(IJCSIS) International Journal of Computer Science and Information Security,
Vol. 9 No. 3, March 2011

Addressing Vulnerability of Mobile Computing
A Managerial Perspective

Arben Asllani and Amjad Ali
Center for Security Studies
University of Maryland University College
Adelphi, Maryland, USA



Abstract— Popularity of mobile computing in organizations has risen significantly over the past few years. Notebooks and laptop computers provide the necessary computing power and mobility for executives, managers, and other professionals. Such advantages come with a price for the security of the organizational networks: increased vulnerability. The paper discusses three types of mobile computing vulnerability: physical, system, and network access vulnerability. Using a managerial approach, the paper offers a framework to deal with such vulnerabilities. The framework suggests specific courses of action for two possible scenarios. When there is no present threat, a proactive approach is suggested. When one or more threats are present, a reactive, matrix-based approach is suggested. Both approaches offer a systematic methodology to address laptop vulnerabilities. A similar framework can be extended to address security vulnerabilities of other mobile computing devices in addition to notebooks and laptop computers. A real case scenario from a network in a university college in the southeastern U.S. is used to illustrate the proposed framework.

Keywords - mobile computing; cybersecurity; vulnerability; managerial approach

I. INTRODUCTION

Recent trends of globalization, outsourcing, off-shoring, and cloud computing have changed the structure of organizations and cyberspace. Information is no longer confined within the walls of an organization. Today’s organizations are constantly allowing their suppliers to access their supply chain management systems, customers to retrieve product information from their electronic commerce systems, and their own employees to log on to the organizations’ intranet. Organizations use remote access to information systems to streamline their business processes, become operationally efficient, and gain competitive advantage. However, the global reach of information systems has raised concerns over security and has made organizations more vulnerable to security threats.

Organizations must pay special attention to cybersecurity vulnerabilities and ensure that their notebooks, laptops, and other mobile devices and networks are not compromised as a result of this increase in mobility [1]. A recent study about software vendors indicated that organizations lose approximately 0.6 percent in stock price when a vulnerability is reported and the impact is more severe when the vulnerability flaws are not addressed in advance [2]. However, while most organizations consider vulnerability management critical to their operations, fewer than 25 percent have vulnerability management as an integrated part of their operations [3]. This paper offers a managerial framework to address the issues of information systems vulnerabilities with a special focus on laptop computers and their use for remote access to organizational networks.

The proposed framework can help system administrators to assess the vulnerabilities associated with using mobile laptops to remotely access the local area networks (LAN) or wireless local area networks (WLAN). Once an assessment is made, the network administrator can address such vulnerabilities in a systematic and efficient manner. Also, the framework suggests a step-by-step procedure to address such vulnerabilities when the system is under attack, or when one or more threats are present.

The paper is organized as follows. First, a brief discussion of vulnerabilities of mobile laptops and their use for remotely accessing a given network is provided. The next section discusses the modeling framework and presents the practical recommendations for system administrators. The framework includes a proactive systematic approach to continuously evaluate the set of vulnerabilities and a reactive approach for dealing with vulnerabilities when one or more threats are present. Finally, conclusions and several practical recommendations are provided.

II. VULNERABILITIES OF MOBILE COMPUTING

During the last two decades the popularity of notebooks and laptops has increased significantly. They have been and will continue to be the computers of choice for individuals and organizations. Forrester Research recently reported that laptop sales in the U.S. overtook desktop sales 44 percent to 38 percent in 2009 and 44 percent to 32 percent in 2010 [4]. The same report predicts that laptop sales will remain unchanged in the 42-44 percent range for the next few years while desktop sales will gradually decline to 18 percent in 2015. Laptops have become popular because they allow professionals and




                                                                     1                              http://sites.google.com/site/ijcsis/
                                                                                                    ISSN 1947-5500
knowledge workers to access their networks when they are travelling or from home offices and at the same time they offer storage and processing capabilities similar to, or even better than, desktops.

The shift toward mobile computing is associated with a new set of vulnerabilities for information systems. Mobile laptops are considered by most organizations as the greatest security threat and the most difficult to maintain [3]. A survey published in 2006 indicated that in 27 percent of the cases, it took longer than 10 days to deploy critical patches to mobile laptops [3]. A timely and efficient response to laptop vulnerabilities must be a major concern for organizations and their system administrators.

Mobile computing vulnerabilities can be classified into three major categories: physical vulnerability, system vulnerability, and network access vulnerability. A brief discussion of those categories is provided below along with a suggested course of action.

A. Physical Vulnerability

Laptops are mobile computers and they travel with their owners or users. There is a greater chance for laptops to be lost or stolen in airports, hotels, and meeting auditoriums. Physical vulnerability is not only associated with the loss of hardware; it is also associated with the loss of valuable data and sensitive information. Another form of physical vulnerability occurs when laptops are left open and unattended, which leads to exposure of sensitive information and documents and the ability for network access.

System administrators must continuously raise awareness about the importance of physical security and remind laptop users of the consequences of this vulnerability. In some cases, it is necessary to secure the rooms or offices where the laptop is located and other times it is necessary to fasten the laptop to a non-movable object.

B. System Vulnerability

Laptop computer systems are as vulnerable as any other computer system in the organization. A recent survey on laptop vulnerability assessment indicates that the most significant types of vulnerabilities are missing security patches and updates, misapplied and outdated patches, outdated virus and spyware definition files, configuration weaknesses that create exposures, and missing or deficient security applications, topologies and processes [5]. Remote laptops can be physically accessed more easily than desktops. As such, non-secure laptop systems pose greater vulnerability than desktop systems.

System administrators must prepare a schedule of updates for security patches, antivirus programs, and other security programs. It is very important to follow the schedule and allow users to update their systems as soon as a new update becomes available.

C. Network Access Vulnerability

The need to access LAN and WLAN using mobile laptops creates the single most significant set of vulnerabilities for the organizational cyberspace. Laptops are used to provide e-mail access, Internet access, and file transfer protocol (FTP) access. Such actions create an environment for opening potentially harmful attachments, allowing potential unauthorized access to important files, potential for sniffing, session hijacking, IP address spoofing, and denial of service attacks. In general, using a laptop to access a WLAN is more susceptible to attacks because WLAN includes both the organization’s internal network and the general public network segments. For example, WLANs can be susceptible to attacks such as traffic analysis, eavesdropping, brute force attack, renegade access points, and masquerading attacks.

System administrators and laptop users can address network access vulnerabilities through several courses of action. They can formulate and implement network access security policies, require periodic change of login information and enforce a policy for strong passwords, clearly define user privileges (read, write, delete) and user access, and enforce secure setting access and avoid access from open networks.

III. MANAGING VULNERABILITIES OF LAPTOP COMPUTERS AND NETWORK ACCESS

The identification of physical, system, and network access vulnerabilities allows the system administrator to prepare a course of action to address these vulnerabilities. It is very important that a continuous improvement plan is in place and vulnerabilities are dealt with in a timely manner and preferably before a threat occurs. Such an approach requires that the security perspective is shifted from technical to managerial. The main goal of addressing vulnerabilities will be to improve business resiliency and continuity [6].

A. Managing Vulnerabilities: No Present Threat

System administrators must continuously work to reduce the number of vulnerabilities present at any time during normal business operations. Even when there is no immediate threat, a systematic, process-based, proactive approach must be followed. This approach has three major steps:

1. Identify present vulnerabilities in the IT security area
2. Rate vulnerabilities based on the potential damage and likelihood of attack
3. Address vulnerabilities with specific course of action

1) Identification of Vulnerabilities

During normal business operations of the organizational cyberspace, when there is no threat to the system, system administrators must evaluate potential vulnerabilities of the system and among them, vulnerabilities of laptop computers and their access to the organizational network. The literature review and practical experience have identified a series of vulnerabilities for any particular information system. Reference [7] suggests a series of vulnerability categories related to network access as shown in the first column of Table I.

The system administrator must identify which vulnerabilities from the above list are present in his or her network. For those vulnerabilities which are present the administrator must specify



any symptom(s), rating, and required action(s). This process is illustrated with a real case scenario as described below:

TABLE I. LIST OF VULNERABILITIES

| Vulnerability | Present? | Symptoms | Rating | Action Required |
|---|---|---|---|---|
| Password cracking | Yes | Several faculty members use the same password to access several services such as Blackboard, Banner, and a shared server with sensitive research documents | High | Send a memo with guidelines for strong passwords and request password changes. |
| Network and system information gathering | | | | |
| User enumeration | | | | |
| Backdoors, Trojans and remote controlling | | | | |
| Gaining access to remote connections and services | Yes | Students are using their laptops to access student records using the unsecured wireless network | High | Enforce secure wired or wireless connection to sensitive data |
| Privilege and user escalation | | | | |
| Spoofing | | | | |
| Misconfigurations | | | | |
| Denial-of-service (DoS) and buffer overflows | | | | |
| Viruses and worms | Yes | Several laptops and desktops are infected. | High | Update antivirus programs and scan and clean the infected computers |
| Hardware specific | | | | |
| Software specific and updates | Yes | Several new programs need to be updated in the faculty laptops and desktops. | Low | Update and install new patches to improve security |
| Security policy violations | Yes | Students use classroom and laboratory computers to access gaming websites. Some faculty members leave open laptops in unlocked offices | Moderate | Send a memo and remind students and faculty of security policies related to this vulnerability |

Timothy Parker is a systems administrator at the College of Business, an AACSB accredited institution in a regional university in the southeastern U.S. The college has two computer laboratories, four computer classrooms, and many lecturing podiums equipped with workstations and projectors. The college has an inventory of 78 laptops that are distributed to faculty members for their research and teaching needs. The college has several LANs, a secure WLAN, and an open wireless network. Faculty members use their laptops to access student information, classroom information, and research files that are stored in several drives around the college’s LAN. Students also use their own laptops and mobile devices to access classroom information and other files located in the network.

Mr. Parker is aware that many faculty members use the same password to access several services, including Blackboard, Banner, and servers with sensitive information. Students also use their laptops to access their records using an unsecured wireless network. Several laptops and desktops are infected due to students downloading harmful documents via the Internet. Several new programs on the faculty laptops and desktops need to be updated. Students use classroom and laboratory computers to access gaming Web sites. As Mr. Parker was walking through the building he noticed that some faculty members had left their office open or unlocked with laptops already logged onto the network.

2) Vulnerability Priority Ratings

A system’s vulnerability rating represents a combination of the potential damage a certain attack poses on the vulnerability and the attractiveness of the vulnerability in the eyes of an intruder. The following three vulnerability ratings are suggested:

• High: This vulnerability is very attractive to the intruder and has high consequences if this vulnerability is exploited. Mr. Parker has rated password cracking, gaining access to remote connections, and the presence of viruses and worms in this category.

• Moderate: This vulnerability is somewhat attractive to the intruder and consequences if this vulnerability is exploited are moderate. Mr. Parker has rated security policy violation in this category.

• Low: This vulnerability is not very attractive to the intruder and has low consequences if this vulnerability is exploited. Mr. Parker has rated software specific and updates in this category.

3) Course of Actions

Using the priority ratings identified in the previous step, Mr. Parker generates a working plan to address the vulnerabilities in the College of Business. Specifically, Mr. Parker must immediately send a memo with guidelines for strong passwords and request password changes, enforce secure wired or wireless connection to sensitive data, update antivirus programs, scan, and clean the infected computers,




send a memo and remind students and faculty of relevant security policies, and update and install new patches.

B. Managing Vulnerabilities: Present Threat

When one or more threats are present, system administrators must change the mode of operation from proactive to reactive. When the system is under attack, a quick evaluation of the threats and quick reaction to these threats is necessary. The reaction is immediate but still systematic, and the following steps must be followed:

1. Create a vulnerability-threat matrix
2. Evaluate the severity of each threat for each vulnerability
3. Address vulnerability-threat with specific course of action

1) Create a vulnerability-threat matrix

The vulnerability-threat assessment matrix can be utilized with any information system or part of it. The matrix approach is often suggested in the literature [8] [9]. The matrix is used to map the severity of a given threat with a given vulnerability and to systematically generate an emergent and effective response. Table II is an illustration of this matrix from the College of Business case.

TABLE II. VULNERABILITY-THREAT MATRIX

| Unaddressed Vulnerabilities | Threat 1: Spoofing Attack | Threat 2: New Virus is Spreading at a High Rate | Action Required |
|---|---|---|---|
| Gaining access to remote connections and services | | | Enforce secure wired or wireless connection to sensitive data |
| Viruses and worms | | | Update antivirus programs and scan and clean the infected computers |
| Software specific and updates | | | Update and install new patches to improve security |

Mr. Parker has addressed several vulnerabilities but is still working on enforcing secure connection, performing the latest update to the antivirus programs, and scanning and cleaning the several infected computers. Suddenly, Mr. Parker is made aware of two security threats. First, a spoofing e-mail is circulating among the faculty members’ and students’ electronic mailboxes. The e-mail asks recipients to log in to a Web site and verify their login information or their e-mail service will be interrupted. Second, several faculty members are reporting that many computers in the computer lab have stopped responding due to what seems to be a Trojan attack. As the first step, Mr. Parker builds the vulnerability-threat matrix as shown in Table II. Only the unaddressed vulnerabilities are listed in this table along with their typical course of actions.

2) Evaluate the severity of each threat for each vulnerability

Each cell in Table II represents the severity (or risk) of a given threat to a still existing vulnerability. High severity or risk combinations are designated in red, moderate severity combinations are designated in yellow and low severity combinations in green. The interpretations of the severity ratings are provided below:

• Red: Severity of this combination is high. The course of action recommended to mitigate these threats/vulnerabilities should be implemented immediately.

• Yellow: Severity of this combination is moderate. The course of action recommended to mitigate these threats/vulnerabilities should be implemented as soon as possible.

• Green: Severity of this combination is low. The course of action recommended to mitigate these threats/vulnerabilities will improve security, but is of less urgency.

As shown in Table II, the spoofing attack is currently presenting a moderate level of severity with regard to gaining remote access to the network. In general, spoofing can be very devastating for the organization (college) and the use of laptop computers to access the network is a weakness for the system. However, Mr. Parker is happy to see that his last memo on security policy, the importance of strong passwords, and his action to request password changes have transformed this potentially high risk threat-vulnerability combination into a moderate level. On the other hand, the spread of new viruses is causing significant damage to the laptops and other machines that are already infected or which do not have up-to-date antivirus protections.

3) Address vulnerability-threat with specific course of action

Based on the findings from the previous step, system administrators need to identify the immediate course of action to address the most severe vulnerability-threat. Specifically, Mr. Parker must update antivirus programs and scan and clean all the infected laptop and desktop computers. Simultaneously, he needs to install new patches to improve security for the rest of the network. Additionally, Mr. Parker must address the moderate vulnerability-threat combination by enhancing the security of the wired and wireless networks.

IV. SUMMARY AND RECOMMENDATIONS

Notebooks and laptops have become the computers of choice for professionals and managers who want to access their organizational networks while traveling or while working from home. With this popularity they also offer the greatest security challenges for system administrators. Laptops and their use to access organizational networks produce three major vulnerability categories: physical, system, and network access.
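The proactive rating step (Section III.A) and the reactive vulnerability-threat matrix (Section III.B) can be expressed as a short triage routine. This is an added example, not code from the paper: ratings, actions and the Moderate spoofing cell come from the College of Business case, while the other matrix cells are constructed to match the described response and the rule that an unassessed cell is escalated to High is an assumption.

```python
from dataclasses import dataclass

RANK = {"High": 3, "Moderate": 2, "Low": 1}
# Urgency wording paraphrases the paper's three severity interpretations.
URGENCY = {"High": "immediately", "Moderate": "as soon as possible",
           "Low": "less urgent"}


@dataclass(frozen=True)
class Vulnerability:
    name: str
    rating: str   # High / Moderate / Low, as rated in Table I
    action: str   # "Action Required" column of Table I


# Vulnerabilities marked present in Table I of the College of Business case.
REGISTER = [
    Vulnerability("Password cracking", "High",
                  "Send strong-password guidelines and request password changes"),
    Vulnerability("Gaining access to remote connections and services", "High",
                  "Enforce secure wired or wireless connection to sensitive data"),
    Vulnerability("Viruses and worms", "High",
                  "Update antivirus programs, scan and clean infected computers"),
    Vulnerability("Software specific and updates", "Low",
                  "Update and install new patches to improve security"),
    Vulnerability("Security policy violations", "Moderate",
                  "Send a memo reminding students and faculty of security policies"),
]

THREATS = ["Spoofing attack", "New virus spreading"]
REMOTE, VIRUS, SOFTWARE = (REGISTER[i].name for i in (1, 2, 3))
# Severity per (vulnerability, threat) cell. Only the first value is stated in
# the text; the rest are constructed to match the response the case describes.
MATRIX = {
    (REMOTE, THREATS[0]): "Moderate",
    (REMOTE, THREATS[1]): "Low",
    (VIRUS, THREATS[0]): "Low",
    (VIRUS, THREATS[1]): "High",
    (SOFTWARE, THREATS[0]): "Low",
    (SOFTWARE, THREATS[1]): "High",
}
# Vulnerabilities already handled when the threats appear (absent from Table II).
ADDRESSED = {"Password cracking", "Security policy violations"}


def proactive_plan(register):
    """No present threat: order actions by each vulnerability's own rating."""
    ordered = sorted(register, key=lambda v: -RANK[v.rating])  # stable sort
    return [(v.name, v.rating, v.action) for v in ordered]


def reactive_plan(register, addressed, threats, matrix):
    """Threat present: rank each unaddressed vulnerability by its worst cell.

    Returns (plan, unassessed_cells). A cell with no severity is reported and
    the row is escalated to High (assumption) rather than silently read as Low.
    """
    if not threats:
        raise ValueError("reactive mode needs at least one present threat")
    plan, unassessed = [], []
    for v in register:
        if v.name in addressed:
            continue
        cells = [matrix.get((v.name, t)) for t in threats]
        gaps = [(v.name, t) for t, s in zip(threats, cells) if s is None]
        unassessed.extend(gaps)
        worst = "High" if gaps else max(cells, key=RANK.__getitem__)
        plan.append((v.name, worst, URGENCY[worst], v.action))
    plan.sort(key=lambda row: -RANK[row[1]])
    return plan, unassessed


if __name__ == "__main__":
    for row in proactive_plan(REGISTER):
        print("proactive:", row)
    plan, gaps = reactive_plan(REGISTER, ADDRESSED, THREATS, MATRIX)
    for row in plan:
        print("reactive: ", row)
    print("cells still to assess:", gaps)
```
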




The paper discusses these vulnerabilities and offers a framework
for addressing them.

In general, there are two scenarios under which a system
administrator can address the vulnerabilities. The first scenario
assumes no presence of a given threat and is designed to
provide a systematic and proactive course of action to
continuously improve the security of the laptops and their use
to access organizational LANs or WLANs. The scenario
suggests a course of action based on a vulnerability rating
system. The vulnerabilities are rated based on two factors: the
degree of attractiveness to a potential intruder and the
consequences/impact of the vulnerability for the organization.

The second scenario assumes the presence of one or more
security threats. This scenario is designed to offer a reactive,
but systematic course of action. A matrix is designed, and in
each cell of the matrix, the severity of a vulnerability-threat
combination is represented with a color-coded sign. Again, a
course of action is suggested starting with the most severe
combinations, followed by moderate combinations, and ending
with the low-risk combinations.

V.     CONCLUSIONS

This paper offers a managerial framework for addressing
laptop physical, system, and network access vulnerabilities.
The purpose of the framework is to assist system administrators
to create effective action plans to deal with such vulnerabilities.
A proactive approach to eliminating vulnerabilities is suggested
and a step-by-step methodology is offered. When security
threats are present, a matrix-based approach is suggested. The
matrix can help the system administrator identify the most
severe attack/vulnerability combination and mitigate the risk of
such threats. The matrix-based approach is a reactive approach,
but it is necessary to guide the system administrator when the
networks or laptop computers are under attack. A real case
scenario from a university college is used to illustrate the
framework. The suggested framework is not limited to the use
of laptop computers; it can be used by organizations to monitor
vulnerabilities in other areas of organizational cyberspace.

REFERENCES

[1]   CDW-G (White Paper), “Mobile computing security: protecting data on
      devices roaming on the perimeter,” Retrieved March 7, 2011, from:
      http://www.edtechmag.com/higher/docs/2008/09/mobile-computing-security.pdf.
[2]   R. Telang and S. Wattal, “An empirical analysis of the impact of
      software vulnerability announcement on firm stock price,” in IEEE
      Transactions on Software Engineering, Vol 33 (8), pp. 544-557, 2007.
[3]   B. Bosen, “Vulnerability management survey” in Trusted Strategies,
      2006, Retrieved February 7, 2011, from
      http://www.trustedstrategies.com/papers/vulnerability_management_survey.pdf.
[4]   E. Schonfeld, “Forrester projects Tablets will outsell Netbooks by 2012,
      Desktops by 2013” June 2010, Retrieved February 9, 2011 from
      http://techcrunch.com/2010/06/17/forrester-tablets-outsell-netbooks/
[5]   Fiberlink, “Laptop vulnerability assessment service,” 2011, retrieved on
      February 8, 2011 from
      http://feeneywireless.com/fetchdoc.php?docID=90856300.
[6]   J. Allen, “The art of information security governance” in Qatar
      information security forum, 2008, Software Engineering Institute,
      retrieved on February 8, 2011 from
      http://www.cert.org/archive/pdf/QISF_Allen_022408.pdf.
[7]   H. S. Venter and J. H. Eloff, “Vulnerabilities categories for intrusion
      detection systems,” in Computers & Security, Vol. 21 (7), pp. 617-619,
      2002.
[8]   S. Goel and V. Chen, “Information security risk analysis–a matrix-based
      approach,” 2005, retrieved on February 7, 2011 from
      http://www.albany.edu/~goel/publications/goelchen2005.pdf.
[9]   N. A. Renfroe and J. L. Smith, “Threat/vulnerability assessments and
      risk analysis” November 2010, retrieved on February 7, 2011 from
      http://www.wbdg.org/resources/riskanalysis.php.

AUTHORS PROFILE

Arben Asllani is a Post Doctoral Fellow in Cybersecurity at the Center
for Security Studies at the University of Maryland University College
(UMUC) and a UC Foundation Professor of Management at the
University of Tennessee at Chattanooga. He has published over 24
journal articles and presented and published over twenty conference
proceedings. His most recent research has been published in such
journals as Omega, European Journal of Operational Research,
Knowledge Management, and Computers & Industrial Engineering.

Amjad Ali is the Director of the Center for Security Studies and a
Professor of Cybersecurity at University of Maryland University
College. He played a significant role in the design and launch of
UMUC’s cybersecurity programs. He teaches graduate level courses in
the area of cybersecurity and technology management. He has served as
a panelist and a presenter in major conferences and seminars on the
topics of cybersecurity and innovation management. He is a member of
the Maryland Higher Education Commission (MHEC) Cybersecurity
Advisory Council, providing advice and help on how MHEC can
respond best to the higher education needs of the growing cybersecurity
workforce.
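The two scenarios summarized in Section IV (proactive rating, then the reactive vulnerability-threat matrix) can be sketched in code. The Python below is an added illustration, not part of the paper: the 1-5 rating scales, the product rule, the 0-3 exposure score, the colour thresholds and the sample vulnerabilities are all assumptions; only the three vulnerability categories and the two threats (phishing e-mail, Trojan attack) come from the paper.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vulnerability:
    name: str
    category: str        # physical, system or network access (the paper's categories)
    attractiveness: int  # assumed scale: 1 (low) to 5 (high)
    impact: int          # assumed scale: 1 (low) to 5 (high)

    @property
    def rating(self):
        return self.attractiveness * self.impact  # assumed combination rule

def proactive_plan(vulns):
    """Scenario 1 (no active threat): highest-rated vulnerabilities first."""
    return [v.name for v in sorted(vulns, key=lambda v: (-v.rating, v.name))]

def cell_colour(vuln, exposure):
    """Colour of one matrix cell; exposure (0-3, assumed) says how directly
    the threat exploits the vulnerability, 0 meaning not at all."""
    if exposure == 0:
        return None
    score = vuln.rating * exposure
    return "red" if score >= 40 else "yellow" if score >= 15 else "green"

def reactive_plan(vulns, exposures):
    """Scenario 2 (threats present): red cells first, then yellow, then green."""
    order = {"red": 0, "yellow": 1, "green": 2}
    by_name = {v.name: v for v in vulns}
    cells = [(cell_colour(by_name[n], e), -by_name[n].rating * e, n, t)
             for (n, t), e in exposures.items() if e > 0]
    cells.sort(key=lambda c: (order[c[0]], c[1], c[2], c[3]))
    return [(colour, name, threat) for colour, _, name, threat in cells]

# Constructed sample data; the two threats are the ones in the paper's case.
VULNS = [
    Vulnerability("Unencrypted hard disk", "physical", 4, 5),
    Vulnerability("Outdated antivirus signatures", "system", 4, 4),
    Vulnerability("Weak password policy", "network access", 5, 4),
    Vulnerability("Open guest WLAN segment", "network access", 3, 3),
]
EXPOSURES = {
    ("Weak password policy", "phishing e-mail"): 3,
    ("Outdated antivirus signatures", "Trojan attack"): 3,
    ("Open guest WLAN segment", "Trojan attack"): 2,
    ("Open guest WLAN segment", "phishing e-mail"): 1,
    ("Unencrypted hard disk", "Trojan attack"): 0,
}
```

Calling `proactive_plan(VULNS)` gives the order of work when no threat is active; `reactive_plan(VULNS, EXPOSURES)` gives the colour-ordered list of vulnerability-threat combinations to handle during an incident.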




http://sites.google.com/site/ijcsis/
ISSN 1947-5500