methods in order to ensure both confidentiality and integrity. Implement mutual authentication mechanisms. |
| Mobile Apps and Web Content Exploits | Introduction of malicious code into the network, theft of data, advanced persistent threats. Browser-based web apps can also introduce risks. Malicious URLs, QR codes, placing malicious. Use of location services. | High | Assume third-party apps untrusted. Restrict or prohibit installation of unapproved apps. Risk assessment on third-party apps before whitelisting. Restrict browser or use a secure-sandbox browser. Educate users on risks of untrusted content. Restrict peripheral use on device (disable camera). |
Lack of Physical Control
This is one area of concern or major vulnerability facing any organization that either issues corporate mobile devices or allows the use of personal devices in the office. The probability of occurrence has been marked as high simply because of the large number of lost and stolen devices every year. Due to the mobile nature of these devices, they can be used anywhere, and this leaves open a very real possibility that unauthorized individuals could look over at a user’s device in a public environment or potentially read private information if the mobile equipment is left unattended.
Company-owned devices could also potentially be used to upload sensitive data to unauthorized cloud backup services, such as Apple’s iCloud, or used to connect and share data with a user’s home computer. Company-owned devices should be encrypted so that, in the event of theft, the perpetrator is not able to access any sensitive data. Additional security also needs to be put in place at the network domain level, in addition to the standard device Personal Identification Number (PIN) lock system, which is often inadequate in itself for comprehensive security. Finally, company-owned devices should be prohibited from connecting to third-party backup services or home computers.
Use of Non-Corporate Mobile Devices
Most workers nowadays have their own mobile device and in many cases bring these devices to work. Without proper restrictions in place, it is very easy for an employee to plug their phone or other mobile device into their computer’s USB port, either for convenient charging or for synchronizing their data. This opens the possibility of sensitive company data being transferred to an insecure personal device or, worse still, the introduction of malicious code. Many people have started getting into the trend of ‘jailbreaking’ their personal mobile devices to allow them to use unrestricted software. Jailbreaking or ‘rooting’ a device can often leave it vulnerable to malicious code or unintentional security vulnerabilities (AhnLab, 2012).
In a similar situation, a corporate mobile device connected to a user’s personal computer at home carries similar security risks (Sujithra and Padmavathi, 2012). The organization’s security policy should assume that all personally owned devices are untrusted and therefore restrict or prohibit the use of ‘Bring Your Own Device’ (BYOD) mobile devices. No personal device should be allowed to connect to the network unless the organization has a way of securing these devices by providing a technical solution (Souppaya and Kent, 2012). While the use of personal devices is a major security concern, it has been listed as medium on the probability of occurrence since organizations should have control of their network in order to restrict the usage of such devices.
Insecure Communications
Most mobile devices use external networks to connect to the Internet. This opens up the possibility of attacks such as ‘man in the middle’ and Wi-Fi eavesdropping. If connected to an unsecured Wi-Fi connection, such as the types available at coffee shops and other public places, it is entirely possible for someone to ‘sniff’ the network and view activity and potentially sensitive information. Data in this situation can be compromised by an attacker “taking advantage of the fact that many applications and web pages do not use proper security measures, sending their data in the clear (not encrypted) so that it may be easily intercepted by anyone listening across an unsecured local wireless network” (Sujithra and Padmavathi, 2012). Organizations need to enact strict security policies whereby all issued mobile devices are provided with sufficient encryption to prevent ‘leakage’ of information on external networks. If properly implemented, this will mitigate the risk of an outside person or group stealing information. The probability of occurrence is rated as low since these types of security breaches are less common on mobile devices than loss or theft. If an organization-issued device is secured properly, it shouldn’t be as big a risk overall.
Mobile Apps and Web Content Exploits
Quirolgico, Voas, and Kuhn (2011) focus specifically on mobile app vulnerabilities and how apps can be ‘vetted’ to mitigate risk. In a Homeland Security Newswire publication, a mobile security company, Lookout, was examined in depth. Lookout developed the “App Genome” project, which involved scanning and documenting hundreds of thousands of apps that contain malicious code. Lookout created the App Genome project in order to gain a better understanding of what mobile apps are doing as well as to examine whether “bad things are happening in the wild” (HSNW, 2012). It was noticed that a lot of mobile apps had hidden code contained within that was used mainly for analytics and advertising; however, this demonstrated the extent to which code could be easily hidden or embedded in an app without the user’s knowledge. Because of the nature and sophistication of such exploits, the probability of occurrence is higher, since many employees will have access to install third-party apps on both company-issued and personal devices.
The NIST recommendations show the importance of mitigating risks with mobile apps that use location services. Souppaya and Kent (2012) inform us that hackers can use these types of services to figure out where the user of a mobile device is located. With this information they can then analyze this data with other sources to determine who this user associates with as well as the type of activities they commonly take part in at specific places.
Mobile apps are only part of the risk. Web applications visited in the browser are becoming more advanced. NIST refers to these types of risk as untrusted content. Mobile devices are prone to the same kinds of malicious code that desktop web browsers face. In recent years the use of Quick Response (QR) codes has become commonplace in marketing and advertisements. A QR code can quickly direct a user to a specific web URL simply by scanning the code using the device’s built-in camera. QR codes could therefore be used to direct mobile devices to websites containing malicious code.
Policy changes that could be put in place to mitigate the risk of malicious code, web app and content exploits should look into restricting or prohibiting the installation of unapproved apps on company-owned devices. The assumption should be made that all third-party apps are untrusted. For apps that are required, risk assessments should be carried out before whitelisting them. Educating users on the risks of untrusted content is an essential part of the security strategy, and restricting certain functions on devices, such as the camera, to prevent scanning of QR codes is another step that could be taken.
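The four policy areas above can be turned into an automated compliance check over a device inventory. The following is an added example, not code from the article or from any of the cited projects; the `Device` fields, the approved-app whitelist and the sample inventory are constructed assumptions standing in for what an MDM export would provide.

```python
from dataclasses import dataclass

# Probability of occurrence per vulnerability area, as rated in the table above.
PROBABILITY = {"physical": "High", "byod": "Medium", "comms": "Low", "apps": "High"}
LEVELS = ["None", "Low", "Medium", "High"]
APPROVED_APPS = {"mail", "calendar", "vpn"}  # assumed organizational whitelist

@dataclass
class Device:  # constructed inventory record; field names are assumptions
    device_id: str
    owner: str               # "corporate" or "personal"
    encrypted: bool
    pin_set: bool
    domain_auth: bool
    jailbroken: bool
    cloud_backup: bool       # third-party backup such as iCloud enabled
    pc_connections: int      # USB connections to PCs observed
    installed_apps: frozenset
    camera_enabled: bool
    external_net_without_vpn: bool

def evaluate(dev):
    """Return (area, finding) pairs for each policy suggestion the device violates."""
    f = []
    # Lack of Physical Control: encryption, PIN plus domain auth, no third-party backup
    if not dev.encrypted:
        f.append(("physical", "storage not encrypted"))
    if not (dev.pin_set and dev.domain_auth):
        f.append(("physical", "PIN and domain authentication both required"))
    if dev.cloud_backup:
        f.append(("physical", "third-party backup service enabled"))
    # Use of Non-Corporate Mobile Devices: personal, jailbroken or PC-connected devices
    if dev.owner == "personal":
        f.append(("byod", "personal device is untrusted"))
    if dev.jailbroken:
        f.append(("byod", "jailbroken or rooted device"))
    if dev.pc_connections > 0:
        f.append(("byod", "device has connected to a PC over USB"))
    # Insecure Communications: external networks are assumed untrustworthy
    if dev.external_net_without_vpn:
        f.append(("comms", "external network use without VPN encryption"))
    # Mobile Apps and Web Content Exploits: whitelist apps, restrict the camera (QR codes)
    unapproved = sorted(dev.installed_apps - APPROVED_APPS)
    if unapproved:
        f.append(("apps", "unapproved apps: " + ", ".join(unapproved)))
    if dev.camera_enabled:
        f.append(("apps", "camera enabled, QR-code scanning possible"))
    return f

def priority(findings):
    """Highest table probability among the violated areas; 'None' when compliant."""
    return max((PROBABILITY[a] for a, _ in findings), key=LEVELS.index, default="None")

def compliance_report(devices):
    found = {d.device_id: evaluate(d) for d in devices}
    return {k: (priority(v), [m for _, m in v]) for k, v in found.items()}

# Constructed sample inventory: compliant, corporate with app/backup issues, BYOD
SAMPLE = [
    Device("corp-001", "corporate", True, True, True, False, False, 0,
           frozenset({"mail", "vpn"}), False, False),
    Device("corp-002", "corporate", True, True, False, False, True, 0,
           frozenset({"mail", "flashlight"}), True, False),
    Device("byod-007", "personal", False, True, False, True, False, 2,
           frozenset({"mail"}), True, True),
]
```

Calling `compliance_report(SAMPLE)` yields one entry per device with the highest applicable probability rating from the table and the list of violated suggestions, so remediation can be ordered by the article's own High/Medium/Low ranking.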
This article examined some of the literature already published on the vulnerabilities and threats of mobile devices in the workplace. This is an area of technology that is in a constant state of flux, as new and more dangerous exploits are being discovered all the time. First of all, it was important to define what a mobile device is in order to determine the types of vulnerabilities and threats that face the enterprise. The literature helped with this definition, and then research into the current vulnerabilities and threats was presented as four broad areas of vulnerability that organizations should be aware of.
The vulnerabilities and threats presented here were ranked as low, medium or high in terms of the probability of their occurrence. Each of these areas was examined and recommendations were made on how to mitigate the risks associated with them. As hackers continue to exploit mobile devices in more sophisticated ways, organizations will need to remain vigilant in mitigating the risk of security breaches leading to loss, theft or unauthorized tampering of their intellectual assets. More resources will need to be put into mobile security, and a recognition of the complexities of the mobile landscape will need to be considered when developing and refining policies. There is a wealth of literature to guide companies, including the NIST framework, which can be used to help strengthen their own security policies; these will need to continually evolve to combat the newest threats and vulnerabilities facing them.
- AhnLab Reports 2012 Mobile Security Threat Trends. (2012). Computer Security Update, 13(2), 1–4.
- Altalbe, A. A. (2013). Do New Mobile Devices in Enterprises Pose A Serious Security Threat? Advanced Computing: An International Journal, (1), 53.
- Curran, J. (2012). Panelists: Mobile Applications Present Largest Security Threats. Cybersecurity Policy Report, 1–2.
- Ernest-Jones, T. (2006). Pinning down a security policy for mobile data. Network Security, 2006(6), 8–12. doi:10.1016/S1353-4858(06)70399-3
- Friedman, J., & Hoffman, D. V. (2008). Protecting data on mobile devices: A taxonomy of security threats to mobile computing and review of applicable defenses. Information Knowledge Systems Management, 7(1/2), 159–180.
- Godwin-Jones, R. (2008). Mobile computing trends: Lighter, faster, smarter. Language Learning and Technology, 12(3), 3–9. Retrieved from http://www.postgradolinguistica.ucv.cl/dev/documentos/90,927,Mobile_goodwin_2008.pdf
- Homeland Security Newswire. (2010, July 29). New cybersecurity threat: smartphone apps that do more than what they say they do. Retrieved from http://www.homelandsecuritynewswire.com/new-cybersecurity-threat-smartphone-apps-do-more-what-they-say-they-do
- Maity, S., Bera, P., Ghosh, S. K., & Dasgupta, P. (2010). A Formal Verification Framework for Security Policy Management in Mobile Ip Based Wlan. International Journal of Network Security & Its Applications, 2(4), 194–211.
- Massé, D. (2012). $389 M Mobile Application Security Market Set to Explode as Threats Increase. Microwave Journal, 55(11), 56–56.
- Mont, J. (2012). Developing Policies That Address Mobile Computing Risk. Compliance Week, 9(106), 46–48.
- Nasim, R. (2012). Security Threats Analysis in Bluetooth-Enabled Mobile Devices. International Journal of Network Security & Its Applications, 4(3), 41–56.
- Quirolgico, S., Voas, J., & Kuhn, R. (2011). Vetting Mobile Apps. IT Professional, 13(4), 9–11.
- Rouse, J. (2012). Mobile devices – the most hostile environment for security? Network Security, 2012(3), 11–13. doi:10.1016/S1353-4858(12)70045-4
- Souppaya, M., & Kent, K. (2012). Guidelines for managing and securing mobile devices in the enterprise (draft) [electronic resource]: recommendations of the National Institute of Standards and Technology / Murugiah Souppaya, Karen Scarfone. Gaithersburg, MD: U.S. Dept. of Commerce, National Institute of Standards and Technology.
- Sujithra, M., & Padmavathi, G. (2012). Mobile Device Security: A Survey on Mobile Device Threats, Vulnerabilities and their Defensive Mechanism. International Journal of Computer Applications, (14), 24.
- Unal, D., & Caglayan, M. U. (2013). A formal role-based access control model for security policies in multi-domain mobile networks. Computer Networks, 57(1), 330–350.
- Wilshusen, G. C. B. (2012). INFORMATION SECURITY: Better Implementation of Controls for Mobile Devices Should Be Encouraged. GAO Reports, 1.
- Zawoad, S., & Hasan, R. (2012). The Enemy Within: The Emerging Threats to Healthcare from Malicious Mobile Devices.