Upload File

the security challenges of mobile devices

3
Computer Fraud & Security March 2009 16 The security challenges of mobile devices As we can understand from reading the news headlines, we are not doing very well. We are bombarded with news of information lost, stolen or divulged, iden- tities stolen, breaches and break-ins. We do not have a comprehensive approach to this new computing architecture, which is common to the consumer and busi- ness markets, but obviously with different issues, numbers, and consequences. Moreover, we do not even have a clear idea of where we are heading and what the scenario will be in a few years, since technologies and products are changing so rapidly that we have serious problems in catching up with them. In this article we will consider vari- ous aspects of the latest mobile and embedded computing, discuss the challenges we face, and some of the possible approaches to at least reduce the risks. Classical mobile computing Let’s start with laptops. They’re not a novelty. I bought my first one in 1993. We should be used to them and should have learned to use them in a secure way. But in the last few years, two developments have changed the scenario of laptop security completely: the mass distribution of laptops, and wireless communication. When laptops were more expensive than desktop personal computers, few people had them both in the business and consumer markets. So people who had a laptop also had special needs, and usually it was possible to adopt ad hoc security policies for business users of portable PCs. Private users were often good enough to be able to deal with the security issues related to their use of the laptops by themselves. “In the last few years, two developments have changed the scenario of laptop secu- rity completely: the mass distribution of laptops, and wireless communication” Moreover, connection to the network was wired as a desktop PC, or through dialup to the company network. The main issue was the possibility for a lap- top to connect to different networks, and thus carry information and viruses from one network to the other. Compare this situation, which at that time we already considered quite risky, to the current situation where laptops are the most common personal computers, and have automatic wire- less connection to the best available local network. Laptops today are the main personal computing instrument, which implies that all information, both business and personal, is stored in them. It was not like this ten years ago, and this implies that the risks associated with the use of the laptops have increased just by the increased sensitivity of the infor- mation stored in them. In practice, the main risks with the current use of laptops are loss or theft of the laptop, leak of information, and distribution of unwanted or dangerous (viral) soft- ware. The number of laptops which are lost or stolen is unbelievable. Just check for the number of them lying at the deposits of airports and train sta- tions. Often the information stored in the lost or stolen laptops is quite sensi- tive, either for business, personal use or even national security. If you store in your laptop all your personal information like addresses, telephone numbers, bank account numbers and PIN codes, credit card numbers and so on, it becomes extremely easy to steal your money and your identity. The same applies if your laptop stores similar information about your company, or your nation if you are a public employee. The current approach to mitigate this risk is to encrypt the information stored on the laptop’s hard drive. This should prevent a third person from accessing the information stored in the PC. The problem with encryption In truth, even if the cryptography used is almost always practically unbreakable, there are other issues which make this approach less secure than we expect. First of all, people often leave their PC in sleep mode. This means that even if the data is encrypted on the disk, if you are able to access the PC as administra- tor without turning it off first, you could access all the information stored in it. Andrea Pasquinucci, PhD, CISA, CISSP In the last couple of years we have witnessed a silent revolution in computing and in our daily lifestyle. Computing and electronics have gone mobile without us changing our security approach. Moreover, thanks to the new communica- tion standards, mostly wireless, each piece of equipment is usually able to com- municate with each other device. So how can we balance security with mobile communicating, sometimes even embedded, devices? MOBILE DEVICES

Upload: andrea-pasquinucci

Post on 19-Sep-2016

224 views

Category:

Documents


3 download

Report

TRANSCRIPT

Page 1: The security challenges of mobile devices

Computer Fraud & Security March 200916

The security challenges of mobile devices

As we can understand from reading the news headlines, we are not doing very well. We are bombarded with news of information lost, stolen or divulged, iden-tities stolen, breaches and break-ins. We do not have a comprehensive approach to this new computing architecture, which is common to the consumer and busi-ness markets, but obviously with different issues, numbers, and consequences.

Moreover, we do not even have a clear idea of where we are heading and what the scenario will be in a few years, since technologies and products are changing so rapidly that we have serious problems in catching up with them.

In this article we will consider vari-ous aspects of the latest mobile and embedded computing, discuss the challenges we face, and some of the possible approaches to at least reduce the risks.

Classical mobile computingLet’s start with laptops. They’re not a novelty. I bought my first one in 1993. We should be used to them and should have learned to use them in a secure way. But in the last few years, two developments have changed the scenario of laptop security completely: the mass distribution of laptops, and wireless communication.

When laptops were more expensive than desktop personal computers, few

people had them both in the business and consumer markets. So people who had a laptop also had special needs, and usually it was possible to adopt ad hoc security policies for business users of portable PCs. Private users were often good enough to be able to deal with the security issues related to their use of the laptops by themselves.

