Reply needed
See attached replies needed
Due Sep 18th
Reply needed 1
Most people would agree the digital age has certainly accelerated since the development of the personal computer and the introduction of the Internet. Otherwise considered the Information Age, the Cambridge Dictionary actually defines these corresponding terms with the following: "the present time, in which many things are done by computer and large amounts of information are available because of computer technology" (Cambridge University Press, 2020). The digital age has also ushered in the IoT (Internet of Things) revolution, where there is a convergence of more functional technology and networks that are interconnected on a global scale allowing users to maintain a constant connection to the Internet. Simply put, this paradigm enables copious amounts of data to be stored, processed, and conferred in a proficiently interpretable form without human intervention (Yang et al., 2018). While there are more and more seemingly ordinary devices now being developed with connectivity in mind, such as wearable devices and developments made for smart homes, mobile phones are arguably at the forefront. Smartphones and tablets have become widely utilized as standards continue to improve for both fixed and mobile wireless broadband communication. As these devices continue to improve in terms of performance and functionality, they are slowly beginning to replace personal computers for many individuals. This is especially true in more progressive organizations, which highlights the need for establishing mobile auditing policies and an increased focus on privacy.
To address question number 3 first, one must evaluate the most beneficial approach to establishing mobile auditing frameworks and methodologies to fit their environment. No two organizations are alike and one must consider the most appropriate way to implement policies and procedures to secure enterprise data and better contain risks mobile applications present. For instance, mobile users are able to access everything from internal company resources to their own personally identifiable information (PII). This presents an increasing problem for employers, third parties managing the data, and mobile application developers as the threat landscape has evolved beyond the borders in which typical security controls seek to protect. Therefore, specific guidance, or a framework, for managing the additional risks is a good starting point for organizations. One can begin developing such a framework by looking to ISACA (Information Systems Audit and Control Association), which lays out a process for building an audit program for mobile devices. Breaking the process down into steps, ISACA advocates the following:
Determine Audit Subject
Since every enterprise is unique, one must first determine what types of mobile devices are applicable.
Some examples include:
Laptops
Mobile phones or smartphones
Tablets
USB devices (Cooke, 2017).
Determine Audit Objective
Next, determining objectives for each type of device with a specific focus in scope can commence.
It is important to use a risk-based approach for establishing objectives and make sure they align with the security goals of the organization (Cooke, 2017).
Set Audit Scope
According to ISACA, "The scoping process should identify the actual mobile devices that need to be audited" (Cooke, 2017). This could include BYOD, specific purpose devices, or even based on what information the device has access to or contains.
Perform Pre-Audit Planning
This part of the program is essentially a risk assessment used to determine the final scope of the audit. Evaluation of risks determined in the Objective phase helps promote greater assurance considerations for the most high-risk devices (Cooke, 2017).
Determine Audit Procedures and Steps for Data Gathering
Enough information should be available to fully identify the audit strategy and begin developing the program. Cooke explains, "There is enough information to decide what documents are expected to be seen, what laws and regulations apply, the criteria and whom the audit team is going to interview" (2017).
It is important to develop an audit program for mobile devices that incorporates risk as a primary focal point to avoid checklist-like approaches that present unnecessary testing. This could negatively impact the results and considerations for appropriate security tools and policies.
Lastly, moving to question number 4, mobile devices (including smartphones and tablets) present unique privacy concerns for businesses and consumers alike. While the information contained on the device might vary depending upon the user and what it is being used for, security and privacy still remain a major concern. Mobile devices expand the threat landscape one must consider and that is further increased as devices connect to a plethora of different networks, from public to private. Mobile devices often present greater risks compared to traditional computers as users typically have less control over these devices. For example, an individual can access and configure security tools on a computer as well as implement further security mechanisms, whereas most mobile devices have limited security features allowing for manual adjustment and are usually dependent upon vendor implementation. The FTC highlights three security risks one could exploit to harm consumers: (1) enabling unauthorized access and misuse of personal information; (2) facilitating attacks on other systems; and (3) creating safety risks (2015). The three examples noted can be viewed as blanket examples to include many different kinds of threats.
Continuing, the first security risk presented by the FTC is likely to be the focal point for consumers. Privacy and security are the cornerstones of information assurance. When it comes to these types of devices there is no shortage in the amount of data they consume. While not exhaustive, research between Northeastern University and Imperial College London identifies the baseline information that can be exposed by IoT devices within three categories:
Stored Data: including device identifiers and personally identifiable information (PII) given by the user.
Sensor data: information collected from the sensors of an IoT device, such as video and audio surveillance.
Activity data: information about user interactivity with the device and what features were used (Ren et al., 2019).
This can easily be applied to an enterprise that allows mobile devices or BYOD usage for work purposes, which shifts the primary concern from PII to proprietary information leakage. While PII is still applicable, with users accessing HR systems and benefits resources, the leadership teams are likely more concerned with what data is taken home with employees and what is brought onsite. One is likely to go from a seemingly secure internal network to a home network that might be lacking in terms of security. Continued use of mobile devices, whether for work or personal items, increases the likelihood of exposure for such data. Likewise, organizations have to be wary of what threats a user might bring into the internal network that they were exposed to offsite. For example, should the device be exploited by some form of malware the user risks further exposing private data by potentially spreading the malware when they connect again to the internal company network. There are a lot of potential risks associated with mobile devices and BYOD that need to be accounted for to help ensure private data is not leaked, but that is not to say it cannot be done (or at least helped).
Finally, one solution that would help account for the risks presented by incorporating mobile devices in an organization is a Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) system. EMM often includes MDM in its suite of apps and tools making it a logical choice for enterprise-level organizations. This technology provides greater IT control over personal devices as they must be enrolled in the platform upon hire. As for the benefits and use case for such a solution, here are the primary features:
Tracking Mobile Devices: Asset Management. Inventory associated with mobile and BYOD within the organization.
Screening Apps: White/Black Listing. App control can be managed by administrators, limiting the use and types of apps on devices.
Keeping Data Confidential: Encryption. Defining encryption policies for data on mobile and BYOD devices provides a level of protection since it is likely to be accessed off-premises. It further protects against lost or stolen devices as well.
Locking Down Devices: Controlling Device Configurations. Feature protection for mobile devices providing increased control and security even when remote.
Enforcing Rules: Policy Management. Policy development, enforcement, and management across all mobile and BYOD devices to include configuration and operational requirements (business.com, 2018).
While EMM is not the silver bullet meant to alleviate all risks associated with mobile devices, it is a good starting point and likely a necessary inclusion in a current security program. This is further stressed given current circumstances in society as it battles a pandemic and remote work has increased in popularity. Therefore, greater consideration needs to be given to privacy and security for mobile devices, and greater thought for how they are used and managed.
References
Business.com. (2018, October 11). Best mobile device management (MDM) solutions buying guide. https://www.business.com/categories/mobile-device-management-solutions/
Cambridge University Press. (2020). Digital age. Cambridge Dictionary. https://dictionary.cambridge.org/us/dictionary/english/digital-age
Cooke, I. (2017, November 1). IS audit basics: Auditing mobile devices. ISACA Journal. https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/is-audit-basics-auditing-mobile-devices#17
Federal Trade Commission. (2015, January). Internet of things: Privacy & security in a connected world. https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf
Ren, J., Dubois, D. J., Choffnes, D. R., Mandalari, A. M., Kolcun, R., & Haddadi, H. (2019). Information exposure from consumer IoT devices: A multidimensional, network-informed measurement approach. Proceedings of the Internet Measurement Conference. https://moniotrlab.ccis.neu.edu/wp-content/uploads/2019/09/ren-imc19.pdf
Yang, H., Lee, W., & Lee, H. (2018, May 22). IoT smart home adoption: The importance of proper level automation. Hindawi Journal of Sensors, 2018. https://doi.org/10.1155/2018/6464036
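The post above describes ISACA's risk-based scoping (rank devices by risk rather than working a checklist) and the EMM controls an MDM platform enforces (encryption, app allow/deny lists, configuration policy). The following is an added example, not code from the post, from ISACA, or from any MDM vendor: it triages a constructed MDM inventory export against a hypothetical policy and produces a ranked list that a pre-audit planner could use to pick the in-scope devices. The field names, control weights and data-class multipliers are this example's own assumptions.

```python
"""Risk-based triage of an MDM inventory export against a mobile policy.

Added example (not code from the post or from ISACA/business.com).  The export
format, field names and control weights below are hypothetical assumptions
chosen to illustrate the risk-based scoping step, not any vendor's schema.
"""
from typing import Dict, List, Tuple

# Constructed sample export: three enrolled devices, one record each.
SAMPLE_INVENTORY: List[Dict] = [
    {"device_id": "ios-0001", "ownership": "byod", "os": "iOS", "os_version": "13.7",
     "encrypted": True, "passcode_set": True, "apps": ["mail", "vpn"],
     "data_class": "confidential"},
    {"device_id": "and-0042", "ownership": "corporate", "os": "Android", "os_version": "9",
     "encrypted": False, "passcode_set": True, "apps": ["mail", "sideloaded-game"],
     "data_class": "confidential"},
    {"device_id": "tab-0007", "ownership": "corporate", "os": "Android", "os_version": "10",
     "encrypted": True, "passcode_set": False, "apps": ["kiosk"],
     "data_class": "public"},
]

# Hypothetical policy: minimum OS level, allow/deny lists, and a weight per
# failed control so findings can be ranked instead of treated as a checklist.
POLICY: Dict = {
    "min_os_version": {"iOS": "13.0", "Android": "10.0"},
    "allowed_apps": {"mail", "vpn", "kiosk"},
    "denied_apps": {"sideloaded-game"},
    "weights": {"unencrypted": 3, "no_passcode": 2, "outdated_os": 2,
                "denied_app": 3, "unvetted_app": 1},
}

# How much a failed control matters depends on what the device can reach.
DATA_CLASS_MULTIPLIER = {"confidential": 3, "internal": 2, "public": 1}


def parse_version(text: str) -> Tuple[int, int]:
    """Normalise "9", "10" and "13.7" to (major, minor) so tuple comparison is
    safe: without padding, (10,) < (10, 0) is True in Python."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 2:
        parts.append(0)
    return parts[0], parts[1]


def check_device(device: Dict, policy: Dict) -> List[Tuple[str, int]]:
    """Return (finding, weight) pairs for every control the device fails."""
    w = policy["weights"]
    findings = []
    if not device["encrypted"]:
        findings.append(("unencrypted", w["unencrypted"]))
    if not device["passcode_set"]:
        findings.append(("no_passcode", w["no_passcode"]))
    minimum = parse_version(policy["min_os_version"][device["os"]])
    if parse_version(device["os_version"]) < minimum:
        findings.append(("outdated_os", w["outdated_os"]))
    for app in device["apps"]:
        if app in policy["denied_apps"]:
            findings.append((f"denied_app:{app}", w["denied_app"]))
        elif app not in policy["allowed_apps"]:
            findings.append((f"unvetted_app:{app}", w["unvetted_app"]))
    return findings


def rank_devices(inventory: List[Dict], policy: Dict) -> List[Dict]:
    """Score = data-class multiplier x sum of finding weights; highest first."""
    ranked = []
    for device in inventory:
        findings = check_device(device, policy)
        score = DATA_CLASS_MULTIPLIER[device["data_class"]] * sum(wt for _, wt in findings)
        ranked.append({"device_id": device["device_id"], "score": score,
                       "findings": [name for name, _ in findings]})
    return sorted(ranked, key=lambda r: (-r["score"], r["device_id"]))


def select_audit_scope(ranked: List[Dict], threshold: int) -> List[str]:
    """Pre-audit planning: keep only devices whose risk score meets the bar."""
    return [r["device_id"] for r in ranked if r["score"] >= threshold]


if __name__ == "__main__":
    ranking = rank_devices(SAMPLE_INVENTORY, POLICY)
    for row in ranking:
        print(f'{row["device_id"]:10} score={row["score"]:3}  '
              f'{", ".join(row["findings"]) or "compliant"}')
    print("in scope:", select_audit_scope(ranking, threshold=6))
```

With these constructed records the unencrypted, out-of-date corporate phone carrying a denied app ranks first, the public-data kiosk tablet with no passcode scores low, and the compliant BYOD phone drops out of scope entirely; the same approach generalises to whatever controls the organization's own policy defines.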
Reply 2 Needed:
Mobile phones have proved to be convenient devices for working remotely but like any technology, they have introduced additional risks to security. Due to this, it has become necessary to conduct auditing of its systems for understanding of smart device strategy, evaluating their effectiveness, and assuring the mobile device environment by assessing and identifying the risks they pose and reviewing the design and effectiveness. To log or audit a mobile phone, several items need to be available on the mobile phone. Mobile device technical audit requires that mobile device management is running on the latest and approved software and patches. The alternative on the mobile device may open it to attacks and prevent their users from getting the benefit of wide security features. The mobile device client also needs to have protective features as required by the mobile device security policy. Mobile device management provides the devices with features such as password controls and local wiping that protect the device in case they get lost (Thompson, 2015). Auditing will ensure the features are available and enable them to determine security. In case they are missing, it will suggest important components for mobile security. For auditing, the mobile device has to have effective security controls that protect data from hackers and security monitoring software and processes. The devices also need to have managed devices that can be used in a network.
Mobile phone auditing is different from auditing of other devices such as laptop, desktop, or servers in the following ways. Mobile device operational audit requires evaluation of procedures in place for tracking end-user trouble tickets to prevent them from having connectivity issues. Secondly, unlike in the other devices, mobile device auditing ensures that there are appropriate security policies for compliance with standard processes to enable acting against documented violations. The auditing process in mobile phones also allows the evaluation of whether change management processes are possible to help track and provide changes to the environment which are less impact on user productivity. Additionally, should a disaster happen in mobile devices the auditing process will help in recovery.
Various tools can either be host-based, network-based, or database-based that are available to help in detecting vulnerabilities and auditing issues in the mobile phone environment. Host-based tools identify issues in the mobile phones where it loads a mediator software onto the target system. The tools include STAT which scans multiple systems in the mobile device, Cain & Abel which is used for recovering passwords of the device by sniffing the network, and Metasploit which is an open-source tool used for developing, testing, and exploiting code. The network-based tools work by detecting open ports and noting the unknown services running on them. The tools for identifying such vulnerabilities and audit issues include Cisco Secure Scanner, Wireshark, Nmap, and Nessus. SQL diet, Secure Auditor, and DB-scan make up the database-based vulnerability tools.
Since mobile phones come equipped with cameras, GPS, and various applications, privacy needs to be catered for. Although mobile phones are known to have privacy issues such as when accessing PII, intrusion while monitoring, wiping, and removal of personal information, and the risk of third parties, there are security features that cater for the privacy issues. They have authentication that prevents unauthorized users from accessing the mobile phone. It also allows remote wipe where the administrator can wipe data and applications via a network. They also have hardware and software encryption that meets minimum standards to protect device privacy. The encryption can also be done on the data in transit for mobile phones supporting Transport Layer Security (Institute of Internal Audits, 2016).
Reference
Institute of Internal Audits. (2016). Auditing Smart Devices. Iia.nl. Retrieved 15 September 2020, from https://www.iia.nl/SiteFiles/Publicaties/GTAG-Auditing-Smart-Devices.pdf
Thompson, R. (2015). 10 Steps for Auditing Mobile Computing Security — Enterprise Systems. Enterprise Systems. Retrieved 15 September 2020, from https://esj.com/Articles/2011/04/12/IT-Auditing-Mobile-Security.aspx?Page=4
Reply 3 Needed
It is important to capture and analyze computer logs to discover security, policy, fraudulent, and/or operational issues. One can use logs for auditing and forensics, investigating incidents, determining baselines, and for conducting trend analysis. (NIST, 2006) Logs of mobile devices might include call history, message data (SMS/MMS), calendar events, web history, capture of photos, downloads, and emails. (Tassone et al., 2013) In addition, mobile phones can contain logs of location data, application data and associated identifiers, and visible networks and devices. (Chernyshev et al., 2017)
Mobile hosts may suffer from intermittent or low-bandwidth connectivity, such that they may require a specially-designed log infrastructure. While their capacity to produce logs may be reduced, the logs themselves remain critical. (NIST, 2006) Data volatility is particularly egregious with mobile devices, such that it can be difficult to maintain a device's state and to not alter data on the device when seeking to take an accurate copy of the device's logs. (Kent et al., 2006)
Cooke (2017) of ISACA provides a framework from which organizations can conduct mobile device audits. Vulnerabilities which may be the focus of a mobile device audit include insecure wireless network transmissions, the capability of crossing into and out of network perimeters, discoverable Bluetooth technology, storage of unencrypted data, data loss, lack of authentication, unsecured device interactions with email and sensitive documents, and the ability to install unsigned, third-party applications. Once the vulnerabilities to review are identified, one should set an audit scope, which might include the following: security policy reviews, antivirus updates on the device, device data encryption, secure data transmission (such as via VPN, IPSec or SSL) and review of wireless access points, lost and stolen device management procedures (to include removable media, remote storage, and data recovery), access controls (to include authentication and limitations on file sharing), end user awareness training, and enforced policies to reduce data exposure risk. The author notes that password controls and configuration are key in conducting the mobile device audit. (Cooke, 2017)
End user privacy can be compromised if mobile device vulnerabilities are exploited. While not perfect, I believe that in many instances privacy is in the hands of the device holder. Many of the vulnerabilities of mobile devices can be mitigated by informed choices of the end user, to include selecting secure devices, using them only on secure networks, installing and using only trusted applications from trusted sources, using multi-factor authentication, using encryption, securing devices from physical harm, and becoming aware of other security hazards to avoid.
On the flip side, I do not think that mobile device logs should be made available without warrants. The amount of personal information that mobile devices generally maintain should not be available for casual search, but rather should be held to a higher standard of court-issued approval to seize. I, for one, applauded the 2018 Supreme Court decision that made mobile device location data accessible only with a warrant. As the court characterized it, this level of tracking is akin to near perfect surveillance, as if it had attached an ankle monitor to the phone's user. (Lynch, 2018)
References:
Chernyshev, M., Zeadally, S., Baig, Z., & Woodward, A. (2017). Mobile Network Forensics. Advances in Digital Crime, Forensics, and Cyber Terrorism. IEEE Computer and Reliability Societies, 287-308. doi:10.4018/978-1-5225-5855-2.ch008
Cooke, I. (2017, November 1). IS Audit Basics: Auditing Mobile Devices. Retrieved September 16, 2020, from https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/is-audit-basics-auditing-mobile-devices
Kent, K., Chevalier, S., Grance, T., & Dang, H. (2006, September 1). Guide to Integrating Forensic Techniques into Incident Response. Retrieved from https://csrc.nist.gov/publications/detail/sp/800-86/final
Lynch, A. (2018, June 22). Victory! Supreme Court Says Fourth Amendment Applies to Cell Phone Tracking. Retrieved September 16, 2020, from https://www.eff.org/deeplinks/2018/06/victory-supreme-court-says-fourth-amendment-applies-cell-phone-tracking
NIST. (2006). Guide to Computer Security Log Management. NIST Special Publication 800-92. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf
Tassone, C., Martini, B., Choo, K. R., & Slay, J. (2013, August). Mobile device forensics: A snapshot. Retrieved September 16, 2020, from https://www.aic.gov.au/publications/tandi/tandi460
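The post above makes the forensic point that mobile log data is volatile and that an accurate copy must not drift from the device's state. The following is an added example, not code from the post or from NIST SP 800-86/800-92: it builds an integrity manifest (a SHA-256 per record, keyed to the record's position, plus a root hash) over a constructed extract of the record kinds the post lists, and then shows how re-verifying a copy pinpoints a modified, reordered, truncated or appended record. The log lines and the manifest layout are this example's own assumptions.

```python
"""Integrity manifest for an acquired copy of mobile device logs.

Added example, not code from the post or from NIST SP 800-86/800-92.  The log
lines are constructed, and the manifest layout (per-record SHA-256 keyed by
sequence number plus a root hash) is this example's own convention.
"""
import hashlib
from typing import Dict, List

# Constructed extract covering record kinds the post lists: calls, SMS,
# location and application activity.
SAMPLE_LOG: List[str] = [
    "2020-09-14T08:02:11Z,call,outgoing,+15550100,duration=42",
    "2020-09-14T08:10:45Z,sms,inbound,+15550199,len=120",
    "2020-09-14T09:00:00Z,location,gps,lat=42.34,lon=-71.09",
    "2020-09-14T09:15:30Z,app,com.example.mail,event=open",
]


def record_digest(seq: int, line: str) -> str:
    """Hash the record together with its position so reordering is detected.
    No normalisation is applied: the copy must match byte-for-byte."""
    return hashlib.sha256(f"{seq}\n{line}".encode("utf-8")).hexdigest()


def build_manifest(lines: List[str]) -> Dict:
    """Computed at acquisition time and stored separately from the copy."""
    digests = [record_digest(i, line) for i, line in enumerate(lines)]
    root = hashlib.sha256("".join(digests).encode("ascii")).hexdigest()
    return {"count": len(lines), "records": digests, "root": root}


def verify_copy(lines: List[str], manifest: Dict) -> Dict:
    """Re-hash a copy and report exactly which records drifted.

    modified: positions whose digest no longer matches the manifest
    extra:    number of records beyond the manifest (>0 appended, <0 truncated)
    intact:   True only when the root hash matches, i.e. nothing drifted
    """
    modified = [i for i, line in enumerate(lines[: manifest["count"]])
                if record_digest(i, line) != manifest["records"][i]]
    extra = len(lines) - manifest["count"]
    root_ok = build_manifest(lines)["root"] == manifest["root"]
    return {"intact": root_ok and not modified and extra == 0,
            "modified": modified, "extra": extra}


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_LOG)
    print("root:", manifest["root"])
    print("pristine copy:", verify_copy(SAMPLE_LOG, manifest))
    tampered = SAMPLE_LOG[:]
    tampered[1] = tampered[1].replace("len=120", "len=121")  # one byte changed
    print("tampered copy:", verify_copy(tampered, manifest))
    print("truncated copy:", verify_copy(SAMPLE_LOG[:-1], manifest))
```

Because each digest binds the record to its sequence number, swapping two lines flags both positions, and a copy that merely lost its last record is reported as truncated rather than as modified; the manifest itself should be kept with the chain-of-custody notes, apart from the copy it describes.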