Monday, October 14, 2019
The Smartphone Security Awareness Information Technology Essay
Over the past decade mobile phones have become pervasive and have evolved significantly from feature phones to smartphones to fit the increasing needs of the competitive market and to meet consumers' wants and needs. The purpose of this research paper is to provide insight and raise security awareness into the risks posed by unsecured smart mobile devices.

Smartphones are ubiquitous devices and are comparable to the personal computer in terms of computational power, choice of operating systems, software with the same extended features and the ability to support third-party software.

Smartphones have given businesses and their workforce the freedom to collaborate and access organizational data 24 hours a day, 365 days a year.

What has been done to protect individuals and businesses from the ever increasing threat of mobile-oriented attacks?

Pervasive computing (also called ubiquitous computing)
Endpoint security
antivirus/malware
enterprise information infrastructure
mobile information security perspective
security awareness training
technical topics are outside the scope of this research

Introduction

The purpose of this document is to expose a business problem from a technological viewpoint. The subject of the business problem I have selected is smartphone security awareness. This subject will be analysed and critically evaluated, then expanded upon further to reflect the range of possible solutions and create a comprehensive guide for the benefit of the reader.

1.1 Motivation

The motivation for this project was mostly due to my vocational role as an IT consultant. During the course of my employment over the past decade within the IT industry, I have noticed a substantial gap within businesses for the need of greater smartphone security and awareness.
It was obvious to me that the evolution and improved capabilities of cellular devices established a greater risk for organisations.

This thesis is the result of work I have personally carried out in various roles throughout my technological career between October 2004 and December 2010.

1.2 Aims and objectives

The following are my aims and objectives for this project.

Aims

Create an authoritative document with recommendations to raise awareness and inform businesses of the need for greater mobile security within the business environment.
Use insight to establish a research gap.

Main objectives

Assess smart mobile devices currently used.
Analyse security advantages and disadvantages of smart mobile devices.
Establish what risks smart mobile devices are exposed to.
Evaluate impact of risk exposed by unsecure mobile devices to businesses.
Examine mobile security currently available.
Investigate responsibility.
Evaluate current business policies and procedures for mobile devices and how these are enforced.
Construct smartphone security guide with recommendations for businesses.

1.3 Problem Statement

The problem is information and financial loss due to information theft or inaccessibility from malicious software (malware), and the detrimental impact this has upon the business.

There are many types of information that can be stored on smartphones, for example personally identifiable information in the form of contact details (phone, address), email, GPS coordinates...

Information security has gained significant value within the business domain over the past decade; however, this value remains subjective. Users have been made aware of the risks posed by malicious software whilst using their personal computer on the internet; now assistive technology like smart mobile devices is becoming increasingly more powerful, functional and ubiquitous.
Where personal computers have at least some security software in place as standard, smartphones commonly have no security software installed and are susceptible to the same threats as personal computers.

Businesses, professionals and personal users now have a greater awareness of the need for personal computer security. This has been provided by media coverage, enterprise training or through personal experience. When using a personal computer or laptop, for example, it is common to find a firewall and antivirus software installed, showing that internet safety has now become a social normalcy.

Example

http://www.bloobble.com/broadband-presentations/presentations?itemid=3397

Data loss or inaccessibility due to a virus, data theft due to

Smartphones are high specification mobile personal computers, and are subject to the same risks personal computers are open to.

"There are four to five billion mobile phones and we are approaching a billion smart phones. But remember that these devices are more powerful than supercomputers were a few years ago, and we are putting them in the hands of people who've never had anything like it before."
Google CEO Eric Schmidt

Businesses need IT to function; IT adds value and helps them to compete in today's economic climate.

IT's purpose is to save time; time is money.

Today's organisations rely heavily upon information technology in order to allow their business to function (Khosrowpour, 2001). This is fundamentally due to how intricately information technology systems are embedded into organisations. Enterprise architecture (EA) is a communication tool between IT and business (Zachman, 2004).

EA is multifaceted (Wagter et al, 2005) and for the scope of the project I will be examining how the Security Architecture (SA) facet can benefit organisations to secure the Information Technology within the business against the increasing threat that unsecured mobile devices pose.
There are many different mobile operating systems for smart mobile devices requiring different security applications. I will analyse these systems and the risks associated. My intentions are to investigate what impacts smart mobile devices can have on businesses, why these problems affect the organisation, and how they are overcome.

