Information Security in Global Communication Enterprises - Case Study Example

Information Security Name: Institution: Table of Contents Executive summary 3 Chapter 1 4 Introduction 4 Background 5 Chapter 2 6 Consumer IT risk management 6 Risks 6 Loss risks 7 Malware risks 7 Bluetooth hijacking 9 Smartphone risk summary 10 Chapter 3 11 Solutions 11 There three major categories of dealing with the threats on CEO’s Smartphone include employee training and awareness, formulations of policies and adoption of technological barriers. 11 Policy 12 Technology 13 Bluetooth solutions 13 Authentic passwords 14 Encryption 14 Wiping of data remotely 14 Antimalware counter-measures 15 Recommendations 15 Chapter 4 16 Conclusion 16 References 16 Executive summary GCE is an Australian enterprise specialized in production of human implantable technological devices. The report presents contextual research findings on the threats and risks that can affect the Smartphone of GCE’s CEO. The background information provided the nature of the risks that included loss, theft, and hacking and malware attack. Further description provided the possible solutions that GCE’s IT department needed to implement to overcome the risks. They included encryption, password authentication, antimalware installation, and remote data wiping. The adoption and implementation of the solution means that GCE can counter the threats of information leakage about the technological breakthrough device that the enterprise needs to officially launch in a three month period. Information Security Chapter 1 Introduction Since its inception, Global Communication Enterprise (GCE) has experienced substantial growth, particularly in the past five years. As it is specialized in human implantable communication devices, its market is relatively competitive due to constant evolution of the same technology. In the past two years the enterprise has invested in the development of a technological breakthrough device which might reward the enterprise with a lifetime contract of developing brain implantable phone devices. As the device is undergoing its last tests, the technical specifications and information behind the creation of the device remains a myth to the enterprise employees and many people around the world. It is because; if the information gets in the wrong hands before the official launch of the device the enterprise may lose everything. High concerns over security however are linked to the recent research findings that show that GSM phones (Smartphones) are vulnerable to hacking and malware attack, among other insecurity factors. It is a prominent threat to GCE because many employees of the enterprise, including the CEO use Smartphones. Considering the fact that the CEO is the only person in the enterprise with full access to the information on the technological breakthrough device, it is important to identify the imminent threats to Smartphone and set up measures to counter the threats before the device’s information leaks (Want, 2006). It is the mandate of the Information Security Manager of the enterprise to research on the issue and report to the CEO for implementation of security measures. This paper presents a report on the risks that are faced by Smartphones and possible solutions to the risks. Background Research done for the past decade showed that, on daily basis, many enterprises incorporated Information Technology (IT) and Smartphones platforms in their working environment not only to adapt to the trending technological advances, but also to improve work performance, effectiveness and efficiency of employees (Androulidakis, 2012).. The introduction of Smartphones in the enterprise however poses imminent security risks to the entire enterprise and any other individual or organization involved in storing and transferring data on the Smartphones. Just like personal computers, the Smartphones face threats from drive-by-downloads and Trojans which besiege unprotected vulnerable endpoint installed software applications (Traynor, Enck, McDaniel & La Porta, 2009). Other threats identified by researchers include spywares, worms, viruses, scoundrel security software applications, botnets and phishing threats. It is important to note that once data is transferred to the employee’s Smartphone, it is difficult for the enterprise to control it. Since the use of Smartphone has grown rapidly in the recent years, it has attracted many Smartphone attackers (Çabuk, Karademirler & İnceoğlu, 2009). Moreover, increased usage of Smartphones creates multiple unsecure endpoints for the attackers to launch attacks on the Smartphones of entrepreneurial individuals. It is upon the responsibility of the IT security manager to take note that as long as the employees’ Smartphones play a dual role (business and personal roles), it is entirely upon the enterprise to protect the information or data stored by the device, because any loss of data directly leads to loss of consumer confidence, loss of shareholders and loss of enterprise reputation (Lee & Kim, 2006). In this regard, losing vital information to the wrong hands shows the incompetence of the enterprise in safeguarding its confidential data rather than being viewed as an accidental insecurity breach. Although the adoption of enterprise IT seems insecure, GCE cannot ban or limit the use of Smartphone devices due