
Weak Mobile Security December 7, 2013

Posted by patrickcallan2013 in Security.

The increasing use, power and capabilities of smartphones should make mobile security a top priority in every organization. The common practice of allowing, and in many cases encouraging, employees to use personal cell phones to conduct business creates a complex and difficult environment for IT to maintain computer system security. Mobile represents a significant security risk that many organizations currently ignore, as Chickowski comments: “… many organizations these days not only do not manage their mobile security risks, they don’t even manage mobile devices. Organizations need better control over the devices that connect to their networks if they want to keep a tight reign over corporate data …” [1] As Chickowski notes, there are a variety of steps that could be taken to enhance security, including selecting a standard secure cell phone model, using encryption and authentication, etc., but many organizations do not apply these available security measures.

Many organizations have a variety of internal policies, such as mandatory log off when an employee is not in front of the computer, and this policy is reinforced in human resource evaluations and recorded reprimands that could lead to dismissal. Despite stringent internal policies, accompanied by enforcement, to protect the corporate network and data resources, the mobile phone policy is often non-existent or extremely lax, with minimal oversight. Organizations need to balance these contradictory approaches to security, as ultimately overall system security depends on attending to all network access points in a reasonable manner. Strong security internally is compromised by very weak mobile phone security externally. Security requires assessing all security risks and implementing policies, processes and technologies that mitigate the most likely risks.

Security depends upon people using computing resources, and mobile devices that access those resources, in a responsible and secure manner. People determine system security as they know how to defeat system security features or evade well intentioned security policies by leaving networked devices always logged on, using simple passwords or not encrypting data for convenience. The people aspect of security is often overlooked as organizations focus efforts on applying security technologies and modifying processes to improve security.

Security experts with decades of experience emphasize that security involves people, not just technology and processes. [2] Spafford states, “The Worm was caused by a breakdown of ethics as well as lapses in security – a purely technological attempt at prevention will not address the full problem, and may just cause new difficulties.” [3] In a 2011 MIT Killian Faculty Achievement Award Lecture, Rivest commented that prime factoring, the basis of RSA encryption, “… could turn out to be easy.” So it remains possible, he told the audience, that “maybe someone here will find the method” that renders the RSA encryption system vulnerable. [4] Another article, “Reflections on Trusting Trust Revisited”, states, “Given our nearly unbroken track record of failed security technologies, we should view claims regarding a system’s trustworthiness with skepticism … [and] can rest assured that the war for total control of computing devices cannot be won.” [5]

Mobile security appears extremely weak given the neglect of all three aspects of system security: people, processes and technology. Given the current extremely lax mobile security measures in place, system security is easily compromised in most organizations via mobile devices. Maintaining security while using mobile devices will be very challenging, but it is necessary to protect the organizations’ information systems and data.

Sources

[1] Chickowski, Erika. “10 Best Practices for Mobile Device Security”. Baseline 2009-02-26. Accessed on 12/5/2013 at http://www.baselinemag.com/c/a/Mobile-and-Wireless/10-Best-Practices-for-Mobile-Device-Security/ .

[2] Wolff, Jeremy. “Smartphones: Business Risk or Opportunity?”. Information Management. October 28, 2013. Accessed on 10/28/2013 at http://www.information-management.com/news/smartphones-business-risk-or-opportunity-10024998-1.html#Login .

[3] Spafford, Eugene H. “The Internet Worm Program: An Analysis”. SIGCOMM Computer Communication Review Volume 19 Issue 1. January 1989.

[4] Accessed on 11/13/2013 at http://phys.org/news/2011-02-rivest-cryptography-future.html .

[5] Spinellis, Diomidis. “Reflections on Trusting Trust Revisited.” Communications of the ACM Volume 46 Number 6. June 2003.