Finally I will gather insight and make recommendations that businesses can use to foresee and prevent future unnecessary costs and risk.

2 Literature review

2.1 Background

The subject I have proposed to use for this project is a very real-world business and information technology problem.

Because smartphone security is still in its infancy, it is currently quite a challenge to source accurate and relevant information from authoritative sources such as Emerald without resorting to web based research. However, as this project advances, smartphone security is becoming omnipresent in the media.

The first documented computer virus was designed over 25 years ago by two brothers named name 1 and name 2 in Pakistan; the virus was called the brain virus...

Timeline
evolution of the mobile telephone (Malware)
Analogue
Cellular
Mobile History / Uses

2.2 Current status/Development of theories

Information is all that needs to be secured. Malware is changing, smartphones are changing and businesses are changing.

How far up the technological ladder are mobiles/feature phones/smartphones

2.3 How this project fits in with the literature review

I had chosen the subject then chosen the literature review method, thus tailoring the literature review to fit the requirements of the project.
3 Research methods

3.1 Introduction: hypothesis

Throughout my employment, I recognised a gap and need for smartphone security within

3.2 Epistemology

http://www.learnhigher.ac.uk/analysethis/main/quantitative1.html

One of the methods of analysis I will use is the conceptual method; this has been described by Beaney as a way of breaking down or analysing concepts into their constituent parts in order to gain knowledge.

Conceptual analysis consists primarily in breaking down or analysing concepts into their constituent parts in order to gain knowledge or a better understanding of a particular philosophical issue in which the concept is involved (Beaney 2003). I have interpreted this to mean the compartmentalisation and analysis of data.

The proposed project will be delivered using an analytical in-depth research structure. I have chosen this project structure as it will primarily be research based on the current business problem as previously stated. I intend to analyse this problem, propose possible solutions, test and implement a well-documented solution with recommendations.

Critical and creative thinking skills such as Edward de Bono's six thinking hats will be used to examine the problem domain. A review will be given on how the systems work, comparing them to how they should work. I will then analyse the solution domain by examining which options are available to improve the system security, along with an optimal recommendation and the benefits it would provide.

3.3 Methodology

Figure: Research method

For my project I will implement a triangulated, positivistic methodological approach. I have chosen this particular technique as it will provide me a balanced view of the subject area. I will incorporate both quantitative and qualitative primary research methods as recommended by Bryman (BRYMAN, 2006). However, for the scope of this project I will be mostly using quantitative based research as indicated in Fig 1 below.
Bryman advises that quantitative data can be gathered by way of a survey and qualitative research collected from journals and interviews.

Initially I will undertake primary research in the form of a survey questionnaire, and furthermore I will interview professionals in the field of smartphones and security such as police personnel, security advisors and mobile phone shop staff.

The survey will be available to respondents in paper form and electronically hosted so any user with internet access may access it. I will design the survey to be concise and simple to maximise the number of respondents and gain quality information.

My target survey participants are business managers, IT professionals and general smartphone users. I have chosen to target these particular users as I am trying to ascertain not only the perception of smartphone security but also what policies and procedures are put in place and how aware users are of these. I have proposed to target these users by using a popular internet based technological social news website named Reddit.

Reddit has a daily turnover of over 850,000 unique users (Alexa, 2010). According to Alexa the average Redditor is male, between the ages of 18 and 44, does not have children, is well educated and browses Reddit either from work or home, suggesting that the majority of Redditors are working professionals and, due to Reddit being a technological social news website, the average user is technologically aware (Alexa, 2010). This confirms my premise and establishes that Reddit would suit my proposed target survey participant.

There are many options available for online survey software, and each option has its benefits and weaknesses. I have carefully analysed these options personally and have chosen to utilise the cloud based option Survey Monkey to host my survey.
The default limitations of Survey Monkey are

the survey itself has been designed to be logical with closed questioning and

Qualitative data has been sourced from reliable and authoritative resources. I have chosen journals from Emerald

Primary research methods used

Interviewing mobile phone shop staff, police, business owners

I will critically analyse the results of my survey by comparing the answers given to a risk register.

4 Results

4.1 Presentation and description of results

Who took part?

A survey was conducted to establish the awareness of the need for smartphone security. Users from technological backgrounds were openly invited to partake in the survey and assured of anonymity. A total of 758 people responded to the online survey from a possible 854,998 potential participants. The survey itself was open for one month during February and March 2011.

