Over the last few years, a number of mobile devices have been developed, and they have had a great impact on many organizations and on individuals in many ways. A mobile device is a pocket-sized computing device, typically comprising a small visual display screen for user output and a miniature keyboard or touch screen for user input. A large number of mobile devices are available in the market; smart phones and PDAs are some of the popular ones. Mobile devices, especially smart phones, have entered people's lives and established a place of their own. Mobiles have even replaced wristwatches, as people now find it easier to check the time on their mobile phones. Beyond this, accessing the internet has become mandatory in many professions. Many smart phones now available in the market are replacing desktop PCs, and to some extent even laptops, for internet use.
As the number of mobile devices has increased very rapidly, these devices face a major security threat. According to Andrea, the major causes of attacks on mobile devices are the mass distribution of the devices and wireless communication. Loss or theft, interception of data that passes over the wireless network, capture of data via Bluetooth connections, and mobile viruses are some of the other threats associated with mobile devices. The major reason for these growing threats is the increased use of mobile phones and smart phones.
In this paper we will first look at the security risks caused by mobile devices and then discuss how to minimize them. Because of their size, portability and available wireless interfaces, the security risks caused by mobile devices are increasing.
Security challenges of mobile devices:
As mobile devices have become part of people's lives, the main concern with these devices is security. As many people carry their devices to work, it has become a challenge for organizations to keep their data confidential, since most of these devices can store a huge amount of data. Apart from this, most devices such as smart phones and laptops come with Wi-Fi connectivity, so the user can easily access the internet. According to Stephen Withers and most other articles, the most common security risks for mobile devices are:
Loss or Theft:
According to many surveys, loss or theft of a mobile device is the number one threat. The small size of mobile devices means that they have a tendency to be lost or misplaced, and are an easy target for theft. If the device does not have appropriate security measures in place or activated, then gaining access to the device can be easy, thereby exposing sensitive data on the device or accessible by it. Disposal of used mobile devices is also a concern. Deleting data before disposing of a mobile device no longer helps nowadays; memory flasher units are capable of rewriting and restoring the memory of different mobile devices.
Mobile devices with wireless connections:
Almost all mobile devices have a wireless connection facility, and because of it each mobile device connects to different wireless networks. Data can be easily intercepted when it passes over a Wi-Fi or 3G network. Through wireless networks data is easily transmitted from one device to another, and the main risks are the theft of important data and the delivery of a virus that corrupts data on the mobile device.
Mobile devices with a wireless connection are a threat not only to the devices themselves but also to the network to which they are connected. According to a worldwide survey of network operators done by McAfee (mobile security software), most networks have been infected by the threats that affect the mobile devices connected to them, which in turn affects the network operator in many ways.
Mobile devices are often subject to attack by a wide variety of malware (malicious software). Such malware ranges from that which is common to desktop computers to that which specifically targets mobile devices. Malware can be introduced to mobile devices via communications services or via synchronisation with a desktop computer or network. Generally, malware writers employ social engineering techniques to prompt users to carry out the actions that get the malware downloaded onto the mobile device. Sometimes downloading a file from the internet will introduce malware to a mobile device; malware can also be sent in the form of electronic messages such as SMS, MMS etc. In this case the user opens the message and the malware automatically installs itself on the system. Malware can also be sent through Bluetooth and infrared. The consequences of malware include theft of important data, destruction of data, disabling of the device etc. For example, if a mobile phone is infected with malware, it can send messages to premium numbers; some malware sends infected messages to the numbers in the contact list, and some shuts down the phone.
According to David Champine, senior director of product marketing, mobile devices, as a result of their connection to communication services, are increasingly subject to spamming. In addition to the annoyance of receiving undesirable and unsolicited material, spam can cause users to unwittingly accept charges on their communication service. Further, spam can be used as an adjunct to social engineering, as a pathway for the introduction of malware, and to conduct denial-of-service attacks on a mobile device.
Mobile viruses can be a major threat, particularly with devices that have significant computational capabilities. Mobile devices, in general, are susceptible to viruses in several ways: viruses can take advantage of security holes in applications or in the underlying operating system and cause damage; applications or applets downloaded to a mobile device can be as virus-prone as desktop applications; and, in some mobile OSs, malformed SMS messages can crash the device. For example, the 911 virus caused 13 million i-mode users to automatically place a call to Japan's emergency phone number. 911 is a small piece of program code; it is delivered in the form of an e-mail and, when opened, takes over and controls the phone's basic functions.
E-mail viruses affect PDAs in much the same way regular e-mail viruses affect PCs (i.e., causing the PDA e-mail program to send multiple e-mails). These viruses are costly to enterprises and interrupt normal business too. PalmOS/LibertyCrack is an example of a PDA e-mail virus. It's a known Trojan horse that can delete all applications on a Palm PDA.
Nobody likes others listening to their sensitive matters when they are talking on the phone. Similarly, attempts to access and eavesdrop on transmitted information are another possible threat to avoid. Here, software is installed on a device to spy on other devices; this is called electronic eavesdropping. Some devices even come with this software.
It has the capability to turn on the microphone and record conversations in the area. For example, there is spy software called Flexi spy which does electronic eavesdropping. It records all the events that happen on the mobile device and delivers them through a web account. Flexi spy PRO-X is the software used for mobile devices with an internet connection; it not only records the events that happen on the mobile phone but can also listen to the surroundings of that particular mobile and to conversations that take place on it, and determine the location of the particular software.
Cloning is another major threat to mobile devices. A mobile phone can easily be cloned by reprogramming it; the factory-set Electronic Serial Number and the mobile identification number can easily be obtained from a mobile phone in order to clone it. Cloning is easy if the phone is on an analog network, but nowadays all networks are changing to digital except in rural areas. For example, Chinese mobile phones were banned in India for security reasons because they did not come with a factory-set Electronic Serial Number.
To Minimize Security Risks:
The main concern for mobile device security is that we cannot depend on a single security solution, because of the wide range of mobile devices in use today. It is also not practical to extend the current security infrastructure to mobile devices. The security of mobile devices is important for every business or enterprise, so they should treat mobile security as an independent task, and mobile-usage-specific security policies must be created and implemented. We cannot completely eliminate the security risks for mobile devices, but by following some policies we can definitely reduce them.
By focusing on a few areas we can at least minimize the security risks of mobile devices.
If the devices only stored the data locally and only synchronized locally, the problem would be manageable and containable. But now that the devices have cellular modems, analog modems, 802.11 LAN cards, and Bluetooth LAN controllers built-in, the users expect to be able to synchronize remotely using the cell network, their home network, or an 802.11 connection in their local library or coffee shop. And in many cases, the business application requires that they be able to accomplish this synchronization during the day rather than waiting for a nightly upload or requiring the outbound employee to come back to a home base to synchronize data.
Some method should be implemented to secure the data channel that carries the data between the mobile devices and whatever device manages the data connection.
Synchronization security is a method or strategy that allows mobile devices to send and receive data securely, so that the data cannot be traced. At a minimum, most mobile clients should support some kind of SSL connection over HTTP so that you can send and receive the data between the mobile client and a secure Web site. Using a tunnelling solution separates the synchronization logic from the application logic and lets you use industry-standard firewalls, routers, and server solutions to build and maintain your secure connections.
Encryption techniques can also be used for the secure transfer of data between sender and receiver. The conversion of plain text into cipher text (an unreadable form) is called encryption. With the help of a key, both sender and receiver can encrypt and decrypt the data.
The above diagram shows the encryption technique used in a computer, and the same can be applied to mobile devices as well.
Once put on the device, the data must be secured in such a way that a casual unauthorized user cannot easily retrieve data and passwords.
First, every mobile device requires security when the device is started or booted up, so that an invalid user cannot access it. This could be a password to start the device or a fingerprint reader like those that come standard on high-end devices.
Second, any security credentials stored on the device should be encrypted rather than clear text. These credentials include not only user IDs and passwords but sensitive host system information like machine names and IP addresses. Finally, whenever possible, the application data on the device should be encrypted so that it cannot easily be read and interpreted by another user. You may choose not to encrypt the data for performance reasons or because the data isn't considered valuable enough to protect. You should remember that although it may be convenient to use whatever database facilities the device provides to hold information for your application, these facilities are not normally encrypted.
Operating system security
Every mobile device has its own operating system. As the operating system is stored on the chip, it is not so easy for viruses to affect it. But applications or add-ons installed by a user can affect the system and corrupt the operating system. If the operating system is corrupted, all the important data will be lost. This is the most common problem in laptops because of the limited number of operating systems. It is not as easy on mobile phones, as there are not many specific operating systems for them. This is an area that deserves continual observation by the individual responsible for OS security on mobile devices.
Authentication and authorization security
In present-day business it is important to secure the corporate network, because for every corporate company it is very important to connect the corporate network to the client. So it is very important to authorize the user and the device before they make any changes to the corporate network. Another important strategy is that no data should be given to mobile devices like PDAs and mobiles unless the person using the device has the appropriate corporate system permission. Because most of the current crop of mobile devices lack support for proper corporate systems authentication, many system designers fall back to simpler mechanisms like shared credentials authenticated over a clear-text channel using basic authentication on a Web server.
Always try to improve the existing internal standards and never compromise on your internal systems. Always use devices that allow NTLM authentication and authorization protocols if you are a Microsoft active shop; if you are a mixed shop or UNIX shop, require that devices use Kerberos. If the data is valuable enough to give to the user when he or she is inside the building, the same authentication and authorization standards should apply when the user wants to take the data out of the building or use the mobile client to update corporate data remotely.
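The synchronization passage asks for an SSL connection over HTTP, and the authentication passage warns about basic authentication over a clear-text channel. The sketch below is an added example, not code from the essay: a sync client that sends basic-auth credentials only over a verified TLS connection and refuses any downgrade to clear text. The function names and the host sync.example.invalid are assumptions made for illustration.

```python
import base64
import ssl
import urllib.request
from urllib.parse import urlsplit


class InsecureChannelError(ValueError):
    """The sync would expose data or credentials in clear text."""


def make_sync_context() -> ssl.SSLContext:
    # The default context already verifies the certificate chain and host
    # name; the settings are restated so a later edit cannot weaken them.
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no SSLv3, TLS 1.0 or 1.1
    return ctx


def require_https(url: str) -> None:
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise InsecureChannelError(
            f"sync endpoint must be https with a host name (scheme {parts.scheme!r})")
    if parts.username or parts.password:
        raise InsecureChannelError("credentials must not be embedded in the URL")


class HttpsOnlyRedirect(urllib.request.HTTPRedirectHandler):
    # urllib would otherwise follow a redirect to http:// and resend the
    # Authorization header over the clear-text connection.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        require_https(newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_sync_request(url, user, password, payload: bytes):
    require_https(url)
    token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
    req = urllib.request.Request(url, data=payload, method="POST")
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Content-Type", "application/octet-stream")
    return req


def sync(url, user, password, payload: bytes, timeout: float = 10.0) -> int:
    """Upload one batch; raises on any TLS or certificate failure."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=make_sync_context()),
        HttpsOnlyRedirect(),
    )
    with opener.open(build_sync_request(url, user, password, payload),
                     timeout=timeout) as resp:
        return resp.status
```

The check runs before any socket is opened, so a misconfigured `http://` endpoint fails on the device instead of leaking the shared credentials onto the network.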
Managing mobile devices:
Most organizations store important data on desktops and laptops; they cannot afford to lose this data or have it stolen, as it is very important. Research firm IDC has suggested a five-step theory to secure the data.
To protect password:
It is always important to have a strong password and also necessary to change the password frequently. The password should be a combination of alphabetic and numeric characters. Never activate password saving features.
To develop a multilevel approach to security:
It is always important to have strong anti-virus, anti-spyware, firewall etc. on the mobile devices, especially when they are connected to an external network. Be conscious of malware and hackers when visiting uncertified websites and opening suspicious mails.
To have virtual private networks (VPN):
Virtual private networks are important for an organization; when accessing a corporate network from a remote area it is necessary to transmit the data through a virtual private network. Transferring data through VPNs is a secure way. All the important data must be in encrypted form.
A wired connection is built to be more secure than a wireless connection. In a wireless connection, data sent over the air without being encrypted can very easily be hacked. But wireless systems can be made secure by using a few software applications that are made for this purpose. Also, never allow your device to automatically connect to signals which are in its detectable range, because it may connect to a hacker's device.
Always be ready for the worst-case scenario. Never save useful information like bank account details, passwords and PINs on your mobile. They may be misused if you lose your mobile. Also have your mobile screen password protected. Also make use of administrative device wiping so that a trained IT administrator can destroy the data once the mobile is lost.
Mobile devices in an organization:
Technology is a double-edged sword. It has both its pros and cons. Mobiles, which are meant to take communication to a new level, may also be misused. When mobiles are used inside the organisation, be aware that they can be used for malpractice. Many new-generation mobile devices are capable of storing a fair amount of confidential data which belongs to the company. Viruses and malware can also be spread by a mobile equipped with Bluetooth. In spite of all this, it is not fair to blindly prevent employees from using their mobiles in the company, because using mobiles and their applications actually makes employees more productive. Any technology invented is there to be used. A lot depends on the ethical behaviour of the employee. There are also many new-generation mobile devices with good software features that prevent perpetrators from sneaking out information. After all, it is the responsibility of companies to provide their data with good security. The following actions can be taken by organisations to prevent the use of mobile devices for fraud.
The mobile security can be organised in three steps.
Responsibility and education
Mobile security should be addressed not only in its physical aspect but also in its data aspect. The data should be protected. Policies should be made to protect data at rest and data in flight.
Protecting data at rest:
'Data at rest' means data that is stored on the mobile device. The corporate data that is stored on a mobile device should be encrypted irrespective of the type of device, be it a notebook computer, a PDA, a mobile phone or a USB drive. Often there is a perception that the law cannot be enforced on devices that are owned by the employees. But special laws must be enforced if the mobile devices contain any corporate data, and the laws should be strictly implemented.
Protecting data in flight:
'Data in flight' means the data in a device that is connected to several networks outside the organisation that are not controlled by the enterprise IT department. So it is very important to enforce policies regarding the connectivity of mobile devices. The policy should require employees to use an encrypted network connection at all times. This can be any network such as a VPN, a WPA2-secured WLAN etc.
2. Responsibility and education:
As mentioned earlier security should be one of the primary issues of corporate entrepreneurs. It is also important to define the responsibilities of the enterprise and the users to ensure that the employees are fully aware of the corporate mobile policy.
The policy should be clear regarding some of the issues:
The mobile devices the IT department supports.
Will the enterprise provide the mobile device, or can the employee use his own?
Whether the company will bear the costs of connectivity or the employees will have to bear their own expenses.
Who will be responsible if the mobile is lost or the data in the mobile is lost?
Whether the company has the means to encrypt the data at rest and in flight in the mobile devices etc.
Also the employees should be educated regarding the methods of encrypting the data, the devices to be used, password management etc.
The previous sections define only the security policies and the training of the users. But they are of no use unless they are imposed or enforced systematically. Policies should be made that require the staff to follow methods like:
Forcing secure connectivity
Restricting the access
Forcing the data encryption
Enforcing usage limitations etc
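One way to enforce the four areas listed above systematically, shown as an added example that is not part of the original essay: a posture check that releases corporate data only to devices meeting the policy, whoever owns them. The field names, the supported-device list and the sample fleet are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Posture:
    """One device report. Field names are hypothetical, chosen for this example."""
    name: str
    kind: str                # "phone", "pda", "notebook", "usb-drive"
    storage_encrypted: bool  # data at rest
    link: str                # "vpn", "wpa2", "open-wifi", "3g"
    auto_join: bool          # joins any network in range
    boot_lock: bool          # password or fingerprint required at start-up
    remote_wipe: bool        # administrator can wipe a lost device
    saves_passwords: bool    # password-saving feature switched on


SUPPORTED_KINDS = {"phone", "pda", "notebook"}  # assumption: the IT-supported list
ENCRYPTED_LINKS = {"vpn", "wpa2"}               # the two examples the essay names

# (enforcement area from the essay, condition that must hold, finding if it fails)
RULES = [
    ("secure connectivity", lambda d: d.link in ENCRYPTED_LINKS,
     "data in flight is not on an encrypted connection"),
    ("secure connectivity", lambda d: not d.auto_join,
     "device connects automatically to networks in range"),
    ("restricted access", lambda d: d.boot_lock,
     "no password or fingerprint check at start-up"),
    ("restricted access", lambda d: not d.saves_passwords,
     "password saving is enabled"),
    ("data encryption", lambda d: d.storage_encrypted,
     "corporate data at rest is not encrypted"),
    ("usage limitations", lambda d: d.kind in SUPPORTED_KINDS,
     "device type is not supported by the IT department"),
    ("usage limitations", lambda d: d.remote_wipe,
     "device is not enrolled for administrative wiping"),
]


def findings(device):
    """Group failed rules by enforcement area; an empty dict means compliant."""
    out = {}
    for area, holds, message in RULES:
        if not holds(device):
            out.setdefault(area, []).append(message)
    return out


def may_receive_corporate_data(device):
    # No data is released unless every rule holds.
    return not findings(device)


def fleet_report(devices):
    """Return {device name: findings} for the non-compliant devices only."""
    return {d.name: f for d in devices if (f := findings(d))}


# Constructed sample fleet.
FLEET = [
    Posture("sales-phone-01", "phone", True, "vpn", False, True, True, False),
    Posture("byod-pda-07", "pda", False, "open-wifi", True, False, False, True),
    Posture("field-notebook-03", "notebook", True, "3g", False, True, True, False),
]
```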