Running head: MO’ MOBILES, MO’ PROBLEMS 1

Mo’ Mobiles, Mo’ Problems

Matt Crowder

American Military University

ITCC500

Dr. Novadean Watson-Stone

Abstract

Businesses continue to grow in acceptance and utilization of Bring Your Own Device (BYOD)

policies because they can increase productivity while reducing costs; but they may be putting

themselves at risk if they fail to implement proper security policies which include Mobile Device

Management (MDM) controls. This literature review will research and identify the risks associated

with mobile computing devices; and the threats they can pose to corporate resources in the event

that they become compromised. It will review mobile computing trends, BYOD for businesses,

prevalent security threats, MDM controls, and security best practices. It will include quantitative

methods using a before-and-after approach with convenience sampling through administering of

a survey questionnaire. Data analysis will be summarized and then it will discuss ways that

businesses can implement various controls to strike an operationally feasible balance between

productivity and security.

Keywords: mobile device security, MDM, BYOD, mobile threats

The popularity and availability of mobile devices (smartphones, tablets and laptops) have

grown substantially in the last few years, mainly due to the lowered price point of these devices.

This has allowed routine consumers, with minimal technical experience, the ability to take part in

a trendsetting technological boom. The proliferation of mobile computing has not only impacted

society in a way that it breeds a culture of constant connectivity and immediate gratification; but

it has also caused the corporate sector to adjust their focus to utilizing mobile technologies to

increase productivity. Businesses have adapted to the ways that their consumers are accessing

information and content. They’re providing mobile versions of resources (applications, websites,

customer service) that their consumers can access in an effort to meet customer expectations

(Murtagh, 2014). Most employees are thoroughly familiar with their personal mobile devices and

feel comfortable taking care of routine tasks that don’t require them to be in the office. They are

also more inclined to respond to emails or texts from their smartphones, as opposed to being

logged into the network remotely.

Problem Statement

While businesses are leveraging mobile technologies to improve productivity, security

vulnerabilities in mobile devices threaten corporate resources because of the growing practice of

implementing BYOD policies with a lack of proper mobile device management controls. This

study is designed to examine the use of mobile devices in business and the prevalent security

concerns that surround them. It will also provide information relative to the prominent mobile

operating systems (Android and iOS) and the challenges they face with security.

Purpose

The purpose of this paper is to provide a clearer understanding of the vulnerabilities

associated with mobile devices and the impacts they can have on businesses. It will examine the

technical concerns of the devices as well as human-based concerns that are introduced by the

users that own the devices. It will focus on the relationship between the application of security

best practices for mobile device management and the potential for a security breach; thus leading

to the potential compromise of enterprise resources.

Research Questions

This paper will address three questions regarding mobile device security in relation to

BYOD practices. First, what levels of mobile device management controls provide the best

protection from security threats? Second, how can user awareness training help reduce the

chance of a device becoming compromised? Third, what is an acceptable level of risk in regards

to the security of network resources?

Definition of Terms

Jailbreak – actions taken to circumvent the security policies of an iOS device so that you

can install third-party applications, or alter the operational state from which the device left the

factory.

Root – actions taken to circumvent the security policies of an Android device so that you

can install third-party applications, or alter the operational state from which the device left the

factory.

Literature Review

Mobile Device Trends

Understanding mobile device trends is important because it provides the background for

the current and future capabilities of mobile device technologies; and new innovations in

technology will lead to advanced capabilities in the mobile arena. The continued development

and growth can enhance user productivity and consumer acceptance, but it will also provide

hackers with new avenues to exploit vulnerabilities. This innovation cycle continues to produce

hurdles for IT professionals and businesses as they must learn and adapt on-the-fly to ensure the

security of personally identifiable information (PII) and corporate data. Edmondson et al. (2014)

identify this trend in mobile growth: fewer people are buying desktops; instead,

laptop and tablet sales have passed those of desktops, but more importantly, the purchases of

smartphones have passed them all. They also feel that the mobile boom is not over, but rather in its

beginning stages as it continues to immerse itself in business and society; and that to allow for

the delivery of future devices will require advances in infrastructure, networking and other fields

that may not exist yet. Additionally, the mobile growth trend is discussed in a 2014 study which

reveals that tablet and mobile phone worldwide shipments totaled 2 billion units in 2013, and are

expected to ship 2.3 billion units in 2015 (“Gartner says worldwide traditional PC, tablet,

ultramobile and mobile phone shipments on pace to grow 7.6 percent in 2014,” 2014).

The trend is evident through the emergence of the operational concept of the Internet of

Things (IoT), where multiple technologies are integrated to provide a way to manage and

automate various facets of business, processes, and individual’s daily lives. The idea is based on

the capability of appliances and systems having a network interface so that they can be added to

a network or provided access through the internet. IoT can provide benefits in healthcare,

production management, transportation, logistics and various industries. But the concerns are

that the success of IoT and its acceptance on a worldwide scale will be minimal without any

standards or governance being established (Xu, He, & Li, 2014).

Some considerations for emerging and future technologies are: wearables that will

become part of a Personal Area Network (PAN), new Wi-Fi standards that will overhaul current

Wi-Fi networks, and Enterprise Mobile Management (EMM), which will combine aspects of MDM and

Mobile Application Management (MAM) in an attempt to control mobile devices more effectively

(Jones, 2014). Mobile commerce (m-commerce) has also grown as an answer to the consumer

demand for mobile accessibility. Most banks have apps for users to complete banking

transactions and this also translates to the convenience of goods to be bought and sold online in

minimal transaction steps (Chang, Williams, & Hurlburt, 2014).

BYOD for Businesses

BYOD is the practice of companies allowing their employees to use their personal mobile

devices in the workplace instead of company-provided equipment. It is more commonplace in

Small-and-Medium Businesses (SMBs), as expected, because of the initial cost savings it

provides along with a level of employee satisfaction. However, a Cisco 2012 survey of 600 U.S.

IT leaders indicates that 89% of enterprise and medium-sized businesses support a form of

BYOD. Security is a main concern in those enterprise and medium-sized businesses, as noted in

the survey with only 50% and 41% respectively, having policies in place (Bradley, Loucks,

Macaulay, Medcalf, & Buckalew, 2012). The BYOD initiative does have two points of view on

its inception. The first being that employees wanted a way to access content of a personal nature,

like webpages and email, while at work; but access was blocked by company IT policies, so they

wanted to be able to use their personal devices to access that content. This is nothing more

than circumventing the security measures that were in place for good reason. The second belief,

from the business point of view, is that an increase in productivity with a decrease in costs, plus

employee satisfaction, leads to an increase in profits (Caldwell, Zeltmann, & Griffin, 2012).

There are multiple reasons for a business to implement BYOD. Employees can access

their work from anywhere and it provides the flexibility to let them take care of issues in a

conference room before a meeting begins, or while on the train for their commute home. Files

and other documents can be accessed from anywhere, providing 24/7 access for teams to

collaborate while spread across physical locations; but when you start analyzing who the devices

actually belong to (employee) and who the data belongs to (company), then an entirely new

dilemma arises in the areas of security and ethics. Users feel like they have the freedom to install

whatever apps or media they want onto their device; while companies believe they reserve the

right to completely wipe the device in the event of employee termination or a lost device. These

issues are strong reasons for companies to understand the need and thoroughness of a BYOD

policy being in place before the practice is authorized. The policy should spell out exactly who is

responsible for what in a way to provide a clear understanding to all employees. It should

address what devices are allowed and supported, what apps are authorized, who to notify in the

event that a device is believed to be lost. It should also inform employees of the consequences if

they are caught with unapproved apps, or tampering with the security settings enforced by

technical controls; then have each employee sign the policy to acknowledge their understanding

and consent (Blizzard, 2014).

Security and privacy are the two biggest concerns. The security concern is that of the

companies because any infected device that is connected to the network, or plugged into a

desktop computer, could introduce a virus or malware. This would most definitely constitute a

security incident and loss of corporate data is possible. The privacy concern is that of the users

because of the personal nature of data that is also contained on a mobile device. It is possible that

personal data could be disclosed when a device is scanned by the company’s IT department

(Miller, Voas, & Hurlburt, 2012).

Security Threats

When thinking about threats to mobile devices, most people immediately think of a

hacker; while that is fair to acknowledge, it must also be understood that the users and

the devices are also considered threats. In fact, in the IT industry, the end-users are still

considered the greatest internal threat. Dimensional Research published a 2014 survey of 706 IT

professionals across the world that serve a role in system security within their company. The

report indicated that 87% of the respondents believe that careless employees are their greatest

security threat; and 63% identified that employee carelessness is the likely cause of recent

breaches that included data being compromised. It also included the top five factors for the high

impact that users have on mobile security: accidentally accessing malicious sites or downloading

malicious content, lack of awareness of security policies, intentionally ignoring security policies,

lost or stolen devices, and device security updates not being current (“The Impact of Mobile

Devices on Information Security: A Survey of IT and Security,” 2014).

There is an assortment of reasons to consider the devices themselves a

threat to security. These problems include the many different types of devices which have

various hardware configurations, the several different operating systems, and various

components that have the capability to access the internet. Android and iOS are considered the

prominent players in mobile devices, and Android is recognized as the more vulnerable of the

two. This is mainly due to the difference in governance of the Google Play Store and Apple App

Store. Google allows any developers to pay a minimum fee to register which gives them access

to upload any apps they desire. Apple has a vetting process and also completes extensive testing

on apps before they are published in the App Store. Additionally, Android is based on open

source and is available in multiple flavors across multiple devices, while iOS is just on Apple

products (La Polla, 2013).

Wahid, Kirmani, and Siddiqui (2014) completed a case study to evaluate the level of

knowledge and programming required to break into various mobile device operating systems.

This study also indicated that Android is more susceptible than iOS to be compromised and this

could easily be accomplished by “average programmers that have access to the official tools and

programming libraries provided by Smartphone platforms” (Wahid et al., 2014, p. 8). This

proves how dangerous malware is to mobile devices and the caution that users should embrace

when accessing questionable content.

Lookout, a mobile security company, published their 2015 Threats report, which “analyzed

threats encountered by its global sensor network of more than 60 million Lookout-enabled

mobile devices” (“Enterprise mobile threats: 2014 year in review,” 2014). It noted the top three

trends as follows: malware attack methods are more sophisticated, threats have increased along

with the impact to companies, and GPS and contact data was siphoned from devices and tracked

to twenty different countries. A study was also completed on a U.S. federal agency which

analyzed 488 mobile devices that also had access to corporate data. It identified 29% of those

devices as containing a mobile threat; almost 8% of those as having Trojans or root enablers,

which can allow attackers to gain admin rights and circumvent security policies (“Enterprise

mobile threats: 2014 year in review,” 2014).

McAfee Labs published their threat predictions for 2015 and it stressed the evolution of

current types of attacks into those that will focus on mobile devices and ones that will become

advanced persistent threats (APT). They indicate that cyber espionage will see changes from

single swift attacks for financial gain to those where they remain hidden over time and collect

information on their target as an APT. It would provide a greater return on their attacks. They

expect attacks on IoT devices (IP webcams, home automation, and appliances) to increase

rapidly because of poor security practices coupled with an influx of connected devices. They

believe there could be an opportunity for high-value data on vulnerable devices. Finally, they

foresee malware and ransomware infections growing significantly on mobile devices; and the

evolution of attacks on cloud-based storage sites like Dropbox, Google Drive, and OneDrive.

This is due to the believed high value of data that is very personal, like personal pictures and

documents (“McAfee Labs Threats Report,” 2014).

Mobile Device Management

An MDM solution is highly recommended and can be implemented locally, through a

Software as a Service (SaaS) subscription, or as an appliance integrated into the network. The

capabilities that should be evaluated for an MDM include “password management, remote data

wipe, data encryption, jailbreak/root detection, data loss prevention, remote configuration,

remote OS and application updating, remote inventorying, and remote control” (Harris & Patten,

2014). The addition of a mobile application management (MAM) piece is also recommended

because it can set application level policies and only allow applications to be installed from the

local application stores as defined in policies by the administrators.

The same concepts of defense-in-depth apply to MDM as well, meaning that layered

security controls provide the greatest protection. Containerization is an additional layer that

should be considered. It includes an encrypted storage area for the corporate applications and

security policies, and it allows these more sensitive objects to be handled separately from the

operating system. This technique is an efficient way to address the concerns between personal

devices and corporate data because it allows users to access their personal data and applications

as they want, but it gives control of corporate data to the businesses. It allows the company to

remotely wipe all corporate data while not affecting the users’ personal data; thus achieving the

desired balance of user freedom and data security (Leavitt, 2013).

Kilpatrick (2014) provides some insight into the issues with MDM and he acknowledges

that it isn’t just the responsibility of the IT department to protect the enterprise. He understands

the pace at which technology is deployed and the business needs that require new programs or

devices before full testing. This is most important because it provides an insight to non-technical

executives and decision makers that, “it is not possible for most IT security teams to carry the

responsibility of securing the whole business and every user singlehandedly” (Kilpatrick, 2014,

p. 13).

Security Best Practices

The application of security best practices in regards to hardware, software, policies and

business processes is not a singular magic answer. It is a roadmap that provides people and

businesses with various levels of security strategies that can be implemented based on the

technologies employed and resource availability. The National Institute of Standards and

Technology (NIST) provides publications and guidance as part of its responsibilities under the

Federal Information Security Management Act (FISMA), Public Law 107-347. They are

intended for Federal information systems, but can be used by any entity. NIST Special

Publication (SP) 800-124 addresses security of mobile devices in the enterprise; and contains

four sections that provide various considerations that can be addressed based on company needs.

They should be integrated with an MDM or existing security solution.

General policy. This is where “centralized technology can enforce enterprise security

policies on the mobile device, including (but not limited to) other policy items” (Souppaya &

Scarfone, 2013). This suggests limiting user access to hardware (GPS, camera, USB), allowing user

access only to native operating system services, managing WiFi and Bluetooth connections, using an

active monitoring and reporting feature that can compare devices against a baseline, and preventing access to

corporate data if the device is not on the latest firmware or if the device has been jailbroken/rooted

(Souppaya & Scarfone, 2013).

Data Communication and Storage. Recommends strong encryption of communications

between the client and server; this is usually accomplished through the use of a VPN. The

device’s storage should also be encrypted to include any type of removable storage.

Cryptographically binding the media to a device renders the media only accessible with that

device; this prevents the media from being stolen and accessed on another device. The device

should be wiped for the following reasons: before re-issue or being recycled, lost or stolen, failed

logon attempts (Souppaya & Scarfone, 2013).

User and Device Authentication. This includes device password (lock screen),

authentication to company resources before access is granted, having password complexity

requirements, automatic lock screen (screensaver), and ability to remotely lock the device

(Souppaya & Scarfone, 2013). It is also recommended to include the practice of central

management of assets and the ability to manage devices through a cloud-based portal. Asset

management should be the sole possession of the IT department and allow them to test and apply the

needed policies before the device gets to the end-user. Cloud-based administration allows IT to

perform their controls remotely so they can enroll or wipe a device from anywhere as long as

they have an internet connection (Vaidyanathan, 2014).

Applications. This covers an app store and the enforcement of approved (whitelisting)

and blocked (blacklisting) applications; while application access to system resources should be

restricted and approved applications should be updated to newer versions automatically. It is also

recommended that digital signatures be enforced to ensure applications are only installed from

trusted vendors (Souppaya & Scarfone, 2013). Virtualization is an option that can utilize server

resources to minimize the overhead on mobile devices. It provides guest operating systems to be

launched on the devices while maintaining the desired separation of business and personal data

(Chang, Pao-Chung, & Teng-Chang, 2014).
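
The four NIST SP 800-124 areas summarized above can be read as a device posture check that an MDM or access gateway evaluates before a device reaches corporate data. The following is an added example, not code from this paper or from NIST; the field names, thresholds, and app identifiers are assumptions chosen for illustration, and the sample devices are constructed.

```python
from dataclasses import dataclass, field

# Assumed policy values for illustration; a real deployment sets these in its MDM.
POLICY = {
    "min_os_version": (8, 1, 3),          # constructed "latest firmware" baseline
    "min_passcode_length": 6,
    "max_auto_lock_seconds": 300,
    "max_failed_logons": 10,              # wipe threshold
    "approved_apps": {"com.example.mail", "com.example.vpn", "com.example.docs"},
    "blocked_apps": {"com.example.sideloader"},
}


@dataclass
class Device:
    device_id: str
    os_version: tuple
    jailbroken_or_rooted: bool = False
    storage_encrypted: bool = True
    removable_media_encrypted: bool = True
    passcode_length: int = 6              # 0 means no lock screen passcode
    auto_lock_seconds: int = 120          # 0 means the screen never locks
    failed_logons: int = 0
    reported_lost: bool = False
    apps: dict = field(default_factory=dict)  # app id -> signature verified?


def evaluate(device, policy=POLICY):
    """Return (decision, findings); decision is 'wipe', 'block' or 'allow'."""
    findings, wipe = [], []

    # General policy: device integrity and firmware baseline.
    if device.jailbroken_or_rooted:
        findings.append("general: device is jailbroken/rooted")
    if device.os_version < policy["min_os_version"]:
        findings.append("general: firmware below baseline")

    # Data communication and storage: encryption at rest and wipe triggers.
    if not device.storage_encrypted:
        findings.append("storage: device storage not encrypted")
    if not device.removable_media_encrypted:
        findings.append("storage: removable media not encrypted")
    if device.reported_lost:
        wipe.append("storage: device reported lost or stolen")
    if device.failed_logons >= policy["max_failed_logons"]:
        wipe.append("storage: failed logon threshold reached")

    # User and device authentication: lock screen and automatic lock.
    if device.passcode_length < policy["min_passcode_length"]:
        findings.append("auth: passcode missing or too short")
    if not 0 < device.auto_lock_seconds <= policy["max_auto_lock_seconds"]:
        findings.append("auth: automatic lock disabled or too slow")

    # Applications: blocklist, allowlist and signature enforcement.
    for app_id in sorted(device.apps):
        if app_id in policy["blocked_apps"]:
            findings.append(f"apps: blocked app {app_id}")
        elif app_id not in policy["approved_apps"]:
            findings.append(f"apps: unapproved app {app_id}")
        if not device.apps[app_id]:
            findings.append(f"apps: signature not verified for {app_id}")

    if wipe:
        # With containerization, the wipe would target only the corporate container.
        return "wipe", wipe + findings
    return ("block", findings) if findings else ("allow", findings)


# Constructed sample inventory (not real devices).
COMPLIANT = Device("dev-001", (8, 1, 3),
                   apps={"com.example.mail": True, "com.example.vpn": True})
ROOTED = Device("dev-002", (8, 0, 0), jailbroken_or_rooted=True,
                apps={"com.example.sideloader": False, "com.example.mail": True})
LOST = Device("dev-003", (8, 1, 3), reported_lost=True, passcode_length=0)

if __name__ == "__main__":
    for dev in (COMPLIANT, ROOTED, LOST):
        decision, findings = evaluate(dev)
        print(dev.device_id, decision)
        for item in findings:
            print("   -", item)
```

Wipe conditions take precedence over blocking, so a lost device is wiped even when its only other finding is a weak passcode.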

In summary, the literature provided a look into the current and expected mobile device

trends. The growth and popularity of the devices will contribute to the adoption of the IoT in

more mainstream societies. Emerging and future technologies will play a part in the need for

standards and oversight to continue developing secure devices. BYOD for businesses supported

the increase in user productivity that also decreases company expenses, resulting in larger

profits. Employee happiness with BYOD use allows them to feel better supported by their

company and allows them to complete tasks whenever they have time and are not in the office.

Security and privacy are the key concerns because companies want their data secured while

employees’ personal data maintains its privacy.

The security threats identified lack of user understanding and careless users as the prime

concern for device and data security. Android and iOS are the prominent mobile operating

systems; and the security of their respective application stores points to Android being the more

vulnerable of the two. Malware and ransomware are expected to evolve and target mobile

devices in an effort to collect information of value off of the devices (corporate and personal).

MDM provides local and subscription based solutions that provide better advanced controls to IT

administrators. Features for separating corporate and personal data are encouraged to provide the

desired levels of security and privacy. Security best practices were highlighted by the NIST

publication that cited four main areas of general policy, data communications and storage, user

and device authentication, and applications. It is understood that there are various levels of

controls and solutions that can be implemented, but the costs of multiple controls can increase

greatly based on the characteristics of the various mobile devices in use. This will all lead to a

more granular look at the hypotheses and research design that attempts to answer the research

questions that will be addressed.

Methodology

Hypotheses

The following research questions were the basis to guide this study. What levels of

mobile device management controls provide the best protection from security threats? How can

user awareness training help reduce the chance of a device becoming compromised? These

research questions allowed for the formulation of the following hypotheses. The inclusion of

multiple controls of mobile device management provides a significant level of protection from

security threats. User awareness training can greatly reduce the risk of their mobile devices

becoming compromised. These hypotheses will lead to the explanation of the research design

that is being completed solely as a hypothetical case for the purpose of this course.

Research Design

This hypothetical research is based on quantitative methods that are focused on the

number of contacts with the study population. The before-and-after study approach will provide

the opportunity to measure the current study population’s posture as it pertains to the research,

and measure the impact of changes made between the two samplings after a year’s time. It is

assumed that some of the businesses would implement additional controls that could positively

affect the data of the study. This could help to reinforce the hypotheses this study is based on.

Variables. The dependent variables for this study will be security threats, mobile

devices, and data security. The independent variables will be MDM security controls, user

awareness training, and associated levels of risk.

Sampling Plan. A non-random, non-probability sampling will be used for this study.

Based on limited funds, and accessibility within northwest Florida, a convenience sampling is

the best option at this time. The study population will include multiple businesses in the local

area that have their own dedicated IT department. The goal is to attain a sample size of 100

respondents while providing a high level of anonymity.

Data Collection. The data collection tool will be a survey questionnaire designed to

identify background information of the sampling elements as well as particular questions related

to information needed for this study. It will attempt to gather the size of the business, the type of

industry they are in, their use of mobile devices, whether they have a BYOD policy, whether they provide

user awareness training, and what types of MDM security controls they utilize. The

questionnaire will also state that the information and responses will be completely

anonymous.

Analysis of Data. The data will be manually analyzed by the researcher but computer

equipment will be the prime medium for storing, coding, and analyzing the responses. The intent

is to understand the use of mobile devices in various sizes of business, to what extent they

implement MDM security controls, and if they have experienced security breaches or data loss.

Cross-tabulations will be conducted with the mobile devices and data security in relation to the

attributes that provide company background information.

Limitations. While recognizing that responses could provide too much

information for an anonymous survey, it must be understood that businesses would not be likely to

identify any of their shortcomings within their IT infrastructure. There may be resistance by the

sampling elements to answer questions because they do not want their personal understanding of

their security posture to reflect poorly on their company. There may not be enough reliable data

provided in the intended areas of business sizes (enterprise and small-medium).

References

Blizzard, S. (2014). The BYOD Full Circle: How Advantageous Is The Phenomenon? Software

World, 45(5), 3-4.

Bradley, J., Loucks, J., Macaulay, J., Medcalf, R., & Buckalew, L. (2012). BYOD: A global

perspective. Retrieved January 25, 2015, from

http://www.cisco.com/web/about/ac79/docs/re/BYOD_Horizons-Global.pdf

Caldwell, C., Zeltmann, S., & Griffin, K. (2012). BYOD (Bring Your Own Device). Competition

Forum, 10(2), 117-121.

Chang, J. M., Pao-Chung, H., & Teng-Chang, C. (2014). Securing BYOD. IT Professional,

16(5), 9-11. doi: 10.1109/MITP.2014.76

Chang, J. M., Williams, J., & Hurlburt, G. (2014). Mobile Commerce. IT Professional, 16(3), 4-

5. doi: 10.1109/mitp.2014.36

Edmondson, J., Anderson, W., Gray, J., Loyall, J. P., Schmid, K., & White, J. (2014). Next-

Generation Mobile Computing. IEEE Software, 31(2), 44-47. doi: 10.1109/ms.2014.39

Enterprise mobile threats: 2014 year in review. (2014). Retrieved February 6, 2015, from

https://www.lookout.com/static/ee_images/Enterprise_Report_Final_1.13.pdf

Gartner says worldwide traditional PC, tablet, ultramobile and mobile phone shipments on pace

to grow 7.6 percent in 2014. (2014). Retrieved February 4, 2015, from

http://www.gartner.com/newsroom/id/2645115

Harris, M., & Patten, K. (2014). Mobile device security considerations for small and medium-

sized enterprise business mobility. Information Management & Computer Security, 22(1),

97-114. doi: 10.1108/imcs-03-2013-0019