The results indicated that the majority of survey responders, 82%, were male as opposed to the 18% that were female, both averaging 26 years of age; this confirms part of my original hypothesis as an average smartphone user.

When asked, 53% of respondents reported that they had used their smartphone solely for personal use, as opposed to the 45% of partakers that reported they used their smartphone for both business and personal use and just 2% that reported using a smartphone solely for business use, combining a total of 47%, as shown in Fig 2.

Figure: Smartphone use

25% of respondents had only been using smartphones for the past six months, 17% were aware they had been using them for at least a year and a majority of 59% had been using smartphones for more than one year.

Only 12% of respondents opted to use pay as you go payment facilities as opposed to the greater majority of 88% that have contracts.
Smartphone

34% of respondents used an Apple iPhone, 58% reported using Android smartphones, 13% used Blackberries and 6% (46) of respondents had Nokia smartphones.

87% of respondents had used calendar functions, 94% used email, 86% used games, 87% used GPS features, 74% used instant messaging, 52% used internet banking facilities, 66% used the multimedia messaging service (MMS), 94% used the short messaging service (SMS) feature and 78% admitted to using social networking sites on their smartphone. A total of 756 participants responded and 2 chose not to answer the question.

From a total of 758 respondents, 63% (476) valued the physical smartphone above the 37% (282) who valued the information more.

Applications

93% of survey partakers used 3G for mobile data communication, 59% used Bluetooth technology, only 4% had used infrared line of sight technology, 75% admitted to connecting via universal serial bus (USB) and 94% had used wireless for mobile data communication. A total of 757 participants answered this question and 1 chose to skip the question.

Security

The majority of survey respondents, 64% (485), considered smartphone security as beneficial but not essential; 21% (159) did not consider there to be a need currently for smartphone security software, as opposed to 15% (114) who considered smartphone security software as absolutely essential. A total of 758 of 758 responded to this question.

87% of participants reported that they did not use any form of smartphone security software such as antivirus, as opposed to 13% that did.

A majority of 92% (699) had not been advised of any security methods to protect them or their information from fraud, theft or malicious software.
8% (59) of respondents agreed they had received adequate security advice. Everyone answered this.

Malware

95% (694) of respondents were aware of Adware, 27% had known about Badware, 25% (181) were aware of Crimeware and 69% (504) had previous knowledge of Rootkits. Trojans (95%, 696), Spyware (95%, 697) and Worm (90%, 656) were the most commonly recognised terms from the malicious software list, the majority being Virus (711), with 97% of respondents being aware of this type of malware. 731 respondents answered this question.

62% of survey participants reported that they did not pay attention to licence agreements and permissions when installing applications on their smartphones; 34% reported they did read the licence agreements and permissions. 4% of respondents believed that this question was not applicable to them for their smartphone use.

Personal Computer

81% of responders were aware of the need for security software for personal computers and 19% were not aware. All survey partakers responded to this question.

94% (713) of participants have connected their smartphone to a personal computer (PC); 6% (46) stated they had not ever connected to a PC. All 758 respondents answered this question.

96% (728) of respondents stated that they owned the smartphone; only 4% (30) of respondents had employer owned smartphones. All partakers responded to this question.

Responsibility

Out of the 758 respondents, 15% (115) were aware of policies within their place of business, with the majority of respondents, 41% (309), unaware of any workplace policies or procedures particularly orientated toward smartphones. 44% (334) responded that the question was not applicable to them. All participants answered this question.
4.2 Discussion and interpretation of the results

Awareness and concern
Compare phones and age to security awareness
Bb were the most security aware group
Internet banking is true but smartphone antivirus is false and user is aware of computer antivirus need.
Harris Interactive: Tablet users more likely to transfer sensitive data than smartphone users
Serendipity, sagacity

5 Smartphones

A mobile phone is a portable electronic device used to make and receive telephone calls. The mobile phone was first revealed by Dr Martin Cooper from the company Motorola in 1973. It was not until ten years after Dr Cooper's demonstration that Motorola released its flagship mobile phone, the DynaTAC; this was the world's first commercially viable mobile phone (Motorola, 2009).

Originally these devices were commercially targeted at businesses and upper class individuals, as the cost of the device was very high and the actual usage was severely restricted. Due to the technology limitations at this time, battery weight was 2kg (Motorola, 2009) and the battery would last a maximum of 30 minutes, thus making the device impractical and available only to businesses and professional consumers.