to the substantial benefits gained from their constant usage (Grech & Eronen, 2005). This calls for the immediate management of consumer IT risks especially the ones associated with Smartphones. Chapter 2 Consumer IT risk management Risks In the context of information security, risks refer to the possibility outcome and the presumed effect of a threat against organizational or individual information assets. This means that threats utilize various vulnerabilities of particular devices (Smartphones) (Hallsteinsen & Jorstad, 2007). The occurrence possibility of a threat is identified based on the available vulnerabilities. In other words, determination of a threat is assessed on the exploitation easiness and attacker attractiveness. The research conducted in GCE considered several factors to assess the threats facing the CEO’s Smartphone which included personal data, financial assets, personal and political connections, confidential information, corporate intellectual property of the enterprise and Smartphone functionality and availability (Arreymbi, 2006). The consideration was due to the fact that people still are unaware of dangers facing Smartphones. They do not think how information might easily fall in the wrong hands because they observe the devices as mere phones. Loss risks In the context of GCE, information loss may result if the CEO loses the Smartphone, if the Smartphone is stolen or if the Smartphone is hacked. Moreover, research findings revealed that movement from one area to another and the portability of the device increases the chances of misplacing the devices. In a research conducted by Check Point Software Technologies organization based in Redwood City, California, over 21,000 Smartphones were misplaced in taxis within a six-month interval in Chicago (Paik, 2010). In another study Trust Digital purchased haphazardly ten Smartphones from eBay and forwarded them to McLean engineers in Virginia. The engineers revealed that the Smartphones contained over 27,000 data pages of confidential information including enterprise-customer records, business sales notes and crucial tax information (Lee & Kim, 2006). Malware risks In addition to theft and loss risks, several scientific findings revealed that Smartphones faced a more dangerous threat of malware infection. A study conducted by California, Santa Clara-based McAfee Avert Labs revealed that the total number of Smartphone malware tallied at 450. Although the number is less compared to those of personal computers, they projected a rapid increase with increase in the production and usage of Smartphones (Matsumoto & Sakurai, 2013). Malware attacks are common in the developed countries which leave GCE vulnerable to such attacks as it is located in Australia. Moreover, in Australia mobile phone financial transactions are common which makes malware attacks on Smartphones rampant because they present an easy target to gain profits. For instance, anyone who visits online website to download any file creates high chances of downloading Smartphone viruses (Traynor, McDaniel & La Porta, 2008). The creators of viruses are profit-oriented so that when virus-scare of Smartphone increase with time people are going to purchase and download continuously different versions of antivirus software applications. For instance, recent research findings by Kaspersky Lab on Smartphone viruses discovered that mobile phone viruses including Viver Trojan’s three variants are created to generate profits. The viruses utilize the Symbian Operating System common in Australia. Once the device downloads the viruses, it sends premium-rate messages to phone numbers in Russia which directly translates to extra charges on the messages send. Although early versions of such viruses inquired for the users’ permission to send the text message, however, the findings showed that after downloading, the recent versions send texts messages automatically (Weinmann, 2012). Recent reports on such encounters revealed that Trojans associated with the viruses are transferred from one Smartphone to another via the popular software application that allows free sharing of photographs, video files and audio files. According to Kaspersky’s reports, Smartphone users downloaded one Trojan variant over 200 times before being removed by administrator of the website. Another notable malware identified by McAfee was made to hijack Smartphones until the owner paid a given ransom (Barendregt, Van Der Poel & Van De Mheen, 2006). In this regard, the malware was designed to hide all the text messages on the users Smartphone, followed by displaying a warning message that threatened to further erase everything on the Smartphone unless the user salvages the situation by paying a ransom of up to 7 dollars in a private account. Although the incidence occurred in China it is just a matter of time before it is happens in Australia based on the high expectations of GCE’s advanced technological breakthrough device. The creation of the device has caused such as a public dilemma that everyone wants a hand-on before it is officially launched. However, enterprise IT technologists are more threatened by the Snoopware that secretly installs itself in the Smartphone systems and thereafter, it silently sends the server all the information on the mobile phone. In this particular situation, the user never recognizes