Mobile Security


(SLIDE-1) MOBILE DEVICE

(SLIDE-2) A mobile device (also known as cell phone device, handheld device, handheld computer, or "Palmtop") is a pocket-sized computing device, typically having a display screen with touch input or a miniature keyboard. In the case of the personal digital assistant (PDA) the input and output are combined into a touch-screen interface. Smartphones and PDAs are popular amongst those who require the assistance and convenience of a conventional computer, in environments where carrying one would not be practical. Enterprise digital assistants can further extend the available functionality for the business user by offering integrated data capture devices like Bar Code, RFID and Smart Card readers.

There are several types of mobile devices, like:

Mobile computers (SLIDE-3)

- Notebook PC
- Ultra-Mobile PC
- Handheld PC
- Personal digital assistant/Enterprise digital assistant
- Graphing calculator
- Pocket computer

These are the types of mobile computers. (SLIDE-4)

Handheld game consoles (SLIDE-5)

- Nintendo DS
- Game Boy, Game Boy Color
- Sega Game Gear
- PC Engine GT
- Atari Lynx
- Pandora
- PlayStation Portable
- N-Gage

These are the types of handheld game consoles. (SLIDE-6)

Media recorders (SLIDE-7)

- Digital still camera
- Digital video camera
- Digital audio recorders
- Media players/displayers
- Portable media player
- e-book reader

These are the types of media recorders. (SLIDE-8)

Communication devices (SLIDE-9)

- Mobile phone
- Cordless phone
- Pager

These are the types of communication devices. (SLIDE-10)

Handheld devices in our daily life (SLIDE-11)

Handheld devices have become ruggedized for use in
Handheld computers used at work have molded over time into a variety of form factors, including smartphones on the low end, handheld PDAs, Ultra Mobile PCs, Tablet PCs, and even notebook computers, which we use in every aspect of our lives.

Most handhelds can also be used to send and receive faxes by email using an Internet fax service. Internet faxing also enables handheld users to print documents by sending them to a nearby fax machine. This service is available through most internet fax providers.

(SLIDE-12) Wireless Communication

Wireless communications offer organizations and users many benefits such as portability and flexibility, increased productivity, and lower installation costs. Wireless technologies cover a broad range of differing capabilities oriented toward different uses and needs. Wireless local area network (WLAN) devices, for instance, allow users to move their laptops from place to place within their offices without the need for wires and without losing network connectivity. Less wiring means greater flexibility, increased efficiency, and reduced wiring costs. Ad hoc networks, such as those enabled by Bluetooth, allow data synchronization with network systems and application sharing between devices. Bluetooth functionality also eliminates cables for printer and other peripheral device connections. Handheld devices such as personal digital assistants (PDA) and cell phones allow remote users to synchronize personal databases and provide access to network services such as wireless e-mail, Web browsing, and Internet access.

Specific threats and vulnerabilities to wireless networks and handheld devices include the following:

- All the vulnerabilities that exist in a conventional wired network apply to wireless technologies.
- Malicious entities may gain unauthorized access to an agency's computer network through wireless connections, bypassing any firewall protections.
- Sensitive information that is not encrypted (or that is encrypted with poor cryptographic techniques) and that is transmitted between two wireless devices may be intercepted and disclosed.
- DoS attacks may be directed at wireless connections or devices.
- Malicious entities may steal the identity of legitimate users and masquerade as them on internal or external corporate networks.
- Sensitive data may be corrupted during improper synchronization.
- Malicious entities may be able to violate the privacy of legitimate users and be able to track their movements.
- Malicious entities may deploy unauthorized equipment (e.g., client devices and access points) to surreptitiously gain access to sensitive information.
- Handheld devices are easily stolen and can reveal sensitive information.
- Data may be extracted without detection from improperly configured devices.
- Viruses or other malicious code may corrupt data on a wireless device and subsequently be introduced to a wired network connection.
- Malicious entities may, through wireless connections, connect to other agencies or organizations for the purposes of launching attacks and concealing their activities.
- Interlopers, from inside or out, may be able to gain connectivity to network management controls and thereby disable or disrupt operations.
- Malicious entities may use third-party, untrusted wireless network services to gain access to an agency's or other organization's network resources.
- Internal attacks may be possible via ad hoc transmissions.

Maintaining a secure wireless network and associated devices requires significant effort, resources, and vigilance and involves the following steps:

- Maintaining a full understanding of the topology of the wireless network.
- Labelling and keeping inventories of the fielded wireless and handheld devices.
- Creating backups of data frequently.
- Performing periodic security testing and assessment of the wireless network.
- Performing ongoing, randomly timed security audits to monitor and track wireless and handheld devices.
- Applying patches and security enhancements.
- Monitoring the wireless industry for changes to standards that enhance security features and for the release of new products.
- Vigilantly monitoring wireless technology for new threats and vulnerabilities.

Wireless networks serve as the transport mechanism between devices and among devices and the traditional wired networks (enterprise networks and the Internet). Wireless networks are many and diverse but are frequently categorized into three groups based on their coverage range: Wireless Wide Area Networks (WWAN), WLANs, and Wireless Personal Area Networks (WPAN). WWAN includes wide coverage area technologies such as 2G cellular, Cellular Digital Packet Data (CDPD), Global System for Mobile Communications (GSM), and Mobitex. WLAN, representing wireless local area networks, includes 802.11, HiperLAN, and several others.

Wireless LANs (SLIDE-13)

WLANs allow greater flexibility and portability than do traditional wired local area networks (LAN). Unlike a traditional LAN, which requires a wire to connect a user's computer to the network, a WLAN connects computers and other components to the network using an access point device. An access point communicates with devices equipped with wireless network adaptors; it connects to a wired Ethernet LAN via an RJ-45 port. Access point devices typically have coverage areas of up to 300 feet (approximately 100 meters). This coverage area is called a cell or range. Users move freely within the cell with their laptop or other network device.

The three basic security services defined by IEEE for the WLAN environment are as follows:

- Authentication: A primary goal of WEP was to provide a security service to verify the identity of communicating client stations. This provides access control to the network by denying access to client stations that cannot authenticate properly. This service addresses the question, "Are only authorized persons allowed to gain access to my network?"
- Confidentiality: Confidentiality, or privacy, was a second goal of WEP. It was developed to provide the privacy achieved by a wired network. The intent was to prevent information compromise from casual eavesdropping (passive attack). This service, in general, addresses the question, "Are only authorized persons allowed to view my data?"
- Integrity: Another goal of WEP was a security service developed to ensure that messages are not modified in transit between the wireless clients and the access point in an active attack. This service addresses the question, "Is the data coming into or exiting the network trustworthy; has it been tampered with?"

Ad Hoc Networks (SLIDE-14)

Ad hoc networks such as Bluetooth are networks designed to dynamically connect remote devices such as cell phones, laptops, and PDAs. These networks are termed ad hoc because of their shifting network topologies. Whereas WLANs use a fixed network infrastructure, ad hoc networks maintain random network configurations, relying on a master-slave system connected by wireless links to enable devices to communicate. In a Bluetooth network, the master of the piconet controls the changing network topologies of these networks. It also controls the flow of data between devices that are capable of supporting direct links to each other. As devices move about in an unpredictable fashion, these networks must be reconfigured on the fly to handle the dynamic topology. The routing protocol that Bluetooth employs allows the master to establish and maintain these shifting networks.

Bluetooth (SLIDE-14)

Bluetooth has emerged as a very popular ad hoc network standard today. The Bluetooth standard is a computing and telecommunications industry specification that describes how mobile phones, computers, and PDAs should interconnect with each other, with home and business phones, and with computers using short-range wireless connections. Bluetooth network applications include wireless synchronization, e-mail/Internet/intranet access using local personal computer connections, hidden computing through automated applications and networking, and applications that can be used for such devices as hands-free headsets and car kits. The Bluetooth standard specifies wireless operation in the 2.45 GHz radio band and supports data rates up to 720 kbps.

5 benefits of Bluetooth include:

- Cable replacement: Bluetooth technology replaces cables for a variety of interconnections. These include those of peripheral devices (i.e., mouse and keyboard computer connections), USB at 12 Mbps (USB 1.1) up to 480 Mbps (USB 2.0); printers and modems, usually at 4 Mbps; and wireless headsets and microphones that interface with PCs or mobile phones.
- Ease of file sharing: Bluetooth enables file sharing between Bluetooth-enabled devices. For example, participants of a meeting with Bluetooth-compatible laptops can share files with each other. In another example, a Bluetooth-compatible mobile phone acts as a wireless modem for laptops. Using Bluetooth, the laptop interfaces with the cell phone, which in turn connects to a network, thus giving the laptop a full range of networking capabilities without the need of an electrical interface for the laptop-to-mobile-phone connection.
- Wireless synchronization: Bluetooth provides automatic wireless synchronization with other Bluetooth-enabled devices. For example, personal information contained in address books and date books can be synchronized between PDAs, laptops, mobile phones, and other devices.
- Automated wireless applications: Bluetooth supports automatic wireless application functions. Unlike synchronization, which typically occurs locally, automatic wireless applications interface with the LAN and Internet. For example, an individual working offline on e-mails might be outside of their regular service area, on a flight, for instance. To e-mail the files queued in the inbox of the laptop, the individual, once back in a service area (i.e., having landed), would activate a mobile phone or any other device capable of connecting to a network. The laptop would then automatically initiate a network join by using the phone as a modem and automatically send the e-mails after the individual logs on.
- Internet connectivity: Bluetooth is supported by a variety of devices and applications. Some of these devices include mobile phones, PDAs, laptops, desktops, and fixed telephones. Internet connectivity is possible when these devices and technologies join together to use each other's capabilities. For example, a laptop, using a Bluetooth connection, can request a mobile phone to establish a dial-up connection; the laptop can then access the Internet through that connection.

GPRS (SLIDE-16)

General Packet Radio Service (GPRS) is a data network architecture that is designed to integrate with existing GSM networks and offer mobile subscribers "always on" packet-switched data services and access to corporate networks and the Internet. GPRS provides mobile operators with an opportunity to offer higher margin data access services to subscribers. In return, subscribers benefit from GPRS by being able to use higher bandwidth mobile connections to the Internet and corporate networks. GPRS Tunnelling Protocol (GTP) is the protocol used by GSM or UMTS operators to convert radio signals from subscribers into data packets, and then to transport them in non-encrypted tunnels. GTP does not provide for inherent security.

Classification of Security Services


Security services are protections and assurances that provide mitigation against various threats. They are generally known as:

- Integrity: Integrity is a security service that assures that data cannot be altered in an unauthorized or malicious manner.
- Confidentiality: Confidentiality is the protection of data from disclosure to unauthorized third parties.
- Authentication: Authentication provides assurance that a party in data communication is who or what they claim to be.
- Authorization: Authorization is a security service that ensures that a party may only perform the actions that they're allowed to perform.
- Availability: Availability means that data services are usable by the appropriate parties in the manner intended.

GSM (Global System for Mobile communications) (SLIDE-17)

Originally from Groupe Spécial Mobile, GSM is the most popular standard for mobile phones in the world. Its promoter, the GSM Association, estimates that 82% of the global mobile market uses the standard. GSM is used by over 3 billion people across more than 212 countries and territories. Its ubiquity makes international roaming very common between mobile phone operators, enabling subscribers to use their phones in many parts of the world. GSM differs from its predecessors in that both signalling and speech channels are digital, and thus is considered a second generation (2G) mobile phone system. This has also meant that data communication was easy to build into the system. The ubiquity of the GSM standard has been an advantage to both consumers (who benefit from the ability to roam and switch carriers without switching phones) and also to network operators (who can choose equipment from any of the many vendors implementing GSM). GSM also pioneered a low-cost (to the network carrier) alternative to voice calls, the Short Message Service (SMS, also called "text messaging"), which is now supported on other mobile standards as well. Another advantage is that the standard includes one worldwide emergency telephone number, 112. This makes it easier for international travellers to connect to emergency services without knowing the local emergency number.

Code division multiple access (CDMA) (SLIDE-18)

It is a channel access method utilized by various radio communication technologies. It should not be confused with the mobile phone standards called cdmaOne and CDMA2000 (which are often referred to as simply "CDMA"), that use CDMA as their underlying channel access methods. One of the basic concepts in data communication is the idea of allowing several transmitters to send information simultaneously over a single communication channel. This allows several users to share a bandwidth of frequencies. This concept is called multiplexing. CDMA employs spread-spectrum technology and a special coding scheme (where each transmitter is assigned a code) to allow multiple users to be multiplexed over the same physical channel. By contrast, time division multiple access (TDMA) divides access by time, while frequency-division multiple access (FDMA) divides it by frequency. CDMA is a form of "spread-spectrum" signalling, since the modulated coded signal has a much higher data bandwidth than the data being communicated.

An analogy to the problem of multiple access is a room (channel) in which people wish to communicate with each other. To avoid confusion, people could take turns speaking (time division), speak at different pitches (frequency division), or speak in different languages (code division). CDMA is analogous to the last example where people speaking the same language can understand each other, but not other people. Similarly, in radio CDMA, each group of users is given a shared code. Many codes occupy the same channel, but only users associated with a particular code can understand each other.
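
The code-division idea described above, worked through as an added example that is not part of the original notes. It assumes Walsh-Hadamard orthogonal codes and simple +/-1 chip arithmetic (the notes do not name a coding scheme); all function names and the sample bit streams are constructed for illustration.

```python
# Added illustration: code-division multiplexing with orthogonal codes.
# Assumption: Walsh-Hadamard codes and +/-1 chip arithmetic; the notes only
# say each transmitter is assigned a code. All names here are hypothetical.

def walsh_codes(n):
    """Return n mutually orthogonal +/-1 codes of length n (n a power of two)."""
    if n < 1 or n & (n - 1):
        raise ValueError("n must be a power of two")
    codes = [[1]]
    while len(codes) < n:
        # Sylvester construction: [H H; H -H] doubles the code set each round.
        codes = ([row + row for row in codes]
                 + [row + [-c for c in row] for row in codes])
    return codes


def spread(bits, code):
    """Turn each bit into a +/-1 symbol and multiply it by every chip of the code."""
    chips = []
    for bit in bits:
        symbol = 1 if bit else -1
        chips.extend(symbol * c for c in code)
    return chips


def channel(*signals):
    """All transmitters share one channel: their chip streams simply add up."""
    if len({len(s) for s in signals}) != 1:
        raise ValueError("all transmitters must send the same number of chips")
    return [sum(column) for column in zip(*signals)]


def despread(received, code):
    """Correlate each symbol period with one code.

    Returns 1 or 0 per symbol, or None when the correlation is zero,
    meaning no transmitter on the channel is using this code.
    """
    n = len(code)
    bits = []
    for start in range(0, len(received), n):
        corr = sum(r * c for r, c in zip(received[start:start + n], code))
        bits.append(None if corr == 0 else int(corr > 0))
    return bits


def demo():
    """Three transmitters share a channel; code 0 is left unused."""
    codes = walsh_codes(4)
    sent = {1: [1, 0, 1], 2: [0, 0, 1], 3: [1, 1, 0]}  # constructed data
    received = channel(*(spread(bits, codes[i]) for i, bits in sent.items()))
    # A receiver tuned to each code recovers only that transmitter's bits.
    return {i: despread(received, codes[i]) for i in range(4)}


if __name__ == "__main__":
    for index, bits in demo().items():
        print(f"code {index}: {bits}")
```

Code separation here is a multiplexing property, not a confidentiality control: any receiver that knows a code can despread that stream, so protecting the data still depends on encryption.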

Mobile Device Security (SLIDE-19)

Mobile devices are well on their way to surpassing the functionality of PCs, and we've become increasingly reliant on our mobile devices in our day-to-day lives. That's great news for operators and end users alike. Unfortunately, such devices also present new targets to hackers and cybercriminals. Mobile devices have wireless capability to connect to the Internet and office/home computer systems. However, wireless capability poses a number of security risks. Managing the risks to mobile assets requires knowledge of the threats posed to mobile devices and the vulnerabilities that may allow those threats to be realized. The Mobile Device Vulnerability Database (MDVD) is an online database for collecting vulnerability and countermeasure information on mobile computing devices and their technologies (smartphone, personal digital assistant (PDA), Wi-Fi, Bluetooth, WiMAX, VoIP, etc.).

According to the McAfee Mobile Security Report 2008:

- (SLIDE-20) More than 86 percent of consumers worry about receiving inappropriate or unsolicited content, fraudulent bill increases, or information loss or theft.
- More than 72 percent of users expressed concerns regarding the safety of using emerging mobile services.

(SLIDE-21) Nearly 14 percent of global mobile users have been directly infected or have known someone who was infected by a mobile virus. In spite of these concerns, mobile security hasn't yet taken hold the way it has in the PC environment. (SLIDE-22) According to our report, at least 79 percent of consumers are knowingly using unprotected devices, (SLIDE-23) with another 15 percent unsure of their devices' security levels.

Mobile devices -- Areas of risk (SLIDE-24)

1. Loss of general company data and files from these increasingly memory-laden devices.
2. Key sales contacts could go to a competitor -- or be lost altogether.
3. Physical loss of the device.
4. The employee's time to recover from the loss -- which can be a few hours or a few days -- is usually worth far more than the replacement costs of the device and software.
5. The time needed by the network administration team to replace the device and handle the loss.
6. Introduction of viruses and malware into the company's installed computer base, usually when synchronizing PC and handset in the office and on a home PC.
7. The use of such devices as means of stealing company information. The "inside job" on data theft can be pulled off using a wide variety of mobile devices, from PDAs to lowly MP3 players.

Device theft (SLIDE-25)

The theft of unprotected notebooks, PDAs or mobile phones is rampant. According to a recent study by Safeware, a computer insurance company, an estimated 319,000 laptops were stolen in the United States in 1999. Laptops, PDAs and other wireless devices are certainly the easiest kinds of computers to steal. They are small, lightweight, easily concealed, and easily resold on the black market. They can be taken home by a jealous co-worker or stranger, or used to gain access to company systems and proprietary data. There are steps you can take to protect your mobile equipment. Here are some safeguard tips:

- Lock your laptop and mobile device in your desk when leaving the office.
- Secure your laptop with a cable and put an alarm on your mobile device.
- Permanently engrave your company's name and ID on the equipment.
- Keep the serial number, make and model information of your laptop and mobile device separate from the computer.
- Never save passwords in the computer or store them in the computer bag.
- You may even turn to innovative technologies like radio wave-based proximity cards, card keys that shut down computers when the particular users are out of range.

Virus Infection

Viruses can infect wireless devices just as they infect wired computers. In fact, there are records of virus infections of mobile devices. There is a virus called Palm/Phage, which is able to infect Palm OS, but it is not in the wild and poses little threat. Nonetheless, it is sensible to keep backups of any Palm applications and data. There is also a Trojan horse known as Palm/Liberty-A, which is able to infect the Palm OS. It deletes Palm OS applications. Like Phage, it is low risk and you are unlikely to ever encounter it. The question one ponders is, can mobile devices be protected from viruses? The answer is yes, and we may add that one of the most efficient ways to protect mobile devices is to check data when transferring it to or from the device.

- Make sure all host systems that your users are connecting their devices to are protected with current antivirus software. In many cases, the desktop system can catch infected applications before they are installed on the mobile device.
- If your users are not using Bluetooth on their phones, PDAs, luxury automobiles or other gadgets, have them disable the feature altogether. In addition to closing the door on some types of malware and unwanted advertising, this will improve battery life on the device.
- If your users simply cannot live without their Bluetooth accessories, make sure that at the very least, their phone/PDA/etc. is not set to be discoverable. While this is not a guarantee that a skilled attacker will not see the device given time and motivation, it will provide some defence against attackers of opportunity. A better practice is to instruct users to activate Bluetooth when they need it and turn it off when not in use.
- While it may seem a bit obvious, we infosec types need to educate our users that, just as they should not click on every attachment sent to their PC e-mail inbox, they should view unsolicited messages and software on PDAs and phones with suspicion. The malware released to date for phones and PDAs requires help from the victim in order to spread. No help, no virus.
- Information kept on phones and PDAs should exist somewhere else as well. Malware is one threat to mobile devices, but there are many others: theft, loss, damage to name a few. No matter which of these results in data loss, having a backup will make recovery easier.

Restricting mobile security threats (SLIDE-26)

Here are some key defences against data loss, network compromise and compliance threats:

- Develop a comprehensive, strategic plan for mobile devices that incorporates security policies and procedures with strict accountability.
- When it comes to security, treat smartphones, laptops, personal digital assistants and other mobile devices no differently than desktop computers. Apply the same security software to them, including antispyware software.
- IT, not employees, should select which mobile devices to use in the enterprise, and the company should own them and maintain central control. This way, IT can easily apply software patches and end-to-end encryption. Install acceptable software applications on mobile devices and warn users against adding unauthorized applications on their own.
- Create acceptable usage policies for mobile devices and proactively educate users about them. IT should put in place an enforcement technology behind written usage and security policies for mobile devices. In other words, apply technologies that make it impossible (or near impossible) for users or devices to break company policy.
- Audit and monitor mobile device activity among employees to prove security policy compliance. Audits can reveal how effective a written policy is and how soundly employees are adhering to it. Regular audits can also help amass proof of compliance with HIPAA and other regulations.

Best practices for protecting handhelds from mobile malware (SLIDE-27)

Here are some best practices to help your users avoid mobile malware and its potential woes:

- Computers to which users connect their mobile devices should be virus protected.
- Keep the Bluetooth of mobile devices disabled when not in use.
- Suspicious e-mail attachments should not be downloaded, as they may contain malicious programs.
- A backup of the information on phones and PDAs should be kept on some other storage device.
- Ignore unwanted advertisements.

Critical mobile security mistakes -- things to look out for and gain control of going forward. (SLIDE-28)

1. Not knowing what is really at risk. Most employees and managers haven't really thought about what there is to lose -- especially when it comes to the lack of physical security controls with mobile devices. Simply put, people aren't valuing business assets and treating the threats and vulnerabilities seriously enough.
2. Not taking the complexities involved seriously enough. It is easy to assume that mobile security is simply achieved. You just encrypt wireless traffic and laptop hard drives and all is well, right? Not really. For starters, it's all in how encryption is used and when it's used. Also, with the lack of physical controls, unauthorized usage is very difficult to prevent or trace back. The software side of mobile security is a complex beast and it cannot be taken lightly.
3. Being too trusting of people. Many in IT and upper management are too trusting of employees and of outside contractors and visitors. They are often given a lot of privileges with mobile devices -- both on and off the network -- but no one really knows how they're using them.
4. Not using technology for help. There is a great over-reliance on policies to keep information safe -- especially at the management level. The assumption is that a policy is in place, so everything is safe and sound. There are lots of security controls from power-on passwords to BitLocker drive encryption in Windows Vista, from WPA encryption to the Microsoft PPTP VPN (among others). The key is making the choice to use them. If the controls you need are not there by default, there are solutions available to keep mobile systems secure from the elements.
5. Not understanding how the bad guys work. Mobile systems (wireless LANs included) aren't being properly tested for security exploits. In fact, mobile systems are often outside the scope of security assessments. Of the testing that is being done, it is often a checklist audit with no in-depth testing or ethical hacking to find out just what controls can be bypassed and exploited. Looking at mobile systems with a malicious attitude and good tools is absolutely necessary to find the real problems.

Gain control with a mobile security policy (SLIDE-29)

To manage security risks, companies need to define which mobile devices are allowed and under what conditions. They should place limits on network and application access and on business data storage and transfer. Security measures and practices should be required and processes defined to monitor and enforce compliance. These decisions should be documented in a mobile device security policy -- a formal statement of the rules by which mobile devices must abide when accessing business systems and data. Such policies may include the following sections:

1. Objective: Identify the company, organizational unit and business purpose of the policy.
2. Ownership and authority: Identify those responsible for policy creation and maintenance (development team), those responsible for policy monitoring and enforcement (compliance team), and those responsible for policy approval and management oversight (the policy's owners).
3. Scope: Identify the users/groups and devices that must adhere to this policy when accessing business networks, services and data. Enumerate the mobile device models and minimum OS versions allowed to access or store business data. Identify the organizational units that are (or are not) permitted to do so.
4. Risk assessment: Identify the business data and communication covered by this policy -- your company assets that may be placed at risk by mobile devices. For each asset, identify threats and business impacts, taking into consideration both probability and cost.
5. Security measures: Identify recommended and required mobile security measures and practices, including:
   - Power-on authentication to control lost/stolen device use
   - File/folder encryption to prevent unauthorized data disclosure
   - Backup and restore to protect against business data loss or corruption
   - Secure communication to stop eavesdropping and backdoor network access
   - Mobile firewalls to inhibit wireless-borne attacks against devices
   - Mobile antivirus and IDS to detect and prevent device compromise
   - Application and interface authorization to control program installation, network use, synchronization and data transfer to/from removable storage
6. Acceptable usage: Define what users must do to comply with this policy, including procedures required for device registration, security software download and installation, and policy configuration and update. Enumerate best practices that users are required to follow, including banned activities. If users understand what they can and cannot do and why, they will be less frustrated and more likely to comply with stated policy.
7. Deployment process: Define how you plan to implement and verify your mobile security policy. It is a good idea to begin with a trial, taking both your mobile security software and defined procedures out for a test drive with a small group of users. Many security policies fail because they prove impractical to deploy or use. Working out these kinks before requiring everyone to follow your policy will increase voluntary compliance and overall effectiveness. Don't forget to include training for administrators and users in your deployment process.
8. Auditing and enforcement: Voluntary compliance is nice, but insufficient for truly managing business risk. Effective policies ensure compliance through monitoring and enforcement.
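
One way to turn the Scope, Security measures and Auditing sections above into an automated check, as an added example that is not part of the original notes. The device models, OS versions, field names and inventory records are all constructed; a real deployment would pull the inventory from its device management system.

```python
# Added illustration: auditing a device inventory against a mobile security
# policy. Model names, versions, field names and records are all constructed.

REQUIRED_MEASURES = (
    "power_on_auth",  # power-on authentication
    "encryption",     # file/folder encryption
    "backup",         # backup and restore
    "secure_comms",   # secure communication
    "firewall",       # mobile firewall
    "antivirus",      # mobile antivirus and IDS
)

POLICY = {
    # Scope: allowed device models and the minimum OS version for each.
    "allowed_models": {"ExamplePhone A": "4.2", "ExamplePDA B": "6.10"},
    "required_measures": REQUIRED_MEASURES,
}


def parse_version(text):
    """'6.10.1' -> (6, 10, 1), so 6.10 sorts above 6.9 (a string compare would not)."""
    return tuple(int(part) for part in text.strip().split("."))


def audit_device(device, policy=POLICY):
    """Return a list of policy findings for one device; empty means compliant."""
    findings = []
    model = device.get("model")
    minimum = policy["allowed_models"].get(model)
    if minimum is None:
        findings.append(f"model not in policy scope: {model!r}")
    else:
        try:
            too_old = parse_version(device["os_version"]) < parse_version(minimum)
        except (KeyError, ValueError, AttributeError):
            # Fail closed: an unreadable version is treated as a finding.
            findings.append("OS version missing or unreadable")
        else:
            if too_old:
                findings.append(
                    f"OS {device['os_version']} is below the minimum {minimum}")
    measures = device.get("measures", {})
    for name in policy["required_measures"]:
        # A measure that was never reported counts the same as one switched off.
        if measures.get(name) is not True:
            findings.append(f"required measure not enabled: {name}")
    return findings


def audit_fleet(inventory, policy=POLICY):
    """Map device id -> findings, listing only the non-compliant devices."""
    report = {}
    for device in inventory:
        findings = audit_device(device, policy)
        if findings:
            report[device.get("id", "<no id>")] = findings
    return report


ALL_ON = dict.fromkeys(REQUIRED_MEASURES, True)

# Constructed inventory records.
INVENTORY = [
    {"id": "D-001", "model": "ExamplePhone A", "os_version": "4.2.1",
     "measures": dict(ALL_ON)},
    {"id": "D-002", "model": "ExamplePDA B", "os_version": "6.9",
     "measures": dict(ALL_ON)},
    {"id": "D-003", "model": "ExamplePhone A", "os_version": "4.3",
     "measures": {"power_on_auth": True, "encryption": False,
                  "secure_comms": True, "firewall": True, "antivirus": True}},
    {"id": "D-004", "model": "UnlistedTablet", "os_version": "1.0",
     "measures": dict(ALL_ON)},
]

if __name__ == "__main__":
    for device_id, findings in audit_fleet(INVENTORY).items():
        for finding in findings:
            print(f"{device_id}: {finding}")
```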

Summary (SLIDE-30)

As the use of mobile devices in enterprise organizations increases, corporate and government organizations need to take the necessary steps to maintain the security of their email and application data. In using wireless devices, data is increasingly transmitted outside the corporate network and stored on mobile devices outside the physical boundaries of the organization. Mobile devices are potentially subject to man-in-the-middle attacks, DoS attacks, malware threats, and other data breaches. While losing data is only an embarrassment for some organizations, financial and legal risks may result in many cases. An effective wireless solution should be designed for enterprise-grade security and provide an architecture specifically for the realities of mobility. In many cases, solutions that work in a desktop environment are impractical for mobile computing, given the constrained processing, memory and battery resources of mobile devices. The corporate firewall is a critical component in protecting an organization's data and should protect against opportunities for attack or malicious use. The connection over the wireless network must be secure to maintain confidentiality, authenticity, and integrity of the data transmitted. And finally, mobile devices must be protected from data loss, tampering and malware infection.

(SLIDE-31)
