(IJCSIS) International Journal of Computer Science and Information Security, Vol. 9 No. 3, March 2011

Addressing Vulnerability of Mobile Computing
A Managerial Perspective
Arben Asllani and Amjad Ali
Center for Security Studies, University of Maryland University College, Adelphi, Maryland, USA

Abstract— Popularity of mobile computing in organizations has risen significantly over the past few years. Notebooks and laptop computers provide the necessary computing power and mobility for executives, managers, and other professionals. Such advantages come with a price for the security of the organizational networks: increased vulnerability. The paper discusses three types of mobile computing vulnerability: physical, system, and network access vulnerability. Using a managerial approach, the paper offers a framework to deal with such vulnerabilities. The framework suggests specific courses of action for two possible scenarios. When there is no present threat, a proactive approach is suggested. When one or more threats are present, a reactive, matrix-based approach is suggested. Both approaches offer a systematic methodology to address laptop vulnerabilities. A similar framework can be extended to address security vulnerabilities of other mobile computing devices in addition to notebooks and laptop computers. A real case scenario from a network in a university college in the southeastern U.S. is used to illustrate the proposed framework.

Keywords - mobile computing; cybersecurity; vulnerability; managerial approach

http://sites.google.com/site/ijcsis/ ISSN 1947-5500

I. INTRODUCTION

Recent trends of globalization, outsourcing, off-shoring, and cloud computing have changed the structure of organizations and cyberspace. Information is no longer confined within the walls of an organization. Today’s organizations are constantly allowing their suppliers to access their supply chain management systems, customers to retrieve product information from their electronic commerce systems, and their own employees to log on to the organizations’ intranet. Organizations use remote access to information systems to streamline their business processes, become operationally efficient, and to gain competitive advantage. However, the global reach of information systems has raised concerns over security and has made organizations more vulnerable to security threats. Organizations must pay special attention to cybersecurity vulnerabilities and ensure that their notebooks, laptops, and other mobile devices and networks are not compromised as a result of this increase in mobility [1]. A recent study about software vendors indicated that organizations lose approximately 0.6 percent in stock price when a vulnerability is reported and the impact is more severe when the vulnerability flaws are not addressed in advance [2]. However, while most organizations consider vulnerability management critical to their operations, fewer than 25 percent have vulnerability as an integrated part of their operations [3].

This paper offers a managerial framework to address the issues of information systems vulnerabilities with a special focus on laptop computers and their use for remote access to organizational networks. The proposed framework can help system administrators to assess the vulnerabilities associated with using mobile laptops to remotely access the local area networks (LAN) or wireless local area networks (WLAN). Once an assessment is made, the network administrator can address such vulnerabilities in a systematic and efficient manner. Also, the framework suggests a step-by-step procedure to address such vulnerabilities when the system is under attack, or when one or more threats are present.

The paper is organized as follows. First, a brief discussion of vulnerabilities of mobile laptops and their use for remotely accessing a given network is provided. The next section discusses the modeling framework and presents the practical recommendations for system administrators. The framework includes a proactive systematic approach to continuously evaluate the set of vulnerabilities and a reactive approach for dealing with vulnerabilities when one or more threats are present. Finally, conclusions and several practical recommendations are provided.

II. VULNERABILITIES OF MOBILE COMPUTING

During the last two decades the popularity of notebooks and laptops has increased significantly. They have been and will continue to be the computers of choice for individuals and organizations. Forrester Research recently reported that laptop sales in the U.S. overtook desktop sales 44 percent to 38 percent in 2009 and 44 percent to 32 percent in 2010 [4]. The same report predicts that laptop sales will remain unchanged in the 42-44 percent range for the next few years while desktop sales will gradually decline to 18 percent in 2015. Laptops have become popular because they allow professionals and
knowledge workers to access their networks when they are travelling or from home offices and at the same time they offer storage and processing capabilities similar to, or even better than desktops. The shift toward mobile computing is associated with a new set of vulnerabilities for information systems. Mobile laptops are considered by most organizations as the greatest security threat and the most difficult to maintain [3]. A survey published in 2006 indicated that in 27 percent of the cases, it took longer than 10 days to deploy critical patches to mobile laptops [3]. A timely and efficient response to laptop vulnerabilities must be a major concern for organizations and their system administrators.

