FORESEC
MOBILE SECURITY THREATS PROBLEM STATEMENT
THREATS ASSOCIATED WITH MOBILE
Mobile devices have become part of everyday technology for business as well as personal communication. They often need additional protection because of their nature and the threats they are exposed to. Before implementing security for mobile devices, it is important to identify the threats, vulnerabilities and security controls required for these devices, modelling the threats on the likelihood of successful attack scenarios and an impact assessment. It is also important to deepen our understanding of the security controls that may already be in place and to look ahead to future control enhancement requirements.
1. LACK OF PHYSICAL CONTROL
2. USAGE OF UNTRUSTED MOBILE DEVICES
3. ATTACKS FROM HOSTILE NETWORKS
4. UNTRUSTED MOBILE APPLICATIONS
5. UNTRUSTED DATA CONTENTS
6. GPS DATA AND PRIVACY
LACK OF PHYSICAL CONTROL
Mobile devices such as smartphones and tablets are becoming increasingly smaller in size and more attractive in design; they have become a fashion statement rather than a gadget. The locations where these devices are used, however, are a key concern. Coffee shops, hotels, airports and conferences are some of the key places where mobile devices are heavily used. Mobile devices are generally more likely to be stolen than laptops, as they generally carry more confidential and private data than laptops do. The loss of a mobile device is just as disastrous as the loss of a laptop computer.
USAGE OF UNTRUSTED MOBILE DEVICES
Personal mobile devices, a common trend among organizations (bring your own device, BYOD), are not necessarily trustworthy. Current mobile devices lack the root-of-trust features, such as TPMs, that are commonly built into laptops and other types of computing devices. There is also the issue of jailbreaking and rooting of mobile devices, which spells disaster because the built-in restrictions on security, the operating system and other functions have been bypassed. Companies should always treat external mobile devices as hostile before granting user access through them.
HOSTILE NETWORKS
Mobile devices depend primarily on non-organizational networks, such as 3G, LTE and Wi-Fi hotspots, for internet access and connectivity. The possibility of communications being compromised through a man-in-the-middle attack is imminent, and the resulting interception of data and voice could prove threatening. The risk from hostile networks can be greatly reduced by using strong encryption technologies to protect the confidentiality and integrity of communications, together with mutual authentication mechanisms that verify the identity of both parties before any data is transmitted.
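The two controls named above, encryption plus mutual authentication, sketched with Python's standard `ssl` module as an added example that is not part of the original page. The function names, the `device`/`gateway` roles and the certificate file parameters are assumptions made for illustration; the audit compares a constructed weak context against the hardened ones.

```python
import ssl

def device_context(ca_file=None):
    """Mobile-device side: encrypt, and authenticate the server first."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_file:                     # hypothetical path to the organization's CA
        ctx.load_verify_locations(ca_file)
    else:
        ctx.load_default_certs()
    return ctx

def gateway_context(cert=None, key=None, device_ca=None):
    """Organization side: also demand a device certificate (mutual auth)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # handshake fails without a client cert
    if cert and key:                # hypothetical server certificate and key files
        ctx.load_cert_chain(cert, key)
    if device_ca:                   # hypothetical CA that issues device certificates
        ctx.load_verify_locations(device_ca)
    return ctx

def weak_device_context():
    """Constructed counter-example: encrypted, but the peer is never verified."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # has to be disabled before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit(ctx, role):
    """Return the gaps that leave a context open to interception."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if role == "device" and not ctx.check_hostname:
        findings.append("server hostname not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol below TLS 1.2 allowed")
    return findings

if __name__ == "__main__":
    for name, ctx, role in [("hardened device", device_context(), "device"),
                            ("hardened gateway", gateway_context(), "gateway"),
                            ("weak device", weak_device_context(), "device")]:
        print(name, "->", audit(ctx, role) or "no findings")
```

A server context left at its default `verify_mode` authenticates only one side; the audit reports that as a missing peer-certificate requirement.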
[Chart: ANDROID, IPHONE, BLACKBERRY; scale marks 25%, 50%, 75%]
UNTRUSTED APPLICATION
Mobile devices are designed to make it easy to acquire and install third-party applications, which may pose serious security risks, especially on mobile device platforms that do not place security restrictions or other limitations on third-party application publishing. Organizations should plan their mobile device security on the assumption that unknown third-party mobile device applications downloaded by users should not be trusted.
INTERACTION WITH OTHER SYSTEMS
Mobile devices may interact with other systems for data synchronization and storage. Local system interaction commonly involves connecting a mobile device to a desktop or laptop by a cable for charging and/or syncing. Remote system interaction most often involves automatic backups of data to a cloud-based storage solution. When all of these components are under the organization's control, risk is generally acceptable, but often one or more of these components are external. Examples include attaching a personally-owned mobile device to an organization-issued laptop, attaching an organization-issued mobile device to a personally-owned laptop, and attaching an organization-issued mobile device to a remote backup service. In all of these scenarios, the organization's data is at risk of being stored in an unsecured location outside the organization's control; transmission of malware from device to device is also a possibility.
[Figure: ESCALATION OF MOBILE THREATS GLOBALLY. Year axis 2007 to 2014; percentage values shown: 88, 77, 60, 15, 20, 25, 35, 49. Labels: UNITED STATES RANSOMWARE; RUSSIAN FEDERATION MOBILE THEFT; ASIA PACIFIC INTERCEPTION; SOUTH AMERICAN DATA BREACH]
GPS AND PRIVACY
Location Services
Mobile devices with GPS capabilities typically run what are known as location services. These services map a GPS-acquired location to the corresponding businesses or other entities close to that location. Location services are heavily used by social media, navigation, web browsers, and other mobile-centric applications. In terms of organization security, mobile devices with location services enabled are at increased risk of targeted attacks because it is easier for potential attackers to determine where the user and the mobile device are, and to correlate that information with other sources about who the user associates with and the kinds of activities they perform in particular locations.