Cyber Security Review
Running head: MO’ MOBILES, MO’ PROBLEMS
Abstract
Businesses continue to grow in acceptance and utilization of Bring Your Own Device (BYOD) policies because they can increase productivity while reducing costs, but they may be putting themselves at risk if they fail to implement proper security policies that include Mobile Device Management (MDM) controls. This literature review will research and identify the risks associated with mobile computing devices and the threats they can pose to corporate resources in the event that they become compromised. It will review mobile computing trends, BYOD for businesses, prevalent security threats, MDM controls, and security best practices. It will include quantitative methods using a before-and-after approach with convenience sampling through the administering of a survey questionnaire. The data analysis will be summarized, followed by a discussion of ways that businesses can implement various controls to strike an operationally feasible balance between productivity and security.
Keywords: mobile device security, MDM, BYOD, mobile threats
Literature Review
Mobile Device Trends
Understanding mobile device trends is important because it provides the background for the current and future capabilities of mobile device technologies, and new innovations in technology will lead to advanced capabilities in the mobile arena. The continued development and growth can enhance user productivity and consumer acceptance, but it will also provide hackers with new avenues to exploit vulnerabilities. This innovation cycle continues to produce hurdles for IT professionals and businesses, as they must learn and adapt on the fly to ensure the security of personally identifiable information (PII) and corporate data. Edmondson et al. (2014) identify this trend in mobile growth: fewer people are buying desktops, laptop and tablet sales have passed those of desktops, and, more importantly, purchases of smartphones have passed them all. They also feel that the mobile boom is not over but rather in its beginning stages as it continues to immerse itself in business and society, and that the delivery of future devices will require advances in infrastructure, networking, and other fields that may not exist yet. Additionally, the mobile growth trend is discussed in a 2014 study which reveals that tablet and mobile phone worldwide shipments totaled 2 billion units in 2013, and are expected to ship 2.3 billion units in 2015 ("Gartner says worldwide traditional PC, tablet, ultramobile and mobile phone shipments on pace to grow 7.6 percent in 2014," 2014).
The trend is evident through the emergence of the operational concept of the Internet of Things (IoT), where multiple technologies are integrated to provide a way to manage and automate various facets of business, processes, and individuals' daily lives. The idea is based on appliances and systems having a network interface so that they can be added to a network or provided access through the internet. IoT can provide benefits in healthcare, production management, transportation, logistics, and various other industries. The concern, however, is that the success of IoT and its acceptance on a worldwide scale will be minimal without any standards or governance being established (Xu, He, & Li, 2014).
Some considerations for emerging and future technologies are: wearables that will become part of a Personal Area Network (PAN), new Wi-Fi standards that will overhaul current Wi-Fi networks, and Enterprise Mobile Management (EMM), which will combine aspects of MDM and Mobile Application Management (MAM) in an attempt to control mobile devices more effectively (Jones, 2014). Mobile commerce (m-commerce) has also grown as an answer to the consumer demand for mobile accessibility. Most banks have apps for users to complete banking transactions, and this also translates to the convenience of goods being bought and sold online in minimal transaction steps (Chang, Williams, & Hurlburt, 2014).
BYOD for Businesses
BYOD is the practice of companies allowing their employees to use their personal mobile devices in the workplace instead of company-provided equipment. It is more commonplace in Small-and-Medium Businesses (SMBs), as expected, because of the initial cost savings it provides along with a level of employee satisfaction. However, a Cisco 2012 survey of 600 U.S. IT leaders indicates that 89% of enterprise and medium-sized businesses support a form of BYOD. Security is a main concern in those enterprise and medium-sized businesses, as noted in the survey, with only 50% and 41% respectively having policies in place (Bradley, Loucks, Macaulay, Medcalf, & Buckalew, 2012). There are two points of view on the inception of the BYOD initiative. The first is that employees wanted a way to access content of a personal nature, like webpages and email, while at work; access was blocked by company IT policies, so they wanted to be able to use their personal devices to access that content. This is nothing more than circumventing the security measures that were in place for good reason. The second belief, from the business point of view, is that an increase in productivity with a decrease in costs, plus employee satisfaction, leads to an increase in profits (Caldwell, Zeltmann, & Griffin, 2012). There are multiple reasons for a business to implement BYOD. Employees can access their work from anywhere, and it provides the flexibility to let them take care of issues in a conference room before a meeting begins, or while on the train for their commute home. Files and other documents can be accessed from anywhere, providing 24/7 access for teams to collaborate while spread across physical locations. But when you start analyzing who the devices actually belong to (the employee) and who the data belongs to (the company), an entirely new dilemma arises in the areas of security and ethics.
Users feel like they have the freedom to install whatever apps or media they want onto their device, while companies believe they reserve the right to completely wipe the device in the event of employee termination or a lost device. These issues are strong reasons for companies to understand the need for a thorough BYOD policy to be in place before the practice is authorized. The policy should spell out exactly who is responsible for what, in a way that provides a clear understanding to all employees. It should address what devices are allowed and supported, what apps are authorized, and who to notify in the event that a device is believed to be lost. It should also inform employees of the consequences if they are caught with unapproved apps or tampering with the security settings enforced by technical controls; each employee should then sign the policy to acknowledge their understanding and consent (Blizzard, 2014).
Security and privacy are the two biggest concerns. The security concern is that of the companies, because any infected device that is connected to the network, or plugged into a desktop computer, could introduce a virus or malware. This would most definitely constitute a security incident, and loss of corporate data is possible. The privacy concern is that of the users, because of the personal nature of the data that is also contained on a mobile device. It is possible that personal data could be disclosed when a device is scanned by the company’s IT department (Miller, Voas, & Hurlburt, 2012).
Security Threats
When thinking about threats to mobile devices, most people immediately think of a hacker. While that is fair to acknowledge, it must also be understood that the users and the devices are themselves considered threats. In fact, in the IT industry, end-users are still considered the greatest internal threat. Dimensional Research published a 2014 survey of 706 IT professionals across the world who serve a role in system security within their company. The report indicated that 87% of the respondents believe that careless employees are their greatest security threat, and 63% identified employee carelessness as the likely cause of recent breaches that included data being compromised. It also included the top five factors for the high impact that users have on mobile security: accidentally accessing malicious sites or downloading malicious content, lack of awareness of security policies, intentionally ignoring security policies, lost or stolen devices, and device security updates not being current ("The Impact of Mobile Devices on Information Security: A Survey of IT and Security," 2014).
Devices themselves are considered a threat to security for an assortment of reasons. These include the many different types of devices with various hardware configurations, the several different operating systems, and the various components that have the capability to access the internet. Android and iOS are considered the prominent players in mobile devices, and Android is recognized as the more vulnerable of the two. This is mainly due to the difference in governance of the Google Play Store and the Apple App Store. Google allows any developer to pay a minimum fee to register, which gives them access to upload any apps they desire. Apple has a vetting process and also completes extensive testing on apps before they are published in the App Store. Additionally, Android is based on open source and is available in multiple flavors across multiple devices, while iOS is just on Apple products (La Polla, 2013).
Wahid, Kirmani, and Siddiqui (2014) completed a case study to evaluate the level of knowledge and programming required to break into various mobile device operating systems. This study also indicated that Android is more susceptible than iOS to be compromised and this could easily be accomplished by “average programmers that have access to the official tools and programming libraries provided by Smartphone platforms” (Wahid et al., 2014, p. 8). This proves how dangerous malware is to mobile devices and the caution that users should embrace when accessing questionable content.
Lookout, a mobile security company, published their 2015 Threats report that “analyzed threats encountered by its global sensor network of more than 60 million Lookout-enabled mobile devices” ("Enterprise mobile threats: 2014 year in review," 2014). It noted the top three trends as follows: malware attack methods are more sophisticated, threats have increased along with the impact to companies, and GPS and contact data was siphoned from devices and tracked to twenty different countries. A study was also completed on a U.S. federal agency which analyzed 488 mobile devices that also had access to corporate data. It identified 29% of those devices as containing a mobile threat, and almost 8% of those as having Trojans or root enablers, which can allow attackers to gain admin rights and circumvent security policies ("Enterprise mobile threats: 2014 year in review," 2014).
McAfee Labs published their threat predictions for 2015, which stressed the evolution of current types of attacks into those that will focus on mobile devices and ones that will become advanced persistent threats (APT). They indicate that cyber espionage will change from single swift attacks for financial gain to attacks where the attackers remain hidden over time and collect information on their target as an APT, which would provide a greater return on their attacks. They expect attacks on IoT devices (IP webcams, home automation, and appliances) to increase rapidly because of poor security practices coupled with an influx of connected devices. They believe there could be an opportunity for high-value data on vulnerable devices. Finally, they foresee malware and ransomware infections growing significantly on mobile devices, along with the evolution of attacks on cloud-based storage sites like Dropbox, Google Drive, and OneDrive. This is due to the believed high value of data that is very personal, like personal pictures and documents ("McAfee Labs Threats Report," 2014).
Mobile Device Management
An MDM solution is highly recommended and can be implemented locally, through a Software as a Service (SaaS) subscription, or as an appliance integrated into the network. The capabilities that should be evaluated for an MDM include “password management, remote data wipe, data encryption, jailbreak/root detection, data loss prevention, remote configuration, remote OS and application updating, remote inventorying, and remote control” (Harris & Patten, 2014). The addition of a mobile application management (MAM) piece is also recommended because it can set application level policies and only allow applications to be installed from the local application stores as defined in policies by the administrators.
The same concepts of defense-in-depth apply to MDM as well, meaning that layered security controls provide the greatest protection. Containerization is an additional layer that should be considered. It includes an encrypted storage area for the corporate applications and security policies, and it allows these more sensitive objects to be handled separately from the operating system. This technique is an efficient way to address the concerns between personal devices and corporate data because it allows users to access their personal data and applications as they want, but it gives control of corporate data to the businesses. It allows the company to remotely wipe all corporate data while not affecting the users’ personal data; thus achieving the desired balance of user freedom and data security (Leavitt, 2013).
Kilpatrick (2014) provides some insight into the issues with MDM, and he acknowledges that it isn’t just the responsibility of the IT department to protect the enterprise. He understands the pace at which technology is deployed and the business needs that require new programs or devices before full testing. This is most important because it provides an insight to non-technical executives and decision makers that “it is not possible for most IT security teams to carry the responsibility of securing the whole business and every user singlehandedly” (Kilpatrick, 2014, p. 13).
Security Best Practices
The application of security best practices in regards to hardware, software, policies and business processes is not a singular magic answer. It is a roadmap that provides people and businesses with various levels of security strategies that can be implemented based on the technologies employed and resource availability. The National Institute of Standards and Technology (NIST) provides publications and guidance as part of its responsibilities under the Federal Information Security Management Act (FISMA), Public Law 107-347. They are intended for Federal information systems, but can be used by any entity. NIST Special Publication (SP) 800-124 addresses security of mobile devices in the enterprise, and contains four sections that provide various considerations that can be addressed based on company needs. They should be integrated with an MDM or existing security solution.
General policy. This is where “centralized technology can enforce enterprise security policies on the mobile device, including (but not limited to) other policy items” (Souppaya & Scarfone, 2013). This suggests limiting user access to hardware (GPS, camera, USB), allowing user access only to native operating system services, managing Wi-Fi and Bluetooth connections, using an active monitoring and reporting feature that can compare devices against a baseline, and preventing access to corporate data if the device is not on the latest firmware or if the device has been jailbroken/rooted (Souppaya & Scarfone, 2013).
Data Communication and Storage. This section recommends strong encryption of communications between the client and server; this is usually accomplished through the use of a VPN. The device’s storage should also be encrypted, including any type of removable storage. Cryptographically binding the media to a device renders the media accessible only with that device; this prevents the media from being stolen and accessed on another device. The device should be wiped for the following reasons: before re-issue or being recycled, lost or stolen, failed logon attempts (Souppaya & Scarfone, 2013).
User and Device Authentication. This includes a device password (lock screen), authentication to company resources before access is granted, password complexity requirements, an automatic lock screen (screensaver), and the ability to remotely lock the device (Souppaya & Scarfone, 2013). It is also recommended to include the practice of central management of assets and the ability to manage devices through a cloud-based portal. Asset management should be in the sole possession of the IT department and allow them to test and apply the needed policies before the device gets to the end-user. Cloud-based administration allows IT to perform their controls remotely so they can enroll or wipe a device from anywhere as long as they have an internet connection (Vaidyanathan, 2014).
Applications. This covers an app store and the enforcement of approved (whitelisting) and blocked (blacklisting) applications. Application access to system resources should be restricted, and approved applications should be updated to newer versions automatically. It is also recommended that digital signatures be enforced to ensure applications are only installed from trusted vendors (Souppaya & Scarfone, 2013). Virtualization is an option that can utilize server resources to minimize the overhead on mobile devices. It allows guest operating systems to be launched on the devices while maintaining the desired separation of business and personal data (Chang, Pao-Chung, & Teng-Chang, 2014).
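The four control areas above can be combined into a single compliance check that an MDM or access gateway runs before a device reaches corporate data. The following is an added example and is not taken from the paper or from NIST SP 800-124; the record fields, thresholds, and app identifiers are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed policy values for illustration; the guidance names the control
# areas, while the thresholds and app identifiers here are constructed.
POLICY = {
    "min_os_version": (8, 1),
    "min_passcode_length": 6,
    "max_autolock_seconds": 300,
    "max_failed_logons": 10,
    "approved_apps": {"corp.mail", "corp.files", "corp.vpn"},
    "blocked_apps": {"free.flashlight.plus"},
}


@dataclass
class Device:
    device_id: str
    os_version: tuple
    rooted: bool = False
    storage_encrypted: bool = True
    vpn_active: bool = True
    passcode_length: int = 8
    autolock_seconds: int = 120
    failed_logons: int = 0
    lost_or_stolen: bool = False
    # app id -> True when the package signature chains to a trusted vendor
    apps: dict = field(default_factory=dict)


def evaluate(device, policy=POLICY):
    """Return (action, findings); action is 'allow', 'deny' or 'wipe'."""
    findings = []

    # General policy: jailbreak/root state and firmware currency.
    if device.rooted:
        findings.append("general: jailbroken/rooted")
    if device.os_version < policy["min_os_version"]:
        findings.append("general: firmware below baseline")

    # Data communication and storage.
    if not device.vpn_active:
        findings.append("data: no VPN tunnel")
    if not device.storage_encrypted:
        findings.append("data: storage not encrypted")

    # User and device authentication.
    if device.passcode_length < policy["min_passcode_length"]:
        findings.append("auth: passcode too short")
    if device.autolock_seconds > policy["max_autolock_seconds"]:
        findings.append("auth: auto-lock timeout too long")

    # Applications: blocked list, approved list, signature trust.
    for app, trusted_signature in sorted(device.apps.items()):
        if app in policy["blocked_apps"]:
            findings.append(f"apps: blocked app {app}")
        elif app not in policy["approved_apps"]:
            findings.append(f"apps: unapproved app {app}")
        if not trusted_signature:
            findings.append(f"apps: untrusted signature on {app}")

    # Wipe triggers named in the storage section take priority over deny.
    if device.lost_or_stolen or device.failed_logons >= policy["max_failed_logons"]:
        return "wipe", findings
    return ("deny" if findings else "allow"), findings


# Constructed sample inventory records.
FLEET = [
    Device("tablet-01", (8, 2), apps={"corp.mail": True, "corp.vpn": True}),
    Device("phone-02", (7, 1), rooted=True, vpn_active=False,
           apps={"corp.mail": True, "free.flashlight.plus": False}),
    Device("phone-03", (8, 1), failed_logons=10, apps={"corp.files": True}),
]

if __name__ == "__main__":
    for d in FLEET:
        action, findings = evaluate(d)
        print(d.device_id, action, findings)
```

Returning the findings alongside the action gives the monitoring and reporting feature something to log against the baseline, and under containerization the "wipe" action would be scoped to the corporate container only.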
In summary, the literature provided a look into the current and expected mobile device trends. The growth and popularity of the devices will contribute to the adoption of the IoT in more mainstream societies. Emerging and future technologies will play a part in the need for standards and oversight to continue developing secure devices. The literature on BYOD for businesses supported the increase in user productivity that also decreases company expenses, resulting in larger profits. Employee happiness with BYOD use allows them to feel better supported by their company and allows them to complete tasks whenever they have time and are not in the office. Security and privacy are the key concerns because companies want their data secured while employees’ personal data maintains its privacy.
The security threats identified lack of user understanding and careless users as the prime concern for device and data security. Android and iOS are the prominent mobile operating systems; and the security of their respective application stores points to Android being the more vulnerable of the two. Malware and ransomware are expected to evolve and target mobile devices in an effort to collect information of value off of the devices (corporate and personal). MDM provides local and subscription based solutions that provide better advanced controls to IT administrators. Features for separating corporate and personal data are encouraged to provide the desired levels of security and privacy. Security best practices were highlighted by the NIST publication that cited four main areas of general policy, data communications and storage, user and device authentication, and applications. It is understood that there are various levels of controls and solutions that can be implemented, but the costs of multiple controls can increase greatly based on the characteristics of the various mobile devices in use. This will all lead to a more granular look at the hypotheses and research design that attempts to answer the research questions that will be addressed.
Methodology
Hypotheses
The following research questions were the basis to guide this study. What levels of mobile device management controls provide the best protection from security threats? How can user awareness training help reduce the chance of a device becoming compromised? These research questions allowed for the formulation of the following hypotheses. The inclusion of multiple controls of mobile device management provides a significant level of protection from security threats. User awareness training can greatly reduce the risk of their mobile devices becoming compromised. These hypotheses will lead to the explanation of the research design that is being completed solely as a hypothetical case for the purpose of this course.
Research Design
This hypothetical research is based on quantitative methods that are focused on the number of contacts with the study population. The before-and-after study approach will provide the opportunity to measure the current study population’s posture as it pertains to the research, and measure the impact of changes made between the two samplings after a year’s time. It is assumed that some of the businesses would implement additional controls that could positively affect the data of the study. This could help to reinforce the hypotheses this study is based on.
Variables. The dependent variables for this study will be security threats, mobile devices, and data security. The independent variables will be MDM security controls, user awareness training, and associated levels of risk.
Sampling Plan. A non-random, non-probability sampling will be used for this study. Based on limited funds, and accessibility within northwest Florida, a convenience sampling is the best option at this time. The study population will include multiple businesses in the local area that have their own dedicated IT department. The goal is to attain a sample size of 100 respondents while providing a high level of anonymity.
Data Collection. The data collection tool will be a survey questionnaire designed to identify background information of the sampling elements as well as particular questions related to information needed for this study. It will attempt to gather the size of the business, the type of industry they are in, their use of mobile devices, whether they have a BYOD policy, whether they provide user awareness training, and what types of MDM security controls they utilize. The questionnaire will also state that the information and responses will be completely anonymous.
Analysis of Data. The data will be manually analyzed by the researcher but computer equipment will be the prime medium for storing, coding, and analyzing the responses. The intent is to understand the use of mobile devices in various sizes of business, to what extent they implement MDM security controls, and if they have experienced security breaches or data loss. Cross-tabulations will be conducted with the mobile devices and data security in relation to the attributes that provide company background information.
Conclusion
Limitations. While understanding the severity that responses could provide too much information for an anonymous survey, it must be understood that businesses would not be likely to identify any of their shortcomings within their IT infrastructure. There may be resistance by the sampling elements to answer questions because they do not want their personal understanding of their security posture to reflect poorly on their company. There may not be enough reliable data provided in the intended areas of business sizes (enterprise and small-medium).
References
Blizzard, S. (2014). The BYOD Full Circle: How Advantageous Is The Phenomenon? Software World, 45(5), 3-4.
Bradley, J., Loucks, J., Macaulay, J., Medcalf, R., & Buckalew, L. (2012). BYOD: A global perspective. Retrieved January 25, 2015, from http://www.cisco.com/web/about/ac79/docs/re/BYOD_Horizons-Global.pdf
Caldwell, C., Zeltmann, S., & Griffin, K. (2012). BYOD (Bring Your Own Device). Competition Forum, 10(2), 117-121.
Chang, J. M., Pao-Chung, H., & Teng-Chang, C. (2014). Securing BYOD. IT Professional, 16(5), 9-11. doi: 10.1109/MITP.2014.76
Chang, J. M., Williams, J., & Hurlburt, G. (2014). Mobile Commerce. IT Professional, 16(3), 4-5. doi: 10.1109/mitp.2014.36
Edmondson, J., Anderson, W., Gray, J., Loyall, J. P., Schmid, K., & White, J. (2014). Next-Generation Mobile Computing. IEEE Software, 31(2), 44-47. doi: 10.1109/ms.2014.39
Enterprise mobile threats: 2014 year in review. (2014). Retrieved February 6, 2015, from https://www.lookout.com/static/ee_images/Enterprise_Report_Final_1.13.pdf
Gartner says worldwide traditional PC, tablet, ultramobile and mobile phone shipments on pace to grow 7.6 percent in 2014. (2014). Retrieved February 4, 2015, from http://www.gartner.com/newsroom/id/2645115
Harris, M., & Patten, K. (2014). Mobile device security considerations for small and medium-sized enterprise business mobility. Information Management & Computer Security, 22(1), 97-114. doi: 10.1108/imcs-03-2013-0019
The Impact of Mobile Devices on Information Security: A Survey of IT and Security. (2014). Retrieved February 2, 2015, from http://www.checkpoint.com/capsule/check-pointcapsule-2014-mobile-security-survey-report.pdf
Jones, N. (2014). Top 10 mobile technologies and capabilities for 2015 and 2016. Retrieved February 6, 2015, from https://www.gartner.com/doc/2665315?ref=SiteSearch&sthkw=mobile%20device%20growth&fnl=search&srcId=1-3478922254
Kilpatrick, I. (2014). Mobile Device Security Tackling The Risks. Database and Network Journal, 44(5), 13-14.
La Polla, M., Martinelli, F., & Sgandurra, D. (2013). A Survey on Security for Mobile Devices. IEEE Communications Surveys & Tutorials, 15(1), 446-471. doi: 10.1109/SURV.2012.013012.00028
Leavitt, N. (2013). Today's Mobile Security Requires a New Approach. Computer, 46(11), 16-19. doi: 10.1109/mc.2013.400
McAfee Labs Threats Report. (2014). Retrieved February 2, 2015, from http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q3-2014.pdf
Miller, K. W., Voas, J., & Hurlburt, G. F. (2012). BYOD: Security and Privacy Considerations. IT Professional, 14(5), 53-55. doi: 10.1109/MITP.2012.93
Murtagh, R. (2014). Mobile now exceeds PC: The biggest shift since the internet began. Retrieved February 5, 2015, from http://searchenginewatch.com/sew/opinion/2353616/mobile-now-exceeds-pc-the-biggestshift-since-the-internet-began#
Souppaya, M., & Scarfone, K. (2013). Guidelines for managing the security of mobile devices in the enterprise (U. S. D. o. Commerce, Trans.): National Institute of Standards and Technology.
Vaidyanathan, R. (2014). The Present and Future of Mobile Device Management. Software World, 45(6), 12-13.
Wahid, A., Kirmani, M., & Siddiqui, A. (2014). Mobile OS Security and Threats: A Critical Review. International Journal of Computer Applications, 86(9), 8-13. doi: 10.5120/15011-3293
Xu, L. D., He, W., & Li, S. (2014). Internet of Things in Industries: A Survey. IEEE Transactions on Industrial Informatics, 10(4), 2233-2243. doi: 10.1109/tii.2014.2300753