Computer Fraud & Security, March 2009
The security challenges of mobile devices
As we can understand from reading the news headlines, we are not doing very well. We are bombarded with news of information lost, stolen or divulged, identities stolen, breaches and break-ins. We do not have a comprehensive approach to this new computing architecture, which is common to the consumer and business markets, but obviously with different issues, numbers, and consequences.
Moreover, we do not even have a clear idea of where we are heading and what the scenario will be in a few years, since technologies and products are changing so rapidly that we have serious problems in catching up with them.
In this article we will consider various aspects of the latest mobile and embedded computing, discuss the challenges we face, and some of the possible approaches to at least reduce the risks.
Classical mobile computing
Let's start with laptops. They're not a novelty. I bought my first one in 1993. We should be used to them and should have learned to use them in a secure way. But in the last few years, two developments have changed the scenario of laptop security completely: the mass distribution of laptops, and wireless communication.
When laptops were more expensive than desktop personal computers, few people had them both in the business and consumer markets. So people who had a laptop also had special needs, and usually it was possible to adopt ad hoc security policies for business users of portable PCs. Private users were often good enough to be able to deal with the security issues related to their use of the laptops by themselves.
Moreover, connection to the network was wired as a desktop PC, or through dialup to the company network. The main issue was the possibility for a laptop to connect to different networks, and thus carry information and viruses from one network to the other.
Compare this situation, which at that time we already considered quite risky, to the current situation where laptops are the most common personal computers, and have automatic wireless connection to the best available local network.
Laptops today are the main personal computing instrument, which implies that all information, both business and personal, is stored in them. It was not like this ten years ago, and this implies that the risks associated with the use of the laptops have increased just by the increased sensitivity of the information stored in them. In practice, the main risks with the current use of laptops are loss or theft of the laptop, leak of information, and distribution of unwanted or dangerous (viral) software.
The number of laptops which are lost or stolen is unbelievable. Just check for the number of them lying at the deposits of airports and train stations. Often the information stored in the lost or stolen laptops is quite sensitive, either for business, personal use or even national security.
If you store in your laptop all your personal information like addresses, telephone numbers, bank account numbers and PIN codes, credit card numbers and so on, it becomes extremely easy to steal your money and your identity. The same applies if your laptop stores similar information about your company, or your nation if you are a public employee.
The current approach to mitigate this risk is to encrypt the information stored on the laptop's hard drive. This should prevent a third person from accessing the information stored in the PC.
The problem with encryption
In truth, even if the cryptography used is almost always practically unbreakable, there are other issues which make this approach less secure than we expect. First of all, people often leave their PC in sleep mode. This means that even if the data is encrypted on the disk, if you are able to access the PC as administrator without turning it off first, you could access all the information stored in it.
Andrea Pasquinucci, PhD, CISA, CISSP
In the last couple of years we have witnessed a silent revolution in computing and in our daily lifestyle. Computing and electronics have gone mobile without us changing our security approach. Moreover, thanks to the new communication standards, mostly wireless, each piece of equipment is usually able to communicate with each other device. So how can we balance security with mobile communicating, sometimes even embedded, devices?
This is often not as difficult as it could seem, since passwords are always the weakest point in ICT security. Some laptops allow authentication with fingerprint scanning, which in principle should give a much higher level of security, but comes with many other well-known problems.
There have been demonstrated physical attacks on PCs where it has been possible to recover the key used for encrypting the hard disk by analysing the RAM. Of course these are limited, extreme and expensive techniques, but they show that disk encryption is not the bulletproof solution to the problem of laptop loss and theft. Instead, it's better to turn laptops off when not using them, but it is very difficult to convince users of this.
An alternative to full disk encryption is to encrypt only the information which is considered sensitive in a dedicated folder, with a different password than the one used to access the PC. The practical problem is that the information can be stored or copied in other areas of the PC, from temporary files used by applications, to swap files used by the operating system, to copies done by the user. This means that it is usually possible to find unencrypted copies of the information on the PC. Keeping the sensitive information encrypted in a separated area of the hard disk requires a substantial effort by the user, which is often impossible to ask, so full hard disk encryption is usually adopted.
Connectivity concerns
But loss or theft of a laptop, even if dramatic, is not the highest threat. Every day our laptops connect to many different devices and networks, and even if by now everybody has a personal firewall on the laptop, data has to be exchanged with these devices and networks.
Here you should consider not only line and wireless network connections, typically TCP/IP, but also USB and Bluetooth connections to other devices from USB disks to cameras, telephones, PDAs and whatever else.
Which data is exchanged between the laptop and these devices and networks? Which sensitive information leaves the laptop (even just the fact that it exists) and what enters the laptop? This is an endpoint management nightmare.
Indeed, some companies have decided that the management and security issues associated with laptops are at the moment too risky and expensive, and they limit the adoption and use of the laptop within the company as much as possible.
Removable devices and storage
Thanks to the standardisation and use of cheap off-the-shelf components, we can store information on most electronic devices, even heavy duty or micro hand-held devices for construction, gas, electricity, measurements and so on. So from a security point of view, we should assume that every possible electronic device is equivalent for example to a USB (wired) or Bluetooth (wireless) disk.
What happens when we lose a USB disk or it is stolen? Usually, they are not encrypted, so all information contained can be easily retrieved by whoever has the disk.
Encryption of the USB disk can be mandated in some situations, but it often makes the disk unusable since its main purpose is to transfer data from one device to another, and encryption prevents that.
Protecting information at the application level
Some companies are trying to protect information at the application level. There are tools to introduce granular ad hoc policies for document control, from no access at all, to read-only access, to write access subject to approval, to full access.
Apart from the complexity of introducing and using such infrastructures and applications, the main issue is that often they do not solve the security problem because users can cheat easily. A document might first be written in draft form as a normal, non-protected file, and only when almost finished might it be uploaded to the secure application. The final version of the document is protected, but its earlier drafts are unprotected and there have been many cases of such leaks.
Similarly, it is very difficult to prevent an authorised user from extracting a document from the system to work on it offline, which would again defeat application security.
There are other approaches to protecting documents. For example, there are systems which protect information by checking that it does not leave the perimeter of the company.
These systems usually work as follows: there is a central database in which the security manager records all documents which have to be protected, and should not leave the perimeter of the company. Then components are installed on all firewalls, email servers, web servers and other egress points that check all data leaving the network.
This also means that all company desktops, laptops, telephones, PDAs and other devices must be managed in this way. In today's business world, this is usually almost impossible both technically and practically.
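The perimeter check described above can be sketched as follows. This is an added example, not code from the article or from any product; the class name, the five-word fingerprints and the 30% blocking threshold are assumptions chosen for illustration.

```python
import hashlib
import re

SHINGLE_WORDS = 5       # assumed: length of the word runs that get fingerprinted
BLOCK_THRESHOLD = 0.30  # assumed: share of a protected document that triggers a block

def shingles(text, k=SHINGLE_WORDS):
    """Hash every run of k consecutive words, ignoring case and punctuation."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    runs = [" ".join(words[i:i + k]) for i in range(max(len(words) - k + 1, 0))]
    return {hashlib.sha256(r.encode()).hexdigest() for r in runs}

class ProtectedRegistry:
    """Stand-in for the central database kept by the security manager."""

    def __init__(self):
        self._docs = {}  # document name -> set of shingle hashes

    def register(self, name, text):
        self._docs[name] = shingles(text)

    def check_egress(self, payload):
        """What an egress point would call: returns (allowed, matched_name, overlap)."""
        outgoing = shingles(payload)
        name, overlap = None, 0.0
        for doc, fp in self._docs.items():
            share = len(fp & outgoing) / len(fp) if fp else 0.0
            if share > overlap:
                name, overlap = doc, share
        blocked = overlap >= BLOCK_THRESHOLD
        return (not blocked, name if blocked else None, round(overlap, 2))

# Constructed sample data, not taken from any real system.
FINAL = ("The board approved the acquisition of Northwind Ltd for forty million "
         "euros. Closing is planned for the third quarter and must stay "
         "confidential until the public announcement.")
EXCERPT = ("Hi, quick heads-up: the board approved the acquisition of Northwind "
           "Ltd for forty million euros. Talk soon.")
DRAFT = ("Draft notes: we intend to buy Northwind for around 40m EUR, "
         "closing in Q3. Keep this quiet for now.")

REGISTRY = ProtectedRegistry()
REGISTRY.register("acquisition-memo", FINAL)  # only the final version is recorded

if __name__ == "__main__":
    for label, payload in (("final", FINAL), ("excerpt", EXCERPT), ("draft", DRAFT)):
        print(label, REGISTRY.check_egress(payload))
```

The final memo and the excerpt pasted into an email are stopped, while the draft passes because it was never recorded in the central database, so coverage depends entirely on what the security manager registers.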
We also have to remember that information is not only stored in documents, but is more often stored in emails, internal web servers, and databases. There are many different ways, often individual to each company, in which it can be accessed.
Up to here we have mostly considered mobile devices as a means of obtaining information, but they can also be a means of inserting unwanted data. They can store viruses as well as legitimate files, enabling us to infect a company's entire network. Since we cannot prevent the use of mobile devices, we should understand how, when and what can be used and which protective measures should be implemented.
Intrinsic security of mobile devices
Our main problem is that the few security measures we can apply to laptops cannot usually be applied to mobile devices. Consider for example smart-phones, one of the biggest nightmares of a security manager. Features outweigh security. Different protocols and network automatic connectivities are big pluses, but this means that the user cannot even be sure which network they are connected to at a certain moment, and which protocol is being used.
We need to be able to deploy our security policies on all IT devices, mobile and fixed, but it is difficult to see how it could be possible in the near future. We have too many different objects which interact and which we should manage in different ways. The only way out probably is to rationalise, adopt some standards, and restrict access to devices which are authenticated and which satisfy our security policies.
Encrypting data on the hard disk is often difficult, as is the possibility of limiting functions depending on the network to which the phone is connected. On the other side, being mini-computers these devices are liable to bugs, which makes them open to compromise.
Ultimately, today it is up to the user to protect data coming in and out of mobile devices. But we cannot expect everyone to be an ICT security expert, so we face some hard times. Technology and security solutions will catch up but for the moment the biggest burden unfortunately remains not just on the security managers, but also on the final users.
Can a fraud prevention plan be really effective?
Dario Forte, CISM, CFE, founder and CEO, DFLabs, Italy
Why do insiders commit fraud? While there is no one answer to this question, we can make a few high-level observations that will help us get a grasp on the source of the problem.
Businesses are composed of various categories of employees. There are certainly honest employees who have a positive outlook on their companies and some degree of attachment to them. There are also employees who start out honest but may be led astray by circumstantial events, and other factors relating to their hierarchical and economic status within the company. Companies that ignore disequilibrium among these factors do so at their own peril.
Insider fraud is a continually shifting target. Many companies think they are safe just because they have already dealt with an instance of insider fraud, failing to understand that it is an ongoing and shifting phenomenon that evolves along with trends in violations. A one-shot crackdown, even if carried out with grand style, is not going to do the trick.
The top-down response is still limited. There has been much talk recently about getting top management involved in security issues. A recently published investigation by Carnegie Mellon