(IJCSIS) International Journal of Computer Science and Information Security,Vol. 9 No. 3, March 2011
Addressing Vulnerability of Mobile Computing
A Managerial Perspective
Arben Asllani and Amjad Ali
Center for Security StudiesUniversity of Maryland University CollegeAdelphi, Maryland, USA
Abstract
— Popularity of mobile computing in organizations hasrisen significantly over the past few years. Notebooks and laptopcomputers provide the necessary computing power and mobilityfor executives, managers, and other professionals. Suchadvantages come with a price for the security of theorganizational networks: increased vulnerability. The paperdiscusses three types of mobile computing vulnerability: physical,system, and network access vulnerability. Using a managerialapproach, the paper offers a framework to deal with suchvulnerabilities. The framework suggests specific courses of actionfor two possible scenarios. When there is no present threat, aproactive approach is suggested. When one or more threats arepresent, a reactive, matrix-based approach is suggested. Bothapproaches offer a systematic methodology to address laptopvulnerabilities. A similar framework can be extended to addresssecurity vulnerabilities of other mobile computing devices inaddition to notebooks and laptop computers. A real case scenariofrom a network in a university college in the southeastern U.S. isused to illustrate the proposed framework.
Keywords - mobile computing; cybersecurity; vulnerability;managerial approach
I.
I
NTRODUCTION
Recent trends of globalization, outsourcing, off-shoring,and cloud computing have changed the structure of organizations and cyberspace. Information is no longerconfined within the walls of an organization. Today’sorganizations are constantly allowing their suppliers to accesstheir supply chain management systems, customers to retrieveproduct information from their electronic commerce systems,and their own employees to log on to the organizations’intranet. Organizations use remote access to informationsystems to streamline their business processes, becomeoperationally efficient, and to gain competitive advantage.However, the global reach of information systems has raisedconcerns over security and has made organizations morevulnerable to security threats.Organizations must pay special attention to cybersecurityvulnerabilities and ensure that their notebooks, laptops, andother mobile devices and networks are not compromised as aresult of this increase in mobility [1]. A recent study aboutsoftware vendors indicated that organizations loseapproximately 0.6 percent in stock price when a vulnerability isreported and the impact is more severe when the vulnerabilityflaws are not addressed in advance [2]. However, while mostorganizations consider vulnerability management critical totheir operations, fewer than 25 percent have vulnerability as anintegrated part of their operations [3]. This paper offers amanagerial framework to address the issues of informationsystems vulnerabilities with a special focus on laptopcomputers and their use for remote access to organizationalnetworks.The proposed framework can help system administrators toassess the vulnerabilities associated with using mobile laptopsto remotely access the local area networks (LAN) or wirelesslocal area networks (WLAN). Once an assessment is made, thenetwork administrator can address such vulnerabilities in asystematic and efficient manner. Also, the framework suggestsa step-by-step procedure to address such vulnerabilities whenthe system is under attack, or when one or more threats arepresent.The paper is organized as follows. First, a brief discussionof vulnerabilities of mobile laptops and their use for remotelyaccessing a given network is provided. The next sectiondiscusses the modeling framework and presents the practicalrecommendations for system administrators. The framework includes a proactive systematic approach to continuouslyevaluate the set of vulnerabilities and a reactive approach fordealing with vulnerabilities when one or more threats arepresent. Finally, conclusions and several practicalrecommendations are providedII.
V
ULNERABILITIES OF
M
OBILE
C
OMPUTING
During the last two decades the popularity of notebooks andlaptops has increased significantly. They have been and willcontinue to be the computers of choice for individuals andorganizations. Forrester Research recently reported that laptopsales in the U.S. overtook desktop sales 44 percent to 38percent in 2009 and 44 percent to 32 percent in 2010 [4]. Thesame report predicts that laptop sales will remain unchanged inthe 42-44 percent range for the next few years while desktopsales will gradually decline to 18 percent in 2015. Laptops havebecome popular because they allow professionals and
1 http://sites.google.com/site/ijcsis/ISSN 1947-5500
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 9 No. 3, March 2011
knowledge workers to access their networks when they aretravelling or from home offices and at the same time they offerstorage and processing capabilities similar to, or even betterthan desktops.The shift toward mobile computing is associated with a newset of vulnerabilities for information systems. Mobile laptopsare considered by most organizations as the greatest securitythreat and the most difficult to maintain [3]. A surveypublished in 2006 indicated that in 27 percent of the cases, ittook longer than 10 days to deploy critical patches to mobilelaptops [3]. A timely and efficient response to laptopvulnerabilities must be a major concern for organizations andtheir system administrators.Mobile computing vulnerabilities can be classified intothree major categories: physical vulnerability, systemvulnerability, and network access vulnerability. A brief discussion of those categories is provided below along with asuggested course of actions.
