DOI: 10.1145/1940941.1940971
research-article

Managing smart phone security risks

Published: 01 October 2010

ABSTRACT

Smart phones, their operating systems and security characteristics have rapidly evolved as has the reliance upon them by organizations to conduct business. The unusual mix of personal and business use for smart phones as well as their unique combination of capabilities creates a number of challenges to managing their risk. This paper explores the types and nature of threats to the organization from the use of smart phones along with controls, available security software and tools. The current state of corporate smart phone security programs and policies is examined. Smart phone security policy considerations are discussed and recommendations are made for building a smart phone security program.



                Reviews

                Brad D. Reid

                This excellent paper provides a wake-up call to managers and security professionals. Smartphones are handheld computers with unique security challenges. As the author notes, "The greatest danger lies in inappropriate user behavior fed by the mixing of personal and business use." For this reason, managers and security professionals must educate as well as regulate. Smartphones are becoming more powerful and adaptable. Consequently, they are increasingly at risk of being targeted by hackers and malware. This paper gives several examples of attacking viruses, including Cabir and Duts. Smartphones can be compromised in a variety of ways, including direct hacker attacks, communications interception, theft, and loss. In a six-month period in 2010, over 31,000 smartphones were left in New York City taxis. In addition, careless or intentional employee behavior compromises smartphones. A brief but well-written overview of controlling access to smartphones reviews the major protocols for preventing intrusion or data compromise. For example, sandboxing applications restrict the code's access to system files and services rather than verifying the code's integrity. The overview of securing communications defines and briefly reviews major encryption and privacy methodologies. This paper defines these well in a very brief treatment. The paper also reviews the state of mobility security planning and the 2008 recommended National Institute of Standards (NIST) recommendations for mobile handheld device security. It provides a very good discussion of the security characteristics of smartphones, and outlines the steps for building a smartphone security program. These steps include risk assessment and analysis, documenting policies and training end users, adopting a smartphone management system, setting base-level security software requirements, and giving special consideration to those phones at highest risk. 
Developing a smartphone security program begins with changing attitudes. This is a fine introduction, with references to additional papers that address this unfolding issue. The paper is an excellent tool to raise awareness and inspire smartphone security consideration.

Online Computing Reviews Service

                Published in

                  InfoSecCD '10: 2010 Information Security Curriculum Development Conference
                  October 2010
                  187 pages
                  ISBN: 9781450302029
                  DOI: 10.1145/1940941

                  Copyright © 2010 ACM


                  Publisher

                  Association for Computing Machinery

                  New York, NY, United States


                  Acceptance Rates

                  Overall Acceptance Rate: 18 of 23 submissions, 78%