Mobile computing vulnerabilities can be classified into three major categories: physical vulnerability, system vulnerability, and network access vulnerability. A brief discussion of those categories is provided below along with a suggested course of action.

A. Physical Vulnerability

Laptops are mobile computers and they travel with their owners or users. There is a greater chance for laptops to be lost or stolen in airports, hotels, and meeting auditoriums. Physical vulnerability is not only associated with the loss of hardware; it is also associated with the loss of valuable data and sensitive information. Another form of physical vulnerability occurs when laptops are left open and unattended, which leads to exposure of sensitive information and documents and the ability for network access. System administrators must continuously raise awareness about the importance of physical security and remind laptop users of the consequences of this vulnerability. In some cases, it is necessary to secure the rooms or offices where the laptop is located and other times it is necessary to fasten the laptop to a non-movable object.

B. System Vulnerability

Laptop computer systems are as vulnerable as any other computer system in the organization. A recent survey on laptop vulnerability assessment indicates that the most significant types of vulnerabilities are missing security patches and updates, misapplied and outdated patches, outdated virus and spyware definition files, configuration weaknesses that create exposures, and missing or deficient security applications, topologies and processes [5]. Remote laptops can be physically accessed more easily than desktops. As such, non-secure laptop systems pose greater vulnerability than desktop systems. System administrators must prepare a schedule of updates for security patches, antivirus programs, and other security programs. It is very important to follow the schedule and allow users to update their systems as soon as a new update becomes available.

C. Network Access Vulnerability

The need to access LAN and WLAN using mobile laptops creates the single most significant set of vulnerabilities for the organizational cyberspace. Laptops are used to provide e-mail access, Internet access, and file transfer protocol (FTP) access. Such actions create an environment for opening potentially harmful attachments, allowing potential unauthorized access to important files, potential for sniffing, session hijacking, IP address spoofing, and denial of service attacks. In general, using a laptop to access a WLAN is more susceptible to attacks because WLAN includes both the organization’s internal network and the general public network segments. For example, WLANs can be susceptible to attacks such as traffic analysis, eavesdropping, brute force attack, renegade access points, and masquerading attacks. System administrators and laptop users can address network access vulnerabilities through several courses of action. They can formulate and implement network access security policies, require periodic change of login information and enforce a policy for strong passwords, clearly define user privileges (read, write, delete) and user access, and enforce secure setting access and avoid access from open networks.

III. MANAGING VULNERABILITIES OF LAPTOP COMPUTERS AND NETWORK ACCESS

The identification of physical, system, and network access vulnerabilities allows the system administrator to prepare a course of action to address these vulnerabilities. It is very important that a continuous improvement plan is in place and vulnerabilities are dealt with in a timely manner and preferably before a threat occurs. Such an approach requires that the security perspective is shifted from technical to managerial. The main goal of addressing vulnerabilities will be to improve business resiliency and continuity [6].

A. Managing Vulnerabilities: No Present Threat

System administrators must continuously work to reduce the number of vulnerabilities present at any time during normal business operations. Even when there is no immediate threat, a systematic, process-based, proactive approach must be followed. This approach has three major steps:

1. Identify present vulnerabilities in the IT security area
2. Rate vulnerabilities based on the potential damage and likelihood of attack
3. Address vulnerabilities with specific course of action

1) Identification of Vulnerabilities

During normal business operations of the organizational cyberspace, when there is no threat to the system, system administrators must evaluate potential vulnerabilities of the system and among them, vulnerabilities of laptop computers and their access to the organizational network. The literature review and practical experience have identified a series of vulnerabilities for any particular information system. Reference [7] suggests a series of vulnerability categories related to network access as shown in the first column of Table I. System administrators must identify which vulnerabilities from that list are present in their networks. For those vulnerabilities which are present the administrator must specify
any symptom(s), rating, and required action(s). This process is illustrated with a real case scenario as described below:

Timothy Parker is a systems administrator at the College of Business, an AACSB accredited institution in a regional university in the southeastern U.S. The college has two computer laboratories, four computer classrooms, and many lecturing podiums equipped with workstations and projectors. The college has an inventory of 78 laptops that are distributed to faculty members for their research and teaching needs. The college has several LANs, a secure WLAN, and an open wireless network. Faculty members use their laptops to access student information, classroom information, and research files that are stored in several drives around the college’s LAN. Students also use their own laptops and mobile devices to access classroom information and other files located in the network. Mr. Parker is aware that many faculty members use the same password to access several services, including Blackboard, Banner, and servers with sensitive information. Students also use their laptops to access their records using an unsecured wireless network. Several laptops and desktops are infected due to students downloading harmful documents via the Internet. Several new programs on the faculty laptops and desktops need to be updated. Students use classroom and laboratory computers to access gaming Web sites. As Mr. Parker was walking through the building he noticed that some faculty members had left their office open or unlocked with laptops already logged onto the network.

TABLE I. LIST OF VULNERABILITIES

| Vulnerability | Present? | Symptoms | Rating | Action Required |
| --- | --- | --- | --- | --- |
| Password cracking | Yes | Several faculty members use the same password to access several services such as Blackboard, Banner, and a shared server with sensitive research documents | High | Send a memo with guidelines for strong passwords and request password changes. |
| Network and system information gathering | | | | |
| User enumeration | | | | |
| Backdoors, Trojans and remote controlling | | | | |
| Gaining access to remote connections and services | Yes | Students are using their laptops to access student records using the unsecured wireless network | High | Enforce secure wired or wireless connection to sensitive data |
| Privilege and user escalation | | | | |
| Spoofing | | | | |
| Misconfigurations | | | | |
| Denial-of-service (DoS) and buffer overflows | | | | |
| Viruses and worms | Yes | Several laptops and desktops are infected. | High | Update antivirus programs and scan and clean the infected computers |
| Hardware specific | | | | |
| Software specific and updates | Yes | Several new programs need to be updated in the faculty laptops and desktops. | Low | Update and install new patches to improve security |
| Security policy violations | Yes | Students use classroom and laboratory computers to access gaming websites. Some faculty members leave open laptops in unlocked offices | Moderate | Send a memo and remind students and faculty of security policies related to this vulnerability |

2) Vulnerability Priority Ratings

A system’s vulnerability rating represents a combination of the potential damage a certain attack poses on the vulnerability and the attractiveness of the vulnerability in the eyes of an intruder. The following three vulnerability ratings are suggested:

• High: This vulnerability is very attractive to the intruder and has high consequences if this vulnerability is exploited. Mr. Parker has rated password cracking, gaining access to remote connections, presence of viruses and worms in this category.
• Moderate: This vulnerability is somewhat attractive to the intruder and consequences if this vulnerability is exploited are moderate. Mr. Parker has rated security policy violation in this category.
• Low: This vulnerability is not very attractive to the intruder and has low consequences if this vulnerability is exploited. Mr. Parker has rated software specific and updates in this category.

3) Course of Actions

Using the priority ratings identified in the previous step, Mr. Parker generates a working plan to address the vulnerabilities in the College of Business. Specifically, Mr. Parker must immediately send a memo with guidelines for strong passwords and request password changes, enforce secure wired or wireless connection to sensitive data, update antivirus programs, scan, and clean the infected computers,
send a memo and remind students and faculty of relevant security policies, and update and install new patches.