“In the last few years, two developments have changed the scenario of laptop secu-rity completely: the mass distribution of laptops, and wireless communication”

Moreover, connection to the network was wired as a desktop PC, or through dialup to the company network. The main issue was the possibility for a lap-top to connect to different networks, and thus carry information and viruses from one network to the other.

Compare this situation, which at that time we already considered quite risky, to the current situation where laptops are the most common personal computers, and have automatic wire-less connection to the best available local network.

Laptops today are the main personal computing instrument, which implies that all information, both business and personal, is stored in them. It was not like this ten years ago, and this implies that the risks associated with the use of the laptops have increased just by

the increased sensitivity of the infor-mation stored in them. In practice, the main risks with the current use of laptops are loss or theft of the laptop, leak of information, and distribution of unwanted or dangerous (viral) soft-ware.

The number of laptops which are lost or stolen is unbelievable. Just check for the number of them lying at the deposits of airports and train sta-tions. Often the information stored in the lost or stolen laptops is quite sensi-tive, either for business, personal use or even national security.

If you store in your laptop all your personal information like addresses, telephone numbers, bank account numbers and PIN codes, credit card numbers and so on, it becomes extremely easy to steal your money and your identity. The same applies if your laptop stores similar information about your company, or your nation if you are a public employee.

The current approach to mitigate this risk is to encrypt the information stored on the laptop’s hard drive. This should prevent a third person from accessing the information stored in the PC.

The problem with encryptionIn truth, even if the cryptography used is almost always practically unbreakable, there are other issues which make this approach less secure than we expect. First of all, people often leave their PC in sleep mode. This means that even if the data is encrypted on the disk, if you are able to access the PC as administra-tor without turning it off first, you could access all the information stored in it.

Andrea Pasquinucci, PhD, CISA, CISSP

In the last couple of years we have witnessed a silent revolution in computing and in our daily lifestyle. Computing and electronics have gone mobile without us changing our security approach. Moreover, thanks to the new communica-tion standards, mostly wireless, each piece of equipment is usually able to com-municate with each other device. So how can we balance security with mobile communicating, sometimes even embedded, devices?

MOBILE DEVICES

CFSmarch09.indd 16 24/03/2009 10:45:18

Page 2: The security challenges of mobile devices

March 2009 Computer Fraud & Security17

This is often not as difficult as it could seem, since passwords are always the weakest point in ICT security. Some laptops allow authentication with fin-gerprint scanning, which in principle should give a much higher level of security, but comes with many other well-known problems.

There have been demonstrated phys-ical attacks on PCs where it has been possible to recover the key used for encrypting the hard disk by analysing the RAM. Of course these are limited, extreme and expensive techniques, but they show that disk encryption is not the bulletproof solution to the prob-lem of laptop loss and theft. Instead, it’s better to turn laptops off when not using them, but it is very difficult to convince users of this.

An alternative to full disk encryp-tion is to encrypt only the information which are considered sensitive in a dedicated folder, with a different pass-word than the one used to access the PC. The practical problem is that the information can be stored or copied in other areas of the PC, from temporary files used by applications, to swap files used by the operating system, to copies done by the user. This means that it is usually possible to find unencrypted copies of the information on the PC. Keeping the sensitive information encrypted in a separated area of the hard disk requires a substantial effort by the user, which is often impossible to ask, so full hard disk encryption is usually adopted.

Connectivity concerns

But loss or theft of a laptop, even if dra-matic, is not the highest threat. Every day our laptops connect to many differ-ent devices and networks, and even if by now everybody has a personal firewall on the laptop, data has to be exchanged with these devices and networks.

Here you should consider not only line and wireless network connections, typically TCP/IP, but also USB and

Bluetooth connections to other devices from USB disks to cameras, tel-ephones, PDAs and whatever else.

Which data is exchanged between the laptop and these devices and net-works? Which sensitive information leaves the laptop (even just the fact that it exists) and what enters the lap-top? This is an endpoint management nightmare.

Indeed, some companies have decid-ed that the management and security issues associated with laptops are at the moment too risky and expensive, and they limit the adoption and use of the laptop within the company as much as possible.

Removable devices and storageThanks to the standardisation and use of cheap off-the-shelf components, we can store information on most electronic devices, even heavy duty or micro hand-held devices for construc-tion, gas, electricity, measurements and so on. So from a security point of view, we should assume that every pos-sible electronic device is equivalent for example to a USB (wired) or Bluetooth (wireless) disk.

What happens when we lose a USB disk or it is stolen? Usually, they are not encrypted, so all information con-tained can be easily retrieved by who-ever has the disk.

“Some companies have decided that the manage-ment and security issues associated with laptops are at the moment too risky and expensive”

Encryption of the USB disk can be mandated in some situations, but it often makes the disk unusable since its main purpose is to transfer data from one device to another, and encryption prevents that.

