Wednesday, December 11, 2019

Security Management Best Practice Based

Question: Discuss security management best practice for mobile devices.

Answer:

Introduction

Mobile devices are used extensively today by individual and business users alike. They hold a great deal of information, and that information is the key asset of every user and organization, so managing the information and data sets associated with these devices effectively is a prime concern. Information falls into many categories: sensitive, internal, for office use only, public, private and so on. The information sets that organizations handle on a routine basis are large in volume and vary in content, type and many other factors. Policies and strategies are therefore needed to manage information of every class and type, and this document highlights some of the mobile device security vulnerabilities together with the countermeasures and mitigation strategies that may be followed.

The following research questions have been answered with the aid of research into the vulnerabilities and risks associated with mobile devices:

- What are the common vulnerabilities and risks associated with mobile devices?
- What is the impact of these risks and vulnerabilities on the device and on its users?
- What steps have companies taken to prevent and detect mobile device risks?
- What security features and mechanisms have been implemented?
- What security strategy should be adopted to avoid the risks associated with mobile devices?

Several research methods and approaches have been designed that can be adopted to carry out a particular study.
The methodology adopted here is exploratory research, in which the available data is analysed and conclusions are drawn from that analysis. Data on this topic was collected from a number of sources such as online journals, organizational data, customer reviews and academic papers; it was gathered together and conclusions were then drawn on the research topic.

Mobile Device Security Risks, Threats, Vulnerabilities and Their Impacts

A security vulnerability, in relation to the information held on a mobile device, is a weakness that can be exploited to bring about a security threat or attack. A threat is a security event that may have a negative impact on the data and information held within a particular system. The variety of information that a user or organization handles every day, and its use across many business services and operations, is enormous. The number of different data sources, and the varied formats of the data, is also a prime reason for the presence of so many threats and vulnerabilities. Some of these risks, threats and vulnerabilities associated with mobile devices are listed and explained below.

Threats associated with the device itself

Users often connect to public Wi-Fi networks that are not secured. An attacker on the same network can capture the traffic and misuse the information it contains.
A number of Bluetooth attacks target mobile devices. In bluejacking, unsolicited anonymous messages are pushed to a nearby device; in bluesnarfing, the attacker gains access to the data on the device without the user's knowledge.

Owing to the limited storage on smartphones and tablets, users tend to save their data to web services. Although the data stored in the cloud is protected, the cached copies left behind on the device are not, and they remain available for exploitation until the phone is factory reset or the user deletes them.

Secret keys, sensitive business logic and access tokens are frequently embedded in the application code itself, and all an attacker has to do is reverse engineer the application to extract them. Once the device is stolen, or the application package is otherwise obtained, it is fairly easy to reverse engineer it and use the recovered secrets for malicious purposes.

Many mobile applications transmit data with no encryption at all. Even where encryption is in place, developers often choose to ignore certificate validation errors and fall back to plain-text communication, which can then be sniffed through a man-in-the-middle attack.

New forms of mobile client-side injection

Apart from the typical HTML and SQL injections that are possible against the mobile web, mobile applications are now seeing other kinds of abuse, such as injected content that triggers the phone dialer, sends SMS messages or initiates in-application payments.

Availability attacks

Availability attacks make information inaccessible to its users. Many services and applications run in parallel on an organization's internal and external networks, and Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks against them make them unavailable.
In these attacks the malicious parties flood the network of a particular service or application with unnecessary garbage traffic to degrade its quality, which often ends in a breakdown. It is through this process that services and applications become inaccessible and unavailable to end users (Ipa, 2009).

Phishing

Phishing attacks target the organization's information by sending false emails and messages to users in order to trick them into handing over important information.

Mobile application threats

From time to time there is news of new applications appearing in the application stores that are already compromised, intentionally or otherwise. A wide range of mobile application threats has emerged as a result, including the following.

Malware attacks on mobile devices

Malware attacks on information are commonly observed against users and organizations alike. Many types of malware have been created, such as viruses, Trojan horses, logic bombs, worms, ransomware, adware and spyware, and all of these affect mobile devices as well, resulting in financial fraud or theft. Application markets are bound by guidelines and principles that must be followed to upload an app, yet malicious software is still introduced into these markets, downloaded onto mobile devices and compromises their security. Unlocking the bootloader in order to sideload apps from outside the app markets also frequently results in rootkits and similar malware infections.

The applications that businesses and users develop and deploy rely on several Application Programming Interfaces (APIs). These APIs become one of the major threat agents, and attackers often exploit them to carry out successful security attacks.
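The dialer and SMS abuse mentioned under client-side injection above is usually reached through tel: and sms: links in content that the application renders. The following is an added example, not code from the original document, of the allowlist check a hybrid (WebView-based) app could apply before handing such a link to the operating system. The scheme list, the E.164-style number rule and the sample links are assumptions made for the illustration. The check rejects MMI/USSD control sequences (anything containing * or #), which the dialer on some handsets has executed directly rather than dialled, and anything that is not a plain subscriber number.

```python
import re
from urllib.parse import unquote

# Schemes the app is willing to hand to the OS from untrusted content (assumed allowlist).
ALLOWED_SCHEMES = {"tel", "sms"}
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):(.*)$", re.S)
# E.164-style subscriber number: optional leading '+', then 3 to 15 digits.
NUMBER_RE = re.compile(r"^\+?[0-9]{3,15}$")
# Punctuation people legitimately type into phone numbers; removed before validation.
FORMATTING = str.maketrans("", "", " ()-.")


def validate_dial_link(link):
    """Return (allowed, reason) for a link that would be passed to the dialer or SMS app."""
    m = SCHEME_RE.match(link.strip())
    if not m:
        return False, "no URI scheme"
    scheme, rest = m.group(1).lower(), m.group(2)
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"
    if rest.startswith("//"):  # tolerate tel://number as well as tel:number
        rest = rest[2:]
    # Everything before '?' is the number; percent-decode first so %2A cannot hide a '*'.
    number = unquote(rest.split("?", 1)[0]).translate(FORMATTING)
    if "*" in number or "#" in number:
        return False, "MMI/USSD control code in number"
    if not NUMBER_RE.match(number):
        return False, "not a plain subscriber number"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample links, not taken from any real page or app.
    for sample in ("tel:+15551234567", "sms:5551234567?body=hello", "tel:+1 (555) 123-4567",
                   "tel:*2767*3855%23", "tel:%2A%2306%23", "javascript:alert(1)", "tel:"):
        print(f"{sample!r:32} -> {validate_dial_link(sample)}")
```

The decode-then-inspect order matters: a link such as tel:%2A%2306%23 looks harmless as a string but becomes *#06# once the OS decodes it, so the check must see the decoded form.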
Newer Forms of Mobile Device Security Attacks

Apart from the risks and attacks summarized above, many further attacks have emerged with advances in technology and the growth in mobile device use. Already-infected mobile devices are used by attackers to damage other devices: the infected device looks for other mobile devices on the same network or within range and passes the malware or infected code on to them. Ransomware attacks were once restricted to computer systems and applications, but with the growth in mobile use they have spread to mobile devices and applications as well; attackers capture the users' credentials and information and lock the device or the application, which is released only after payment. Users rely on mobile devices for personal and professional activities, including a number of financial tasks. Crypto-currency mining attacks are executed against mobile devices and the information stored on them, with attackers using malware to infiltrate the device and use its resources to mine digital currency. Wireless sniffers and signal jammers are also causing a lot of trouble for mobile users; devices that lack adequate security measures are the ones affected, since the information on the device is exposed to the attacker.

Comparison between Android and iOS Mobile Security

The diagram above shows the shipment volume of Android and iOS devices from 2013 to 2016.
Two of the most widely used mobile operating systems today are Android and Apple's iOS. Android is shipped by several device vendors, such as Samsung, Lenovo and Motorola. The security features and mechanisms offered by Android and iOS differ from each other. Both operating systems offer the traditional forms of access control: PINs and passwords for unlocking the device, unlock patterns set by the user, and application locks. Permission-based access control applies on both Android and iOS, and an application can in addition require the user to enter a password or PIN before it opens. Applications installed on either Android or iOS do not have direct access to the hardware; several intermediary software layers sit between the application and the hardware and act as a barrier between the two. Many web-based attacks are common in the mobile world, and both operating systems have built-in mechanisms to deal with them.

Strengths and Weaknesses of Android and iOS

Apart from the common security features listed above, a number of security mechanisms are specific to Android. Each application installed on an Android device declares a static list of permissions, which is used to enforce permission-based access control on the application. Applications also cannot be installed automatically on Android without the user's consent, which prevents a great many web-based and other attacks on the information stored on the device.
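Two of the points above, the static permission list that Android applications declare and the secrets and plain-text endpoints that can be lifted out of application code by reverse engineering, can be checked before an app ever reaches a device. The following is an added example, not code from the original document or from any vendor, of a small static audit over an APK-style bundle: it parses the manifest for dangerous permissions, the debuggable flag and cleartext-traffic settings, and greps every other member for hard-coded keys and http:// URLs. It assumes the manifest has already been decoded to plain XML (a raw APK stores it in binary form, which a tool such as apktool converts); the dangerous-permission list, the secret patterns and the sample bundle are constructed for the illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Runtime ("dangerous") permissions that a reviewer normally wants justified (assumed subset).
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO", "android.permission.CALL_PHONE",
    "android.permission.READ_PHONE_STATE", "android.permission.READ_CALL_LOG",
}

# Material an attacker can lift out of an unpacked bundle with nothing more than `strings`.
HARDCODED_PATTERNS = {
    "aws_access_key": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "api_key_literal": re.compile(rb"(?i)(?:api[_-]?key|secret|token)\W{1,5}[A-Za-z0-9_\-]{16,}"),
    "cleartext_url": re.compile(rb"http://[A-Za-z0-9.-]+"),
}

# Constructed sample manifest (not from any real app), already decoded to plain XML.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:debuggable="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true"/>
  </application>
</manifest>
"""


def audit_manifest(xml_bytes):
    """Flag dangerous permissions and risky <application> flags in a decoded manifest."""
    root = ET.fromstring(xml_bytes)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    app = root.find("application")
    sdk = root.find("uses-sdk")
    target = int(sdk.get(ANDROID_NS + "targetSdkVersion", "0")) if sdk is not None else 0
    cleartext_attr = app.get(ANDROID_NS + "usesCleartextTraffic") if app is not None else None
    # Android 9 (API 28) turned cleartext off by default; older targets allow it unless told otherwise.
    cleartext = cleartext_attr == "true" if cleartext_attr is not None else target < 28
    return {
        "dangerous_permissions": sorted(requested & DANGEROUS_PERMISSIONS),
        "debuggable": app is not None and app.get(ANDROID_NS + "debuggable") == "true",
        "cleartext_traffic": cleartext,
    }


def audit_apk(apk_bytes, max_member_bytes=5 * 1024 * 1024):
    """Walk every member of the bundle: parse the manifest, grep everything else for secrets."""
    report = {"dangerous_permissions": [], "debuggable": False,
              "cleartext_traffic": False, "hardcoded": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as bundle:
        for info in bundle.infolist():
            if info.is_dir() or info.file_size > max_member_bytes:
                continue  # skip directories and very large assets such as video
            data = bundle.read(info.filename)
            if info.filename == "AndroidManifest.xml":
                report.update(audit_manifest(data))
                continue
            for kind, pattern in HARDCODED_PATTERNS.items():
                if pattern.search(data):
                    report["hardcoded"].append((info.filename, kind))
    return report


def build_sample_apk():
    """Constructed bundle carrying the weaknesses the audit is meant to catch; not a real app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", SAMPLE_MANIFEST)
        # A dex-like header followed by a string containing the AWS documentation example key.
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16 + b"AKIAIOSFODNN7EXAMPLE\x00")
        z.writestr("assets/config.json",
                   b'{"api_key": "sk_live_9f8e7d6c5b4a3210abcd", "endpoint": "http://api.example.com"}')
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in audit_apk(build_sample_apk()).items():
        print(f"{key}: {value}")
```

A real review would run the same audit over the apktool output of a release build, since obfuscation changes class names but leaves string literals such as keys and URLs in place.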
The figure above shows that in 2016 Android had the most reported vulnerabilities of any operating system, desktop systems included: 523, more than three times the 161 reported for iOS. Android has further weaknesses. Many Android phones supplied by manufacturers can no longer be updated to the latest version of the OS, and such devices are exposed to a greater number of security risks and attacks. Manufacturers are also free to modify the device's UI as they wish, which has been the source of many security issues. The Google Play Store application marketplace also has limited security controls, and numerous security risks and threats ride along with the download of a mobile application onto a device (Smedinghoff, 2016).

iOS has an enhanced permission-based access control that prompts users frequently to decide whether an application may proceed. The location-based services that come with iOS devices are first class: geo-tagging and geo-location capabilities let users track a device even when it is lost or stolen. iOS also lets users wipe selected data sets and information from a device in case of its loss. Users store a lot of private and sensitive information on mobile devices, and such information can be erased with a single click (Cengage, 2016). There are also weaknesses associated with devices running iOS. If the user chooses to jailbreak the device, it becomes exposed to a wide range of malware attacks.
Such attacks can cause a great deal of damage to the device and the information held on it. Older iOS devices also cannot always be upgraded from a previous version of the operating system, which again exposes them to many security risks and attacks (Saint-Germain, 2005).

The table above summarizes the security features that were available to a typical iOS user versus a typical Android user in 2013.

Mobile Device Security Goals

Business processes, operations and activities must comply fully with the security policies, laws and regulations that govern them. The security mechanisms developed must ensure that confidentiality, privacy, availability and integrity are safeguarded. There must never be a complete breakdown of business continuity (Anderson, 2016). The time required to recover services and applications to normal operation must be kept very low. Security mechanisms applied to third-party dealings must satisfy the requirements of all parties involved. The security frameworks must be regularly upgraded and maintained (Hostland, 2010).

Mobile Device Security Strategy

The approach and strategy should be developed according to the nature and type of the information that may be affected or put at risk.

Confidentiality: this property of the information must be maintained across all business processes so that there are no violations or unauthorized accesses.
Integrity: modifications, changes, deletions, updates and additions must be performed only in an authorized manner.
Availability: authorized users must be able to access the information at all times and from all locations (Arcs, 2016).

A great deal of work is being done to ensure that mobile device risks and attacks are prevented and avoided.
Internet of Things (IoT) applications and artificially intelligent applications are on the rise, and mobile devices play a major role in both. Mobile device security in relation to IoT and cloud computing must be addressed so that the level of security offered increases and risks are not realized. In terms of the mobile operating systems, it is also essential to enhance the built-in basic and advanced security features by installing logical and technical security controls. Such measures would reduce the frequency of mobile device security risks and attacks (Whitman, 2016). Users also need to be educated and made aware of mobile security risks and attacks, and training and awareness sessions must be initiated for this purpose.

Conclusion

Information is the key asset of every organization, and managing the information and data sets associated with it effectively is a prime concern. Information falls into many categories: sensitive, internal, for office use only, public, private and so on. The information that mobile devices used by individuals and organizations handle daily includes application data, personal details of the users, the files and data stored on the device and much more. Numerous security risks, threats and vulnerabilities are associated with mobile devices. These can be prevented and controlled with the aid of applicable countermeasures and policies.

References

Alnatheer, M. (2014). A Conceptual Model to Understand Information Security Culture. [online] Available at: https://www.ijssh.org/papers/327-A00013.pdf [Accessed 25 Nov. 2016].

Anderson, R. (2016). Why Information Security is Hard. [online] Available at: https://www.acsac.org/2001/papers/110.pdf [Accessed 25 Nov. 2016].

Arcs (2016). Information Security Policies. [online] Available at: https://www.arcs.qmul.ac.uk/policy_zone/information_security_policy.pdf [Accessed 25 Nov. 2016].

Cengage (2016). Legal, Ethical, and Professional Issues in Information Security. [online] Available at: https://www.cengage.com/resource_uploads/downloads/1111138214_259148.pdf [Accessed 25 Nov. 2016].

Hostland, K. (2010). Information Security Policy. [online] Available at: https://services.geant.net/cbp/Knowledge_Base/Security/Documents/gn3-na3-t4-ufs126.pdf [Accessed 25 Nov. 2016].

Ipa (2009). 10 Major Security Threats. [online] Available at: https://www.ipa.go.jp/files/000016942.pdf [Accessed 25 Nov. 2016].

Ishandbook (2016). Types of Controls. [online] Ishandbook.bsewall.com. Available at: https://ishandbook.bsewall.com/risk/Assess/Risk/control_types.html [Accessed 25 Nov. 2016].

Keung, Y. (2016). Information Security Controls. [online] Available at: https://www.omicsgroup.org/journals/information-security-controls-2168-9695.1000e118.php?aid=23716 [Accessed 25 Nov. 2016].

Ngoma, S. (2012). Vulnerability of IT Infrastructures: Internal and External Threats. [online] Available at: https://www.congovision.com/IT-Security-Pub.pdf [Accessed 25 Nov. 2016].

O'Neil, L. (2015). How to Implement Security Controls for an Information Security Program at CBRN Facilities. [online] Available at: https://www.pnnl.gov/main/publications/external/technical_reports/PNNL-25112.pdf [Accessed 25 Nov. 2016].

Saint-Germain, R. (2005). Information Security Management Best Practice Based on ISO/IEC 17799. [online] Available at: https://www.arma.org/bookstore/files/Saint_Germain.pdf [Accessed 25 Nov. 2016].

Smedinghoff, T. (2016). The State of Information Security Law. [online] Available at: https://resources.sei.cmu.edu/asset_files/WhitePaper/2007_019_001_52931.pdf [Accessed 25 Nov. 2016].

Whitman, M. (2016). Readings and Cases in Information Security: Law and Ethics. [online] Google Books. Available at: https://books.google.co.in/books?id=nTMIAAAAQBAJpg=PA272lpg=PA272dq=information+security+ethical+compliance+pdfsource=blots=flbySXXdj1sig=i6XDp71lCjObz40ugSYyDZl4AEchl=ensa=Xved=0ahUKEwi39fzQ0MDQAhWLV7wKHUeCD804ChDoAQgqMAE#v=onepageq=information%20security%20ethical%20compliance%20pdff=false [Accessed 25 Nov. 2016].
