Running head: MO’ MOBILES, MO’ PROBLEMS 1
Mo’ Mobiles, Mo’ Problems
Matt Crowder
American Military University
ITCC500
Dr. Novadean Watson-Stone
Abstract
Businesses continue to grow in acceptance and utilization of Bring Your Own Device (BYOD)
policies because they can increase productivity while reducing costs; but they may be putting
themselves at risk if they fail to implement proper security policies which include Mobile Device
Management (MDM) controls. This literature review will research and identify the risks associated
with mobile computing devices; and the threats they can pose to corporate resources in the event
that they become compromised. It will review mobile computing trends, BYOD for businesses,
prevalent security threats, MDM controls, and security best practices. It will include quantitative
methods using a before-and-after approach with convenience sampling through administering of
a survey questionnaire. Data analysis will be summarized and then it will discuss ways that
businesses can implement various controls to strike an operationally feasible balance between
productivity and security.
Keywords: mobile device security, MDM, BYOD, mobile threats
The popularity and availability of mobile devices (smartphones, tablets and laptops) have
grown substantially in the last few years, mainly due to the lowered price point of these devices.
This has allowed routine consumers, with minimal technical experience, the ability to take part in
a trendsetting technological boom. The proliferation of mobile computing has not only impacted
society in a way that it breeds a culture of constant connectivity and immediate gratification; but
it has also caused the corporate sector to adjust their focus to utilizing mobile technologies to
increase productivity. Businesses have adapted to the ways that their consumers are accessing
information and content. They’re providing mobile versions of resources (applications, websites,
customer service) that their consumers can access in an effort to meet customer expectations
(Murtagh, 2014). Most employees are thoroughly familiar with their personal mobile devices and
feel comfortable taking care of routine tasks that don’t require them to be in the office. They are
also more inclined to respond to emails or texts from their smartphones, as opposed to being
logged into the network remotely.
Problem Statement
While businesses are leveraging mobile technologies to improve productivity, security
vulnerabilities in mobile devices threaten corporate resources because of the growing practice of
implementing BYOD policies with a lack of proper mobile device management controls. This
study is designed to examine the use of mobile devices in business and the prevalent security
concerns that surround them. It will also provide information relative to the prominent mobile
operating systems (Android and iOS) and the challenges they face with security.
Purpose
The purpose of this paper is to provide a clearer understanding of the vulnerabilities
associated with mobile devices and the impacts they can have on businesses. It will examine the
technical concerns of the devices as well as human-based concerns that are introduced by the
users that own the devices. It will focus on the relationship between the application of security
best practices for mobile device management and the potential for a security breach; thus leading
to the potential compromise of enterprise resources.
Research Questions
This paper will address three questions regarding mobile device security in relation to
BYOD practices. First, what levels of mobile device management controls provide the best
protection from security threats? Second, how can user awareness training help reduce the
chance of a device becoming compromised? Third, what is an acceptable level of risk in regards
to the security of network resources?
Definition of Terms
Jailbreak – actions taken to circumvent the security policies of an iOS device so that you
can install third-party applications, or alter the operational state from which the device left the
factory.
Root – actions taken to circumvent the security policies of an Android device so that you
can install third-party applications, or alter the operational state from which the device left the
factory.
Literature Review
Mobile Device Trends
Understanding mobile device trends is important because it provides the background for
the current and future capabilities of mobile device technologies; and new innovations in
technology will lead to advanced capabilities in the mobile arena. The continued development
and growth can enhance user productivity and consumer acceptance, but it will also provide
hackers with new avenues to exploit vulnerabilities. This innovation cycle continues to produce
hurdles for IT professionals and businesses as they must learn and adapt on-the-fly to ensure the
security of personally identifiable information (PII) and corporate data. Edmondson et al. (2014)
identify this trend with the mobile growth because fewer people are buying desktops, instead
laptop and tablet sales have passed those of desktops; but more importantly, the purchases of
smartphones have passed them all. They also feel that the mobile boom is not over, but rather in its
beginning stages as it continues to immerse itself in business and society; and that to allow for
the delivery of future devices will require advances in infrastructure, networking and other fields
that may not exist yet. Additionally, the mobile growth trend is discussed in a 2014 study which
reveals that tablet and mobile phone worldwide shipments totaled 2 billion units in 2013, and are
expected to ship 2.3 billion units in 2015 (“Gartner says worldwide traditional PC, tablet,
ultramobile and mobile phone shipments on pace to grow 7.6 percent in 2014,” 2014).
The trend is evident through the emergence of the operational concept of the Internet of
Things (IoT), where multiple technologies are integrated to provide a way to manage and
automate various facets of business, processes, and individual’s daily lives. The idea is based on
the capability of appliances and systems having a network interface so that they can be added to
a network or provided access through the internet. IoT can provide benefits in healthcare,
production management, transportation, logistics and various industries. But the concerns are
that the success of IoT and its acceptance on a worldwide scale will be minimal without any
standards or governance being established (Xu, He, & Li, 2014).
Some considerations for emerging and future technologies are: wearables that will
become part of a Personal Area Network (PAN), new Wi-Fi standards that will overhaul current
Wi-Fi networks, and Enterprise Mobile Management (EMM), which will combine aspects of MDM and
Mobile Application Management (MAM) in an attempt to control mobile devices more effectively
(Jones, 2014). Mobile commerce (m-commerce) has also grown as an answer to the consumer
demand for mobile accessibility. Most banks have apps for users to complete banking
transactions and this also translates to the convenience of goods to be bought and sold online in
minimal transaction steps (Chang, Williams, & Hurlburt, 2014).
BYOD for Businesses
BYOD is the practice of companies allowing their employees to use their personal mobile
devices in the workplace instead of company provided equipment. It is more commonplace in
Small-and-Medium Businesses (SMBs), as expected, because of the initial cost savings it
provides along with a level of employee satisfaction. However, a Cisco 2012 survey of 600 U.S.
IT leaders indicates that 89% of enterprise and medium-sized businesses support a form of
BYOD. Security is a main concern in those enterprise and medium-sized businesses, as noted in
the survey with only 50% and 41% respectively, having policies in place (Bradley, Loucks,
Macaulay, Medcalf, & Buckalew, 2012). The BYOD initiative does have two points of view on
its inception. The first being that employees wanted a way to access content of a personal nature,
like webpages and email, while at work; but access was blocked by company IT policies, so they
wanted to be able to use their personal devices to access that content. Which is nothing more
than circumventing the security measures that were in place for good reason. The second belief,
from the business point of view, is that an increase in productivity with a decrease in costs, plus
employee satisfaction, leads to an increase in profits (Caldwell, Zeltmann, & Griffin, 2012).
There are multiple reasons for a business to implement BYOD. Employees can access
their work from anywhere and it provides the flexibility to let them take care of issues in a
conference room before a meeting begins, or while on the train for their commute home. Files
and other documents can be accessed from anywhere, providing 24/7 access for teams to
collaborate while spread across physical locations; but when you start analyzing who the devices
actually belong to (employee) and who the data belongs to (company), then an entirely new
dilemma arises in the areas of security and ethics. Users feel like they have the freedom to install
whatever apps or media they want onto their device; while companies believe they reserve the
right to completely wipe the device in the event of employee termination or a lost device. These
issues are strong reasons for companies to understand the need and thoroughness of a BYOD
policy being in place before the practice is authorized. The policy should spell out exactly who is
responsible for what in a way to provide a clear understanding to all employees. It should
address what devices are allowed and supported, what apps are authorized, who to notify in the
event that a device is believed to be lost. It should also inform employees of the consequences if
they are caught with unapproved apps, or tampering with the security settings enforced by
technical controls; then have each employee sign the policy to acknowledge their understanding
and consent (Blizzard, 2014).
Security and privacy are the two biggest concerns. The security concern is that of the
companies because any infected device that is connected to the network, or plugged into a
desktop computer, could introduce a virus or malware. This would most definitely constitute a
security incident and loss of corporate data is possible. The privacy concern is that of the users
because of the personal nature of data that is also contained on a mobile device. It is possible that
personal data could be disclosed when a device is scanned by the company’s IT department
(Miller, Voas, & Hurlburt, 2012).
Security Threats
When thinking about threats to mobile devices, most people immediately think of a
hacker; while that is fair to correctly acknowledge, it must also be understood that the users and
the devices are also considered threats. In fact, in the IT industry, the end-users are still
considered the greatest internal threat. Dimensional Research published a 2014 survey of 706 IT
professionals across the world that serve a role in system security within their company. The
report indicated that 87% of the respondents believe that careless employees are their greatest
security threat; and 63% identified that employee carelessness is the likely cause of recent
breaches that included data being compromised. It also included the top five factors for the high
impact that users have on mobile security: accidentally accessing malicious sites or downloading
malicious content, lack of awareness of security policies, intentionally ignoring security policies,
lost or stolen devices, and device security updates not being current (“The Impact of Mobile
Devices on Information Security: A Survey of IT and Security,” 2014).
Devices have an assortment of reasons to be considered when addressing their topic as a
threat to security. These problems include the many different types of devices which have
various hardware configurations, the several different operating systems, and various
components that have the capability to access the internet. Android and iOS are considered the
prominent players in mobile devices, and Android is recognized as the more vulnerable of the
two. This is mainly due to the difference in governance of the Google Play Store and Apple App
Store. Google allows any developers to pay a minimum fee to register which gives them access
to upload any apps they desire. Apple has a vetting process and also completes extensive testing
on apps before they are published in the App Store. Additionally, Android is based on open
source and is available in multiple flavors across multiple devices, while iOS is just on Apple
products (La Polla, 2013).
Wahid, Kirmani, and Siddiqui (2014) completed a case study to evaluate the level of
knowledge and programming required to break into various mobile device operating systems.
This study also indicated that Android is more susceptible than iOS to be compromised and this
could easily be accomplished by “average programmers that have access to the official tools and
programming libraries provided by Smartphone platforms” (Wahid et al., 2014, p. 8). This
proves how dangerous malware is to mobile devices and the caution that users should embrace
when accessing questionable content.
Lookout, a mobile security company, published their 2015 Threats report that, “analyzed
threats encountered by its global sensor network of more than 60 million Lookout-enabled
mobile devices” (“Enterprise mobile threats: 2014 year in review,” 2014). It noted the top three
trends as follows: malware attack methods are more sophisticated, threats have increased along
with the impact to companies, and GPS and contact data was siphoned from devices and tracked
to twenty different countries. A study was also completed on a U.S. federal agency which
analyzed 488 mobile devices that also had access to corporate data. It identified 29% of those
devices as containing a mobile threat; almost 8% of those as having Trojans or root enablers,
which can allow attackers to gain admin rights and circumvent security policies (“Enterprise
mobile threats: 2014 year in review,” 2014).
McAfee Labs published their threat predictions for 2015 and it stressed the evolution of
current types of attacks into those that will focus on mobile devices and ones that will become
advanced persistent threats (APT). They indicate that cyber espionage will see changes from
single swift attacks for financial gain to those where they remain hidden over time and collect
information on their target as an APT. It would provide a greater return on their attacks. They
expect attacks on IoT devices (IP webcams, home automation, and appliances) to increase
rapidly because of poor security practices coupled with an influx of connected devices. They
believe there could be an opportunity for high-value data on vulnerable devices. Finally, they
foresee malware and ransomware infections growing significantly on mobile devices; and the
evolution of attacks on cloud-based storage sites like Dropbox, Google Drive, and OneDrive.
This is due to the believed high value of data that is very personal, like personal pictures and
documents (“McAfee Labs Threats Report,” 2014).
Mobile Device Management
An MDM solution is highly recommended and can be implemented locally, through a
Software as a Service (SaaS) subscription, or as an appliance integrated into the network. The
capabilities that should be evaluated for an MDM include “password management, remote data
wipe, data encryption, jailbreak/root detection, data loss prevention, remote configuration,
remote OS and application updating, remote inventorying, and remote control” (Harris & Patten,
2014). The addition of a mobile application management (MAM) piece is also recommended
because it can set application level policies and only allow applications to be installed from the
local application stores as defined in policies by the administrators.
The same concepts of defense-in-depth apply to MDM as well, meaning that layered
security controls provide the greatest protection. Containerization is an additional layer that
should be considered. It includes an encrypted storage area for the corporate applications and
security policies, and it allows these more sensitive objects to be handled separately from the
operating system. This technique is an efficient way to address the concerns between personal
devices and corporate data because it allows users to access their personal data and applications
as they want, but it gives control of corporate data to the businesses. It allows the company to
remotely wipe all corporate data while not affecting the users’ personal data; thus achieving the
desired balance of user freedom and data security (Leavitt, 2013).
Kilpatrick (2014) provides some insight into the issues with MDM and he acknowledges
that it isn’t just the responsibility of the IT department to protect the enterprise. He understands
the pace at which technology is deployed and the business needs that require new programs or
devices before full testing. This is most important because it provides an insight to non-technical
executives and decision makers that, “it is not possible for most IT security teams to carry the
responsibility of securing the whole business and every user singlehandedly” (Kilpatrick, 2014,
p. 13).
Security Best Practices
The application of security best practices in regards to hardware, software, policies and
business processes is not a singular magic answer. It is a roadmap that provides people and
businesses with various levels of security strategies that can be implemented based on the
technologies employed and resource availability. The National Institute of Standards and
Technology (NIST) provides publications and guidance as part of its responsibilities under the
Federal Information Security Management Act (FISMA), Public Law 107-347. They are
intended for Federal information systems, but can be used by any entity. NIST Special
Publication (SP) 800-124 addresses security of mobile devices in the enterprise; and contains
four sections that provide various considerations that can be addressed based on company needs.
They should be integrated with an MDM or existing security solution.
General policy. This is where “centralized technology can enforce enterprise security
policies on the mobile device, including (but not limited to) other policy items” (Souppaya &
Scarfone, 2013). This suggests limiting user access to hardware (GPS, camera, USB), allow user
access only to native operating system services, manage WiFi and Bluetooth connections, use an
active monitoring and reporting feature that can compare devices against a baseline, and prevent access to
corporate data if device is not on latest firmware or if the device has been jailbroken/rooted
(Souppaya & Scarfone, 2013).
Data Communication and Storage. Recommends strong encryption of communications
between the client and server; this is usually accomplished through the use of a VPN. The
device’s storage should also be encrypted to include any type of removable storage.
Cryptographically binding the media to a device renders the media only accessible with that
device; this prevents the media from being stolen and accessed on another device. The device
should be wiped for the following reasons: before re-issue or being recycled, lost or stolen, failed
logon attempts (Souppaya & Scarfone, 2013).
User and Device Authentication. This includes device password (lock screen),
authentication to company resources before access is granted, having password complexity
requirements, automatic lock screen (screensaver), and ability to remotely lock the device
(Souppaya & Scarfone, 2013). It is also recommended to include the practice of central
management of assets and the ability to manage devices through a cloud-based portal. Asset
management should be the sole possession of the IT department and allow them to test and apply the
needed policies before the device gets to the end-user. Cloud-based administration allows IT to
perform their controls remotely so they can enroll or wipe a device from anywhere as long as
they have an internet connection (Vaidyanathan, 2014).
Applications. This covers an app store and the enforcement of approved (whitelisting)
and blocked (blacklisting) applications; while application access to system resources should be
restricted and approved applications should be updated to newer versions automatically. It is also
recommended that digital signatures be enforced to ensure applications are only installed from
trusted vendors (Souppaya & Scarfone, 2013). Virtualization is an option that can utilize server
resources to minimize the overhead on mobile devices. It provides guest operating systems to be
launched on the devices while maintaining the desired separation of business and personal data
(Chang, Pao-Chung, & Teng-Chang, 2014).
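An added example, not part of the original paper or of NIST SP 800-124: a minimal device-posture check that applies the controls listed in the four sections above before a device is granted access to corporate data. The threshold values, package names and field names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed policy values: the paper names the controls but gives no thresholds.
POLICY = {
    "min_os_version": (8, 1),        # assumed "latest firmware"
    "min_passcode_length": 6,        # assumed complexity requirement
    "max_auto_lock_seconds": 300,    # assumed automatic lock-screen timeout
    "max_failed_logons": 10,         # assumed limit before a wipe
    "approved_apps": {"com.example.mail", "com.example.vpn"},  # whitelist
    "blocked_apps": {"com.example.sideloader"},                # blacklist
}


@dataclass
class Device:
    """Posture reported by a hypothetical MDM agent."""
    device_id: str
    os_version: tuple
    rooted_or_jailbroken: bool = False
    storage_encrypted: bool = True
    removable_storage_encrypted: bool = True
    passcode_length: int = 6
    auto_lock_seconds: int = 120
    failed_logons: int = 0
    reported_lost_or_stolen: bool = False
    # package name -> True if signed by a trusted vendor
    apps: dict = field(default_factory=dict)


def evaluate(device, policy=POLICY):
    """Return (decision, findings); decision is 'wipe', 'block' or 'allow'."""
    # Data Communication and Storage: conditions that call for a wipe.
    wipe_reasons = []
    if device.reported_lost_or_stolen:
        wipe_reasons.append("device reported lost or stolen")
    if device.failed_logons >= policy["max_failed_logons"]:
        wipe_reasons.append("failed logon limit reached")
    if wipe_reasons:
        return "wipe", wipe_reasons

    findings = []
    # General policy: current firmware and no jailbreak/root.
    if device.os_version < policy["min_os_version"]:
        findings.append("firmware out of date")
    if device.rooted_or_jailbroken:
        findings.append("device is jailbroken/rooted")
    # Data Communication and Storage: encryption, removable media included.
    if not device.storage_encrypted:
        findings.append("device storage not encrypted")
    if not device.removable_storage_encrypted:
        findings.append("removable storage not encrypted")
    # User and Device Authentication: passcode and automatic lock screen.
    if device.passcode_length < policy["min_passcode_length"]:
        findings.append("passcode too short")
    if device.auto_lock_seconds > policy["max_auto_lock_seconds"]:
        findings.append("automatic lock timeout too long")
    # Applications: blacklist, whitelist and trusted signatures.
    for package, trusted_signature in sorted(device.apps.items()):
        if package in policy["blocked_apps"]:
            findings.append(f"blocked app installed: {package}")
        elif package not in policy["approved_apps"]:
            findings.append(f"app not on approved list: {package}")
        elif not trusted_signature:
            findings.append(f"approved app lacks trusted signature: {package}")
    return ("block" if findings else "allow"), findings


# Constructed sample devices.
COMPLIANT = Device("tablet-01", (8, 1), apps={"com.example.mail": True})
NONCOMPLIANT = Device(
    "phone-02", (7, 0), rooted_or_jailbroken=True, storage_encrypted=False,
    apps={"com.example.sideloader": True, "com.example.mail": False},
)
LOST = Device("phone-03", (8, 1), reported_lost_or_stolen=True)

if __name__ == "__main__":
    for dev in (COMPLIANT, NONCOMPLIANT, LOST):
        decision, findings = evaluate(dev)
        print(dev.device_id, decision, findings)
```

With containerization in place, the "wipe" decision would apply only to the corporate container rather than to the whole device.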
In summary, the literature provided a look into the current and expected mobile device
trends. The growth and popularity of the devices will contribute to the adaptation of the IoT in
more mainstream societies. Emerging and future technologies will play a part in the need for
standards and oversight to continue developing secure devices. BYOD for businesses supported
the increase in user productivity that also decreases company expenses, resulting in larger
profits. Employee happiness with BYOD use allows them to feel better supported by their
company and allows them to complete tasks whenever they have time and are not in the office.
Security and privacy are the key concerns because companies want their data secured while
employees’ personal data maintains its privacy.
The security threats identified lack of user understanding and careless users as the prime
concern for device and data security. Android and iOS are the prominent mobile operating
systems; and the security of their respective application stores points to Android being the more
vulnerable of the two. Malware and ransomware are expected to evolve and target mobile
devices in an effort to collect information of value off of the devices (corporate and personal).
MDM provides local and subscription based solutions that provide better advanced controls to IT
administrators. Features for separating corporate and personal data are encouraged to provide the
desired levels of security and privacy. Security best practices were highlighted by the NIST
publication that cited four main areas of general policy, data communications and storage, user
and device authentication, and applications. It is understood that there are various levels of
controls and solutions that can be implemented, but the costs of multiple controls can increase
greatly based on the characteristics of the various mobile devices in use. This will all lead to a
more granular look at the hypotheses and research design that attempts to answer the research
questions that will be addressed.
Methodology
Hypotheses
The following research questions were the basis to guide this study. What levels of
mobile device management controls provide the best protection from security threats? How can
user awareness training help reduce the chance of a device becoming compromised? These
research questions allowed for the formulation of the following hypotheses. The inclusion of
multiple controls of mobile device management provides a significant level of protection from
security threats. User awareness training can greatly reduce the risk of their mobile devices
becoming compromised. These hypotheses will lead to the explanation of the research design
that is being completed solely as a hypothetical case for the purpose of this course.
Research Design
This hypothetical research is based on quantitative methods that are focused on the
number of contacts with the study population. The before-and-after study approach will provide
the opportunity to measure the current study population’s posture as it pertains to the research,
and measure the impact of changes made between the two samplings after a year’s time. It is
assumed that some of the businesses would implement additional controls that could positively
affect the data of the study. This could help to reinforce the hypotheses this study is based on.
Variables. The dependent variables for this study will be security threats, mobile
devices, and data security. The independent variables will be MDM security controls, user
awareness training, and associated levels of risk.
Sampling Plan. A non-random, non-probability sampling will be used for this study.
Based on limited funds, and accessibility within northwest Florida, a convenience sampling is
the best option at this time. The study population will include multiple businesses in the local
area that have their own dedicated IT department. The goal is to attain a sample size of 100
respondents while providing a high level of anonymity.
Data Collection. The data collection tool will be a survey questionnaire designed to
identify background information of the sampling elements as well as particular questions related
to information needed for this study. It will attempt to gather the size of the business, the type of
industry they are in, their use of mobile devices, if they have a BYOD policy, do they provide
user awareness training, and what types of MDM security controls they utilize. The
questionnaire will also state that the information and responses will be completely
anonymous.
Analysis of Data. The data will be manually analyzed by the researcher but computer
equipment will be the prime medium for storing, coding, and analyzing the responses. The intent
is to understand the use of mobile devices in various sizes of business, to what extent they
implement MDM security controls, and if they have experienced security breaches or data loss.
Cross-tabulations will be conducted with the mobile devices and data security in relation to the
attributes that provide company background information.
Limitations. While understanding the severity that responses could provide too much
information for an anonymous survey, it must be understood that businesses would not be likely to
identify any of their shortcomings within their IT infrastructure. There may be resistance by the
sampling elements to answer questions because they do not want their personal understanding of
their security posture to reflect poorly on their company. There may not be enough reliable data
provided in the intended areas of business sizes (enterprise and small-medium).
References
Blizzard, S. (2014). The BYOD Full Circle: How Advantageous Is The Phenomenon? Software
World, 45(5), 3-4.
Bradley, J., Loucks, J., Macaulay, J., Medcalf, R., & Buckalew, L. (2012). BYOD: A global
perspective. Retrieved January 25, 2015, from
http://www.cisco.com/web/about/ac79/docs/re/BYOD_Horizons-Global.pdf
Caldwell, C., Zeltmann, S., & Griffin, K. (2012). BYOD (Bring Your Own Device). Competition
Forum, 10(2), 117-121.
Chang, J. M., Pao-Chung, H., & Teng-Chang, C. (2014). Securing BYOD. IT Professional,
16(5), 9-11. doi: 10.1109/MITP.2014.76
Chang, J. M., Williams, J., & Hurlburt, G. (2014). Mobile Commerce. IT Professional, 16(3), 4-
5. doi: 10.1109/mitp.2014.36
Edmondson, J., Anderson, W., Gray, J., Loyall, J. P., Schmid, K., & White, J. (2014). Next-
Generation Mobile Computing. IEEE Software, 31(2), 44-47. doi: 10.1109/ms.2014.39
Enterprise mobile threats: 2014 year in review. (2014). Retrieved February 6, 2015, from
https://www.lookout.com/static/ee_images/Enterprise_Report_Final_1.13.pdf
Gartner says worldwide traditional PC, tablet, ultramobile and mobile phone shipments on pace
to grow 7.6 percent in 2014. (2014). Retrieved February 4, 2015, from
http://www.gartner.com/newsroom/id/2645115
Harris, M., & Patten, K. (2014). Mobile device security considerations for small and medium-
sized enterprise business mobility. Information Management & Computer Security, 22(1),
97-114. doi: 10.1108/imcs-03-2013-0019