Protecting information at the application levelSome companies are trying to protect information at the application level. There are tools to introduce granular ad hoc policies for document con-trol, from no access at all, to read-only access, to write access subject to approval, to full access.

Apart from the complexity of intro-ducing and using such infrastructures and applications, the main issue is that often they do not solve the security problem because users can cheat easily. A document might first be written in draft form as a normal, non-protected file, and only when almost finished might it be uploaded to the secure application. The final version of the document is protected, but its earlier drafts are unprotected and there have been many cases of such leaks.

Similarly, it is very difficult to pre-vent an authorised user from extracting a document from the system to work on it offline, which would again defeat application security.

There are other approaches to pro-tecting documents. For example, there are systems which protect information by checking that it does not leave the perimeter of the company.

These systems usually work as fol-lows: there is a central database in which the security manager records all documents which have to be protected, and should not leave the perimeter of the company. Then components are installed on all firewalls, email servers, web servers and other egress points that check all data leaving the network.

This also means that all company desktops, laptops, telephones, PDAs and other devices must be managed in this way. In today’s business world, this is usually almost impossible both tech-nically and practically.

We also have to remember that information is not only stored in documents, but is more often stored in emails, internal web servers, and data-

MOBILE DEVICES

CFSmarch09.indd 17 24/03/2009 10:45:18

Page 3: The security challenges of mobile devices

Computer Fraud & Security March 200918

Businesses are composed of various cat-egories of employees. There are certainly honest employees who have a positive outlook on their companies and some degree of attachment to them. There are also employees who start out honest but may be led astray by circumstantial events, and other factors relating to their hierarchical and economic status within the company. Companies that ignore

disequilibrium among these factors do so at their own peril.

“Insider fraud is a continually shifting target”

Insider fraud is a continually shifting target. Many companies think they are safe just because they have already dealt with an instance of insider fraud, failing

to understand that it is an ongoing and shifting phenomenon that evolves along with trends in violations. A one-shot crackdown, even if carried out with grand style, is not going to do the trick.

The top-down response is still lim-ited. There has been much talk recently about getting top management involved in security issues. A recently published investigation by Carnegie Mellon

Can a fraud prevention plan be really effective?Dario Forte, CISM, CFE, founder and CEO, DFLabs, Italy

Why do insiders commit fraud? While there is no one answer to this question, we can make a few high-level observations that will help us get a grasp on the source of the problem.

Dario Forte

bases. There are many different ways, often individual to each company, in which it can be accessed.

Up to here we have mostly con-sidered mobile devices as a means of obtaining information, but they can also be a means of inserting unwanted data. They can store viruses as well as legitimate files, enabling us to infect a company’s entire network. Since we cannot prevent the use of mobile devices, we should understand how, when and what can be used and which protective measures should be imple-mented.

Intrinsic security of mobile devicesOur main problem is that the few security measures we can apply to laptops cannot usually be applied to mobile devices. Consider for exam-

ple smart-phones, one of the biggest nightmares of a security manager. Features outweigh security. Different protocols and network automatic connectivities are big pluses, but this means that the user cannot even be sure which network they are connected to at a certain moment, and which protocol is being used.

“Encrypting data on the hard disk is often difficult, as is the possibility of limiting functions depending on the network to which the phone is connected”

We need to be able to deploy our security policies on all IT devices, mobile and fixed, but it is difficult to see how it could be possible in the near future. We have too many different objects which interact and

which we should manage in different ways. The only way out probably is to rationalise, adopt some standards, and restrict access to devices which are authenticated and which satisfy our security policies.

Encrypting data on the hard disk is often difficult, as is the possibility of limiting functions depending on the net-work to which the phone is connected. On the other side, being mini-computers these devices are liable to bugs, which makes them open to compromise.

Ultimately, today it is up to the user to protect data coming in and out of mobile devices. But we cannot expect everyone to be an ICT security expert, so we face some hard times. Technology and security solutions will catch up but for the moment the big-gest burden unfortunately remains not just on the security managers, but also on the final users.