the secret activities taking place on the mobile phone (Weinmann, 2012). The director of Symantec Corp, a wireless and mobile firm based in Curpetino, California stated that the modern versions of Smartphone viruses are designed to evade recognition by the user. FlexiSpy is a notable example of such software application produced and distributed openly by Vervata Company in Thailand. It functions as a key logger, however, it is capable of monitoring mobile phones’ activities remotely, and checking received and sent text messages, monitoring the contacts list, call history and other information on the Smartphones. Although users of the software application tend to recommend its significance in parental monitoring of children, malevolent uses such as spying on the CEO are imminent (Zheng & Ni, 2010). Moreover, despite that the user needs to install the software on the Smartphone, studies suggested that technological variants of the same software may be hacked and converted into volatile Trojans. Bluetooth hijacking Media and scientific reports revealed that apart from malware, theft and loss risks, Bluetooth technology is a threat to the security of information on Smartphones. In the Bluejacking process, explicit multimedia or text messages are sent to the Smartphone user in the noted blackmailing attempts (Last, 2010). On the other hand, in Bluesnarfing attackers connected their mobile phones to other users via Bluetooth and accessed, modified or siphoned vital information. Additionally, studies reveal that several Smartphone viruses are transmissible via Bluetooth technology as long as the devices have their Bluetooth discovery mode on. Other attacks aside from Bluetooth technology have involved spam-related text messages that asked people with Smartphones to download a given dubious software application or sign-up for unrecognized services (Jansen & Scarfone, 2008). Smartphone risk summary IT security research predicted that the usage of Smartphones in 2015 might outnumber the use of personal computers in accessing the internet which puts the GCE workers Smartphones in jeopardy. The 2014 research on Smartphone security concerns enlisted various threats that faced GCE’s CEO Smartphone and issued applicable recommendations as depicted in table 1. Table 1: Smartphone risks and analysis Number Subject Risk Degree Analysis I Leakage of data due to the theft or loss risk High degree The CEO loses the Smartphone or it is stolen and the information is hacked II Accidental disclose of information High degree The CEO accidentally reveals the device’s data on the phone III Attacks on disposed Smartphone High degree The CEO disposes used Smartphone haphazardly without deleting important information IV Phishing threats Medium degree The hacker obtains the CEO’s password via dubious software applications V Spyware attacks Medium degree The attacker installs a spyware on the CEO’s Smartphone to collect vital information of the device VI Spoofing network attacks Medium level A hacker uses a dubious GSM or WiFi to allow the CEO to connect on the server which allows Phishing VII Targeted attacks Medium level A hacker surveys the CEO’s Smartphone activity using a surveillance system Chapter 3 Solutions There three major categories of dealing with the threats on CEO’s Smartphone include employee training and awareness, formulations of policies and adoption of technological barriers. Employee training and awareness Due to increase in the usage of mobile phones in the modern world, it is important for GCE to consider that as much as employees’ Smartphones act as enterprise extension devices where they aid in easy access to business emails, sensitive information and documents, they risk attacks. Therefore, the first line of defence in securing the sensitive information of the breakthrough device is to train the employees on safeguarding their Smartphone devices (Zheng & Ni, 2010). Scientists report that training the employees on the safety practices of mobile phones, methods of information leakage and challenges that face entrepreneurial and personal usage of Smartphones increases prevents easy loss of information from the Smartphones. However, the success of employee training relies on policy adoption and implementation to ensure that all employees undergo mandatory training. Policy Policy approach is the best strategy to counter Smartphone security threats and risks. It is a common occurrence to see enterprises requesting employees to stop using certain software applications on their Smartphones. Therefore, by planning GCE enterprise may overcome the difficult scenarios of requesting employees to desist from using certain applications to access enterprise information. GCE needs to take initial steps of identifying the software applications used by employees on their Smartphones (Harvey, 2007). It is awkward for the IT department to be unaware of the devices or software applications used by employees in the entire enterprise. Moreover, it is an initial weakness that makes the enterprise susceptible to attacks. In the process of identifying the devices used by employees, the IT department needs to scan for the Media Access Control device addresses connected to the enterprise’s network. Additionally, the department needs to come with tools that are able to scan enterprise computers in search for synced-up