Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
feature
Threats, Vulnerabilities and
Risk Factors Are Ubiquitous
Mobile computing devices (i.e., laptops, tablets security-specific features, and avoiding supply
and smart phones) can cause serious harm to chains that provide compromised or unsecure
Do you have
organizations and to device owners, their friends and mobile devices. something
families, because mobile devices are far less secure to say about
than desktops and laptops. The Verizon 2015 Data If a mobile device has an attachment to read credit
this article?
Breach Investigations Report1 states that there are cards, it, too, can be compromised by a technique Visit the Journal
tens of millions of mobile devices. And, according known as skimming.4 A smartphone can perform pages of the ISACA
to Statista,2 there will be 4.77 billion mobile phone surveillance via its audio, camera and Global web site (www.isaca.
users in 2017 and 1.15 billion tablets in use in Positioning System (GPS) capabilities, as well as org/journal),find the
2016.3 As the number of mobile computing devices recording call logs, contact information and Short article and click on
increases, so do mobile security concerns. There Message Service (SMS) messages. Mobile computer the Comments link to
are already many existing and new threats related to devices can cause financial problems because, share your thoughts.
mobile devices. if compromised, they can send premium SMS
messages, steal transaction authentication numbers,
This article discusses the actors, threats, allow extortion via ransomware and make expensive
vulnerabilities and risk associated with mobile calls without the device owner’s knowledge. A
computing devices and highlights the device can even be hijacked and turned into a
pervasiveness of security and privacy problems distributed denial-of-service (DDoS) bot, making it
and issues. harder for organizations to detect and prevent such
DDoS attempts.
Actors
App-based threats include malware, spyware,
The actors (aka threat vectors) include the device itself, vulnerable apps, compromised apps and data/
the applications (apps) on the device, compromised information leakage due to poor programming
web sites, wireless data connections, other users and practices. The types of app attacks include:
organizations, the organization to which the device Larry G.
user belongs, and the service providers. • Disabling or circumventing security settings Wlosinski, CISA,
CISM, CRISC, CAP,
• Unlocking or modifying device features
Mobile Computing Device Threats CBCP, CCSP, CDP,
• Apps that were obtained (free or purchased), but CISSP, ITIL v3
Newly purchased mobile devices can be configured contained malicious code Is a senior associate
insecurely. Devices can contain the original at the Veris Group LLC
and has more than 16
vulnerable operating system (OS) that has not Examples of malware capabilities include:
years of experience in
been updated to eliminate known vulnerabilities.
• Listening to actual phone calls as they happen IT security. Wlosinski
If a device does not require some type of access has been a speaker
controls such as a personal identification number • Secretly reading SMS texts, capturing call logs on a variety of IT
(PIN) or fingerprint, it is ripe for unauthorized use and emails security topics at
by anyone who has access to it. There are many US government
• Listening to the phone surroundings (device is and professional
types of malware that can provide people with
used as a remote bugging device) conferences and
malicious intent the ability to obtain sensitive data
meetings, and has
stored on a device. Protecting data can be more • Viewing the phone’s GPS location
written numerous
of a problem if one makes the mistake of loading articles for professional
• Forwarding all email correspondence to
sensitive organizational information on it. Users need magazines and
another inbox
to be aware that they are responsible for protecting newspapers.
the device, preventing physical tampering, setting • Remotely controlling all phone functions via SMS
In this age of wireless technology, many roles • Incorrect permission settings that allow access to
(e.g., doctors, medical support staff, retail and controlled functionality such as the camera or GPS
wholesale inventory personnel, registration support
• Exposed internal communications protocols that
staff) depend on mobile computing devices to
pass messages internally within the device to itself
efficiently capture and transmit data. The users of
or to other applications
these devices rely on them for their productivity
and livelihood. In many cases, the information • Potentially dangerous functionality that accesses
is sensitive to the organization and, if it is the resources or the user’s personal information
employee- or customer-related, it can be personal via internal program data calls or hard-coded
and privacy-related (i.e., personally identifiable instructions
information [PII]).
• Application collusion, where two or more
applications pass information to each other to
If one’s organization does not have a wireless
increase the capabilities of one or both applications
encryption program (i.e., virtual private network
[VPN]) in place, then mobile devices may • Obfuscation, where functionality or processing
interact with personal devices’ email and obtain capabilities are hidden or obscured from the user
Conclusion
Each day, mobile device attack vectors are
continuously undergoing dynamic changes, and it
is difficult to represent a complete set of the threats
and vulnerabilities. With the development of mobile
computing devices that can be carried in a pocket
or a duffle bag comes the responsibility to protect
those devices and the data within them. Being aware
is only the first step in the fight to protect the data.
References
• Excessive power consumption of applications Lookout, “What Is a Mobile Device Threat?,”
running continuously in the background, which drain https://www.lookout.com/resources/know-your-
the battery, thereby reducing system availability mobile/what-is-a-mobile-threat