B. Managing Vulnerabilities: Present Threat

When one or more threats are present, system administrators must change the mode of operation from proactive to reactive. When the system is under attack, a quick evaluation of the threats and quick reaction to these threats is necessary. The reaction is immediate but still systematic, and the following steps must be followed:

1. Create a vulnerability-threat matrix
2. Evaluate the severity of each threat for each vulnerability
3. Address vulnerability-threat with specific course of action

1) Create a vulnerability-threat matrix

The vulnerability-threat assessment matrix can be utilized with any information system or part of it. The matrix approach is often suggested in the literature [8] [9]. The matrix is used to map the severity of a given threat with a given vulnerability and to systematically generate an emergent and effective response. Table II is an illustration of this matrix from the College of Business case.

Mr. Parker has addressed several vulnerabilities but is still working on enforcing secure connection, performing the latest update to the antivirus programs, and scanning and cleaning the several infected computers. Suddenly, Mr. Parker is made aware of two security threats. First, a spoofing e-mail is circulating among the faculty members’ and students’ electronic mailboxes. The e-mail asks recipients to login to a Web site and verify their login information or their e-mail service will be interrupted. Second, several faculty members are reporting that many computers in the computer lab have stopped responding due to what seems to be a Trojan attack. As the first step, Mr. Parker builds the vulnerability-threat matrix as shown in Table II. Only the unaddressed vulnerabilities are listed in this table along with their typical course of actions.

TABLE II. VULNERABILITY-THREAT MATRIX

| Unaddressed Vulnerabilities | Threat 1: Spoofing Attack | Threat 2: New Virus is Spreading at a High Rate | Action Required |
| --- | --- | --- | --- |
| Gaining access to remote connections and services | | | Enforce secure wired or wireless connection to sensitive data |
| Viruses and worms | | | Update antivirus programs and scan and clean the infected computers |
| Software specific and updates | | | Update and install new patches to improve security |

2) Evaluate the severity of each threat for each vulnerability

Each cell in Table II represents the severity (or risk) of a given threat to a still existing vulnerability. High severity or risk combinations are designated in red, moderate severity combinations are designated in yellow and low severity combinations in green. The interpretations of the severity ratings are provided below:

• Severity of this combination is high. The course of action recommended to mitigate these threats/vulnerabilities should be implemented immediately.
• Severity of this combination is moderate. The course of action recommended to mitigate these threats/vulnerabilities should be implemented as soon as possible.
• Severity of this combination is low. The course of action recommended to mitigate these threats/vulnerabilities will improve security, but is of less urgency.

As shown in Table II, the spoofing attack is currently presenting a moderate level of severity with regard to gaining remote access to the network. In general, spoofing can be very devastating for the organization (college) and the use of laptop computers to access the network is a weakness for the system. However, Mr. Parker is happy to see that his last memo on security policy, the importance of strong passwords, and his action to request password changes have transformed this potentially high risk threat-vulnerability combination into a moderate level. On the other hand, the spread of new viruses is causing significant damage to the laptops and other machines that are already infected or which do not have up-to-date antivirus protections.

3) Address vulnerability-threat with specific course of action

Based on the findings from the previous step, system administrators need to identify the immediate course of action to address the most severe vulnerability-threat. Specifically, Mr. Parker must update antivirus programs and scan and clean all the infected laptop and desktop computers. Simultaneously, he needs to install new patches to improve security for the rest of the network. Additionally, Mr. Parker must address the moderate vulnerability-threat combination by enhancing the security of the wired and wireless networks.

IV. SUMMARY AND RECOMMENDATIONS

Notebooks and laptops have become the computers of choice for professionals and managers who want to access their organizational networks while traveling or while working from home. With this popularity they also offer the greatest security challenges for system administrators. Laptops and their use to access organizational networks produce three major vulnerability categories: physical, system, and network access.

The paper discusses these vulnerabilities and offers a framework for addressing them.

In general, there are two scenarios under which a system administrator can address the vulnerabilities. The first scenario assumes no presence of a given threat and is designed to provide a systematic and proactive course of action to continuously improve the security of the laptops and their use to access organizational LANs or WLANs. The scenario suggests a course of action based on a vulnerability rating system. The vulnerabilities are rated based on two factors: the degree of attractiveness to a potential intruder and the consequences/impact of the vulnerability for the organization. The second scenario assumes the presence of one or more security threats. This scenario is designed to offer a reactive, but systematic course of action. A matrix is designed, and in each cell of the matrix, the severity of a vulnerability-threat combination is represented with a color coded sign. Again, a course of action is suggested starting with the most severe combinations, followed by moderate combinations, and ending with the low risk combinations.

