Computing technology advances in the past decade have created a much more flexible corporate work environment. This flexibility is reflected in small mobile devices that are easy to use, provide the ability to initiate and receive phone calls and voice messages, send and receive emails and instant messages, access an intranet, surf the Internet, and access business applications. These capabilities are available to the mobile device user, whether out of the office or out of the country. Wireless devices make geographic distance a nonissue. Flexibility is also reflected in extremely small mass storage devices. Up to 4 gigabytes (GB) of data (equating to approximately 80,000 boxes of paper) can be stored in a device as small as a pen.
Mobile technology has provided business professionals and executives with the opportunity for greater productivity, availability and convenience. Unfortunately, it also has facilitated fraudulent and criminal behavior. Business resiliency mandates adequate security measures to mitigate the risks inherent in using mobile technology. As business risks and countermeasures are identified, the term "security" is focused on preventing breaches and protecting corporate data. Because information security options for commercial corporations have lagged behind the availability of new technology, businesses ultimately have to rely on employees' ethics and due diligence in protecting confidential corporate, market and customer information.
In the context of this article, the term "mobile devices" refers to smart phones, personal digital assistants (PDAs) (e.g., Blackberry, Treo, Palm, pocket PCs), flash drives, memory sticks, and other radio frequency (RF) and USB devices that enable remote access to business networks and the Internet, and the transfer of mass data to nonbusiness equipment. This article does not include laptops/notebook personal computers.
Each of the risks listed next is plagued by immature security solution options to mitigate the business risks. Corporate leaders should note that no single "golden bullet" eliminates all risks. Figure 1 identifies categories of security threats and available countermeasures.
Risks of Using Mobile Devices
The most common risks of using mobile devices are:
- Viruses, worms or other PDA-specific malware
- Theft of sensitive data
- Exposure of critical information through wireless sniffers. Wireless intruders could capture e-mails, e-mail addresses and attached data if security is insufficient.
- Loss, theft or damage of device
- Use of the PDA as proxy to establish a virtual connection from an attacker to an internal network
- Data loss/leakage due to the small footprint and portability
- Fraud enabled by remote access or copying mass amounts of sensitive data
- Spam causing disruption and driving up service costs if targeted toward mobile devices
- Malformed Short Message Service (SMS) messages causing devices to crash
Inherent Security Issues for All Mobile Devices and Their Applications
Most security issues inherent to mobile technology must have a well-planned corporate approach to manage the issues and mitigate the business risk. The following list identifies some of these security issues:
- Threats differ by industry group (e.g., intelligence/security/police forces, fuel and energy, health and disease control, transportation, media, financial, food, retail sales, consumers); therefore, the countermeasures must appropriately match the threat.
- The cost-benefit case for mobile devices depends solely on the value of the corporate data at risk. Therefore, critical data must be inventoried and the appropriate security solutions implemented. Many references exist that provide step-by-step guidelines for quantifying risks for a given organization or industry (e.g., see Information Security Risk Analysis by Thomas R. Peltier or chapter 15 of IT Auditing by Chris Davis, Mike Schiller and Kevin Wheeler).
- Businesses cannot manage what they cannot identify and track or measure. Critical information is not always inventoried and proactively secured.
- Some companies outsource network security. When the third-party employees leave, what customer data leave with them? Business data are available to providers with different business goals and objectives.
- Network security issues include the following:
  - Conventional firewall and VPN security systems are inadequate for wireless mobile devices.
  - Lack of integration with evolving WAN network security solutions can be a problem.
  - A blurred network perimeter can cause the boundary between the "private and locally managed and owned" side of a network and the "public and usually provider-managed" side of a network to be less clear.
  - If communication can be intercepted, piggybacked, impersonated or rerouted to "bad" people, "good" people can look "bad" and "bad" people can look "good" from any location.
  - Encrypted remote connections are assumed to be secure because the data are encrypted. Little consideration is given to securing the end point (e.g., blackjacking). E-mail and other communications are encrypted only from phone to phone, or mobile device to server. Beyond that point, e-mail, instant messages and file transfers may be transmitted unencrypted over the public Internet (e.g., a consultant using his/her own e-mail address or phone on a different carrier).
  - Ad hoc service provisioning—requesting and receiving application service on demand wherever one is located—can also be a threat.
- Device-specific security issues include the following:
  - USB device detection and authorization
  - Deleted files are not really deleted; "deleted" files can be recovered from memory devices.
  - US $100 can buy a developer key for Research in Motion's Blackberry devices. This key enables the Blackberry to be used as a proxy. Corporations that use a corporate Blackberry Enterprise Server and disable third-party application installation are not at risk for this issue, since .JAD files can no longer be read. Individuals who purchase Blackberry devices through retail outlets and use public e-mail service providers can be affected by this issue. The same issue may apply to all mobile devices.
- Common malware issues include the following:
  - SNARF attacks allow for access to stored data portions of the phone or other mobile equipment without the owner's knowledge.
  - Blackjacking allows for hacking into an enterprise system using a Blackberry. The communications channel between the Blackberry server and handheld device is encrypted and cannot be properly inspected by typical security products.
  - Backdoor attacks allow for Bluetooth pairing with mobile equipment in a "trusted relationship"; when the relationship is unpaired, the connection remains.
  - Blue bug allows for a serial profile connection to a device giving full access to the command set.
  - Bluejacking allows for use of the Bluetooth pairing protocol; a command message can be inserted in the "name" field. If the information exchange handshake is successful, all data on the mobile device are available to the initiator.
- Data integrity for PDAs and smart phones relies upon synchronization with a stable-fixed server system for backup and management.
- Failure to protect corporate data may thrust businesses into violation of governmental regulations, such as:
  - Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
  - US: Gramm-Leach-Bliley Act, Sarbanes-Oxley Act, Health Insurance Portability and Accountability Act, PII/Customer Data Privacy, Electronic Data Discovery, Department of Defense (DoD) Directive 1800.2, CA1386, and other state initiatives
  - European Union (EU): Data Protection Directive
  - ISO 27001
  - Organization for Economic Cooperation and Development (OECD) International Guidelines for Data Privacy and Transborder Flows of Personal Data
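The device-specific item about deleted files that are not really deleted is easy to see in code. The simulation below is an added example, not code from the article: a hypothetical FAT-style flash volume (ToyFlashVolume, carve and the sample customer record are all constructed for this illustration) in which an ordinary delete only clears the directory entry, so a carving pass over the raw blocks still finds the record, while overwriting the blocks before releasing them does not.

```python
"""Why 'deleted' files on memory devices come back, as a constructed simulation.

A toy flash volume with a FAT-style directory table and a flat block area:
ordinary deletion only forgets the directory entry, so the data bytes stay in
place until they happen to be overwritten, and a carving pass over the raw
blocks finds them. Only an explicit overwrite (or keeping the device encrypted
in the first place) removes the content.
"""

BLOCK_SIZE = 16
BLOCK_COUNT = 8


class ToyFlashVolume:
    """Hypothetical block device, written for this illustration only."""

    def __init__(self):
        self.blocks = bytearray(BLOCK_SIZE * BLOCK_COUNT)
        self.directory = {}                 # file name -> tuple of block numbers
        self.free = list(range(BLOCK_COUNT))

    def write(self, name, data):
        needed = -(-len(data) // BLOCK_SIZE)        # ceiling division
        if needed > len(self.free):
            raise OSError("volume full")
        used = self.free[:needed]
        del self.free[:needed]
        padded = data.ljust(needed * BLOCK_SIZE, b"\x00")
        for i, blk in enumerate(used):
            self.blocks[blk * BLOCK_SIZE:(blk + 1) * BLOCK_SIZE] = \
                padded[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
        self.directory[name] = tuple(used)

    def delete(self, name):
        """Ordinary delete: drop the directory entry and free the blocks. No bytes change."""
        self.free.extend(self.directory.pop(name))

    def secure_delete(self, name):
        """Overwrite the file's blocks before releasing them."""
        for blk in self.directory[name]:
            self.blocks[blk * BLOCK_SIZE:(blk + 1) * BLOCK_SIZE] = b"\x00" * BLOCK_SIZE
        self.delete(name)

    def raw_dump(self):
        """What a forensic tool (or a thief) reads: the whole block area, directory ignored."""
        return bytes(self.blocks)


def carve(raw, marker):
    """Recover every NUL-terminated record that starts with marker from raw bytes."""
    found = []
    pos = raw.find(marker)
    while pos != -1:
        end = raw.find(b"\x00", pos)
        found.append(raw[pos:end if end != -1 else len(raw)])
        pos = raw.find(marker, pos + 1)
    return found


SECRET = b"CUST:4111-1111-1111-1111;Acme Ltd"     # constructed sample record


def after_ordinary_delete():
    """Directory entry is gone, but carving the raw blocks still returns the record."""
    vol = ToyFlashVolume()
    vol.write("customers.txt", SECRET)
    vol.delete("customers.txt")
    assert "customers.txt" not in vol.directory
    return carve(vol.raw_dump(), b"CUST:")


def after_secure_delete():
    """Blocks were overwritten before release, so there is nothing left to carve."""
    vol = ToyFlashVolume()
    vol.write("customers.txt", SECRET)
    vol.secure_delete("customers.txt")
    return carve(vol.raw_dump(), b"CUST:")


if __name__ == "__main__":
    print("ordinary delete recovers:", after_ordinary_delete())
    print("secure delete recovers:  ", after_secure_delete())
```

Real flash controllers complicate the picture (wear levelling can leave copies of overwritten blocks in spare cells), which is why whole-device encryption, rather than wiping after the fact, is the dependable control for a lost or resold device.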
All high-value data and targets should be appropriately assessed for vulnerabilities, and steps should be taken to prevent security breaches.
Many common assumptions regarding mobile device security are inaccurate. Security breaches of ordinary business networks by someone from the outside are not as frequent as business employees unintentionally doing something that has security ramifications. For example, in January 2007, a large study in the UK tested the probability of corporate employees introducing malware to corporate networks. The consulting firm sent flash drives containing an anonymous message about "Party of a Lifetime." Percentages of people placing the flash drive in computers connected to corporate networks varied by industry: 50 percent of finance directors, 65 percent of media company employees, and 38 percent of technology, retail and transportation companies' employees.
The key elements necessary for mobile device security are essentially the same as they have been for the past 20 years of technology security:
- Access control (Mobile devices inherently lack physical access control. They are used in public places where risks of data loss, device loss, probing and downloading data by unauthorized people are the highest.)
- User authentication
- Data encryption
- Intrusion prevention
- Antivirus and antimalware software
- Administrative standards and infrastructure
- E-mail security
- Network perimeter and transmission security
These elements just need to be logically extended to the mobile environment.
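The network-security issue above notes that e-mail is encrypted only from the mobile device to the server and may travel in the clear beyond it, which is where the "e-mail security" and "transmission security" elements need checking on real messages. The script below is an added example, not from the article: it parses the Received trail of a constructed message (hostnames, addresses and queue IDs are all made up) that went from a handheld through the corporate server to a consultant's mailbox on another provider, and reports which hops the receiving servers recorded without TLS.

```python
"""Audit the Received trail of a delivered message for hops that ran in the clear.

Each mail server prepends a Received header, so the topmost one is the last
hop. A hop was TLS-protected when the receiving server logged ESMTPS/ESMTPSA
or a TLS version string. The sample message is constructed for this example.
"""
import email
import re

SAMPLE_MESSAGE = """\
Received: from mx.consultant-isp.example (mx.consultant-isp.example [203.0.113.9])
 by mailbox.consultant-isp.example with ESMTPS
 (version=TLSv1 cipher=AES256-SHA bits=256) id 7Q4xK3;
 Tue, 13 Mar 2007 10:02:11 -0600
Received: from corp-mail.example.com (corp-mail.example.com [198.51.100.4])
 by mx.consultant-isp.example with ESMTP id 9Ab2;
 Tue, 13 Mar 2007 10:01:58 -0600
Received: from handheld-gw.example.com ([10.20.0.7])
 by corp-mail.example.com with ESMTPSA id 1234;
 Tue, 13 Mar 2007 10:01:40 -0600
From: exec@example.com
To: consultant@consultant-isp.example
Subject: Q1 forecast (confidential)

Figures attached.
"""

HOP_WITH = re.compile(r"\bwith\s+(E?SMTPS?A?)\b", re.IGNORECASE)


def audit_hops(raw_message):
    """Return the hops in transit order (oldest first), each with an 'encrypted' verdict."""
    msg = email.message_from_string(raw_message)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(header.split())              # unfold continuation lines
        m_from = re.match(r"from\s+(\S+)", text)
        m_by = re.search(r"\bby\s+(\S+)", text)
        m_with = HOP_WITH.search(text)
        proto = m_with.group(1).upper() if m_with else "UNKNOWN"
        # ESMTPS / ESMTPSA mean the session used TLS; some MTAs log only a version string
        encrypted = proto.startswith("ESMTPS") or "TLS" in text.upper()
        hops.append({
            "from": m_from.group(1) if m_from else "?",
            "by": m_by.group(1) if m_by else "?",
            "protocol": proto,
            "encrypted": encrypted,
        })
    return hops


def unencrypted_hops(raw_message):
    """Hops the message crossed in clear text, i.e. where a sniffer on the path could read it."""
    return [h for h in audit_hops(raw_message) if not h["encrypted"]]


if __name__ == "__main__":
    for hop in audit_hops(SAMPLE_MESSAGE):
        flag = "TLS" if hop["encrypted"] else "CLEAR"
        print(f"{flag:5} {hop['from']} -> {hop['by']} ({hop['protocol']})")
```

In the sample, the handheld-to-corporate hop is protected and the final hop inside the consultant's provider is protected, but the Internet hop between the two organisations was plain ESMTP. Received headers are written by each receiving server, so an upstream party can forge them; a clean trail is evidence, not proof. The remedies are the ones the article's elements imply: require TLS on the relay to partner domains, or encrypt the message body end to end so the middle hop does not matter.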
Security Metrics and Total Costs
The most common security metrics used by corporations today in evaluating the adequacy of mobile device security include:
- The number of breaches or successful attacks
- Virus protection and frequency of virus definition updates
- Currency of patch management on the servers
- Compliance with federal regulations
- Cost of security solutions
- Cost of loss
- Evaluation of risk
Are these metrics sufficient? Do the corporations factor total cost of ownership into the equation? How do they measure the benefit and value of both the mobile devices and the security solutions? The total cost of operation/ownership is the sum of the following:
- Cost of the actual device
- Cost of the security components and the server and software for managing mobile service
- Cost if device is lost or stolen
- Negative publicity
So, how can security managers explain the value of incorporating adequate security? By citing one failure that results in high-profile theft or fraud (e.g., TJ Maxx).
Security Improvement Measures
No single security activity addresses all of the security issues or business risks associated with mobile devices in the corporate environment. Figure 2 offers some of the most common improvements to consider. The options were assimilated from research at 250 companies in Canada, Europe, India, the UK and the US, as conducted by CIO magazine, PricewaterhouseCoopers, and through personal in-depth interviews and audit research.
Security models include global network systems for FedEx and UPS. The biggest decision a corporation needs to make with respect to mobile device deployment is the cost of support based on graduated levels of security. If the total cost of the device and the risk it generates does not surpass the business benefit, corporate management should "just say no." It is important to standardize on compatible equipment. Not all mobile devices share a common infrastructure. Multiple infrastructures increase costs at all levels: operation, maintenance/support, security and servers.
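A worked version of the cost-benefit reasoning above, as an added example that is not from the article: it uses the standard annualized loss expectancy method (ALE = single loss expectancy x annual rate of occurrence, the kind of step-by-step quantification the risk-analysis references cited earlier describe), ranks candidate countermeasures by net annual benefit, and applies the "just say no" rule against the four total-cost components listed under Security Metrics and Total Costs. All asset values, incident rates, control costs and reduction fractions are constructed figures.

```python
"""Quantify mobile-device risk and decide whether a deployment pays for itself.

ALE = SLE x ARO is the standard quantitative risk method; the exposures,
controls and numbers below are constructed for this example.
"""
from dataclasses import dataclass


@dataclass
class Exposure:
    """A high-value data item at risk on mobile devices."""
    name: str
    single_loss_expectancy: float      # cost of one incident: recovery, notification, fines, lost business
    annual_rate_of_occurrence: float   # expected incidents per year with no additional control

    def ale(self):
        """Annualized loss expectancy."""
        return self.single_loss_expectancy * self.annual_rate_of_occurrence


@dataclass
class Control:
    """A candidate countermeasure and the share of each exposure's rate it removes."""
    name: str
    annual_cost: float                 # licences, servers, support staff
    risk_reduction: dict               # exposure name -> fraction in [0, 1]


def baseline_ale(exposures):
    return sum(e.ale() for e in exposures)


def residual_ale(exposures, controls):
    """ALE after applying controls; reductions on the same exposure combine multiplicatively."""
    total = 0.0
    for e in exposures:
        remaining = 1.0
        for c in controls:
            remaining *= 1.0 - c.risk_reduction.get(e.name, 0.0)
        total += e.ale() * remaining
    return total


def rank_controls(exposures, controls):
    """Score each control on its own: net annual benefit = ALE reduction - annual cost."""
    base = baseline_ale(exposures)
    scored = [(c.name, round(base - residual_ale(exposures, [c]) - c.annual_cost, 2))
              for c in controls]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def total_cost_of_ownership(device_cost, security_cost, expected_loss, negative_publicity=0.0):
    """The article's four components: device, security components, loss if lost or stolen, publicity."""
    return device_cost + security_cost + expected_loss + negative_publicity


def deploy(business_benefit, tco):
    """'Just say no' unless the business benefit exceeds device cost plus the risk it generates."""
    return business_benefit > tco


# Constructed inventory of exposures and candidate controls (annual figures, US dollars)
EXPOSURES = [
    Exposure("customer records on handhelds", 250_000, 0.4),
    Exposure("executive e-mail read in transit", 80_000, 0.25),
    Exposure("unencrypted flash drive lost", 50_000, 2.0),
]
CONTROLS = [
    Control("device and removable-media encryption", 60_000,
            {"customer records on handhelds": 0.9, "unencrypted flash drive lost": 0.9}),
    Control("password enforcement and remote wipe", 25_000,
            {"customer records on handhelds": 0.6}),
    Control("end-to-end e-mail encryption", 30_000,
            {"executive e-mail read in transit": 0.8}),
]


def worked_example(business_benefit=300_000, device_cost=90_000, publicity=20_000):
    """Rank the controls, then test the deployment decision without and with the best one."""
    ranked = rank_controls(EXPOSURES, CONTROLS)
    best = [c for c in CONTROLS if c.name == ranked[0][0]]
    without = total_cost_of_ownership(device_cost, 0, baseline_ale(EXPOSURES), publicity)
    with_best = total_cost_of_ownership(device_cost, best[0].annual_cost,
                                        residual_ale(EXPOSURES, best), publicity)
    return ranked, deploy(business_benefit, without), deploy(business_benefit, with_best)


if __name__ == "__main__":
    ranked, bare, protected = worked_example()
    for name, net in ranked:
        print(f"{net:>12,.0f}  {name}")
    print("deploy without controls:", bare)
    print("deploy with best control:", protected)
```

With these figures the deployment fails the test on its own (the risk it generates pushes total cost above the benefit) and passes once the highest-ranked control is funded, while the third control costs more than it saves and would be dropped; the point of the exercise is that the inventory and the rates have to exist before any of this can be argued to management.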
The Future of Mobile Devices
Predictions regarding mobile devices have been made based on trends identified by the Institute for Applied Network Security, Gartner and Forrester. These companies survey leaders in cybersecurity development and corporate security executives each year to identify, and then validate, the current trends that are most likely to happen, and those that would have the greatest impact if they did happen. Likelihood and impact constitute risk level. Those trends include the following:
- Mobile device data encryption will be made mandatory at government agencies and other organizations that store critical customer/patient data. Senior executives concerned about potential public ridicule will demand that sensitive mobile data be protected.
- New PDAs will have encryption preinstalled at the factory.
- Theft of PDAs and smart phones will grow significantly. The value and volume of data on the PDA will dictate the price.
- State and federal governments will pass more legislation governing the protection of customer information. If the requirements for data breach notification are reduced, the loss of sensitive personal data from mobile devices will incur harsh penalties.
- Targeted attacks on military contractors and businesses with valuable customer information will increase.
- Smart-phone- and PDA-specific worms will successfully attack up to a million devices globally (more than 200,000 in North America) by moving from phone to phone over wireless data networks. Adware profitability will be a trigger for spammers.
- Security researchers will often exploit the wireless vulnerabilities prior to selling the information to manufacturers and service providers.
With respect to mobile devices and security, business executives rarely know where to start. While mobile technology is burgeoning with new innovations, time-tested mitigation techniques and evolving tool sets are available and highly effective. Foremost, corporations need to:
- Recognize the risks of mobile technology and commit resources to take decisive actions that will control their vulnerabilities
- Inventory the high-value data and most serious exposures
- Evaluate which countermeasures directly and cost-effectively reduce their highest risks
- Implement a reasonable strategy that phases in improvements in information security commensurate with risk and resources
- Commit ongoing resources to revise and refine over time as circumstances evolve
For business leaders who fail to implement sufficient safeguards, the costs can be catastrophic. Further, with the integration of an increasingly networked world, their problems become everyone's.
Colubris WLAN Solutions, "RF Manager," www.colubris.com
Espenschied, Jon; "Ten Dangerous Claims About Smart Phone Security," Computerworld, 23 March 2007, www.computerworld.com/action/article
Eval NAC Solutions, Multimedia Session, 13 March 2007
Fraud Summit, "Fraud 2.0," University of Texas at Dallas, 23 March 2007
Guest contributor; "Identify and Reduce Mobile Device Security Risks," TechRepublic, 19 July 2004, http://articles.techrepublic.com.com/5100-6314_11-5274902.html
Institute for Applied Network Security, "Who Is the Bad Guy for 2007?," Regional Dinner for North Texas Security Executives, 24 January 2007
Jackson, William; "Can You Trust Your Blackberry," Government Computer News, 18 September 2006, www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn&story.id=41977
Jansen, Wayne; "Intrusion Detection with Mobile Agents," white paper, National Institute of Standards and Technology, USA
Muir, John; "Decoding Mobile Device Security," ComputerWorld, 14 July 2003, www.computerworld.com/securitytopics/security/story/0,10801,82890,00.html
Naraine, Ryan; "Cracking the Blackberry with a $100 Key," Security Watch—Exploits and Attacks, 30 November 2006
North American Electric Reliability Council, CIP Network Security, Multimedia Session, 28 February 2007
SANS Institute, "Half of Finance Managers Put Unsolicited USB Drive in Computers," SANS NewsBites, vol. 9, no. 8, 25 January 2007
SANS Institute, "The Ten Most Important Security Trends of the Coming Year," 2006
Wailgum, Thomas; "Mastering Mobile Madness," CIO, 1 December 2005
Patricia Mayer Milligan, Ph.D.
is an associate professor of information systems at Baylor University (Texas, USA). Her research is in the areas of outsourcing and IT auditing. She coauthored Understanding and Using Microsoft Word 97, Southwestern Educational Publishing. Prior to joining the faculty at Baylor in 1983, she was on the team that put together the first mobile computing project enabling insurance agents to use personal computers on the road. She volunteers her technology skills to advise and implement information systems for many nonprofit organizations in her community. She can be reached at email@example.com.
Donna Hutcheson, CISA
is the information technology audit director for TXU Corp. She is also principal and managing consultant for XR Group Inc., where she counsels global companies with information technology management and audit issues. Hutcheson supports her profession by serving on the ISACA Academic Relations Committee (2006-present) and the ISACA North Texas Chapter's board of directors as certification coordinator (2003-2005), vice president of education (2005-2006) and university relations director (2006-current).
She has coordinated and taught CISA exam preparation courses, as well as seminars at the University of Texas at Dallas (USA) and Southern Methodist University (Dallas, Texas, USA). She can be reached at firstname.lastname@example.org.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.