The ever-growing number of smartphones and their all-pervasive influence are clear.
The number of smartphone users will surpass two billion, more than a quarter of the world’s population, in 2016. More than half of all American adults now use smartphones.
As we know, smartphones have the functionality of both a mobile phone and a computer, allowing us to have a conversation, send text messages, take photographs, access email (work as well as personal), connect to the Internet, do our shopping or manage bank accounts. Applications are available to provide a further range of capabilities allowing them, for example, to read barcodes or operate as satellite navigation systems. This functionality set grows constantly with the continuing development of new smartphone apps.
Smartphones are now an essential tool for a wide range of users including senior business and government officials. They have become embedded in the IT system infrastructure for many public and private sector organisations, whether deployed under a BYOD (Bring Your Own Device), COPE (Corporately-Owned, Personally-Enabled) or other operating models.
This increasing reliance on smartphones makes it vital to be aware of the security risks, and of how to mitigate them through end user security awareness.
Smartphones, like other handheld devices, can operate as network clients and have powerful processors and many gigabytes of storage. A smartphone may hold, or provide a means of accessing, large amounts of often very sensitive data and is therefore attractive to an attacker, whether as a target in itself or as a tool for launching exploits against vulnerable systems and networks: so-called handheld hacking.
As is generally the case with IT security risk, a lack of awareness on the part of the user is the main vulnerability, and security awareness gives the greatest “bang for the buck” in mitigating handheld hacking and other smartphone risks.
So what do we need to make the user aware of?
We need to explain the risks, potential impacts, and the measures that need to be taken to avoid them.
The level of risk depends on how the smartphone is used and particularly by whom. Senior executives or high-level officials in business or government organizations may use their smartphone to access (and hold) very sensitive information or documents. Obviously, any compromise involving these users could potentially have more significant consequences.
Such organizations should have a clear security policy for smartphone use in place based on a specific detailed risk assessment with usage generally restricted and the smartphone functionality normally customized.
Key smartphone security risks would generally include the following:
- Loss or theft of the smartphone – with the information stored on it now available to unauthorised users.
- Unintentional disclosure of information by the user e.g. due to a phishing attack using a fake email message or app.
- Infection with spyware allowing access to sensitive information.
- Infection with malware which may have been specifically developed to collect credit card details or on-line banking credentials.
Other risks to smartphone users are presented by Network Spoofing, Surveillance or Diallerware attacks.
A Network Spoofing attacker deploys a rogue Wi-Fi or GSM access point and can then intercept or change communications from users who unwittingly connect via the spoofed address. Further attacks such as phishing can then be carried out.
Surveillance attacks exploit smartphone sensor functionality (microphone, camera, GPS, etc.), possibly together with installed third-party software, which makes the smartphone an effective spying device for keeping a targeted user under surveillance.
A Diallerware attack uses a malicious app to enable premium rate phone calls to be made and SMS texts sent covertly resulting in high bills for the user.
The potential impact will vary depending on the information involved. The individual user is best placed to identify fully the impact of the loss or disclosure of that information, whether it is personal information or corporately owned financial data.
They are also best able to assign a classification to their information and to assess any financial impact, or damage to personal or business reputation, arising from its loss or disclosure.
Smartphone Security Measures
While as always there is no such thing as 100% security, most of the risks can be addressed by educating users to comply with the following:
- Don’t leave the smartphone unattended, turn it off when not in use and set it to lock when idle after, say, 3 minutes.
- Set a password or PIN number for the home screen and use a different password for any key log-ins (on-line banking, email, etc.).
- Configure your phone to lock automatically after five minutes or less when your phone is idle and use the SIM password capability available on most smartphones.
- Keep your phone operating system and applications up to date and ensure patches are applied as advised by the smartphone or application provider.
- Only install apps from trusted sources.
- Do not modify the smartphone’s security settings – check what permissions are required before installing any apps and be careful that access to sensitive information is not being granted.
- Apply encryption to the internal memory card and, if possible, to any sensitive data held.
- Use anti-malware and keep it up to date.
- Exercise caution if using open Wi-Fi networks – use protected Wi-Fi or mobile wireless from a trusted network service provider to access sensitive data.
- Ensure ‘Bluetooth’ is switched off if not required.
- Think before clicking on web links or attachments in emails: are you sure they have come from a trusted source (and that the sender details have not been spoofed)?
- Ensure that the smartphone is securely recycled, donated or disposed of – e.g. erase all data first, reset it to the factory settings; remove the SIM card.
- If the smartphone is lost or stolen, report this as soon as possible.
Depending on the smartphone platform or service provider, it may also be possible to deploy software to remotely lock the smartphone or wipe its data if it is lost or stolen.
Disabling any built-in GPS capability – that could be used to track the user’s location as part of a surveillance attack – should also be considered if appropriate.
We are increasingly dependent on smartphones, and they are now widely deployed as devices for connecting to corporate and other networks and accessing and storing often-sensitive information. Consequently, we need to understand the risks and potential impact of threats such as handheld hacking.
As usual, user awareness is crucial, and adherence to general good practice guidance for smartphones is key to preventing handheld hacking and other relevant threats.