devices. Also, the IT department needs to inquire from the employees if they use their Smartphone devices entirely for enterprise-related activities or for both enterprise-related and personal activities. An admirable step is whereby GCE can opt to provide all employees with Smartphones specific for execution of enterprise chores and implement policies that exempt personal devices from being used to access enterprise information (Jansen & Ayers, 2007). Alternatively, GCE may enforce policies that require employees to use enterprise-certified software applications on their personal Smartphones to access enterprise information. In this regard, the IT department focuses on administering policies centrally to lock down enterprise data at all times, save money and simplify information security. However, the success of the policies requires technology. Technology GCE’s IT department needs to employ a technology that covers encryptions, system configurations, antimalware solutions, wiping of data remotely, Bluetooth concerns and passwords (Landman, 2010). Bluetooth solutions The process of eliminating Bluetooth threats to the CEO’s Smartphone mainly involves making the device invisible. The process requires the CEO to turn on the discovery mode of the Bluetooth only when searching for a connection (Toorani & Beheshti, 2008). Also, the enterprise needs to reinforce policies that require employees to turn off their Bluetooth when not in use. Alternatively, the CEO’s Smartphone can be upgraded to Bluetooth endpoint that pops up a dialogue box which requires the CEO’s approval before a connection is made with another phone or the discovery mode of the Bluetooth stays on discovery mode temporarily (Lan, 2010). Authentic passwords The CEO needs to set passwords on the Smartphone to ensure that before any information is revealed or any downloaded software application is installed on the Smartphone the password is entered (Aloul, Zahidi & El-Hajj, 2009). Alternatively, the CEO can set the Smartphone to sleep at a given time interval thereby requiring a password for activation. Even if the CEO accidentally leaves the Smartphone in the taxi it will lock itself automatically thereby securing the vital information (Ezenezi, 2010). Encryption Research shows that attackers can bypass passwords and access vital information on the Smartphone. However, encrypting the stored information on the CEO’s Smartphones gives additional protection to the stored information (Barendregt, Van Der Poel & Van De Mheen, 2006). For instance, the BlackBerries and Palms invented an encryption AES 256-bit key that is installable on Smartphones. In this context, the encryption process requires GCE to generate encryption keys that allow the GCE servers to encrypt the CEO’s data but only allows the CEO to decrypt the data with a second key on the Smartphone. Recent versions of encryption keys automatically encrypt information on the Smartphone once it goes to sleep which can best suit the mobile nature of the CEO (Beji & El Kadhi, 2009). Wiping of data remotely The GCE’s IT department needs to set up a technological counter-measure that remotely erases the used but vital information on the CEO’s Smartphone via the MS Exchange Server (Beji & El Kadhi, 2008). In this approach, even if the CEO loses the Smartphone vital information will not fall in the wrong hands the only loss that the CEO may experience is that of the hardware (Enck, Gilbert, Chun, Cox, Jung, McDaniel & Sheth, 2014). Antimalware counter-measures In the past decade, many antimalware companies such as Kaspersky, McAfee, and Symantec have come up with Smartphone antivirus software applications that the CEO can install on the Smartphone to prevent viral attack (Agarwal, Khapra, Menezes & Uchat, 2007). The antimalware packages come in with psyched up features such as anti-spam applications and firewall features alongside the antivirus properties. If the enterprise installs such software applications on the CEO’s Smartphone there are less chances of leaking the device’s information to the public (Becher, Freiling, Hoffmann, Holz, Uellenbeck & Wolf, 2011). Recommendations Looking at the researched findings, it is clear that the CEO’s Smartphone faces an imminent danger from all sorts of risks and threats ranging from theft, deliberate loss, hacking and malware attacks. It is vital for the IT department to implement countermeasures that will eliminate such threats and risks for the period of three months before the technological breakthrough device is officially launched. The first step involves adopting and implementing policies that govern and monitor the use of Smartphone platforms by the enterprise’s workers. The second step involves adopting technology to ensure the success of the policies and secure the CEO’s Smartphone from imminent attacks. The technological tools include setting information access passwords, installing antimalware applications, and setting encryption keys on the CEO’s Smartphone. Chapter 4 Conclusion The report provides an insight on the current risks and threats that face Smartphones in the industry. In the context of GCE, the threats may result into leakage of vital information of the technological breakthrough device. Therefore, based on the research findings, the report characterized the imminent threats and risks that may affect and leak information