A.
Physical Vulnerability
Laptops are mobile computers and they travel with theirowners or users. There is a greater chance for laptops to be lostor stolen in airports, hotels, and meeting auditoriums. Physicalvulnerability is not only associated with the loss of hardware; itis also associated with the loss of valuable data and sensitiveinformation. Another form of physical vulnerability occurswhen laptops are left open and unattended, which leads toexposure to sensitive information and documents and theability for network access.System administrators must continuously raise awarenessabout the importance of physical security and remind laptopusers of consequences of this vulnerability. In some cases, it isnecessary to secure the rooms or offices where the laptop islocated and other times it is necessary to fasten the laptop to anon-movable object.
B.
System Vulnerability
Laptop computer systems are as vulnerable as any othercomputer system in the organization. A recent survey on laptopvulnerability assessment indicates that the most significant typeof vulnerabilities are missing security patches and updates,misapplied and outdated patches, outdated virus and spywaredefinition files, configuration weaknesses that create exposures,and missing or deficient security applications, topologies andprocesses [5]. Remote laptops can be physically accessedeasier than desktops. As such, non-secure laptop systems posegreater vulnerability than desktop systems.System administrators must prepare a schedule of updatesfor security patches, antivirus programs, and other securityprograms. It is very important to follow the schedule and allowusers to update their systems as soon as a new update becomesavailable.
C.
Network Access Vulnerability
The need to access LAN and WLAN using mobile laptopscreates the single most significant set of vulnerabilities for theorganizational cyberspace. Laptops are used to provide e-mailaccess, Internet access, and file transfer protocol (FTP) access.Such actions create an environment for opening potentialharmful attachments, allowing potential unauthorized access toimportant files, potential for sniffing, session hijacking, IPaddress spoofing, and denial of service attacks. In general,using a laptop to access a WLAN is more susceptible to attacksbecause WLAN includes both the organization’s internalnetwork and the general public network segments. Forexample, WLANs can be susceptible to attacks such as trafficanalysis, eavesdropping, brute force attack, renegade accesspoints, and masquerading attacks.System administrators and laptop users can address network access vulnerabilities through several courses of action. Theycan formulate and implement network access security policies,require periodic change of login information and enforce apolicy for strong passwords, clearly define user privileges(read, write, delete) and user access, and enforce secure settingaccess and avoid access from open networks.III.
M
ANAGING
V
ULNERABILITIES OF
L
APTOP
C
OMPUTERSAND
N
ETWORK
A
CCESS
The identification of physical, system, and network accessvulnerabilities allows the system administrator to prepare acourse of action to address these vulnerabilities. It is veryimportant that a continuously improvement plan is in place andvulnerabilities are dealt with in a timely manner and preferablybefore a threat occurs. Such an approach requires that securityperspective is shifted from technical to managerial. The maingoal of addressing vulnerabilities will be to improve businessresiliency and continuity [6].
A.
Managing Vulnerabilities: No Present Threat
System administrators must continuously work to reducethe number of vulnerabilities present at any time during normalbusiness operations. Even when there is no immediate threat asystematic, process based, proactive approach must befollowed. This approach has three major steps:1.
Identify present vulnerabilities in the IT security area2.
Rate vulnerabilities based on the potential damage andlikelihood of attack 3.
