This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
COMPUTER SECURITY AND RISK MANAGEMENT
In our daily life computers have become the integral part due to their vast usage, and inventions that has been taking place day by day, and also the usage of mobile devices PDA's, Smart phones have been considerably increased. These devices are used for saving business data and most of the confidential information. As per the survey done by Nokia in the year 2005 says that 21% of the US employees are using PDA's and 63% uses mobile phones for business purpose, which has incredibly increased by now. With this vast development the threats caused by them are also increasing at a same pace. To reduce these risks a proper information security policy is very much needed for all the companies, organisations shouldn't consider these policies as one-time event and they must update these policies every time with response to new threats. In this document I am going to discuss about some of the threats and mobile security policies that has to be takes by an organization.
2. Information Security
For so many decades information security has been considered as the most important task for the administrators of an organization. Where information security is mainly maintained on three major principles known as CIA triad (Confidentiality, Integrity, and Availability).
This is the process of preventing from disclosure of the information to unauthorised users or systems. This may takes place in many ways, while transferring the data from one place to another place by encrypting the data and making it visible to only authorised users. In this case an access to any confidential data that has been stored in mobile devices to eavesdroppers is considered as a breach of confidentiality.
The process of saving the data from modifying are manipulating by the unauthorised users for their personal benefits. It can be violated in many ways, by simply using a malicious code and manipulating the code, or by simply an employee knowingly or unknowingly telling wrong information to their clients.
This is the process of making the data available when it is needed. This means that the systems saving the information need to be available all the time and any viruses or hackers violating the code and freezing the systems will be considered as breach to availability.
The protection afford to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources.
Security Policy:- to ensure that CIA triad is working properly every company must and should follow some security policies. These are nothing but a set of general statements, which has to be followed by each and every individual to be considered as an authorised user.
3. CRITICAL DISCUSSION OF POSSIBLE THREATS
While mobile phones, PDA's, smart phones and many number of hand held devices are widely used as an integral part of business purpose, threats and insecurity caused by these devices are also widely increasing due to the sensitive information that has been carried by these devices. These handheld devices are not much capable of security features that a pc's are capable of, which makes them easily exposed to threats. Due to the limitations they have these devices are not even able to centrally monitored and maintain in an organisation. With the latest emerging technologies these devices are having a memory capacity equals to a computer. This makes life easier for an employee to store sensitive organisational and personal information such as passwords, email accounts, company's orders, latest price updates and companies financial statements, which results in high insecurity. Highly potential risk that these portable handheld devices made is the accessibility of these devices using wireless network.
Here are the some of the threats caused by the handheld devices, which are similar to the threats that have been found by the desktop computers.
LOST, STOLEN OR DISPOSAL:-
Due to the portability of the handheld devices they have the more chances of loss or misplacement. Chances of theft of these handheld devices are even more and due to the weak data security they have, data in these devices can be easily manipulated and stolen. In spite of the proper wireless VPN's being installed once these handheld devices are stolen by the hackers whole organisations intranet will be threatened. Hence to protect this proper security passwords must be configured to these devices. In case of disposal of the devices proper manual resetting of the devices is needed which clears all the stored data and any kind of cache information and bring the device to its original settings. This is not yet secure at because of the latest technologies all the erased data can be recovered from the flash memory of the handheld devices. According to the number of survey's across the world number of mobile devices left behind by the users in airports and taxi's and restaurants are incredibly increasing, organisations must educate their employees regarding the usage and safeguarding of their devices carrying sensitive information continuously.
The word hacker is nothing but a person who tries to accesses the devices without authorization it can be done in any form from the outside world. In spite of proper security measures has been implemented in the form of passwords and credentials there is a possibility of cracking these credentials by random guessing or knowing the personal information of the user. According to the survey of the network forensic department it is stated that most of the threats are caused because of the weak passwords like 1234, 0000...etc are using their own date of births, which are the common credentials that can be guessed by the eavesdroppers. To avoid this kind of threats employees must be given proper guidance in setting their passwords and also they need to reset passwords most often. There are also devices which provide two way access mechanism which are a basic phone lock to access the device and the other is the security code to reset the device phone lock in case if it is forgotten. In this most of the user forgot to change the security code which makes a way for the hackers to access the data. There are some of the cases that the manufacturers incorporate backdoors into device for testing the devices for the manufacturer purpose.
The most common example for the hacker's threat is, breaking down into the public telephone system by which they trap the employee's devices by which they crack the data from their handheld devices. This cannot be identified by the user and which makes a major harm to the company's data. The most common reasons for this hackers threat is
MALICIOUS CODE, VIRUSES OR MALWARE:-
It's nothing but the viruses, worms, logic bombs, Trojan horses and other kind of ads that we get on the web pages that pops up when we are at work. These kinds of threats are more prone to the devices which have Software Development Kit (SDK) then the devices which don't support Software Development Kit (SDK) as these malware's can't be developed. This can be affected in any form while synchronising mobile devices with the storage devices for the data transfer. Some of them are discussed below.
Ø Employees trying to accesses files from internet, surfing on the mobile devices, checking their mail account, accessing media sites are some of the major threats. At this time malicious codes are downloaded at the back end and they give access to the mobile data with out any interference of the user. These are known as the backdoor vulnerabilities.
Ø With emerging technology MMS (Multimedia Message Service) is widely used and most popular kind of messaging service that a mobile devices can deliver. But this is becoming the most threatening form of virus that these devices are affecting because of the kind of viruses they can cause. So users must aware of these threats and they must be careful while opening unknown messages.