on the Smartphone of GCE’s CEO. Furthermore, it provided solutions such as encryption, password authentication and antimalware softwares as the best remedies for the threats. Finally, the report recommended the appropriate strategy that the IT security of GCE needed to employ to secure the CEO’s Smartphone for three months References Androulidakis, I. I. (2012). Introduction: Confidentiality, Integrity, and Availability Threats in Mobile Phones. In Mobile Phone Security and Forensics (pp. 1-11). Springer US. Arreymbi, J. (2006). Modelling to Enhance GSM Network Security. In Security and Management (pp. 252-260). Barendregt, C., Van Der Poel, A., & Van De Mheen, D. (2006). The rise of the mobile phone in the hard drug scene of Rotterdam. Journal of psychoactive drugs, 38(1), 77-87. Becher, M., Freiling, F. C., Hoffmann, J., Holz, T., Uellenbeck, S., & Wolf, C. (2011, May). Mobile security catching up? revealing the nuts and bolts of the security of mobile devices. In Security and Privacy (SP), 2011 IEEE Symposium on (pp. 96-111). IEEE. Çabuk, A., Karademirler, S. N., & İnceoğlu, H. U. M. (2009). GIS and RS Based Location Determination for GSM Transmitters to Minimize the Negative Effects of Electromagnetic Pollution for Improving Quality of Urban Places. International Journal of Natural and Engineering Sciences, 3(3), 63-71. Ezenezi, R. E. (2010). Impact of Cellphone Technology on Users: The Wireless Technology Madness-Global System for Mobile Communications (Gsm). Bloomington, IN: Xlibris Corporation. Harvey, P. (2007). Remittances during crises: implications for humanitarian response. K. Savage (Ed.). London: Overseas Development Institute. Jansen, W., & Ayers, R. (2007). Guidelines on cell phone forensics. NIST Special Publication, 800, 101. Jansen, W., & Scarfone, K. (2008). Guidelines on cell phone and PDA security. NIST Special Publication, 800, 124. Lan, T. (2010). New Approaches to Information Security. Contemporary International Relations, 20(3), 41-49. Last, D. (2010). GNSS: The present imperfect. Inside GNSS, 5(3), 60-64. Traynor, P., Enck, W., McDaniel, P., & La Porta, T. (2009). Mitigating attacks on open functionality in SMS-capable cellular networks. Networking, IEEE/ACM Transactions on, 17(1), 40-53. Traynor, P., McDaniel, P., & La Porta, T. (2008). Vulnerabilities in the Short Messaging Service (SMS). In Security for Telecommunications Networks (pp. 65-108). Springer US. Want, R. (2006). An introduction to RFID technology. Pervasive Computing, IEEE, 5(1), 25-33. Zheng, P., & Ni, L. (2010). Smart phone and next generation mobile computing. San Francisco, CA: Morgan Kaufmann. Enck, W., Gilbert, P., Chun, B. G., Cox, L. P., Jung, J., McDaniel, P., & Sheth, A. N. (2014). TaintDroid: an information flow tracking system for real-time privacy monitoring on smartphones. Communications of the ACM, 57(3), 99-106. Grech, S., & Eronen, P. (2005, September). Implications of unlicensed mobile access (UMA) for GSM security. In Security and Privacy for Emerging Areas in Communications Networks, 2005. SecureComm 2005. First International Conference on (pp. 3-12). IEEE. Lee, H., & Kim, J. (2006, April). Privacy threats and issues in mobile RFID. In Availability, Reliability and Security, 2006. ARES 2006. The First International Conference on (pp. 5-pp). IEEE. Hallsteinsen, S., & Jorstad, I. (2007, August). Using the mobile phone as a security token for unified authentication. In Systems and Networks Communications, 2007. ICSNC 2007. Second International Conference on (pp. 68-68). IEEE. Agarwal, S., Khapra, M., Menezes, B., & Uchat, N. (2007, December). Security issues in mobile payment systems. In Proceedings of ICEG 2007: The 5th International Conference on E-Governance (pp. 142-152). Beji, S., & El Kadhi, N. (2008, July). An overview of mobile applications architecture and the associated technologies. In Wireless and Mobile Communications, 2008. ICWMC'08. The Fourth International Conference on (pp. 77-83). IEEE. Toorani, M., & Beheshti, A. (2008, September). Solutions to the GSM security weaknesses. In Next Generation Mobile Applications, Services and Technologies, 2008. NGMAST'08. The Second International Conference on (pp. 576-581). IEEE. Aloul, F., Zahidi, S., & El-Hajj, W. (2009, May). Two factor authentication using mobile phones. In Computer Systems and Applications, 2009. AICCSA 2009. IEEE/ACS International Conference on (pp. 641-644). IEEE. Beji, S., & El Kadhi, N. (2009, May). Security ontology proposal for mobile applications. In Mobile Data Management: Systems, Services and Middleware, 2009. MDM'09. Tenth International Conference on (pp. 580-587). IEEE. Paik, M. (2010, February). Stragglers of the herd get eaten: security concerns for GSM mobile banking applications. In Proceedings of the Eleventh Workshop on Mobile Computing Systems & Applications (pp. 54-59). ACM. Landman, M. (2010, October). Managing smart phone security risks. In 2010 Information Security Curriculum Development Conference (pp. 145-155). ACM. Weinmann, R. P. (2012, August). Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks. In WOOT (pp. 12-21). Matsumoto, S., & Sakurai, K. (2013, January). A proposal for the privacy leakage verification tool for Android application developers. In Proceedings of the 7th International Conference on Ubiquitous Information Management and Communication (p. 54). ACM. Read More