According to Moore's Law, the number of transistors on a chip roughly doubles every two years (Intel, 2005).

As Moore stated over thirty five years ago, due to the advancement of processors, battery technologies and overall reduced power consumption, mobile phones have become lighter, smaller, more powerful and longer lasting. Due to these fundamental technological advancements mobile phones have been able to incorporate additional existing technologies such as camera units, sensors and speakers, and often take advantage of Java based applications and features, thus coining the term feature phone. Feature phones are more advanced technologically than mobile phones.

Smartphone

The term smartphone is ambiguous and many experts fail to agree on a suitable definition.
Most smartphone features are not exclusive to a particular category. This project does not intend to make that definition; however, for the scope of this project I have listed combined definitions and compared current smartphone features as listed in Figure 3 below.

Most vendors... type more

Gartner, a world leading authority in information technology research, defines smartphones as "A large-screen, voice-centric handheld device designed to offer complete phone functions while simultaneously functioning as a personal digital assistant." (Gartner, 2010)

Feature phones can have several of the characteristics listed below in Figure 3; however, smartphones have the capability of providing all the capabilities. As a result, any mobile device meeting all conditions of each function in Figure 3 can be considered a smartphone under this definition.

Figure: Smartphone characteristics

Function: Characteristic
Phone size: Device is compact and easily transported.
Operating System: Operating system that allows third party applications.
Connectivity: Device provides multiple methods (wired and wireless) of connecting to both the internet and other devices and networks.
Input: The device contains keyboard, or touchscreen keyboard.
Storage capacity: The device has a large and expandable storage facility.
Office functionality: The device provides the ability to perform basic office tasks such as email, taking notes and word processing.
Calendar: The device includes a digital organiser and calendar.
Synchronisation: The device supports synchronisation of information with fixed desktop or laptop devices, or online web services.
Phone Features: The mobile device executes voice, text and multimedia message functions.
Sensors: Accelerometer, light, sound and movement sensors.
A model to measure the maturity of smartphone security at software...

Under this definition of smartphones or Smart Mobile Device (SMD) the following mobile platforms were included:

Apple iOS
Blackberry
Google Android
Symbian
Windows Mobile

These mobile platforms were reported to be the top 5 mobile platforms used in 2010.

Figure (?) Storage expansion cards

Smartphones currently reside in the top tier of mobile communication technology.

Third party operating system

As previously stated, there are many smartphone platforms available, each platform and brand bringing different benefits and functionality. These platforms or operating systems create opportunities for both businesses and personal users. For businesses this increased functionality provides the facility for added employee productivity.

These opportunities exist not just for business and personal users, as the opportunity extends to the bad guys too; I will continue to explain further in the document.

Smartphone Definition

A smartphone is defined as "A cellular telephone with built-in applications and Internet access" (PCMAG, 2010)

describes a smartphone as a ... and... describes it as... I have interpreted these descriptions and define smartphones as not feature phones basically.

All smartphones have generalised functionality, such as input devices (keys, touchscreen). I will go into greater detail regarding the operating features

Botha, et al (2009) point out that early generations of cell phones and PDAs had relatively little storage capability. Johnson (2009) indicates that today's generation of devices can be quickly and easily upgraded by adding additional storage cards.

http://mobileopportunity.blogspot.com/2007/01/shape-of-smartphone-and-mobile-data.html

5.1 Apple

The Apple iPhone was the original smartphone (), first released in June 2007.

Popular, perceived security (apple store, scans for malware?)
Simplistic design
Limitations: NO support for flash

5.2 Android

Open source, will be biggest

5.3 Blackberry (RIM)

Security architecture built upon military specification, perceived most secure as email encryption (tunnelled) through Canada
Banned in UAE

5.4 Symbian

Owned by Finnish giant Nokia

open sourcing the software opens up the availability of the Source Code to programmers, who can then develop, modify and distribute as they see fit meaning a richer and hopefully what becomes a considerably improved OS very quickly thanks to developer input. http://blog.mobiles.co.uk/mobile-news/symbian-os-goes-open-source/

http://blog.mobiles.co.uk/wp-content/uploads/2010/02/symbian.jpg

Most popular globally, acquired by Microsoft?