Address vulnerabilities with specific course of action
1)
Identification of Vulnerabilities
During normal business operations of the organizationalcyberspace, when there is no threat to the system, systemadministrators must evaluate potential vulnerabilities of thesystem and among them, vulnerabilities of laptop computersand their access to the organizational network. The literaturereview and practical experience have identified a series of vulnerabilities for any particular information system. Reference[7] suggests a series of vulnerability categories related tonetwork access as shown in the first column of Table I.System administrators must identify what vulnerabilitiesfrom the above list are present in his or her network. For thosevulnerabilities which are present the administrator must specify
2 http://sites.google.com/site/ijcsis/ISSN 1947-5500
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 9 No. 3, March 2011
any symptom(s), rating, and required action (s). This process isillustrated with a real case scenario as described below:
TABLE I. L
IST OF
V
ULNERABILITIES
Vulnerability Present?Symptoms Rating ActionRequired
Password cracking Yes Several facultymembers usethe samepassword toaccess severalservices such asBlackboard,Banner, and ashared serverwith sensitiveresearchdocumentsHigh Send a memowithguidelines forstrongpasswordsand requestpasswordchanges.Network andsysteminformationgatheringUser enumerationBackdoors,Trojans andremote controllingGaining access toremoteconnections andservicesYes Students areusing theirlaptops toaccess studentrecords usingthe unsecuredwirelessnetwork High Enforcesecure wiredor wirelessconnection tosensitive dataPrivilege and userescalationSpoofingMisconfigurationsDenial-of-service(DoS) and bufferoverflowsViruses andwormsYes Several laptopsand desktopsare infected.High Updateantivirusprograms andscan andclean theinfectedcomputersHardware specificSoftware specificand updatesYes Several newprograms needto be updated inthe facultylaptops anddesktops.Low Update andinstall newpatches toimprovesecuritySecurity policyviolationsYes Students useclassroom andlaboratorycomputers toaccess gamingwebsites. Somefacultymembers leaveopen laptops inunlockedofficesModerateSend a memoand remindstudents andfaculty of securitypoliciesrelated to thisvulnerability
Timothy Parker is a systems administrator at the Collegeof Business, an AACSB accredited institution in a regionaluniversity in the southeastern U.S. The college has twocomputer laboratories, four computer classrooms, and manylecturing podiums equipped with workstations and projectors.The college has an inventory of 78 laptops that are distributed to faculty members for their research and teaching needs. Thecollege has several LANs, a secure WLAN, and an openwireless network. Faculty members use their laptops to accessstudent information, classroom information, and research filesthat are stored in several drives around the college’s LAN.Students also use their own laptops and mobile devices toaccess classroom information and other files located in thenetwork.Mr. Parker is aware that many faculty members use thesame password to access several services, includingBlackboard, Banner, and servers with sensitive information.Students also use their laptops to access their records using anunsecured wireless network. Several laptops and desktops areinfected due to students downloading harmful documents viathe Internet. Several new programs on the faculty laptops and desktops need to be updated. Students use classroom and laboratory computers to access gaming Web sites. As Mr.Parker was walking through the building he noticed that somefaculty members had left their office open or unlocked withlaptops already logged onto the network.2)
Vulnerability Priority Ratings
A system’s vulnerability rating represents a combination of the potential damage a certain attack poses on the vulnerabilityand the attractiveness of the vulnerability in the eyes of anintruder. The following three vulnerability ratings aresuggested:
•
High: This vulnerability is very attractive to the intruder andhas high consequences if this vulnerability is exploited.Mr. Parker has rated password cracking, gaining access toremote connections, presence of viruses and worms in thiscategory.
•
Moderate: This vulnerability is somewhat attractive to theintruder and consequences if this vulnerability is exploitedare moderate. Mr. Parker has rated security policyviolation in this category.
•
Low: This vulnerability is not very attractive to the intruderand has low consequences if this vulnerability is exploited.Mr. Parker has rated software specific and updates in thiscategory.
3)
Course of Actions
Using the priority ratings identified in the previous step,Mr. Parker generates a working plan to address thevulnerabilities in the College of Business. Specifically, Mr.Parker must immediately send a memo with guidelines forstrong passwords and request password changes, enforcesecure wired or wireless connection to sensitive data, updateantivirus programs, scan, and clean the infected computers,
3 http://sites.google.com/site/ijcsis/ISSN 1947-5500
Search History:
Result 00 of 00
00 results for result for
p.
Addressing Vulnerability of Mobile Computing: A Managerial Perspective
Popularity of mobile computing in organizations has risen significantly over the past few years. Notebooks and laptop computers provide the necessary computing power and mobility for executives, managers, and other professionals. Such advantages come with a…
(More)
1.2K
Reads
1
Readcasts
0
Embed Views
Get Scribd Mobile
To get Scribd mobile enter your number and we'll send you a link to the Scribd app for iPhone & Android.We've sent a link to the Scribd app. If you didn't receive it, try again.
We'll never share your phone number.
More From This User
Notes
Load more