Ø One more advantage that mobile devices provide is the Bluetooth technology. This is the most cheapest and convenient way of data transferring from one device to another in a limited range. Threat caused by this service is highly vulnerable to the devices data, because of the easy access of the device by any other Bluetooth enabled device These viruses are a kind of serious threat to the data once they attack our systems they start doing their work by replicating the same data and creating multiple number of copies in our system, and viruses does their work by deleting the data and some by deactivating our accesses to the device.
Once if a device is attacked using any of this kind eavesdropper will be having full access to the device and they start copying sensitive information , deleting files, sending abusing messages, calling tool numbers like 0845 0807, they can enter in to the company's network and also disabling the device. One of this kind called 911 virus discovered in Japan effected 13million I-mode user to call Japans emergency number.
As we know that all the devices have unique identifier code which is useful to identify the device globally, if such an identifier is copied and placed for an another mobile a clone is formed which acts as an original mobile. Compared to analog devices which came early digital devices are more secured and transmits data using cryptography which is highly is highly secured to crack compared to analog devices. But still accessing the device physically may help to use the information and make a clone device of early generation.
4. CRITICAL REVIEW OF POLICY
As we had discussed usage of mobile devices is very effective and profitable in terms of cost, time and productivity. But there was a discussion for the usage of mobile phones in the work place due to the security measures they cause. Though the usage of mobile devices owned by employees are most cost effective for an organisation compared to the devices given by the company's, central administering of the employee owned devices are very difficult compared to the devices given by the company's.
A policy should meet some basic criteria before implementing them:-
Ø A policy must effectively communicate with the employees what the management is expecting them to follow.
Ø It should be able to withstand legal examination to fight back for the companies rights in case of judicial processing
If some of these policies are not met by a company before introducing some policy, then it cannot be considered as Effective. Hence the policies that have to be followed are divided in to two types User-oriented policies and organisational oriented policies.
User- Oriented Policies:-
* First and foremost step that has to be followed is the physical safety of the device. It should not be left unattended with out care.
* Offering work device to others may cause threat to the confidential data that is stored in the device and also to the other devices that are reachable using it.
* Security settings for the devices must be properly configured and also it's the duty of the security administrator to make sure that these settings are not changed by the users. This may open doors for the security threat.
* Users must be given proper guidance to report the lost of the devices as soon as it comes to their notice, to reduce the threat.
* Providing high level authentication is very much important, passwords are the basic barriers for entering a device.
* Using memorable information for setting passwords must be avoided; using same passwords for entering into different levels must be avoided.
* There must be steps to follow for the selection of passwords like the length of the passwords; it must be a mixture of characters, alphabets and numbers.
* Users must be given very strict access to gain sensitive information; any kind of wrong usage must make the device inactive.
* Changing of passwords at regular intervals must be recommended by the administrators, without using the same password again and again.
* A threshold limit must be made for the password entries, once it reaches the threshold limit device should made inactive.
* Data backup should be done in a very regular process, to avoid the lost of data in any kind of natural or physical hazard that taken place.
* Security administrators must make sure that only limited amount of user required data is stored in the device.
* Users should be given a proper guidance of synchronising the device to authenticated desktops, not to public computers.
* Other means of data backup is the memory card and one should make sure that these memory cards are placed in a secured place, so that it doesn't goes in the hands of unauthorised users
* Saving of account numbers, pins, passwords and memorable information must be avoided.
* Device users must be given a complete awareness of viruses, worms, malware and the threats that can be caused by the usage of the devices irresponsibly.
* While surfing on mobile devices unauthorised sites and mails or messages should not be opened.
* Checking unauthorised sites may download malware on to the device and it manipulates the sensitive data or copies and sends the data to eavesdroppers.
* Users should avoid accessing bank accounts, connecting to corporate networks when they are on public wifi as they are easily prone to threats.
* Usage of automatic scripts to VPN login must be avoided.
* While using devices over WLAN high level mobile encryption techniques such as IPSec and also 802.11 security standards such as EAP (extensible Authentication Protocol) WAP (Wired Encryption Privacy) must be used to avoid any kind of threats.
Organisation Oriented Policies:-
* Every organisation must have a security policy determined in usage of mobile devices. It should be explained clearly about the rules, principles.
* Policy must determine clearly weather the devices are issued by the organisation or employees can use their own ones.
* Organisations must make sure that employees are given proper training and idea about the policies.
* These policies must be reviewed for every often as they come across new threats.
* Policy should state clearly about the steps that has to be followed at the time of lost, stolen, theft or complete deleting of data when diposing the device.
* They should make sure that authentication is properly implemented and strength of passwords is maintained properly and the passwords are changed for every number of logins.
* Policies should be written in such a way that mobile devices are deactivated after limited number of wrong login attempts.
* While writing new policies organisations should consider about the latest threats and also about the threats that have been in a course of time.
From the above report we came to conclude that the Software related company must follow some policies and rules, by which the threats can be avoided to a company. These policies must be keep on changing from time to time according to the threats that are affecting to a company at that time. The awareness of the threats to the employees is compulsory.
1) This article helps me to find the information about the mobile threats that may take place. http://articles.techrepublic.com.com/5100-22_11-5274902.html
2) This article gives me the information about the usage of the mobile devices, PDA's and smart phones in the day to day life. Also about some of the security measures that have to be taken. http://csrc.nist.gov/groups/SNS/mobile_security/documents/mobile_devices/PP-UNIsecFramework-fin.pdf
1) Computer security and risk management teach mate. http://cms1.gre.ac.uk
6) Information Security - Principles & Practices by Merkow M.
7) Stealing the network by alder,brain-hatch,brain