5.5 Windows mobile

Newest player, least perceived secure device

6 Smartphone role within business environment

6.1 Email

7 Malware defined

Continuously evolving, changing creative
Virology
Malware encompasses
Define Malware (Family)

Malware, short for malicious software
http://en.wikipedia.org/wiki/Malware

Grimes (2001) defines malware as any software program designed to move from computer to computer and network to network to intentionally modify computer systems without the consent of the owner or operator.

Etsebeth, V. (2007)

Sensory malware

Soundminer, a stealthy Trojan with innocuous permissions that can sense the context of its audible surroundings to target and extract a very small amount of HIGH-VALUE DATA.

Give example

7.1 Badware

Give example

7.2 Crimeware

Collecting company secrets for profit

Crimeware is malicious software that is covertly installed on computers. Most crimeware programs are in fact Trojans. There are many types of Trojans designed to do different things. For example, some are used to log every key you type (keyloggers), some capture screenshots when you are using banking websites, some download other malicious code, and others let a remote hacker access your system.
What they each have in common is the ability to steal your confidential information - such as passwords and PINs - and send it back to the criminal. Armed with this information, the cybercriminal is then able to steal your money. http://www.kaspersky.com/crimeware

Give example

7.3 Greyware

Adware
spyware

Give example

7.4 Riskware

Give example

7.5 Rootkits

iPad and smartphone rootkits demo'd by boffins http://www.theregister.co.uk/2010/02/23/smartphone_rootkits_demoed/

Give example

7.4 Scareware

Give example

7.5 Trojan

Give example

7.6 Virus

Give example

8 Define Risk to business or individual

Mobile banking

8.1 Define Legal implications

http://www.oucs.ox.ac.uk/its3/seminar-notes/2005-05-18-DataSecurityLaw.pdf

Computer related crime

Dishonestly obtaining electronic communication service

Section 125 of the Communications Act 2003 creates an offence in relation to dishonestly obtaining use of an electronic communication service with intent to avoid payment of the charge applicable to that service. This offence reflects the continual advancement of technology, thus covering all the diverse types of services available

Theft of information

Oxford v Moss (1979)

Unauthorised use of a computer: theft of services

Theft Act 1968, s. 13: dishonestly uses without due authority, or dishonestly causes to be wasted or diverted, any electricity...

Criminal damage

• Intangible (Computer Misuse Act 1990, s.3)
  - unauthorised modification: to impair the operation, prevent or hinder access or reliability
  - denial of service: The Caffrey problem
• Case law
  - insiders
    • Whitaker (1993)
    • Lindesay (2000)
  - virus writers
    • e.g. Pile (1995), Vallor (2003)

8.2 Responsibility

Examine who is responsible
Define Solutions
Effects and results of infected device on company with each malware type

9 Security

Security doesn't exist in products and verbiage alone; it requires a process, people, policies, education, and technologies working together.
http://www.informationweek.com/news/showArticle.jhtml?articleID=6502997

9.1 ISO27002

9.2 COBIT 5

Scheduled to release in 2011, COBIT 5 will consolidate and integrate the COBIT 4.1, Val IT 2.0 and Risk IT frameworks and also draw significantly from the Business Model for Information Security (BMIS) and ITAF. http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx

Security updates?

9.3 Smartphone security solutions

http://www.networkworld.com/news/2011/020911-ibm-juniper-mobile-security.html

10 Conclusions

Moore's Law
http://venturebeat.com/2010/08/13/moore%E2%80%99s-law-hits-a-wall-trouble-for-mobile-growth/#disqus_thread

10.1 Summary

10.2 Future work

Mobile wallets
customers will be able to transfer funds from their bank account/PayPal using their phones via text message (http://www.cs.virginia.edu/~robins/Malware_Goes_Mobile.pdf)

http://en.wikipedia.org/wiki/NirvanaPhone future smartphone

Symbian acquired by Microsoft (biggest OS for PCs), newest player to smartphone market.

As sensor-rich smartphones become more ubiquitous, sensory malware has the potential to breach the privacy of individuals at mass scales. https://www.cs.indiana.edu/~kapadia/papers/soundminer-ndss11.pdf

11 Glossary

PC: Personal computer
PDA: Personal digital assistant
Prosumer: Professional + consumer = advanced consumer (Cisco, 2008)
http://www.cisco.com/web/about/ac79/docs/wp/Prosumer_VS2_POV_0404_FINAL.pdf