FRAUD PREVENTION

CFSmarch09.indd 18 24/03/2009 10:45:18


BLE authentication design challenges on smartphone ... Gogor… · BLE authentication design challenges on smartphone controlled IoT devices: ... Mobile App notify ECU_Response

The International Mobile Learning Phenomenon · unique features of mobile devices including communication and location-aware capabilities. Also, one of the biggest challenges for

Addressing Challenges in Automotive Connectivity: Mobile Devices ...go.sae.org/rs/525-RCG-129/images/ePubs_2015_10... · available in connected devices like mobile phones and tablets

Security of Mobile Devices€¦ · Mobile Devices and Security Technologies for secure mobile devices-Secure Elements-The SIMAlliance Open Mobile API-The Trusted Execution Environment

Evolution of Mobile devices: User experience and design ... · Evolution of Mobile devices: User experience and design challenges ... Agenda Evolution of mobile phone Latest Smartphone

Mobile Devices in Software Engineering Week I. Overview What is a Mobile Application? Why Develop Mobile Applications? Challenges of Mobile Application

Mobile "challenges"

Mobile Application Testing Challenges and Solutions · Emulated devices for mobile application testing have a number of advantages: Ease of transfer between devices – By using an

WebRTC on Mobile Devices: Challenges and Opportunities

SECURITY CHALLENGES FOR BANKS - Accenture · 3 | MOBILE BANKING APPLICATIONS: SECURITY CHALLENGES FOR BANKS The wealth of information stored on and transmitted via mobile devices

Mobile eHealth devices : progress and potential MiDIS and mobile information delivery within the community Purpose : A brief look at the challenges within

COMP327 Mobile Computingtrp/COMP327_files/LS8UIDesign15.pdfThe Challenges in design for Mobile Devices • Mobile devices are fundamentally different to traditional PC based devices

Cloud Based Augmentation for Mobile Devices Motivation Taxonimies and Open Challenges

Mobile Computers and Mobile Devices

Limitations of Mobile Devices and Mobile Devices and · PDF fileQuality of Service constraints ... such as size, weight, and bulk of mobile devices ... Limitations of Mobile Devices

GOVERNMENT USE OF MOBILE TECHNOLOGY · Current devices and standards for Personal Identity Verification (PIV) authentication to mobile devices pose challenges given the difficulty

Catalogue - Fall 2013 - Mobile Devices · 2014-02-27 · MOBILE DEVICES ENVIRONMENT Mobile Devices focuses on responding to the 3 greatest Telematics challenges: Time to Market, Cost

COMP327 Mobile Computingtrp/COMP327_files/LS7 MobiWeb 14.pdf · The challenges in moving from fixed line PCs to Mobile Devices • To understand the challenges (and pitfalls) of

COMP327 Mobile Computingcgi.csc.liv.ac.uk/...Lecture6-UserInterfaceDesign.pdf · The Challenges in design for Mobile Devices • Mobile devices are fundamentally different to traditional

Prevention of Counterfeit and illegal Devices for a ...€¦ · Prevention of Counterfeit and illegal Devices for a Healthy Mobile Ecosystem Challenges, Regulatory Framework & Open

Mobile devices workshop - edps.europa.eu · communication mobile devices: –Most corporate smart mobile devices are either Iphones (iOS) or Blackberries, with a few Window mobile

Mobile Devices Lesson 11. Objective: The challenges of designing for mobile devices Using CSS3 media queries Converting a fixed width layout to a single

Challenges in creating interactive content for mobile devices

Cloud-based augmentation for mobile devices: Motivation, Taxonomy, and Open Challenges

COMP327 Mobile Computingtrp/Teaching_Resources/COMP327/327-Lect… · The Challenges in design for Mobile Devices • Mobile devices are fundamentally different to traditional PC

Challenges in Obtaining and Analyzing Information from ... · Challenges in Obtaining and Analyzing Information from Mobile Devices by Oxygen Forensics ... from Mobile Devices by

View-Dependent Real-Time 3D Video Compression for Mobile Devices · 2015-07-28 · Overview • Introduce mobile devices to real-time 3D video rendering • Challenges in bandwidth

POWER AND THERMAL CHALLENGES IN MOBILE DEVICES · PDF filePOWER AND THERMAL CHALLENGES IN MOBILE DEVICES Krishna Sekar ... Samsung ® Galaxy S →S3: 5 ... requirements for fast vs

Mobile devices

Interaction and Recognition Challenges in Interpreting Children's Touch and Gesture and Input on Mobile Devices

Benefits and Challenges of Integrating Mobile Devices

GOING MOBILE Course Brochure - The Consultants-E · Mobile devices: practicalities & considerations, benefits & challenges Mobile devices in high- and low-resource contexts Designing

COMP327 Mobile Computingcgi.csc.liv.ac.uk/~trp/Teaching_Resources/COMP327/... · The challenges in moving from fixed line PCs to Mobile Devices • To understand the challenges (and

Digital, Mobile, and Virtual Medicine: Legal Challenges · 2018. 4. 2. · • Includes mobile health (“mHealth”), health information technology (“HIT”), wearable devices,

LTE Positioning Technology for Mobile Devices: TEsT .../media/White Papers/Mobile/LTE_Test... · SPIRENT WhITE PAPER • 2 LTE Positioning Technology for Mobile Devices: Test Challenges