V. CONCLUSIONS

This paper offers a managerial framework for addressing laptop physical, system, and network access vulnerabilities. The purpose of the framework is to assist system administrators to create effective action plans to deal with such vulnerabilities. A proactive approach to eliminating vulnerabilities is suggested and a step-by-step methodology is offered. When security threats are present, a matrix-based approach is suggested. The matrix can help the system administrator identify the most severe attack/vulnerability combination and mitigate the risk of such threats. The matrix based approach is a reactive approach but it is necessary to guide the system administrator when the networks or laptop computers are under attack. A real case scenario from a university college is used to illustrate the framework. The suggested framework is not limited to the use of laptop computers; it can be used by organizations to monitor vulnerabilities in other areas of organizational cyberspace.

REFERENCES

[1] CDW-G (White Paper), “Mobile computing security: protecting data on devices roaming on the perimeter,” retrieved March 7, 2011, from http://www.edtechmag.com/higher/docs/2008/09/mobile-computingsecurity.pdf.
[2] R. Telang and S. Wattal, “An empirical analysis of the impact of software vulnerability announcement on firm stock price,” in IEEE Transactions on Software Engineering, Vol. 33 (8), pp. 544-557, 2007.
[3] B. Bosen, “Vulnerability management survey,” in Trusted Strategies, 2006, retrieved February 7, 2011, from http://www.trustedstrategies.com/papers/vulnerability_management_survey.pdf.
[4] E. Schonfeld, “Forrester projects Tablets will outsell Netbooks by 2012, Desktops by 2013,” June 2010, retrieved February 9, 2011, from http://techcrunch.com/2010/06/17/forrester-tablets-outsell-netbooks/
[5] Fiberlink, “Laptop vulnerability assessment service,” 2011, retrieved on February 8, 2011, from http://feeneywireless.com/fetchdoc.php?docID=90856300.
[6] J. Allen, “The art of information security governance,” in Qatar information security forum, 2008, Software Engineering Institute, retrieved on February 8, 2011, from http://www.cert.org/archive/pdf/QISF_Allen_022408.pdf.
[7] H. S. Venter and J. H. Eloff, “Vulnerabilities categories for intrusion detection systems,” in Computers & Security, Vol. 21 (7), pp. 617-619, 2002.
[8] S. Goel and V. Chen, “Information security risk analysis–a matrix-based approach,” 2005, retrieved on February 7, 2011, from http://www.albany.edu/~goel/publications/goelchen2005.pdf.
[9] N. A. Renfroe and J. L. Smith, “Threat/vulnerability assessments and risk analysis,” November 2010, retrieved on February 7, 2011, from http://www.wbdg.org/resources/riskanalysis.php.

AUTHORS PROFILE

Arben Asllani is a Post Doctoral Fellow in Cybersecurity at the Center for Security Studies at the University of Maryland University College (UMUC) and a UC Foundation Professor of Management at the University of Tennessee at Chattanooga. He has published over 24 journal articles and presented and published over twenty conference proceedings. His most recent research has been published in such journals as Omega, European Journal of Operational Research, Knowledge Management, and Computers & Industrial Engineering.

Amjad Ali is the Director of the Center for Security Studies and a Professor of Cybersecurity at University of Maryland University College. He played a significant role in the design and launch of UMUC’s cybersecurity programs. He teaches graduate level courses in the area of cybersecurity and technology management. He has served as a panelist and a presenter in major conferences and seminars on the topics of cybersecurity and innovation management. He is a member of the Maryland Higher Education Commission (MHEC) Cybersecurity Advisory Council, providing advice and help on how MHEC can respond best to the higher education needs of the growing cybersecurity workforce.
