Business Security framework

Description
Documentation covering Executive Challenges to Mobile Business Security, Smart-phone viruses, Exposure of critical information, Remote Wiretapping, Employee Compliance Challenges, Employee Risks, Technology based solutions, Handling data - encryption, Application Service Providers and Virtual Private Network, Phishing Detection, Mobile Authentication, Authenticating and protecting identity, Employee Compliance based solutions, and An analytical framework for Mobile Business Security.

Draft Version: An analytical Framework for Mobile Business Security

An Analytical Framework for Mobile Business Security

1|Page

Contents

Executive Summary ........ 4
Chapter 1 ........ 5
  Introduction ........ 5
Chapter 2 ........ 10
  Challenges to Mobile Business Security ........ 10
    Technology based challenges ........ 10
      Smart-phone viruses ........ 11
      Mobile Botnets ........ 13
      Spam ........ 14
      Safe Browsing Environment ........ 16
      Difficult Patching/Update Process ........ 16
      Exposure of critical information ........ 17
      Remote Wiretapping ........ 17
    Employee Compliance Challenges ........ 18
      Employee Risks ........ 18
      Employee Compliance ........ 18
      Governance Structure ........ 21
Chapter 3 ........ 23
  Solutions for the Challenges ........ 23
    Technology based solutions ........ 23
      Handling data - encryption ........ 23
      Application Service Providers and Virtual Private Network ........ 24
      Mobile anti-virus ........ 24
      Phishing Detection ........ 24
      Centralized Blacklists ........ 25
    Mobile Authentication ........ 25
      Authenticating and protecting identity ........ 25
    Employee Compliance based solutions ........ 26
      Employee participation and behavior ........ 26
      Policies ........ 27
      Training ........ 29
      Governance framework ........ 30
      Best practices ........ 31
Chapter 4 ........ 34
  An analytical framework for Mobile Business Security ........ 34
    Domains: What decisions need to be made? ........ 35
    Styles: Who has input and/or Decision Rights ........ 35
    Mechanisms: How are the decisions formed and enacted ........ 37
    Mobile Enterprise Architecture Framework ........ 38
    Handling Mobile Threats by Threat Modeling ........ 40
      Approach ........ 40
    Conclusion ........ 42
References ........ 43


Executive Summary
The paper introduces the recent and continuously emerging threats from mobile devices that affect enterprises and organizations, and provides a structured approach to handling them. A mobile governance framework, architecture and mobile threat modeling approaches have been developed in this paper based on current Information Technology (IT) governance frameworks and design. Organizations face challenges from mobile devices which have a technological aspect and a human aspect. This paper identifies these aspects and then delves into the details of the challenges and the potential harm they can cause. The technological challenges faced by organizations are smart-phone viruses, spam, providing a safe browsing environment, applying patches and updates, exposure of critical information and remote wiretapping. Employee risks, employee compliance and governance structure are some of the compliance based challenges faced by organizations. This paper provides solutions to address these challenges, again considered from a technological aspect and a human aspect. Handling data, configuring Application Service Providers (ASP) and setting up Virtual Private Networks (VPN), mobile anti-virus, phishing detection and centralized blacklists are the technological solutions that organizations can apply. Employee participation, compliance, training, policies and governance frameworks are the employee compliance based solutions. Finally, an analytical framework to handle mobile business security for organizations is discussed. The framework provides guidelines for organizations to implement mobile governance and an approach to handle the threats and issues that they continuously face.


Chapter 1
This paper proposes a framework to address the challenges faced in setting up mobile business security for organizations. It discusses the threats and issues that mobile devices have brought to enterprises and organizations. The paper provides solutions to those threats and issues by breaking them down into technical and employee compliance perspectives. The threats are new, and currently there are not many mobile governance frameworks that specifically handle the issues raised by mobile devices. There is a need for mobile governance which includes employee participation, training, policies and procedures and, above all, a framework which organizations can follow so that they can safely mitigate the risks and threats.

Introduction
Enterprise security on mobile operating systems and their installed applications is imperative. Historically, many users have migrated to mobile devices for a variety of reasons. These users include corporate users, users with limited or no access to a computer, and users wanting to connect with others for social purposes. Although all three classes are equally important, the one major class of users for whom security is imperative is the enterprise user (Dwivedi, Clark, & Thiel, 2009). As mobile devices migrate from personal use to corporate use, the data they hold will be considered sensitive and confidential. Organizations are beginning to understand the possible pros and cons that mobile technology offers, which will enable them to act appropriately. Smart phones such as iPhones and BlackBerrys, USB memory sticks, netbooks and tablet computers are forcing a quantum change in the mobile computing paradigm (Oltsik, 2010). The latest generation of mobile phone platforms is revolutionizing the way that we access, use and store information. Modern mobile devices continue to approach the capabilities and extensibility of standard desktop PCs. Unfortunately, these devices are also beginning to face many of the same security threats as desktops. Currently, mobile security solutions are similar to the traditional desktop model in which they run detection services on the device (Benett, 2008). This approach is complex and resource intensive in terms of computation and power.

The responsibility of providing security to information and resources in organizations lies in the hands of Chief Technology Officers (CTOs) and Information Technology (IT) managers (Clark, 2005). The primary goal of any IT security manager is to establish an environment that has an adequate level of confidentiality, integrity, and availability of resources (Charles P. Pfleeger, 2003). IT managers must assess current and potential vulnerabilities, threats, countermeasures, and acceptable risk in order to promote an acceptable level of security for their mobile computing environment.

Mobile devices are making employees more productive by giving them access from almost any part of the globe. This is encouraging large organizations to invest further in mobile devices and develop custom applications (Oltsik, 2010). Unfortunately, the data also indicates a growing mobile device security and management gap: mobile devices tend to be managed on an ad-hoc basis, increasing IT operations cost and complexity. Alarmingly, mobile devices remain relatively insecure even though they are used to access core applications and lots of sensitive data (Oltsik, 2010). The mobile security threat being faced is recent and a new challenge for many organizations. Goode Intelligence (GI) conducted a mobile security survey which included respondents from a wide cross section of sectors including finance, defense, government, healthcare, technology, telecommunications and utility. According to the survey, "just under half of the respondents (46%) did not have a specific documented security policy that covers mobile phones. In answer to the question 'how adequately do security standards and frameworks such as ISO 27001/2, COBIT and ISF Standard of Good Practice (SoGP) cover mobile?', 45% said that mobile was covered slightly or not at all. Only 10% stated that the standards cover mobile security policy well" (Goode, Managing Mobile Security, Goode Intelligence, 2009, p. 45).

According to the survey conducted by the Enterprise Systems Group, the use of mobile devices has become pervasive in enterprises, and in 44% of enterprise organizations at least half of all employees use their mobile devices to get their jobs done (Oltsik, 2010). Large organizations are also spending more budget dollars on mobile devices as well as on the people, processes, and technologies used to manage, support, and secure them. Eighty-two percent claim that mobile device spending is increasing, and 37% of all large organizations are spending significantly more on mobile devices (Oltsik, 2010). Figure 1.1 shows the responses of 174 organizations when asked "How would you characterize the general trend with respect to your organization's annual spending on mobile devices?"

Figure 1.1: Enterprise spending on mobile devices. Source: Enterprise Strategy Group, 2010

Enterprises also see that mobile device security goes hand-in-hand with IT operations. In fact, 80% of organizations believe it is “critical” or “important” to have integrated mobile device security and management solutions (Oltsik, 2010). Figure 1.2 shows the result of this survey and we can see how organizations are realizing the importance of mobile device security.

Figure 1.2: Mobile device security priorities. Source: Enterprise Strategy Group, 2010.

The remainder of the paper is organized into three more chapters. The next chapter lists the problems that organizations face in dealing with mobile security. It discusses the challenges faced by IT managers and classifies them into two types: technology based challenges and employee compliance based challenges. Both can be serious threats to the proper functioning of the company and need to be given due consideration.

The third chapter of the paper provides solutions to the problems organizations face in providing mobile security. The solutions have also been classified as technology based solutions and employee compliance based solutions. The mobile IT governance structure that needs to be in place is also discussed in this chapter.

The final chapter develops an analytical framework based on the problems faced and the solutions provided in the earlier two chapters. The framework works towards creating a structured, organized way of handling threats and sets out what policies and procedures organizations need to follow to deal with the mobile threats that surround them.


Chapter 2

Challenges to Mobile Business Security
This chapter will discuss the challenges that current business organizations face in terms of providing mobile business security. The types of challenges that are faced can be broadly classified as technology based challenges and employee compliance based challenges.

The technology based challenges are those that come up when technical details are involved. These challenges arise as a technology is developed and implemented. Since there are loopholes in any form of technology, it can be exploited by potential hackers, which can pose serious threats to organizations (Benett, 2008). The employee compliance based challenges are the human aspect of the challenges faced by organizations (Forge, 2007). These challenges mainly deal with what an employee understands, how he/she should comply with the policies of the organization, and how employee non-compliance can become a serious security issue.

Technology based challenges
The security challenges faced by mobile applications are largely similar to those faced by networked applications (Benett, 2008). Authentication of users and devices, viruses, access control and protecting data from hackers are some of the issues of networked applications (Benett, 2008). However, the mobile world has its own set of unique issues which add to the complexity in the security arena. The key concerns in mobile security are smartphone viruses, spam, providing a safe browsing environment, patching and updates, and exposure of critical information. They are discussed in detail in this chapter.


Smart-phone viruses
Mobile viruses can be a major threat for devices that have significant computational capabilities. Smart-phones share programs and data with each other, representing a fertile ground for virus writers (Asaf, Yuval, Uri, Yuval, & Shlomi, 2009). An infected smart-phone can inflict severe damage on both the user and the cellular service provider. To the user, the damage may include the loss or theft of private data, the disruption of normal phone usage and also monetary losses (for example, the virus may secretly use the Short Messaging Service (SMS) or Multimedia Messaging Service (MMS)). On the cellular infrastructure side, smart-phone viruses present a serious threat of Denial of Service (Asaf, Yuval, Uri, Yuval, & Shlomi, 2009). The following table classifies the types of smart-phone viruses based on the medium through which they spread. The medium is referred to as the infection vector.

As can be seen from Table 2.1, there are five mediums, called 'infection vectors', through which the viruses can be spread. They are discussed in detail below.

Cellular Network: Smartphone viruses can use the Multimedia Messaging Service (MMS) to spread within the traditionally virus-free cellular network. The most well-known virus of this kind is CommWarrior (Cheng, Wong, & Yang, 2009). When replicating over MMS, Commwarrior sends out MMS messages containing the infected Software Installation Script (SIS) file. On opening the MMS message, the recipient then becomes infected. Depending on the variant, Commwarrior may send an infected MMS message to all users listed in an infected phone's contact book; to anyone who sends a message to the infected user; or to anyone the infected user contacts. By virtue of its core telephony functionality, every smart-phone is almost always on and always connected to the cellular network, making this infection vector extremely contagious (Cheng, Wong, & Yang, 2009).

Bluetooth: A Bluetooth virus is innovative in that its spreading does not rely on the existence of any network infrastructure. Instead, it leverages the mobility of the users and short-range wireless connectivity to directly infect nearby Bluetooth users (Cheng, Wong, & Yang, 2009). It is especially contagious in a dense environment, as demonstrated by the Cabir outbreak at the World Athletics Championships (Cheng, Wong, & Yang, 2009). Cabir was released in June 2004 (Benett, 2008). This worm infects Symbian Series 60 smartphones by sending itself over Bluetooth connections. It requires the victim to open a messaging inbox file and click "Yes" when prompted by the installer. Cabir then tries to spread by searching for nearby Bluetooth devices in discoverable mode (Benett, 2008).

Internet: Most smart-phones are capable of accessing the Internet (via WiFi, GPRS/EDGE or 3G network access), and run the risk of contracting viruses through file downloads from the Internet much like desktop computers. A smart-phone user can be lured into downloading files such as Skulls and Doomboot, disguised as games, and end up infected by a smartphone virus (Beaver, 2009). Figure 2.1 below shows Doomboot asking permission to install.


Fig 2.1: Doomboot, masquerading as the game Doom 2, asking for permission to install. Source: (Abu-Nimeh, Becher, Fogie, Morales, & Wright, 2010)

USB/ActiveSync/Docking: Frequently, smart-phones are connected to a desktop computer in order to synchronize calendar events and new contacts. A smart-phone virus could potentially penetrate the computer in the event of synchronization (Cheng, Wong, & Yang, 2009).

Mobile Botnets
"A botnet is a set of compromised computers, or bot clients, running malicious software that enables a 'botherder' or 'botmaster' to control these computers remotely" (US-CERT, 2010). A botherder or botmaster can design a botnet to perform certain actions, such as information stealing or launching a denial of service, and issue commands to the bot clients from a command and control (C2) server. Since mobile networks are now well integrated with the Internet, botnets are beginning to migrate to mobile devices. Due to their ability to support rich content, MMS messages have a body field where Extensible Markup Language (XML) messages can be hidden (Ruste Flo & Josang, 2009). Unlike Internet communication, Internet Protocol (IP) addresses are not used when exchanging SMS or MMS messages. Instead, mobile devices have an International Mobile Subscriber Identity (IMSI) and a Mobile Subscriber Integrated Services Digital Network Number (MSISDN). These numbers are used to authenticate, register, and identify mobile network subscriptions by mapping the device to a phone number. The IMSI is embedded in the device hardware or contained on a removable card such as a Removable User Identity Module (R-UIM) card in Code Division Multiple Access (CDMA) networks or a Subscriber Identity Module (SIM) card in Global System for Mobile Communications (GSM) networks (Ruste Flo & Josang, 2009). The MSISDN represents a phone number and is used to route communication to the subscriber. The Domain Name System (DNS) also does not exist on mobile networks, making advanced networking techniques such as fast flux and multi-homing impossible in mobile networks (Ruste Flo & Josang, 2009). However, since mobile devices can have constant connections to the Internet, they can potentially be utilized like any other computer while maintaining all of their functionality within a mobile network. Compromised text messaging services can have disastrous consequences.

Spam
Spam causes disruption and drives up costs when it is targeted toward wireless devices. According to a Cloudmark-commissioned survey from Harris Interactive, nearly two thirds of mobile device owners are concerned about security (Guerre, 2009). The survey showed that security concerns are preventing many users from adopting new mobile services for financial transactions and shopping. Spam is reaching more mobile users and becoming a greater nuisance (Guerre, 2009). According to a recent report from Nucleus Research, "businesses lose an average of $874 per employee, per year, due to lost productivity related to handling spam" (NucleusResearch, 2007). Spam is a threat as it affects the productivity of employees in organizations. Spam wastes bandwidth in a network and affects the mail servers in terms of storage. Figure 2.2 shows that users' perception of security is proving to be a significant barrier to their adoption of mobile services, especially for mobile financial transactions.

Figure 2.2: Mobile device activities prevented by security concerns. Source: CloudMark survey (http://www.wirelessandmobilenews.com/2009/07/mobile-security-concerns-preventing-new-trans-sayscloudmark.html)

The following analysis and results are seen in Figure 2.2 (Guerre, 2009):

- 65 percent of all mobile device owners expressed concerns about the security of their device.
- Nearly half (46 percent) of these concerned device owners said that their worries about security prevented them from conducting activities on their mobile device.
- Of the activities mobile device owners said they were prevented from doing because of their concerns, financial transactions such as paying bills (73 percent), conducting banking activities (71 percent) and shopping (56 percent) were named most often.
- 79 percent of mobile device owners said that they have never sent or received confidential information of any kind through their device, which may further illustrate their lack of confidence in security.

Safe Browsing Environment
One of the biggest exposures to a mobile device is the user's browsing behavior. Many technical issues could be addressed here, but one of the basic issues is the lack of display space on the mobile device (Dwivedi, Clark, & Thiel, 2009). For example, the inability to view an entire URL on a mobile browser or in some cases the inability to view the URL at all, makes phishing links significantly more effective. The mobile browser security model for each device will have to pay special attention to such common but burdensome issues (Dwivedi, Clark, & Thiel, 2009).
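The truncation problem described above, as an added example that is not code from the paper or from any browser vendor: a small Python model of a narrow address bar, the check that flags a link whose real host falls outside the characters the user can see, and the host-first rendering that is the usual mitigation (elide the path, never the host). The URLs, the 32-character width and the "first N-1 characters plus an ellipsis" display model are constructed assumptions.

```python
"""Why a truncated mobile address bar makes phishing links more effective,
and the check a mobile browser or link-scanning gateway can apply.

Added example, not from the paper. The URLs, the display width and the
display model below are constructed for illustration.
"""
from urllib.parse import urlsplit

ELLIPSIS = "\u2026"


def visible_prefix(url: str, width: int) -> str:
    """Model of a narrow address bar: show the leading characters and elide
    the rest (assumed display behaviour, standing in for a real browser)."""
    if len(url) <= width:
        return url
    return url[: width - 1] + ELLIPSIS


def actual_host(url: str) -> str:
    """Host the browser will really connect to, ignoring any 'user@' prefix
    and port, lower-cased so the comparison is case-insensitive."""
    return (urlsplit(url).hostname or "").lower()


def truncation_hides_host(url: str, width: int) -> bool:
    """True when the characters the user can read do not contain the host
    the connection actually goes to. A familiar-looking prefix in front of
    the real host is what the user sees; the real host is cut off."""
    host = actual_host(url)
    if not host:
        return False  # not a URL with a host; nothing to judge
    return host not in visible_prefix(url, width).lower()


def host_first_label(url: str, width: int) -> str:
    """Mitigation: render the real host first and in full, and elide only
    the path. The host is never shortened, even if it exceeds the width."""
    host = actual_host(url)
    path = urlsplit(url).path or "/"
    label = host + path
    if len(label) <= width:
        return label
    room = width - len(host) - 1  # room for path characters plus the ellipsis
    if room <= 0:
        return host
    return host + path[:room] + ELLIPSIS


def audit(urls, width: int) -> dict:
    """Run the check over a batch of links (e.g. from a mail gateway feed)
    and report which ones a narrow display would misrepresent."""
    return {u: truncation_hides_host(u, width) for u in urls}


# Constructed sample links, not real sites. `.example` is a reserved TLD.
LEGIT_URL = "https://www.bank.example.com/account/verify?id=12345"
LOOKALIKE_URL = (
    "https://www.bank.example.com.login-secure.attacker.example/account/verify?id=12345"
)
USERINFO_URL = "https://www.bank.example.com@attacker.example/login"
DISPLAY_WIDTH = 32  # assumed narrow address bar

if __name__ == "__main__":
    results = audit([LEGIT_URL, LOOKALIKE_URL, USERINFO_URL], DISPLAY_WIDTH)
    for url, hidden in results.items():
        flag = "HIDDEN " if hidden else "visible"
        print(f"{flag}  shown: {visible_prefix(url, DISPLAY_WIDTH)}")
        print(f"         safer: {host_first_label(url, DISPLAY_WIDTH)}")
```

The check deliberately compares against the host that the URL parser resolves, not against the leading text, so both the "long look-alike prefix" case and the "user@host" case are caught by the same test; the host-first label shows why modern mobile browsers elide the path rather than the domain.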

Difficult Patching/Update Process
Patching and updating a mobile device is not a technical challenge, but other considerations make the process a bit of a problem (Dwivedi, Clark, & Thiel, 2009). The first big hurdle is the mobile carriers. Carriers have big problems with immediate system updates and patching because they have little response time for testing (Dwivedi, Clark, & Thiel, 2009). If a mobile operating system patch breaks a few applications running on top of it, the carriers will be held responsible by their users. For example, if a Motorola phone is running an Android OS and a patch needs to be released, Motorola will be asked to coordinate with the carriers for a proper release cycle. The mobile carriers can be T-Mobile, Sprint, or AT&T. If any of the carriers sees that its user base is being affected negatively, it will probably want to prevent the patch from being deployed quickly, even if it poses a significant security risk. This is an issue that regular desktop operating systems never have to deal with.


Exposure of critical information
Wireless LAN (WLAN) signals can travel a significant distance, and these signals can be tapped using a wireless sniffer. A hacker can expose critical information if sufficient security has not been implemented. Figure 2.2 shows the vulnerable areas of a WLAN.

Fig 2.2: Vulnerabilities of WLAN. Source: http://www.tml.tkk.fi/Studies/Tik-110.300/1999/Wireless/vulnerability_4.html

In Figure 2.2, it can be seen that to attack a wireless LAN, the hacker can gain entry through the access points. The Man-In-The-Middle (MIM or MITM) attack is based on this vulnerability of WLANs.

Remote Wiretapping
A smart-phone hacker can passively record the owner's conversations with others and then stealthily report back to some spies (Guo, 2008). Such attacks could be hard to detect since recording and reporting can be two asynchronous steps; the report traffic can even be encrypted and tunneled along with other legitimate Internet traffic to further evade detection. It is even difficult for the smart-phone owner to notice the spying activity (Guo, 2008).


Employee Compliance Challenges
Employee Risks
Employees who carry mobile devices bring certain risks to the organization. The following are the risks (Beaver, 2009):

- Losing company data and files through memory overload on the devices.
- Key sales contacts stored on the mobile devices could go to prying competitors or be completely lost.
- Physical loss of the device.
- The employee's time to recover from the loss, which can be a few hours or a few days, is usually worth far more than the replacement cost of the device and software.
- The time the network administration team needs to replace the device and handle the loss.
- Introduction of viruses and malware into the company's installed computer base, usually when synchronizing PC and handset in the office or on a home PC.
- The use of mobile devices as a means of stealing company information. Data theft can be carried out using a wide variety of mobile devices, from Personal Digital Assistants (PDAs) to MP3 players.

Employee Compliance
As the focus in mobile information security shifts toward individual and organizational perspectives, employees' compliance with information security policies (ISPs) has emerged as a key socio-organizational resource (Boss & Kirsh, 2009), because employees are often the weakest link in information security (Mitnick & Simon, 2002). Organizations create ISPs to provide employees with guidelines on how to ensure information security while they utilize information systems in the course of performing their jobs (Whitman, Townsend, & Aalberts, 2001); however, these alone are not sufficient to ensure employees' compliance with them.

Employees who are authorized to use a particular system or facility may pose a challenge to an organization because their ignorance, mistakes and deliberate acts can jeopardize information security (Lee, Lee, & Yoo, 2002, pp. 57-63). The mere existence of policies does not automatically translate into desirable behaviors, because employees may not be motivated to perform the activities required to protect their organization's information and technology resources (Stanton, Stam, Mastrangelo, & Jolton, 2005). Hence, identifying what drives employees' compliance with the roles and responsibilities stipulated in the ISP is imperative. Although rewards and punishments provide external motivation, an employee's intrinsic desires provide internal motivation to follow rules and regulations (Tyler & Blader, 2005). An employee's attitude is influenced by the benefit of compliance, the cost of compliance and the cost of non-compliance, which are beliefs about the overall assessment of the consequences of compliance or non-compliance (Stanton, Stam, Mastrangelo, & Jolton, 2005).

Security on mobile devices continues to be a major challenge as companies struggle with increased levels of attacks and as mobile devices become the preferred platform for enterprise users. It is expected that notebooks will represent 50% of enterprise PC deployments within two to three years, and that more than 85% of enterprise users will deploy smart-phone devices within the same time frame (Beaver, 2009). It is clear, then, that mobile security should be at the forefront of most enterprises' security planning. Table 2.2 lists actual examples where sensitive information was lost or mishandled due to employee non-compliance. The table also lists what disciplinary actions had to be taken.

Governance Structure
Governance differs from management in that governance is about deciding who makes decisions, whereas management is about making decisions once decision rights have been assigned (McNurlin, Sprague, & Bui, 2008, p. 73). The process of organizational design often involves making determinations between competing design forms where there may be trade-offs between efficiency, flexibility, accountability and other factors (Straub, 1988). Most employees are more motivated if they have more control over their work. If they are able to react to changes in their environment without seeking approval or waiting for oversight, they can quickly satisfy customer demand or respond to competitive pressures (Warkentin & Allen, 2008). However, the lack of control may open the organization to certain risks. For example, employees that are motivated by localized priorities may take decisions that have a positive short-term benefit at the mid-level but a negative long-term impact on the organization. The fundamental concerns of governance are (Warkentin & Allen, 2008):
1. To ensure that conditions apply whereby a firm's directors and managers act in the interests of the firm and its shareholders.
2. To ensure the means are in place whereby managers are held accountable to investors for the use of assets.

Determining who decides
Decision making can be confusing as new technology is emerging and evolving at an ever-increasing rate. Certain decisions need to be made regarding mobile governance in organizations. These decisions are similar to the IT Governance framework proposed by Peter Weill and Marianne Broadbent (2009). Based on their work, the following are the proposed decisions that would need to be made for mobile governance:
1. What are the mobile IT principles, and how will value be generated?
2. What are the mobile infrastructure strategies?
3. What is the mobile IT architecture?
4. What are the mobile business applications?
5. How much investment needs to be made in mobile technologies?
After the above questions are answered, it is necessary to identify who is involved in decision making and how they are involved. This is discussed in more detail in the mobile framework provided in chapter four. Thus, the main challenges seen for mobile security in organizations today are technology challenges and compliance challenges. They are summarized in Table 2.3 below:

Technology Challenges
1. Smart phone viruses
2. Spamming
3. Safe browsing environment
4. Exposure of critical information

Compliance Challenges
1. Employee action risks
2. Employee behavior
3. Employee non-conformity
4. Ambiguous policies

Table 2.3: Major technology and compliance challenges faced by organizations

Chapter 3 Solutions for the Challenges
This chapter discusses the solutions that organizations can implement for mobile security. The solutions can be classified as technology based solutions and compliance based solutions. The chapter also discusses the importance of mobile authentication, as this can be a critical aspect of an organization's security, and how proper authentication can be implemented. Given the nature of the mobile environment, unfortunately there is no single security solution that will work; this is the key difficulty of mobile security. Enterprises must treat mobile security as an independent task (Benett, 2008). Mobile-usage-specific security policies must be created and implemented, and a comprehensive risk analysis of the potential security hazards associated with the use of mobile devices should be carried out (Benett, 2008).

Technology based solutions:
Handling data: encryption
A good compromise between ease of use and total security is to encrypt selected confidential or sensitive data files (Benett, 2008). Even if the data does not fall into the wrong hands, loss of critical information can be costly as seen in table 2.2. Synchronizing and backing up hand-held devices and laptops at regular intervals will help to protect against this.

Application Service Providers and Virtual Private Network
Hosting a mobile application with an application service provider (ASP) has inherent security and confidentiality risks (Benett, 2008). Although highly secure applications may rule out an ASP solution altogether, one way to overcome concerns is to use a virtual private network (VPN). In a VPN, the hosted infrastructure simply supports a secure tunnel between the client devices and the enterprise (Benett, 2008).

Mobile anti-virus
Mobile viruses are taking shape as new smart-phones are released almost every day. The major antivirus vendors like McAfee and Symantec have products designed specifically for mobile and wireless devices (SunBeltSoftwarePaper, 2008). Some of them are focused on protecting the mobile device; others focus on protecting the enterprise from viruses when a mobile device is synchronized. Network-level scans are the most effective, centralized way of preventing viruses and other disruptions associated with mobile devices.

Phishing Detection
“Phishing is an attempt to fraudulently acquire users' sensitive information, such as passwords or financial information, by masquerading as a trustworthy entity in online transactions” (Kiagui, Park, Hsiao, Belanger, & Hiller, 2008). Just as a centralized view of the web has helped Google develop strong anti-phishing tools, a centralized view of mobile activity at the service provider can help mobile operators detect and prevent phishing attacks against their customers (Benett, 2008). A phishing detection tool can tell you whether a particular website into which you are entering information is genuine or not. Phishing detection tools detect fraudulent sites by observing content-related attributes of the page and can stop the user from proceeding to a malicious site.
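As an added illustration of the content-related checks described above (example code written for this section, not from Kiagui et al. or Benett), the following Python scores a page on a handful of such attributes: a raw-IP host, credential-related words in the path, a password form posting to another domain, and links pointing mostly off-site. The two sample pages and every hostname in them are constructed.

```python
"""Heuristic phishing-page check built on content-related attributes of a page."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Words that commonly appear in the paths of credential-harvesting URLs.
SUSPICIOUS_PATH_WORDS = ("login", "secure", "verify", "account", "update")


class PageFeatures(HTMLParser):
    """Collects the forms (and whether they ask for a password) and link hosts of a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []       # [absolute action URL, has_password_field]
        self.link_hosts = []  # hostnames that <a href> links point to

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # A relative action is resolved against the page's own URL.
            self.forms.append([urljoin(self.page_url, a.get("action", "")), False])
        elif tag == "input" and a.get("type", "").lower() == "password" and self.forms:
            self.forms[-1][1] = True
        elif tag == "a" and a.get("href"):
            host = urlparse(urljoin(self.page_url, a["href"])).hostname
            if host:
                self.link_hosts.append(host)


def site_of(host):
    """Crude registrable-domain approximation (last two labels); a demo simplification."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def phishing_indicators(page_url, html):
    """Return the content-related indicators found for a page served at page_url."""
    parsed = urlparse(page_url)
    host = parsed.hostname or ""
    site = site_of(host)
    features = PageFeatures(page_url)
    features.feed(html)
    found = []

    # URL-level attributes
    try:
        ipaddress.ip_address(host)
        found.append("host is a raw IP address")
    except ValueError:
        pass
    if "@" in parsed.netloc:
        found.append("userinfo (@) in URL hides the real host")
    if host.count(".") >= 4:
        found.append("unusually deep subdomain chain")
    if any(word in parsed.path.lower() for word in SUSPICIOUS_PATH_WORDS):
        found.append("credential-related keyword in URL path")

    # Content attributes
    for action, has_password in features.forms:
        if has_password and site_of(urlparse(action).hostname or host) != site:
            found.append("password form posts to a different domain")
    if features.link_hosts:
        off_site = sum(1 for h in features.link_hosts if site_of(h) != site)
        if off_site > len(features.link_hosts) / 2:
            found.append("most links point off-site")
    return found


def is_suspicious(page_url, html, threshold=2):
    """Flag a page when at least `threshold` indicators are present."""
    return len(phishing_indicators(page_url, html)) >= threshold


# Constructed sample pages (not real sites): a look-alike login page and a genuine one.
LOOKALIKE_URL = "http://192.0.2.10/secure/login.html"
LOOKALIKE_HTML = """<html><body>
<form action="http://collector.example.net/submit" method="post">
  <input name="user"><input type="password" name="pass"><input type="submit">
</form>
<a href="https://bank.example.com/help">Help</a>
</body></html>"""

GENUINE_URL = "https://bank.example.com/"
GENUINE_HTML = """<html><body>
<form action="/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<a href="/accounts">Accounts</a><a href="https://bank.example.com/help">Help</a>
</body></html>"""

if __name__ == "__main__":
    print(phishing_indicators(LOOKALIKE_URL, LOOKALIKE_HTML))
    print(phishing_indicators(GENUINE_URL, GENUINE_HTML))
```

The threshold and the keyword list are tuning knobs; a real tool would combine such attributes with reputation data rather than rely on them alone.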

Centralized Blacklists
Blacklists of various communication addresses such as Bluetooth and IP may be implemented as an off-device security service (Oberheide, Veeraraghavan, Cooke, Flinn, & Jahanian, 2009). These blacklists can be maintained on a global level by a service provider for known malicious entities or on a personal user-specified level. These centralized policies may be pushed to client devices for enhanced performance (Oberheide, Veeraraghavan, Cooke, Flinn, & Jahanian, 2009).

Mobile Authentication
Authentication is the process by which a device is verified to be what it claims to be. Many critical breaches can be attributed to weak or absent authentication (Benett, 2008). This section describes ways in which authentication can be implemented and the best methods to protect identity.

Authenticating and protecting identity
Non-text passwords: Users can be required to enter or tap symbols in a randomly generated sequence of points to prove their authenticity. Unlocking a device this way could also decrypt other credentials stored on that handheld so the authenticated user can access his company's network (Benett, 2008).

Certificates: Digital certificates are fixed to an identity and link it to a public/private key pair. They are considerably stronger than passwords as long as the owner's private key is protected (Forge, 2007).

Smart cards: A smart card is one step above certificates: it stores and enters the owner's private key. A smart card is a security chip embedded in a credit card, badge or memory device. It can provide safe storage for cryptographic keys used by authentication algorithms (Benett, 2008).

Hardware tokens: Many companies authenticate laptop users with hardware tokens that generate one-time passwords. Each password is part of a series generated from a cryptographic source which is known to the network and the user, and is valid for about a minute. The user typically enters his text password, followed by the string displayed on the token (Benett, 2008).

Biometrics: Biometrics is typically used for multi-factor authentication. Multi-factor authentication combines at least two of the following: something you know, like a password; something you have, like a token; and something you are, like fingerprints (Benett, 2008).
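The password-plus-token login described above, as an added Python example (not code from Benett or any token vendor): the token string is modelled as an RFC 6238 time-based one-time password with a one-minute step, and the enrolled user, the token seed and the one-step clock-drift allowance are assumptions.

```python
"""Two-factor login check: a text password followed by a hardware-token style one-time code."""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 60, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): the HOTP counter is the current time step."""
    return hotp(secret, at_time // step, digits)


class TokenAuthenticator:
    """Server side: salted password hashes plus the seed shared with each user's token."""

    def __init__(self, step: int = 60, digits: int = 6, drift_steps: int = 1):
        self.step = step                # each code is valid for about a minute, as on the page
        self.digits = digits
        self.drift_steps = drift_steps  # tolerate this many steps of clock skew (assumption)
        self._users = {}                # username -> (salt, password_hash, token_seed)
        self._last_step = {}            # username -> last accepted time step (replay guard)

    @staticmethod
    def _hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, username: str, password: str, token_seed: bytes) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash_password(password, salt), token_seed)

    def verify(self, username: str, entered: str, now: Optional[int] = None) -> bool:
        """`entered` is the text password immediately followed by the code shown on the token."""
        if username not in self._users or len(entered) <= self.digits:
            return False
        password, code = entered[:-self.digits], entered[-self.digits:]
        if not (code.isascii() and code.isdigit()):
            return False
        salt, pw_hash, seed = self._users[username]
        password_ok = hmac.compare_digest(self._hash_password(password, salt), pw_hash)

        current = (int(time.time()) if now is None else now) // self.step
        matched = None
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            if hmac.compare_digest(hotp(seed, current + delta, self.digits), code):
                matched = current + delta
                break
        # Both factors are always evaluated, so a failure does not reveal which one was wrong.
        if not password_ok or matched is None:
            return False
        if self._last_step.get(username, -1) >= matched:
            return False  # a code is one-time: it cannot be replayed within its window
        self._last_step[username] = matched
        return True
```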

Employee Compliance based solutions
Employee participation and behavior
Organizations create Information Security Practices (ISPs) to provide employees with guidelines concerning how to ensure information security while they utilize information systems in the course of performing their jobs (Whitman, Townsend, & Aalberts, 2001); however, while creating guidelines and policies is an essential starting point, it is not enough to ensure employees' compliance with them (Bulgurcu, Cavusoglu, & Benbasat, 2010). Employees may have a valuable role in the mobile security design of an organization. Employee awareness of the risks to mobile security is widely believed to be fundamental to effective mobile security (Aytes and Connolly, 2006). Organizational behavior scholars have argued that the greatest effect of participation may be cognitive, such as information exchange and knowledge transfer (Latham, 1994). An employee's intention to comply with the organization's ISP is influenced by subjective norms, perceived behavioral control, and attitude toward compliance (Bulgurcu, Cavusoglu, & Benbasat, 2010). Information security awareness influences an employee's outcome beliefs as well as attitude toward compliance.
It has been found that employees add value to mobile security risk management when they participate in the prioritization, analysis, design, implementation, testing and monitoring of user-related security controls within business processes, which in turn contributes to more effective security control development and performance (Spears, 2010). Boss and Kirch (2007) introduced the concept of 'mandatoriness', which motivates individuals to take security precautions. While rewards have not been found to be effective in convincing individuals that security policies are mandatory, specifying policies, evaluating behaviors and computer self-efficacy have been effective. Later, Boss et al. (2009) showed that mandatoriness mediates the relationship between the control element (specification, evaluation and reward) and the security precautions taken. Pahnila et al. (2007) proposed a theoretical model which demonstrated that information quality had a significant effect on actual compliance, that threat appraisal and facilitating conditions had a significant effect on attitude towards compliance, and that sanctions and rewards did not influence intention to comply or actual compliance. Security managers can harness regulatory compliance as an opportunity to engage users, raise organizational awareness of security, and better align security measures with business objectives (Spears, 2010).

Policies
Strict access privileges for mobile users should be implemented to protect sensitive information. The purpose of the policy should be to establish an authorized method for controlling mobile computing and storage devices that contain or access information resources at the company (SANS, 2010). This applies to all devices connecting to the network, regardless of ownership.

The policies should clearly indicate what the mobile computing and storage devices include. They can be, and are not limited to: laptop computers, personal digital assistants (PDAs), plug-ins, Universal Serial Bus (USB) port devices, Compact Discs (CDs), Digital Versatile Discs (DVDs), flash drives, modems, handheld wireless devices, wireless networking cards, and any other existing or future mobile computing or storage device, either personally owned or company owned, that may connect to or access the information systems at the company (SANS, 2010). A risk analysis for each new media type should be conducted and documented prior to its use or connection to the network at the company (SANS, 2010). The policy should address the handling of portable devices. Portable computing devices and portable electronic storage media that contain confidential, personal, or sensitive company information must use encryption or equally strong measures to protect the data while it is being stored (SANS, 2010). Unless written approval has been obtained from the Data Resource Manager and the Chief Information Security Officer, databases or portions thereof which reside on the network at the company shall not be downloaded to mobile computing or storage devices (SANS, 2010). Table 3.1 provides a brief description of the policies of some of the more popular vendors.

Table 3.1: Application development policies of some major vendors. Source: http://www.us-cert.gov/reading_room/TIP10-105-01.pdf

Training
While attaching great emphasis to the consequences of mobile device misuse, loss, or theft will give employees a greater incentive to follow corporate policy, training these users on the specifics of the policy is required (Tauschek, 2008). Among others, an enterprise mobile training plan should address the following key topics:

Protecting devices: Users should be instructed to follow proper procedures for storing and transporting devices, and specifically not to leave devices unattended in vulnerable locations such as offices, airports, and hotels (Tauschek, 2008).

Data encryption: A high-level overview of the data safeguarding and remote management technologies currently employed by the enterprise will drive more responsible usage. Users should be made aware that breaking enterprise policy by copying sensitive server-hosted data, including confidential member information and company IP, to unencrypted local device storage can have serious repercussions for the individual (Tauschek, 2008).

Password management: Users should be educated on the help desk procedures to follow, or alternative requirements, for changing or setting passwords for mobile devices, in accordance with the existing enterprise password policy (Tauschek, 2008).

Governance framework
Various researchers and organizations have defined the components of information security and how an organization should go about implementing them (ISO 17799, 2005; Tudor, 2000; McCarthy and Campbell, 2001; Teufel, 2003). Information security components can be described as principles that enable the implementation and maintenance of information security, such as an information security policy, risk assessments, technical controls, and information security awareness (Veiga & Eloff, 2007, p. 361). These components can be encompassed in a mobile security governance framework. The mobile governance framework provides an organization with an understanding of the requirements for a holistic plan for mobile information security. The mobile governance framework should identify the key players in the organization and assign each of them a role in governance. As can be seen in Table 3.2, organizations comprise different levels of employees. The table then explains the specific role that should be played by each level of employee in terms of governance. The C-level executives refer to the Chief Technology Officers (CTOs) and Chief Information Officers (CIOs).

Table 3.2: Key players and their governance role. Source: Avepoint, IT Governance Whitepaper (http://www.avepoint.com/assets/pdf/sharepoint_whitepapers/IT_Governance_White_Paper.pdf)

Best practices
There are certain best practices that IT managers can use to help users avoid mobile malware and avoid potential problems. They are listed below (Forge, 2007):
- All host systems that users sync their devices to should be protected with current antivirus software. In many cases, the desktop system can catch infected applications before they are installed on the mobile device.

- If users are not using Bluetooth on their phones, PDAs, or other gadgets, have them disable the feature altogether. In addition to closing the door on some types of malware and unwanted advertising, this will improve battery life on the device.

- If Bluetooth cannot be disabled, then the phone or PDA should not be set to be discoverable. While this is no guarantee that a skilled attacker will not see the device given time and motivation, it will provide some defense against attackers of opportunity. A better practice is to instruct users to activate Bluetooth when they need it and turn it off when not in use.

- Information kept on phones and PDAs should be stored somewhere else as well. Malware is one threat to mobile devices, but there are many others: theft, loss and damage, to name a few. No matter which of these results in data loss, having a backup will make recovery easier.

Table 3.3 summarizes the technological challenges and solutions for mobile devices in organizations that were discussed in the previous and current chapters.

Threat | Challenge | Solution
Mobile viruses | Can take advantage of security holes in applications or the operating system and cause damage | Install specific anti-virus programs like McAfee and Symantec for mobile and wireless devices
Phishing | Fake programs can pretend to be actual applications and steal user information | Mobile anti-phishing tools can be implemented by the mobile operators
Spam | Causes disruption of the device and drives up cost when targeted towards a wireless device | Apply spam filtering solutions
E-mail viruses | E-mail viruses can disrupt business working and prove to be a costly fix | Download and install mobile e-mail anti-virus software that is specific to the device
Lost or stolen data | Critical employee and organization information can fall into the wrong hands when devices are left unattended | Have physical locks for devices; devices can be tracked and tagged so that their location can be determined

Table 3.3: Technological challenges and solutions for mobile threats in organizations

Chapter 4 An analytical framework for Mobile Business Security
This chapter formulates an analytical framework to handle mobile business security for organizations. The framework provides guidelines for organizations to implement mobile governance. Organizations are faced with mobile threats that need to be handled in a structured manner; a threat modeling approach is developed in the last section to handle those threats. Designing a simple and clear approach to mobile governance will lead to increased effectiveness. This can be done by correlating mobile governance and IT governance, as both of them have the same fundamental roots in technology. This chapter provides an overview of mobile governance and explains why such governance is important. According to Peter Weill and Jeanne Ross, IT governance is defined as “Specifying the design rights and accountability framework to encourage desirable behavior in using IT. IT governance is not about making specific decisions—management does that – but rather determines who systematically makes and contributes to those decisions.” (Weill & Ross, 2004) A similar definition can be adopted for mobile IT governance as well. The model of the mobile governance framework proposed here is similar to the framework proposed by Weill and Ross. The mobile governance framework includes three major components: domains, styles and mechanisms. Each component poses a question related to IT. By answering these questions, organizations can evaluate their current institutional approach to governance and design a more effective decision making methodology. The three questions are:

- Domains – what decisions need to be made?
- Styles – who has input and/or decision rights?
- Mechanisms – how are the decisions formed and enacted?

Domains: What decisions need to be made?
Identifying the decisions that must be made enables the organization to translate its institutional business principles into IT principles and provides the alignment to drive IT to effectively support the enterprise. The mobile governance framework, based on the IT Governance framework, proposes that an institution make five key governance decisions, captured by the following questions:
- Mobile IT principles – how will mobile applications create business value?
- Mobile IT infrastructure strategies – how will we build shared services for mobile applications?
- Mobile IT architecture – what technical guidelines and standards will we use for mobile applications?
- Mobile business applications – what applications do we need to support the mobility of workers?
- Mobile IT investment and prioritization – how much and where will we invest?

Styles: Who has input and/or decision rights?
Once the scope has been defined, the next step is to identify just who is involved in decision making and how they are involved. Both parameters, the 'who' and the 'how' of involvement, are critical to the success of mobile governance (Clark, 2005). Different types of people and different groups will need to be involved in the various IT decisions that must be made. For each person or group, the level of involvement must be decided, agreed upon and communicated throughout the enterprise. Each person or group may simply provide input to a decision, or may be involved in considering all the inputs and making the decision. The Weill and Ross model proposes that organizations consider the involvement of six groups of people (the 'who') and specify whether each has input and/or decision rights (the 'how') for each of the five 'domain' IT questions listed above. The model uses six political archetypes to describe input and/or decision rights for each decision:
- Business monarchy – includes the CEO, CIO, COO and the groups of business executives
- Mobile IT monarchy – CIO and/or IT directors acting as individuals or as a group
- Federal – CxOs and at least one business unit leader
- Feudal – business unit leader(s), key process owners or their delegates
- Duopoly – CIO/IT directors and at least one other group (CxO, business unit or process leader)
- Anarchy – a business unit that owns a business process, or an end user

Constructing a table from the questions that must be answered, combined with who has input to and/or decision rights for each of these questions, determines an institution's IT governance (see Table 4.1). Decision rights determine who will decide and be held accountable.

Mechanisms: How are the decisions formed and enacted
The last component of the framework is how the organization implements a mobile governance arrangement: what decision-making structures, processes, and approaches are used. Once the decisions and the specification of input and/or decision rights are identified, the organization must decide detailed decision responsibility and accountability, how alignment will occur, and how information will be communicated throughout the institution (Clark, 2005). When these three mechanisms are properly selected, the institution's approach to mobile IT governance will be performed as desired. The Weill and Ross model provides three categories of mechanisms to specify how the decisions made by the identified individuals (or groups) will be enacted:

- Decision-making structures – these mechanisms clarify who is responsible and accountable for decisions. Examples of these are executive teams, committees, and business/IT relationship managers.

- Alignment processes – these mechanisms ensure effective input to decision makers and implementation of their decisions. Examples of these processes are architecture exception processes, service-level agreements, chargeback and metrics.

- Communication approaches – these mechanisms disseminate governance processes and individual responsibilities to everyone who needs to know. Examples of these are advocates, channels and announcements.

For each question to be answered, an institution considers which decision-making structure is involved, how the institution will ensure the decisions made will be effectively implemented, and how the decision outcome will be communicated to the organization's constituents (Clark, 2005).

Mobile Enterprise Architecture Framework
The Federal Enterprise Architecture Framework (FEAF) defines enterprise architecture as “a strategic information asset base, which defines the mission, the information necessary to perform the mission and the technologies necessary to perform the mission, and the transitional processes for implementing new technologies in response to the changing mission needs. Enterprise architecture includes baseline architecture, target architecture, and a sequencing plan” (FEAF, 2006). Lankhorst (2004) described a layered approach to enterprise architecture that identified the following layers:
1. Business Layer, consisting of the products and services that support the business processes that provide products and services to customers.
2. Application Layer, which supports the business layer with services that are utilized by mobile applications.
3. Technical Layer, which provides the infrastructure support and communication services to run applications.
Based on the FEAF, a mobile enterprise framework can be developed. Like the FEAF, the architecture can include business, data, applications, and technology domains that serve as a reference point to guide the efficient flow of information, common business processes and technology across the organization. A mobile framework matrix can be developed based on these, as seen in Table 4.2, which considers the various perspectives of the different users involved.

Table 4.2: Mobile Architecture Framework Matrix based on FEAF

Handling Mobile Threats by Threat Modeling
Threat modeling is an engineering technique which organizations can use to identify threats, attacks, vulnerabilities, and countermeasures (Meier, Mackman, & Wastell, 2005). This model can be applied to handle the mobile threats that are faced by organizations. The mobile threat modeling activity helps an organization to:
- Identify mobile security objectives.
- Identify relevant mobile threats.
- Identify relevant mobile vulnerabilities and countermeasures.

Approach
There are five major modeling steps to deal with mobile threats, which can be seen in Figure 4.1.

Figure 4.1: Iterative threat modeling process (Meier, Mackman, & Wastell, 2005). The figure shows a cycle of five steps: 1. Identify Mobile Security Objectives; 2. Mobile Application Overview; 3. Decompose Mobile Application; 4. Identify Mobile Threats; 5. Identify Mobile Vulnerabilities.

The five threat modeling steps are (Meier, Mackman, & Wastell, 2005):
Step 1: Identify mobile security objectives. Clear objectives help organizations focus the threat modeling activity and determine how much effort to spend on subsequent steps.
Step 2: Create a mobile application overview. Itemizing the mobile application's important characteristics helps organizations identify relevant threats during step 4.
Step 3: Decompose the mobile application. A detailed understanding of the mechanics of the mobile application makes it easier for organizations to uncover more relevant and more detailed threats.
Step 4: Identify mobile threats. Organizations can use details from steps 2 and 3 to identify threats relevant to their mobile application scenario and context.
Step 5: Identify mobile vulnerabilities. Organizations should review the layers of their mobile application to identify weaknesses related to the threats. They should use vulnerability categories to focus on those areas where mistakes are most often made.
To summarize, this chapter discussed the mobile governance framework, which includes the three major components of domains, styles and mechanisms, and how they provide structure to the decision making process in organizations. The mobile enterprise framework architecture and the matrix framework with its layers were discussed. Finally, to deal with the threats faced by organizations, the threat modeling process was discussed.

Conclusion
This paper thus proposed a framework that addresses the challenges faced by organizations in setting up mobile security. It discussed the threats and issues that mobile devices have introduced to enterprises and organizations. The paper provided solutions to those threats and issues by breaking them down into technical and employee compliance perspectives. These threats are new, and currently there are not many proper governance frameworks in place to deal specifically with mobile security issues. There is a need for mobile governance and a framework which includes employee participation, training, policies and procedures, and above all a framework which organizations can follow so that they can safely mitigate the risks and threats.

