
www.intimusconsulting.com  

Trustworthy Mobile Security for Smartphones, Tablets, etc. –

Is there an App for that?

Five Ways to manage the emerging Security Risks

in our increasingly mobile Life


Summary

The past ten years have witnessed a remarkable shift in the way that businesses, organisations and individuals can access computing power. The very concept of a “computer” has irrevocably changed.

In the “old days” of 2001, a computer was something that sat on a desk, with a hard drive in a nearby tower. Laptop computers were widely considered to be too expensive or unreliable for everyday use, and were often assigned only to regular business travellers or to the more valuable members of the organisation.

In 2001, smartphones existed (see the photo at right of the Kyocera QCP6035 from the year 2000[1]), but they were mainly used by technology enthusiasts and early adopters, and were not nearly as widespread as they are today.

Most people carried “cell phones,” which were big and bulky by today’s standards, and were mainly used only to make phone calls. Simply being able to send a text message was considered the height of cell phone communications technology.

[1] Liane Cassavoy, “In Pictures: A history of cell phones,” PC World, May 7, 2007, published online at http://www.pcworld.com/article/131450/in_pictures_a_history_of_cell_phones.html [cited on June 19, 2011]

[Figures: The first smartphone: The IBM Simon (1992) (Source: Wikipedia); An early Kyocera smartphone (Source: PC World); The original iPhone (Source: Wikipedia)]


Content

Introduction 4

The advantages of solid state media 6

The drawbacks of solid state media 7

Solid state media information security risks and best practices 8

Five ways to manage Information Security Risks on mobile devices
1. Automatic Locking 10
2. Check Reputation 10
3. Confidentiality 10
4. Special precautions for high ranking officials 10
5. Decommissioning 11

Conclusion 12

Company Profile 13


Introduction

What a difference ten years can make. Today, smartphone users can access their e-mail, take and share high quality digital photos and videos, listen to music, watch movies, and connect to the Internet from anywhere, allowing them to interact with their world and be productive in unprecedented ways. Even as desktop PCs and laptops/notebooks have grown in speed and power, they have also started to be eclipsed by ever smaller, ever lighter models like netbooks (popular during 2008-2009) and more recently by tablet PCs like the iPad.

According to research from Gartner, sales of tablet computers are expected to more than quadruple from 15 million units sold worldwide in 2010, to over 70 million sold during 2011.[2] Total tablet computer shipments are expected to approach 250 million by 2015.[3]

Tablet computers enable the same kinds of constant connectivity and interactions as a smartphone, but their larger screens and easier operability make it possible to bring computing power into workplaces in new ways. With a tablet computer, the factory floor can now be easily connected to the company’s main network.

Knowledge workers can access information via tablet computers in a lighter, more portable format. Hospital workers can record patient information at the bedside using a simple touch screen. Restaurant staff can take reservations and coordinate seating with a tablet. The possibilities are limitless.

One of the biggest reasons for the differences between the fixed “computers” of 2001 and the smartphones and tablet computers of today is the rise of solid-state storage media.

[2] Josh Halliday, “Tablet sales poised for spectacular growth, claims Gartner,” Guardian, April 11, 2011, published online at http://www.guardian.co.uk/technology/2011/apr/11/tablet-ipad-sales-growth-gartner [cited on June 19, 2011]

[3] The Economist, “Taking the tablets,” March 2, 2011, published online at http://www.economist.com/blogs/dailychart/2011/03/tablet_computers [cited on June 19, 2011]

[Figure: Image source: The Economist]


Rather than relying on the moving parts of a hard disk drive, smartphones and tablets are built with solid-state drives, which enable these devices to be more portable and powerful than ever before.

“Computers” are no longer fixed objects sitting on a desk. People now have the ability to carry “computers” in their pockets in the form of smartphones (which recently surpassed PCs in total worldwide shipments).[4]

The dramatic increases in the portability and flexibility of computing power have made possible great gains in productivity and a significant transformation in online culture as the Internet begins to infuse every aspect of daily life.

But along with the benefits of the rise of smartphones and tablet computers, there are risks. The same features that make smartphones and tablets so beneficial can also pose damaging threats to the sensitive data of organisations.

This paper will discuss some of the information security risks posed by the emerging solid-state media, such as smartphones and tablet computers. By exercising best practices and information assurance strategies, organisations can successfully navigate the risks posed by these powerful new forms of electronic storage media.

[4] David Goldman, “Smartphones have conquered PCs,” CNN Money, February 9, 2011, published online at http://money.cnn.com/2011/02/09/technology/smartphones_eclipse_pcs/index.htm?iid=EL [cited on June 19, 2011]

[Figure: Source: CNN Money]


The advantages of solid state media

Solid state media offer several advantages that have made them the ideal foundation for the recent revolution in portable computing power.

Traditional magnetic hard disk drives (HDDs), like the ones in 2001-era computers, are made of moving parts. There is literally a spinning “disk” within the drive, and movable read/write heads. Data is recorded into memory via electromagnetism. This type of storage media worked very well for the days when computers were immovable objects sitting on desks, but in order to create a more mobile computer, solid state storage was needed.

Solid state drives (SSDs) have no moving parts, and rely on microchips and non-volatile memory chips, instead of magnetic media, to store data. SSDs are often used for external drives such as USB drives and mobile devices like smartphones and tablets. They can also be used internally as drives for laptops. The characteristics that make SSDs ideal for small, portable devices like smartphones and tablets include:

- Silent performance: SSDs do not make any sounds, unlike a spinning magnetic hard disk drive.

- Less susceptible to physical shock: Smartphones and tablets can be jostled or dropped without losing data.


The drawbacks of solid state media

As the size and stability of digital storage media has exponentially grown, it has become more difficult for organisations to prevent data breaches. There is simply too much information, too easily available, too easily duplicated, and stored in too many different places. As such, organisations are challenged with having to safely dispose of their obsolete devices.

Hard disk drives (HDDs) are magnetic storage media, meaning that the recorded data can be successfully erased from the disk by using a degausser (subjecting the disk to a highly focused electromagnetic field). Another option to erase an HDD is to use the Secure Erase function built into most standard HDDs ever since 2001.

From an information security standpoint, the primary drawback of solid state media is that the solid state drives (SSDs) are not as easy to purge of data as the magnetic HDDs. Since the SSDs do not rely on magnetic media for data storage, degaussers are not effective in sanitising the data. Secure Erase does not successfully erase an SSD, either. According to recent research from the University of California at San Diego, tests on the Apple Mac OS X showed that as much as 57% of stored data remained intact even after using the Secure Erase feature.[5] So if the “old” methods of data sanitisation will not succeed on these “new” forms of solid state storage media, how are organisations supposed to protect themselves?

There are several significant risks posed by solid state media, and several key recommendations to help overcome those risks.

[5] Dan Goodin, “Flash drives dangerously hard to purge of sensitive data,” The Register, Feb. 21, 2011, published online at


Solid state media information security risks and best practices

Many users of solid state media, especially smartphones, get lulled into a false sense of security. After all, how can such a friendly, useful device possibly pose any information security risk? Many solid state media users become almost too comfortable with their devices, and fail to protect them the same way they would treat a workplace desktop PC.

Other people see their mobile devices as an extension of themselves, and fail to uphold a proper division between work and personal use, for example, by downloading certain apps onto a work-issued smartphone or tablet, even though the apps might pose an information security risk.

Mobile solid state media devices like smartphones are more vulnerable than many people realise, with possible negative consequences including hacking, identity theft, data breach, or wrongful disclosure of financial information.

According to a 2008 CompTIA survey of more than 2,000 information security professionals, over half responded that risks related to mobile devices and remote workers were up compared to 2007.[6] When employees work remotely or carry devices with them, especially when using their devices to access the Internet via public networks, there is a risk of theft or loss.

Organisations need to ensure that they have trained their staff on how to properly handle their tablet PCs and other portable devices – using secure passwords, data encryption, and other methods to thwart potential data thieves.

An additional security risk of solid state media which is often overlooked is the sheer quantity of devices that are now in use. Smartphones especially tend to have short life cycles of 2 years or less, as people constantly trade up for the newest models with the fastest performance and the fanciest technology. This means that in a few years, organisations could potentially be faced with vast numbers of obsolete solid state media devices, which are no longer needed by the business and which could pose a threat if not disposed of safely. Organisations need to start planning now to properly decommission and sanitise their solid state media devices (smartphones, tablets, USB drives, and others) once they have gone out of service.

[6] Al Sacco, “Six essential Apple iPhone security tips,” PC World, October 12, 2008, published online at


In December 2010, ENISA (European Network and Information Security Agency) published a paper on smartphone security, outlining the top 10 risks of smartphone usage (for business and personal use) and also made several recommendations for how to counteract the risks. Many of these risks apply to tablet users as well, since the technology and usage of these devices is similar.

Some of the top risks identified in the ENISA report include:[7]

- Data leakage: an attacker successfully accesses the data on a lost or stolen device.

- Improper decommissioning: the device is disposed of or reassigned to another user without successfully deleting sensitive data stored on the device, allowing this information to fall into the wrong hands.

- Unintentional data disclosure: Many users are unaware of the privacy settings on the various apps that they use with their devices. Sensitive data might be transmitted via an app, without the knowledge of the user.

- Phishing: A data thief steals user credentials, passwords or credit card numbers using fake apps, text messages or e-mails that seem credible.

- Spyware: The device becomes affected by invasive software that is installed by an attacker to access sensitive data by abusing privilege requests.

- Network spoofing attacks: A data thief creates a rogue network access point to attract users, and then captures the user’s communications and sensitive information to carry out additional attacks such as phishing.

- Surveillance: Spying on a person by using that person’s smartphone or tablet device.

- Diallerware: Stealing money from a person by using malware to exploit premium SMS (text) message services.

[7] Dr. Giles Hogben, Dr. Marnix Dekker, ENISA, “Smartphones: Information security risks, opportunities and recommendations for users,” December 10, 2010, published online at http://www.enisa.europa.eu/act/it/oar/smartphones-information-security-risks-opportunities-and-recommendations-for-users [cited on June 19, 2011]


- Financial malware: Malicious software (malware) designed to steal credit card numbers or online banking credentials, or to subvert online banking or eCommerce transactions.

Fortunately, the ENISA report also outlines some key recommendations for how individuals and organisations can minimise the risks of solid state devices. Many of the risks can be mitigated with good security practices and training throughout the organisation. Key recommendations include:

1. Automatic locking: Configure the device so that it locks automatically after a few minutes. This will prevent the device from being easily accessed by a data thief.

2. Check reputation: Prior to installing or using any new apps or services on the smartphone or tablet, make sure to check the reputation of the app being installed. Organisations should also consider creating a “whitelist” of acceptable apps that employees have permission to install on their work-issued devices, especially if the devices are used to handle sensitive internal data, or if the organisation’s internal network is accessible to the devices.

3. Confidentiality: Use memory encryption for the device’s memory and any removable media that accompany the device.

4. Special precautions for high ranking officials: When high ranking people within an organisation use mobile solid state media devices, a few extra precautions are needed. The devices of high ranking individuals can be especially valuable to data thieves, as they often contain the most restricted sensitive information that can be most highly damaging to the organisation if it falls into the wrong hands. For these reasons, ENISA recommends the following precautions:


  o No local data: High ranking officials should not be able to store sensitive data locally on the device. Instead, the users should only be able to access sensitive data online via the organisation’s internal network, using a non-caching app. This will limit the exposure of the organisation’s most sensitive data, keeping it contained within the company’s network, rather than dispersed onto multiple mobile devices.

  o Encryption software: Just as many organisations use e-mail encryption to send highly confidential messages, it is also possible to encrypt VOIP calls and SMS (text) messages to protect highly confidential conversations end-to-end.

  o Periodic reload: Smartphones and tablets may be periodically wiped (using secure deletion) and reloaded with a specially prepared and tested disk image. While this periodic reloading can minimise the amount of sensitive information on the device at any one time while it is being used, the only secure way to sanitise data on the device is done at the point of decommissioning.

5. Decommissioning: Before decommissioning, disposing of or recycling an obsolete or unneeded smartphone or tablet device, apply a thorough memory wipe procedure to the device. One of the most reliable methods to sanitise data from a solid state drive, according to recent research,[8] is to fully encrypt the drive’s contents, and then delete the corresponding encryption keys from the key store. This leaves the drive’s contents permanently encrypted, unable to be deciphered or recovered by anyone. The drive can then be physically destroyed using a disintegrator. The biggest challenge of safely decommissioning solid state media devices is that even after an SSD has received a wiping procedure, a certain amount of information from the device can still be restored (with some effort) even without the encryption keys. Encryption keys also do not provide failsafe security. Many encryption keys have been cracked by hackers, and other encryption keys have “back doors” that are vulnerable to exploitation.
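The decommissioning point above, as an added illustration that is not from the paper or from intimus: a toy flash model (hypothetical names ToySSD, host_wipe, chip_off_dump, and an HMAC-based keystream standing in for the drive's real cipher) in which a host-side overwrite leaves a stale copy of the old data on a physical page, while destroying the media key leaves every page, stale or not, unreadable. It also shows the paper's caveat: a key that leaked before the erase still decrypts the stale pages.

```python
import hashlib
import hmac
import secrets

PAGE = 16  # toy flash page size in bytes (<= 32 so one HMAC output covers a page)

def keystream(key: bytes, ppn: int) -> bytes:
    # Per-physical-page keystream from HMAC-SHA256; a stand-in for the AES-XTS
    # that a real self-encrypting drive controller would use.
    return hmac.new(key, ppn.to_bytes(8, "big"), hashlib.sha256).digest()[:PAGE]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class ToySSD:
    """Flash with out-of-place writes: overwriting a logical page lands on a fresh
    physical page, and the old copy stays intact until garbage collection."""

    def __init__(self, physical_pages: int = 8):
        self.flash = [None] * physical_pages  # physical page -> ciphertext
        self.map = {}                         # logical page -> physical page
        self.next_free = 0
        self.key = secrets.token_bytes(32)    # media key held in the controller

    def write(self, lpn: int, data: bytes) -> None:
        if self.key is None:
            raise RuntimeError("drive has been crypto-erased")
        ppn, self.next_free = self.next_free, self.next_free + 1
        self.flash[ppn] = xor(data, keystream(self.key, ppn))
        self.map[lpn] = ppn  # the previous physical page is now stale, not erased

    def read(self, lpn: int) -> bytes:
        if self.key is None:
            raise RuntimeError("drive has been crypto-erased")
        ppn = self.map[lpn]
        return xor(self.flash[ppn], keystream(self.key, ppn))

    def host_wipe(self) -> None:
        """What a host-side 'wipe' does: rewrite every logical page with zeros."""
        for lpn in list(self.map):
            self.write(lpn, b"\x00" * PAGE)

    def chip_off_dump(self, key: bytes) -> list:
        """Forensic view: decrypt every physical page, stale copies included."""
        return [xor(c, keystream(key, ppn))
                for ppn, c in enumerate(self.flash) if c is not None]

    def crypto_erase(self) -> None:
        self.key = None  # destroy the media key in the controller's key store

def demo() -> tuple:
    ssd = ToySSD()
    secret = b"PATIENT RECORD 1"  # constructed sample data, exactly one page
    ssd.write(0, secret)
    leaked_key = ssd.key  # models a media key an attacker obtained some other way
    ssd.host_wipe()
    host_view_clean = ssd.read(0) != secret                    # True: looks wiped
    stale_survives = secret in ssd.chip_off_dump(leaked_key)   # True: old page remains
    ssd.crypto_erase()
    after_erase = secret in ssd.chip_off_dump(secrets.token_bytes(32))  # False
    leaked_key_wins = secret in ssd.chip_off_dump(leaked_key)  # True: the caveat
    return host_view_clean, stale_survives, after_erase, leaked_key_wins
```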

[8] Dan Goodin, “Flash drives dangerously hard to purge of sensitive data,” The Register, Feb. 21, 2011, published online at


Conclusion

Solid state media such as smartphones and tablets are becoming an ever-increasing presence in the daily operations of organisations. With over 100 million smartphones shipping worldwide in 2010, and over 200 million tablets per year expected to ship during 2014, more organisations will need to adapt their security protocols to handle the unique risks of these powerful, portable media.

In addition to the security risks posed by such highly portable, versatile devices, one of the principal challenges of these new media is that they are so difficult to securely erase. The traditional methods of securely erasing a hard disk drive (HDD) do not apply to the microchip-based solid state drives (SSDs) that power smartphones, tablets and many laptops.

Along with ensuring good security practices while the devices are in use, many organisations will need to re-evaluate their decommissioning and disposal methods. Otherwise, the


Company Profile

Data protection was something unheard of when the first shredders were introduced in the 1960s. Starting with the "electronic wastepaper basket" INTIMUS Simplex in 1965, the product range nowadays meets all the requirements imposed with regard to information assurance. It not only includes devices for the shredding of classical data media, such as printouts, computer lists or even complete folders, but also features machines to destroy information on modern endpoint devices like CDs, floppy disks, hard disk drives and solid state media.

intimus Security Consulting is a concept to assist organisations worldwide to define, implement and monitor procedures for information security beyond the endpoint. More information is available under www.intimusconsulting.com.

The MARTIN YALE GROUP was formed in 2003 from the formerly independent organisations MARTIN YALE Industries (North America) and Schleicher International (Germany). Today the Group has an extensive worldwide distribution network with 7 branch offices and over 150 distributors.

Contact Details

MARTIN YALE GROUP
Bergheimer Strasse 6-12
88677 Markdorf / Germany
Tel. 0049 / (0) 75 44 / 60-235
Fax 0049 / (0) 75 44 / 60-248
mailto: strunz@martinyale.de
www.martinyale.de
