Mobile Security : A Pocket Guide [1 ed.] 9781849280211, 9781849280204

This pocket guide gives you clear and reliable guidance on how to protect the information contained in your mobile phone


English, 77 pages, 2009




Mobile Security A Pocket Guide Steven Furnell


Every possible effort has been made to ensure that the information contained in this book is accurate at the time of going to press, and the publishers and the author cannot accept responsibility for any errors or omissions, however caused. No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the publisher or the author.

Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form, or by any means, with the prior permission in writing of the publisher or, in the case of reprographic reproduction, in accordance with the terms of licences issued by the Copyright Licensing Agency. Enquiries concerning reproduction outside those terms should be sent to the publishers at the following address:

IT Governance Publishing
IT Governance Limited
Unit 3, Clive Court
Bartholomew’s Walk
Cambridgeshire Business Park
Ely
Cambridgeshire
CB7 4EH
United Kingdom
www.itgovernance.co.uk

© Steven Furnell 2009

The author has asserted the rights of the author under the Copyright, Designs and Patents Act, 1988, to be identified as the author of this work.

First published in the United Kingdom in 2009 by IT Governance Publishing.

ISBN 978-1-84928-021-1

PREFACE

Mobile devices represent an increasingly important proportion of the technology market, with laptops, PDAs and smartphones all offering substantial opportunities to improve personal communications and business flexibility. In addition, removable storage, such as memory sticks, now enables enormous quantities of data to be carried around, making it available to use on demand in any location. However, such undoubted advantages can also bring considerable risks, with devices being physically vulnerable to loss, theft and damage, as well as potentially exposed to various forms of electronic attack. As such, there is a significant and growing need for protection, in order to enable us to get the best out of the kit in an otherwise dangerous digital world.

The book provides a concise reference to the key security issues affecting those that deploy and use mobile technologies to support their organisations. It aims to raise awareness of the threats to which mobile devices, users and data are exposed, as well as to provide advice on how to address the problems. The key themes tackled in the chapters are as follows:

- the importance of mobile technologies
- physical threats in the outside world
- dealing with network connectivity
- authenticating the user
- other mechanisms for protecting mobile data
- attacks facing mobile devices and users
- the potential limitations of mobile security features.

The content is essentially applicable to anyone using and deploying mobile devices, but particularly relevant to those wanting guidance on why protection is required and what should be done to achieve it (while at the same time noting that it is not a detailed how-to guide for any particular technology platform). In addition to the main discussion and evidence, each chapter concludes with a series of ‘takeaways’ that summarise the key messages, and can be used as high-level reminders of the points that we need to remember.

ABOUT THE AUTHOR

Prof. Steven Furnell is the head of the Centre for Information Security & Network Research at the University of Plymouth in the United Kingdom, and an Adjunct Professor with Edith Cowan University in Western Australia. He has been active in security-related research since 1992, with interests including security management, computer crime, user authentication and security usability. During his academic career to date, Prof. Furnell has authored over 190 papers in refereed international journals and conference proceedings, as well as a number of books including Cybercrime: Vandalizing the Information Society (Addison Wesley, 2001) and Computer Insecurity: Risking the System (Springer, 2005). He is also the editor-in-chief of Information Management & Computer Security, and an associate editor for other journals including Computers & Security and Security & Communication Networks. In addition, he is the co-chair of the Human Aspects of Information Security & Assurance (HAISA) symposium, and he has served as a programme committee member for over 120 other international conference events. Prof. Furnell is a Fellow and Branch Chair of the British Computer Society (BCS) and a Senior Member of the Institute of Electrical and Electronics Engineers (IEEE). He is also active as a UK representative in International Federation for Information Processing (IFIP) working groups relating to Information Security Management (of which he is the current chair) and Information Security Education. Further details can be found at www.plymouth.ac.uk/cisnr.

ACKNOWLEDGEMENTS

Thanks are due to Dr Nathan Clarke for his helpful feedback on the draft version of the manuscript, as well as for his contribution to some of the underlying work referenced in the guide. Thanks are also due to Sevasti Karatzouni and Reinhardt Botha for their valued collaboration on some of the related research.


CONTENTS

Chapter 1: Getting Mobile .......... 10
Chapter 2: Surviving Outside .......... 20
Chapter 3: Getting Connected .......... 28
Chapter 4: Ensuring it’s You .......... 39
Chapter 5: Safeguarding your Data .......... 49
Chapter 6: Are you a Moving Target? .......... 61
Chapter 7: Know your Limits .......... 69
Conclusions .......... 74
ITG Resources .......... 75

CHAPTER 1: GETTING MOBILE

As an introduction to the topic area, this chapter identifies the range and increasing capabilities of mobile devices, including laptops/notebooks, PDAs, mobile phones, media players and removable storage. The discussion emphasises that while mobility is an undoubted asset to the business, it does serve to open up a new range of risks through both the technology and the ways it is used. This will set the scene for the more focused chapters that follow.

Mobile technology has transformed the nature of our personal and business lives, with laptop computers, Personal Digital Assistants (PDAs), and mobile phones all having made the transition from being high-end executive items to everyday technologies in the mass market. As just one example, by 2005 mobile phones had already reached 80% penetration across the OECD area, with 14 countries having exceeded 100% (i.e. having more active mobile accounts than their total population).[1] Not only do more people have them, they can also do more with them. The same OECD report indicated that by 2005, more than 50% of mobile phone users owned a handset that was capable of handling multimedia content. Moreover, the proportion of people actually making use of their devices for e-mailing and browsing had reached around 30% (having risen from under 20% the year before).

[1] OECD. 2007. OECD Communications Outlook 2007. Information and Communications Technologies, Organisation for Economic Co-operation and Development. ISBN 978-92-64-00681-2.

Figure 1: The spectrum of mobile devices

Figure 1 illustrates examples of devices from across the range of mobile technology, from the extensive capabilities of laptops at one extreme, down to the straightforward storage of memory sticks at the other. Although much of the discussion will also pertain to devices at the extremes shown in the figure, the main focus area will be around handheld devices, such as mobile phones and PDAs, which combine processing, communication and storage capabilities into a highly mobile context. Indeed, if we compare them to our desktop systems, mobile and handheld devices very often store the same data and allow access to the same services, but present a special case in terms of the protection they require and how we might go about providing it. Specifically, there are several factors that we need to consider, which collectively underpin much of the later discussion in this guide:

- the nature of the devices themselves and their potential to hold and access sensitive information
- the potential threats to the device, and the risks that the devices themselves introduce
- the level of security that is available, and that which is likely to be in use.

While laptops have long been able to provide a close parallel to their desktop cousins in terms of both applications and storage, there has been a notable revolution in the capabilities of handheld devices. To prove the point, let’s consider a few likely characteristics of your current device compared to the one that you may have owned five years ago:

- It does far more, giving access to a wider range of inbuilt applications and online services.
- It’s far more connected, with the ability to join cellular networks, wireless LANs and personal area networks via Bluetooth. Additionally, all of these options can provide always-on connectivity.
- It stores lots more data, with many megabytes of internal memory and the ability to store several gigabytes via storage cards.

The first of these points is ultimately the most significant from a security perspective; the other two then add to the situation by increasing the volume of information and the routes by which the device may be at risk. Handheld devices are now commonly equipped with applications that are geared to handling many of the same sensitive files that we would have on a desktop (e.g. on the Windows Mobile® platform, devices run Word Mobile and Excel Mobile®). As such, they may easily act as a catalyst for a greater volume of sensitive content to be created on the device, or transferred to it in order to enable access on the move. Additionally, of course, our handhelds may already have been used to store other potentially sensitive data, such as contacts, tasks and schedules.

So, if you’re making comprehensive use of the device, what might it be storing from a personal perspective: your contacts, mail, text messages, documents, photos? And what about sensitive personal details? A survey from credit reference agency Equifax revealed that 16% of its customers (from a sample of 608) used their mobile device to store PINs, while 24% stored dates of birth[2] (i.e. useful items of information if you wanted to impersonate those users). And aside from the data being held, what about the services that your mobile device lets you access: online banking, your social networks, online stores? If the answer to even a few of these is ‘yes’, then it starts to become clear that you are carrying something that needs some protection.

Of course, mobile devices are by no means restricted to holding personal data, and it could be argued that an even greater need for protection (at least in corporate eyes) is introduced when we consider the range and volume of business-related data that they can hold. For example, according to 2005 findings from Gartner, over 80% of new and critical data is now stored on mobile devices.[3] Meanwhile, findings from Pointsec in the same year suggested that 56% of IT professionals used their mobile devices to store corporate information, while only 22% were claiming to use protection such as passwords or encryption.[4] The latter finding is indicative of the frequent mismatch between our use of technology and our inclination to protect it. Indeed, while many organisations are readily deploying mobile technologies, there is varying appreciation of the risks involved. Taking another example, earlier findings from the Audit Commission revealed that while PDAs were already being used by 63% of respondents (with a further 12% planning to use them), only 41% considered them to be a high risk.[5] Unfortunately, these examples are not atypical, and while the Audit Commission’s survey is now some years old, there is no fundamental reason to believe that things have yet changed.

Thinking a bit further about the content that a mobile device may be holding, it is often a mishmash of business and personal data that has been lumped together, for no other reason than the convenience of being able to keep it readily at hand in case it is needed. If you recognise the situation from your own experience, then it’s very likely that you will also recognise that many things very often aren’t needed after all, or end up being carried around long past the point when they are relevant to current activity. As a result, all of this data is put at unnecessary additional risk.

For many of us today, mobile technology has gone beyond being an option and is now something that we expect to use. This is particularly the case amongst those who have grown up with the technology and see it as a natural part of the landscape available to them. Moreover, because they are already familiar with the technology, they expect to have a say in what they will use. Evidence for this comes from a 2008 survey conducted by Accenture, which considered technology adoption amongst the ‘Millennial generation’ (defined as those aged 14 to 27). A total of 400 US students and employees were questioned, and a number of findings highlight important considerations in relation to the use of mobile devices and the workplace:[6]

- Over 20% of respondents were dissatisfied with employer-provided technologies, and felt that what they were given did not meet their expectations.
- Many already use their personal devices for work-related activities, with 39% of 18–22-year-old respondents indicating that they used their own phones without employer support.

[2] Equifax. 2008. ‘Don’t part with your identity when you part with your mobile phone!’, Press release, October 2008. www.equifax.co.uk/Aboutus/Press_releases/2008/DONT_PART_WITH_YOUR_IDENTITY.html.
[3] Allen, M. 2005. ‘A Day in the Life of Mobile Data’, BCS Mobile Security, November 2005. www.bcs.org/server.php?show=ConWebDoc.2774.
[4] Pointsec. 2006. ‘Companies see risk of removable media but still turn a blind eye’, Pointsec News Release, 8 June 2006. www.checkpoint.com/press/pointsec/2006/06-08.html.
[5] Audit Commission. 2005. ICT Fraud and Abuse 2004 – An update to yourbusiness@risk. Audit Commission Publications, UK. June 2005 (downloadable from www.audit-commission.gov.uk).
[6] Accenture. 2008. ‘“New-Generation Workers” Want Technology Their Way, Accenture Survey Finds’, Accenture Newsroom, 5 November 2008. http://newsroom.accenture.com/article_display.cfm?article_id=4767.

These findings are significant in the sense that they point towards the likelihood of users actively seeking to use their own devices, and corporate data ending up on these devices without the employer’s approval (a theme that we shall explore further in Chapter 5).

So, what do users themselves think? Do they recognise the sensitivity of the devices that they carry around, and do they accept a consequent need to protect them? Colleagues and I at the University of Plymouth have conducted focus groups with a variety of mobile phone users in order to explore these questions and uncover some of the associated attitudes.[7] The participants included a mixture of end-users and technologists, all of whom were regular users of mobile devices (many being conversant with the features and facilities of smartphone devices, thus giving them a first-hand appreciation of features beyond baseline talking and texting). At this stage, we can consider some of their responses to the first topic of discussion; namely, whether they recognised a need for security on their current devices:

‘I think it depends from which context you are using it in, cause the security you are going to need in it, is going to depend on the sensitivity of the data’

‘If you are using it from a business context, obviously you know the more important the data then the stronger security is going to be needed’

‘For example, if I make a local call … maybe I’m not that worried … But certainly when I want to start dialling international numbers or something maybe I do want to make sure that it’s stronger’

‘I don’t want to have strong security for texting, but I do want to have some security for mobile banking’

‘As a general user who is only using it for personal use, there’s no data on there that I class that sensitive’

‘I’m not sure that anybody would want to steal my information; I don’t perceive myself to be that important’

Of course, the extent to which you need security will ultimately depend upon the device and what it is used for. However, it is important to really think about this, so that the value of the data (and what someone else could do with it) has been properly recognised. For example, the last couple of quotes above suggest a rather blinkered view, with users only thinking about the risks to themselves. Aside from the possibility that their personal data might have been more useful than they thought, it’s unlikely that this was all they were carrying. A mobile device is very likely to make you the custodian of other people’s data as well. As an example of the scale to which this can extend, the UK Royal Navy found itself facing a scandal in January 2008 when it emerged that a junior officer’s laptop computer had been carrying around unencrypted personal details of more than 600,000 people, including serving staff and applicants to the armed forces.[8] The data itself included bank account details, passport numbers, National Health Service numbers, National Insurance numbers and personal addresses, which could collectively present a significant opportunity for both financial and identity-related theft. Unfortunately, this all came to light when the computer was stolen from the officer’s car … which brings us to the topic of the next chapter, and what you need to consider when you are out and about with a mobile device.

Takeaways

- Mobile devices are highly useful (and therefore highly valuable) to both individuals and organisations. Like any valuable assets, they ought to be protected.
- Different mobile devices bring with them different risks; do not underestimate the significance of what they can hold or how widely they can communicate.
- Be aware of the value of what you are carrying around. It may be your device, but its content may be sensitive for a range of other people (e.g. your family, friends, other contacts and/or your employer).
- The value of the physical device may well be secondary to the value of the data it is holding.
- As your use of the device evolves, be prepared for your security requirements to evolve too.

[7] Karatzouni, S., Furnell, S.M., Clarke, N.L. and Botha, R.A. 2007. ‘Perceptions of User Authentication on Mobile Devices’, Proceedings of ISOneWorld 2007, Las Vegas, 11–13 April 2007.
[8] Evans, M. 2008. ‘Personal data of 600,000 on lost laptop’, The Times, 19 January 2008. www.timesonline.co.uk/tol/news/politics/article3213274.ece.

CHAPTER 2: SURVIVING OUTSIDE

Mobile devices give us the freedom to roam, with access to data and services at any time and in any place. While this clearly offers a benefit, one of the fundamental consequences is that by operating outside the safety of the workplace mobile devices are physically exposed to threats such as loss and theft. Evidence from reported incidents demonstrates that a combination of technical safeguards and user awareness is required to address the problem.

Chapter 1 has clearly illustrated that mobile devices are both a valuable asset and something that we need to protect. This chapter begins to provide some of the evidence of the increased risk that they introduce, and what we need to do as a consequence.

With devices playing such an important role, and holding such sensitive information, it is natural to be concerned about what might happen to them once they are on the move. Organisations, in particular, will be concerned about what can happen to their data. Indeed, findings from a survey of 2,035 IT professionals published by Quocirca in 2006 revealed that the most important mobile security issues were considered to be data falling into the wrong hands through theft or loss (cited by almost 70% of respondents), and data loss through device theft or damage (cited by over 60%).[9] Meanwhile, notably fewer respondents were concerned about more directly malicious attacks such as viruses and eavesdropping.

To judge whether their concerns were warranted, we need to consider the extent of device losses and thefts in practice. And, unfortunately, there is ample evidence to support the case … Results from the 2008 CSI Computer Crime and Security Survey reveal the significant contribution that mobile devices can make to problems such as data loss. Of the 18 incident categories in the survey, two considered theft or loss of information (specifically looking at proprietary information and customer data). These were then subdivided to consider the source of the losses. Doing so revealed that mobile devices were involved in just under half of the reported cases (accounting for four per cent out of the nine per cent of respondents reporting ‘theft/loss of proprietary info’, and eight per cent of the 17% who reported against ‘theft/loss of customer data’). Meanwhile, the theft of the devices themselves was even more significant, with 42% of 433 respondents indicating that they had experienced laptop theft (making it the third most common security incident, behind viruses and insider attacks).[10]

Some may find it attractive to think that carrying a device around with them means that it is safer than one they routinely leave unattended at home or at work. While this is potentially true from the perspective of being able to keep an eye on it, the advantage is rather offset by the increased potential for accidental loss and a new dimension to the risk of theft. The risk of loss is obviously going to be greater for devices on the move than for systems that rarely need to change location. Another extremely relevant factor is that loss is very likely to occur in public places, thus increasing the risk of data exposure for devices that are not properly protected. Moreover, the smaller the devices get, the more prone to being lost, misplaced and forgotten they are likely to become. Indeed, there is already ample evidence of problems, with companies on average admitting to losing 5% of their mobile devices per year.[11]

Mobile devices (particularly laptops and the latest phone handsets) have an undoubted attraction for thieves. For example, according to the British Transport Police, phone theft accounts for 45% of overall theft on the London Underground.[12] Meanwhile, Chapter 1 has already highlighted a case of laptop theft from the Royal Navy; an organisation that the layperson would instinctively expect to be well versed in security procedures. However, this is actually far from an isolated incident, with reported figures showing that, on average, the Ministry of Defence (MoD) loses a laptop every two days! Specifically, it was revealed that 658 laptops were stolen and 89 had been lost between 2004 and 2008 (with only 32 ultimately being recovered later).[13] Moreover, the same period saw the loss of 121 of the MoD’s memory sticks, with 19 carrying ‘restricted’ information and three holding ‘secret’ data.[14]

If you want to be mindful of theft, then it’s a good idea not to advertise what you’re carrying. Using anonymous hand-luggage is probably preferable to carrying a branded laptop bag, which would not only tell a thief that you’ve got a laptop, but also which brand they’d be grabbing. Meanwhile, carrying your phone or PDA in an inside pocket is generally going to keep it safer than walking around like a sheriff with the phone in a belt holster that everyone can see, or carrying it in a handbag that could be the natural target for thieves in any case.

Aside from theft, there is significant evidence to show that we also need to be careful not to just leave our devices behind when we move from place to place. For example, findings from Pointsec in November 2006 revealed that 54,872 mobile phones, 4,718 PDAs, 3,179 laptops and 923 memory sticks had been left in London cabs in the previous six months.[15] Two years later, remarkably similar results were revealed in a survey conducted by Credant Technologies. Based upon responses from 300 London taxi drivers, it was estimated that almost 56,000 mobile phones and almost 6,200 other devices (including laptops) had been left in the back of cabs in the preceding six months.[16]

Why are taxis so prone to it? Well, think of the context: people in a hurry to be somewhere else, perhaps getting flustered and possibly being distracted by other tasks, such as paying the fare. All of this increases the chances that something will be left behind. So what does this mean for us? Basically that we need to recognise that it’s a time we’re more likely to make a mistake, and to actively try to remember to compensate for it by taking a look around and checking that we’ve got everything before we leave. Simple and obvious, but still easier said than done. On the positive side, 80% of drivers questioned in the Credant Technologies survey claimed that the lost devices were returned to their rightful owners; which probably says more about the luck of the owners (and the honesty of London taxi drivers) than it does about the safety of the devices. Meanwhile, it is worth noting that cabs are far from the only troublesome location and phones aren’t all that we’re losing. Indeed, the following examples provide further evidence of the many and varied risks, involving both different devices and different locations:

- A 2008 study of 106 US airports revealed that 12,000 laptops per week were being lost by passengers.[17]
- According to a report in January 2009, dry cleaners in London had found 9,000 memory sticks in clothes left with them over the last year.[18]

The key point to take from this is that unexpected and unintentional separation from our mobile devices can happen ever so easily. Moreover, although loss, and even theft, may only involve the temporary separation of a device from its owner, simply getting it back does not necessarily mean that all is well. If the device was not protected in some way, then it is perfectly conceivable for someone to have accessed the content. As such, sensitive information may have been disclosed or changed on the device, with both eventualities having the potential for far more wide-ranging consequences than the short-term absence of the device itself. Extra vigilance will only help to protect us up to a point, and so careful attitudes need to be combined with some of the technology safeguards (e.g. authenticating the user and backing up the data) that are discussed later in order to provide more comprehensive protection.

[9] Quocirca. 2006. Mobile Security and Responsibility: Taking the right attitude to secure mobile technology. Quocirca Insight Report, Quocirca Ltd, January 2006.
[10] Richardson, R. 2008. 2008 CSI Computer Crime & Security Survey. Computer Security Institute. www.gocsi.com.
[11] Pointsec. 2007. ‘Survey finds companies have a dicey approach to PC disposal’, Pointsec press release, 6 February 2007.
[12] British Transport Police. 2008. ‘Mobile Phone Theft’, www.btp.police.uk/passengers/issues/mobile_phone_theft.aspx (accessed 6 February 2009).
[13] Ashford, W. 2008. ‘MoD loses one laptop every two days’, ComputerWeekly.com, 21 July 2008.
[14] Savvas, A. 2008. ‘MoD admits losing 121 memory sticks’, ComputerWeekly.com, 21 July 2008.
[15] O'Neill, S. 2006. ‘Not safe in taxis, how forgetful Londoners leave the world behind’, Times Online, 28 November 2006. www.timesonline.co.uk/tol/news/uk/article652378.ece.
[16] Credant Technologies. 2008. ‘Credant Technologies: Almost 60,000 mobile phones have been left in London taxis in the last six months’, Global Security Mag, September 2008. www.globalsecuritymag.com/Credant-Technologies-Almost-60-000,20080916,5003.
[17] Ponemon Institute. 2008. Airport Insecurity: The Case of Missing & Lost Laptops. Executive Summary, U.S. Research, 30 June 2008.
[18] Credant Technologies. 2009. ‘Data hung out to dry as 9,000 USBs left in Dry Cleaners’, Press Release, 26 January 2009. www.credant.com/news-a-events/press-releases/245-data-hung-out-to-dry-as-9000-usbs-left-in-dry-cleaners.html.

Before getting to the technical parts, there are still a few key precautions that we can take to improve our chances if loss or theft occurs later:

- Make the owner of the device identifiable in some way. This doesn’t necessarily mean having a name emblazoned across it (indeed it may not be desirable to announce exactly who it belongs to), but some sort of property marking could aid later reporting and identification. Additionally, some devices allow you to display ‘owner information’ as part of the log-in screen, so if someone finds a lost device they can’t use it but they can still contact you to say they’ve found it.
- If it’s a mobile phone, take a note of the IMEI (International Mobile Equipment Identity) number, as this will enable the device to be identified if recovered (and blocked from using the network in the meantime).
- Consider an insurance policy so that the hardware cost can at least be recouped if the device goes astray. Mobile devices may be covered by your existing insurance, but don’t just assume this without checking.
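The IMEI note in the second precaution is only useful if what you wrote down is correct; a mistyped digit means the operator cannot match the handset when you report it. An IMEI is 15 decimal digits: an 8-digit Type Allocation Code (TAC), a 6-digit serial number and a final Luhn check digit, which is what lets you verify a transcription before the device is ever lost. The following is an added example (not code from the book): it normalises the separators found on labels and on the *#06# display, validates the check digit, and builds the record to keep somewhere other than on the phone. The sample IMEI, the owner name and the record layout are constructed for the illustration.

```python
"""Record and verify an IMEI before the handset goes missing.

Added example, not from the book.  Format facts used: 15 digits, the first 8
being the TAC, the next 6 the serial number and the last a Luhn check digit.
The sample IMEI below is a constructed test value, not a real handset.
"""
import re

# Constructed sample; labels and the *#06# display often show it with separators.
SAMPLE_IMEI = "49-015420-323751-8"


def normalise_imei(text: str) -> str:
    """Keep only the digits, dropping the spaces and hyphens used on labels."""
    return re.sub(r"[^0-9]", "", text)


def luhn_sum(digits: str) -> int:
    """Luhn sum: from the right, double every second digit and subtract 9 if it exceeds 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def imei_check_digit(first14: str) -> str:
    """Check digit that makes the full 15-digit IMEI's Luhn sum a multiple of 10."""
    first14 = normalise_imei(first14)
    if len(first14) != 14:
        raise ValueError("expected 14 digits before the check digit")
    # Appending a placeholder 0 puts the 14 digits in the positions they occupy
    # in the finished IMEI, so the same weighting applies.
    return str((10 - luhn_sum(first14 + "0") % 10) % 10)


def imei_is_valid(text: str) -> bool:
    """True if the value is exactly 15 digits and the check digit is consistent.
    Luhn catches any single mistyped digit and most swaps of adjacent digits."""
    digits = normalise_imei(text)
    return len(digits) == 15 and luhn_sum(digits) % 10 == 0


def imei_parts(text: str) -> dict:
    """Split a valid IMEI into the fields worth recording with the device."""
    digits = normalise_imei(text)
    if not imei_is_valid(digits):
        raise ValueError("not a valid IMEI: " + text)
    return {"imei": digits, "tac": digits[:8], "serial": digits[8:14], "check": digits[14]}


def record_device(owner: str, imei_text: str) -> dict:
    """The note to keep off the device, so it survives the device's loss."""
    parts = imei_parts(imei_text)
    return {"owner": owner, **parts}


if __name__ == "__main__":
    print(record_device("A. Owner", SAMPLE_IMEI))
    print("valid:", imei_is_valid(SAMPLE_IMEI))
    print("one digit wrong:", imei_is_valid("490154203237519"))
    print("two digits swapped:", imei_is_valid("490154203273518"))
```

The two negative checks at the end are the transcription errors people actually make when copying a number from a label: one digit wrong and two adjacent digits swapped, both of which the check digit rejects. Keep the record with the purchase receipt or in your password manager, not in the phone's own notes.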

If your device then goes missing, it ought to be reported. Depending upon the type of device, and who owns it, there are several parties whom it may be relevant to notify:

- Employer: If it’s their device, then they need to know! Moreover, they may also be able to instigate safeguards, such as a remote wipe of the data content.
- Police: Particularly relevant if the device has been stolen, but useful even in cases of loss, as devices are often likely to be handed in to the police. Such official notification may also be required in order to support an insurance claim.
- Network operator: Particularly relevant for cellular devices, as the operator can lock your account (preventing your SIM from being used in other devices) and block the device from the network (preventing other SIMs from being used in place of yours).

If all of the suggestions in this chapter have been followed, you can start roaming around with some assurance that your device is as physically safe as it’s likely to get. However, there are still a few things that need to be done to maintain security when you’re actually using it, and consideration of these points begins in the next chapter.

Takeaways

- Take some appropriate precautions up front, such as insuring the device and ensuring that it is identifiable as yours.
- Take care when carrying devices around; keep them close and don’t advertise that you’ve got them.
- Although someone may set out to steal your device, in doing so they will get your data too.
- The risks of loss and theft cannot be removed, so technical safeguards will still be required no matter how careful you are.
- Be sure to report loss or theft to appropriate parties in order to reduce the risk of further exposure and increase your chances of getting back your device.

CHAPTER 3: GETTING CONNECTED

Mobile devices offer a wealth of connectivity, delivering great opportunities if used safely. This chapter examines the security issues associated with the different levels of network access that mobile devices now permit (i.e. encompassing personal, local and wide area coverage). Particular attention is devoted to WiFi and Bluetooth contexts, where the security can depend upon the user’s discretion rather than a network operator.

You certainly need to be careful about what you’re connecting to when you’re on the move. You will often find yourself surrounded by a variety of other devices and networks, but it goes without saying that they will not all be equally trustworthy. Moreover, there is no requirement for devices to be physically connected to anything in order to be at risk, and indeed an increasing proportion of devices now support wireless connectivity at three levels:

• Wide area access through cellular networks such as GSM and UMTS (3G).
• Local area access through WiFi/WLAN connection.
• Personal area access via technologies such as Bluetooth or infrared communication.

Considering each of these in turn, we find that from the cellular network perspective there is little for the user to configure or concern themselves about in terms of security. Although there may be a small set of user-configurable options (for example, GPRS security settings, allowing a choice of whether PAP or CHAP authentication should be used),[19] these are typically configured by default on the device and do not need to change. Beyond this, issues such as authentication of the handset to the cellular network, and encryption of the communications are handled transparently from the user’s perspective. Once we get to local and personal levels of connectivity, however, there are rather more things to usefully be aware of … and most of them relate to exercising care and caution when using the technologies.

Looking first at WiFi, one of the key risks is our own behaviour; users can get fairly promiscuous in the presence of free wireless access. Indeed, it’s common to find people in public places scanning for open access points in order to get online for their fix of e-mail or whatever. The fact that their data is then travelling over an untrusted network, and that they are effectively stealing[20] service from the network owner, seems to become secondary to the fact that they are able to get the access they want.

A few years ago, unprotected wireless networks were fairly standard, and actually represented a notable risk to organisations that were operating in this manner. For example, back in 2006 it was reported that almost half of the access points around London were open to attack because they were not using data encryption.[21] Today, however, with access points being shipped with encryption enabled by default, a far greater proportion of them are secured against casual connections. As such, if you come across one that is unprotected and is not asking you to pay for connection time, then there is fairly good reason to be suspicious of it anyway. Unless it’s a legacy device that’s never been secured, then it’s one that has intentionally been left unprotected … and you would have to wonder why someone might do that. Do they, for instance, want people to stumble across it and start to use it so that they can capture the data being sent? On balance, it’s probably better to be safe than sorry!

Nonetheless, given that we can find ourselves in unfamiliar surroundings, and uncertain about which networks may be legitimately available, it is important to understand what your device can tell you about the networks in the vicinity (e.g. in order to guard against inadvertent trespassing on unprotected private networks, or simply mistaken attempts to connect to the wrong networks). The main things that can typically be seen in advance are:

• the name of the network (or, to give its proper name, the Service Set Identifier – SSID)
• whether the device offering connection is an access point or another computer
• an indication of whether or not the network is encrypted (and will therefore require a key in order to connect to it).

[19] For the record, these stand for Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP), but further details are not relevant to this discussion.
[20] Indeed, the unauthorised use of wireless networks is actually illegal in an increasing number of countries, and the fact that the networks are open and do not prevent the access is no excuse.
[21] Gostev, A. 2006. ‘War-driving in England’, Viruslist.com, 23 May 2006. www.viruslist.com/analysis?pubid=187008611.

Notably, SSIDs can be rather misleading (sometimes intentionally so), and should not be used as a basis for trusting the network. One good example of this is provided by the apparently ubiquitous ‘Free Public WiFi’ SSID, which seems to crop up everywhere, offering exactly what many roaming users would be looking for: a means of getting legitimate Internet access without paying for it. In reality, however, this is almost never an access point, and will instead be someone else’s mobile device (typically a Windows® laptop) operating in Ad Hoc networking mode, which has acquired the name during its own travels.[22]

The process for determining what types of devices are available and whether the networks are encrypted will depend upon the operating system you are using. As an example, Figure 2 depicts the related interface from Windows Mobile® 6, and we can see that the device concerned is within range of three mobile networks (net 1, net 2 and net 3) and has previously connected to net 4, but this is now out of range. For the three available networks, it is also possible to see that while net 1 is offering open access, net 2 and net 3 are encrypted (as denoted by the padlock symbols beside their signal strength meters). At present, the device is showing details of any devices it is aware of, but alternatively the ‘Networks to access’ option could be used to list only access points or only computer-to-computer networks.

[22] For an explanation of why this SSID is so prevalent, please refer to Zaib Kaleem’s article at www.wlanbook.com/free-public-wifi-ssid.

Figure 2: Protected and unprotected wireless networks
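The three properties listed above (SSID, access point versus computer-to-computer, encrypted or not) are enough to triage a scan the way this chapter advises. The following Python is an added example, not code from the book or from Windows Mobile: it treats ad hoc peers and open unknown networks as ones to avoid, and goes one step beyond the text by also refusing a known SSID whose mode or encryption no longer matches what was recorded for it (the rogue access point case). The scan results and the trusted-network table are constructed sample data.

```python
"""Triage the wireless networks a device can see, using only the three
properties the chapter says are visible before connecting: the SSID, whether
the offering device is an access point or another computer (ad hoc), and
whether the network is encrypted.

Added example, not code from the book. The scan results and the table of
trusted networks are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class ScanResult:
    ssid: str
    infrastructure: bool  # True = access point, False = computer-to-computer (ad hoc)
    encrypted: bool       # True = a key is required to connect


# Networks the user set up or was told about by the venue, recorded together
# with the mode and security they are EXPECTED to offer. Constructed sample data.
TRUSTED = {
    "Office-WLAN": ScanResult("Office-WLAN", infrastructure=True, encrypted=True),
    "Hotel-Guest": ScanResult("Hotel-Guest", infrastructure=True, encrypted=True),
}


def assess(net: ScanResult, trusted: dict[str, ScanResult] = TRUSTED) -> tuple[str, str]:
    """Return (verdict, reason); verdicts are 'connect', 'caution' or 'avoid'.

    The SSID alone never earns trust. A known name is accepted only when the
    mode and encryption match what was recorded for it, so a rogue access
    point reusing a familiar name (or a peer device that has picked the name
    up, as with 'Free Public WiFi') is flagged rather than joined.
    """
    expected = trusted.get(net.ssid)
    if expected is not None:
        if net == expected:
            return "connect", "known network with the expected mode and encryption"
        return "avoid", "known SSID but mode or encryption differs from the record (possible rogue)"
    if not net.infrastructure:
        return "avoid", "ad hoc network offered by another device, not an access point"
    if net.encrypted:
        return "caution", "encrypted but unknown; confirm the operator before connecting"
    return "avoid", "open and unknown; may be a trap or someone's private network"


def triage(scan: list[ScanResult], trusted: dict[str, ScanResult] = TRUSTED) -> dict[str, list[str]]:
    """Group a whole scan by verdict so the safe choices stand out."""
    groups: dict[str, list[str]] = {"connect": [], "caution": [], "avoid": []}
    for net in scan:
        verdict, _ = assess(net, trusted)
        groups[verdict].append(net.ssid)
    return groups


# Constructed scan modelled on the Figure 2 discussion: an open access point,
# an encrypted but unknown one, a known hotspot, a 'Free Public WiFi' peer,
# and an open look-alike of the office network.
SAMPLE_SCAN = [
    ScanResult("net 1", infrastructure=True, encrypted=False),
    ScanResult("net 2", infrastructure=True, encrypted=True),
    ScanResult("Hotel-Guest", infrastructure=True, encrypted=True),
    ScanResult("Free Public WiFi", infrastructure=False, encrypted=False),
    ScanResult("Office-WLAN", infrastructure=True, encrypted=False),
]

if __name__ == "__main__":
    for net in SAMPLE_SCAN:
        verdict, reason = assess(net)
        print(f"{net.ssid:18} {verdict:8} {reason}")
```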

The safest option is always to connect to an encrypted network that you know and trust. However, for roaming users there will clearly be times when this is not possible. Nonetheless, there are still precautions that can be taken when operating in public places and other untrusted environments. For example, when considering a connection to a wireless LAN in a hotel or airport, be sure to know who the legitimate hotspot operators are in that area, in order to help avoid connecting to a rogue access point. A good option for providing additional assurance from the organisational perspective is to offer a means for roaming workers to connect in via a Virtual Private Network (VPN), which enables a secure connection (referred to as a tunnel) to be established between the organisation’s trusted server and the remote client device. Once in VPN mode, all of the traffic is encrypted, protecting it against eavesdropping and/or unauthorised modification by an intermediate third party. From the mobile user’s perspective it should be noted this is something that has to be planned for; your organisation needs to offer a VPN service, you cannot just set up an ad hoc secure connection back to base on your own initiative. Moreover, the approach is not always guaranteed to work; some networks will not allow VPN connections to be opened (indeed, in some cases the associated ports will be explicitly blocked to prevent you from using an encrypted channel), and so it then comes back to a fundamental choice between communicating without protection or not doing it at all.

Given the communication capabilities of modern mobile devices, it is probably unsurprising to discover that WiFi connectivity is not the only risk. Indeed, problems of a different nature can be posed by more localised communications offered by Bluetooth. However, making safe use of Bluetooth technology is actually very straightforward, and effectively comes down to following a few fundamental guidelines:

• Only switch Bluetooth on when you need to use it.
• Don’t routinely leave your device in ‘discoverable’ mode.
• Don’t pair your device with others that you don’t know.

If you’re in a room full of people or a populated public area, it’s always interesting to set your device searching for other Bluetooth devices in the immediate area and see how many can be seen (bearing in mind that none typically need to be discoverable!).[23] The adoption of Bluetooth quickly led to the emergence of a number of new threats. While some of them no longer apply (having related to specific vulnerabilities in early implementations), they still provide an interesting illustration of the ways in which unprotected communications can be exploited.[24]

• Bluejacking: This refers to sending unsolicited, anonymous messages via Bluetooth to ‘discoverable’ devices in the vicinity. There are two variants, with different overall objectives:
  o Simply as a means of sending an unsolicited message. To achieve this, the perpetrator may create a new address book entry, using the contact name field to hold the text of the message that they wish to send (e.g. ‘You look cute today’). This could then be sent to nearby devices, which in some contexts could end up being disturbing for the unwitting recipient.
  o As a basis for tricking the victim into establishing a pairing with the attacker’s device. In this context, the attacker may change the name of their device to present an enticing message (e.g. instead of something like ‘Nokia Phone’ the name could be changed to ‘Prize winner! Select “yes” to receive credit’). The attacker would then try to initiate a pairing, at which point the potential victim will see the message and may be inclined to accept. Doing so then establishes a pairing, potentially leaving the victim device prone to further levels of attack such as those below.

• Bluesnarfing: This refers to unauthorised access to data on a device via its Bluetooth connection. The victim device must allow connection and must be paired with the attacker’s device (which may be achieved by some prior Bluejacking). If this is accomplished, content such as contacts, calendar, text messages and e-mails may be vulnerable to compromise from the device.

• Bluebugging: The most significant of the three listed here, this permits a complete takeover of the device by giving an attacker access to commands. They may then make calls (i.e. turning a phone into a bugging device), send and read text messages, create contacts, set up call diverts (i.e. intercept calls), and perform a variety of other activities without the legitimate user’s knowledge. Although this offers potential for significant impact, it should be noted that the threat is limited to early models of Bluetooth phones, and modern devices would not be vulnerable.

[23] At the time of writing, performing a scan in a train carriage heading towards Plymouth, I managed to detect 12 such devices, most of which were phones.
[24] Legg, G. 2005. ‘The Bluejacking, Bluesnarfing, Bluebugging Blues: Bluetooth Faces Perception of Vulnerability’, TechOnline, 4 August 2005.

Given that the key to much of the vulnerability here is via ‘discoverable’ devices, most are now shipped with this mode switched off by default and some (but certainly not all) help to further reduce their vulnerability by only remaining discoverable for a short period of time even when the feature has been enabled.

Another close-range technology to consider (albeit one that is becoming significantly less commonplace since the arrival of Bluetooth) is infrared (IR). IR poses somewhat less of a risk than Bluetooth, in the sense that the connection conditions require line of sight between the two devices, but is still one to watch out for (especially as it has a tendency to be default-enabled on some devices, and so you may not realise the channel is available). This point actually leads quite neatly into the wider issue of knowing what signs to look for in order to determine your connectivity status. For example, some devices will use flashing lights to signify when different communications technologies are switched on, whereas others may use on-screen icons instead (and others will use both). Sometimes, however, the behaviour of the device will be less obvious, and it will pay to refer to the manual or the Help system to understand exactly how some aspects are working. For example, personal experience using a Windows Mobile® device supporting both Bluetooth and IR functionality revealed that the only tangible configuration option for IR communication was to be found under the ‘Beam’ setting, which in turn had only one option (‘Receive all incoming beams’), which could be toggled on and off. However, what was not clear from the user interface was that this setting related to both IR and Bluetooth beams, and there was no facility to configure them independently. Although another setting elsewhere on the device enabled the Bluetooth radio to be switched on or off (such that the ‘beam’ setting would then only apply to IR), there was still no means to be receptive to Bluetooth beams without IR being active at the same time. While this is not a fundamental problem, it does illustrate the advantage of knowing the basics of how your device works so that you don’t introduce unanticipated vulnerabilities.

A final point to note regarding mobile communications is that the underlying technology is continuing to evolve, resulting in further increases in connectivity. For example, further wireless technologies, such as WiMAX (Worldwide Interoperability for Microwave Access) and RFID (Radio Frequency Identification), are likely to find a place in future devices. Each new approach is likely to bring its own security considerations, and as illustrated by the discussion of WiFi and Bluetooth in this chapter, the fact that they are housed within the same device does not prevent them from introducing distinct risks and security issues. In the meantime, having looked at some of the communication issues, the next chapter starts to look at some of the ways in which we can control the use of the devices themselves.


Takeaways

➤ Ensure that you are able to tell whether your different connectivity options are enabled or not. Be familiar with the on-screen icons and/or indicator lights on the device.
➤ Reduce exposure to threats by switching off functionality you are not planning to use (at the very least it will conserve battery power).
➤ While cellular networks can generally be considered trustworthy, WiFi and Bluetooth networks have a higher potential to be hostile and therefore warrant caution when encountered for the first time.
➤ Always be sure of what you are connecting to, and exercise particular caution in accepting connections from other devices.


CHAPTER 4: ENSURING IT’S YOU

Mobile devices tend to be even more personal than personal computers, with even corporate devices holding data closely tied to their owners. With this in mind, this chapter examines the importance of giving access to the right person, by authenticating the user. Particular attention is given to the challenges posed by the current dominance of passwords and PINs, especially in the case of handheld devices that are more vulnerable to loss and theft.

Chapter 2 has already highlighted the risks facing mobile devices in terms of loss and theft while they are on the move. However, it is worth thinking about what this would actually mean from the owner’s perspective, and, of course, the answer would rather depend upon the prior steps that had been taken to protect it. For example, if your device is insured and your data is backed up (both of which may admittedly be big ifs in some cases!), then it may mean that the only tangible impact from your perspective is the inconvenience of being without it for a while. However, there is another critical issue to consider; namely what would someone else be able to do if your device fell into the wrong hands? The answer would very much depend upon whether anything was in place to guard against use by impostors. Basically, is there anything there to authenticate the user? Indeed, given that many people use their mobile device as the place to note down a record of passwords and Personal Identification Numbers (PINs) for other services, it makes little sense to then leave the device itself unprotected.

Authentication provides an immediate, front-line defence for the device in the event of loss or theft, and without it anyone who gets hold of the device effectively has a free hand to browse its contents and make use of any services it can offer (unless, of course, there are some lower level safeguards, such as encryption of sensitive data or authentication requirements for specific services). This could lead to very bothersome scenarios for both individuals (e.g. identity theft) and organisations (e.g. data leakage and loss of confidentiality), and so putting some sort of check in place would ostensibly seem like a reasonable thing to do. However, as this chapter highlights, things are not always this straightforward; partly because of users’ perceptions about the protection their device may require, and partly because of the options available to them for protecting it.

When we look at what is typically available to users, it is interesting to note that while the devices have passed through several generations of technology and functionality, the predominant authentication mechanism is essentially the same, with PINs or passwords remaining the most widely used approaches. However, a fundamental difference on the mobile device is that the user can find multiple settings, in order to lock different aspects of functionality. For example, mobile phones support distinct authentication mechanisms to protect the device and the user’s Subscriber Identity Module (SIM) card. The device-level authentication provides the front-line protection when the handset is switched on, and therefore regulates access to applications and the majority of the user’s stored data (the exception being any data, such as contact details, which the user may have stored on the SIM). The SIM-level authentication safeguards against the unauthorised use of the user’s cellular network account, recognising that the card could otherwise simply be removed from a protected device and used in an unprotected one. If enabled, the SIM-level PIN effectively governs the ability to make voice calls and use network services via cellular data connections. Additionally, there may also be a further level of protection, referred to as PIN2, which is able to safeguard against unauthorised modification of network settings, such as fixed dialling or call barring. In order for these options to be effective, users need to be aware that they are carrying two distinct assets requiring protection (i.e. the SIM and the device). However, many are unlikely to appreciate this by default, and may find the whole situation confusing without a clear explanation. Further confusion can be introduced by the fact that the mechanisms vary in style. While the SIM protection takes the form of a four- to eight-digit PIN, the style of the device-level authentication will depend upon the device hardware and operating system in use (e.g. a standard Windows Mobile® platform offers PIN or password options). Figure 3 depicts the differences.


(a) Setting the device password

(b) Setting the SIM PIN

Figure 3: Device and SIM authentication options

As part of my own team’s research, we conducted a survey amongst mobile phone users to assess their use of authentication on current devices. A total of 297 responses were received via an online questionnaire, enabling a number of insights into the respondents’ use of authentication and wider issues of security.[25] The focus here is directed to the authentication aspect, and the main finding was that despite making significant use of their devices, a third (34%) of the respondents did not use any PIN protection. The main reasons for this were that 30% considered the PIN to be inconvenient, and only 25% were actually confident in the protection it provided. Additionally, a significant proportion had experienced problems with the technique, with over a third (38%) having had at least one occasion to obtain a Personal Unblocking Key (PUK) from their network operator as a result of incorrectly entering their PIN too many times and locking themselves out. Unfortunately, even those using the PIN were not necessarily doing so properly. For example:

• 45% had never changed their code, meaning that it would present no barrier to anyone familiar with the handset’s default PIN (which could typically be determined quite easily via an online search)
• 36% were using the same PIN as they used for other services, thus giving an attacker more routes to acquire it (and increasing the breadth of what may be compromised as a result)
• 26% had shared their PIN with someone else.

[25] Clarke, N.L. and Furnell, S.M. 2005. ‘Authentication of users on mobile telephones – A survey of attitudes and practices’. Computers & Security, vol. 24, no. 7, pp. 519–527.

Given the apparent challenges, it was also interesting to determine whether the respondents had experienced any problems that might have been mitigated by protection. Presented with four possible categories of unauthorised use (handset borrowed and tampered with; borrowed and calls made; stolen; and stolen and calls made), it was determined that 28% had experienced one or more of them. Additionally, 67% of this abuse had occurred on handsets that had the PIN facility enabled, and while one would never expect the presence of a PIN to prevent theft, it might reasonably be expected to provide a safeguard against the other three scenarios. The fact that it did not could be indicative of some of the earlier weaknesses (e.g. victims may have already shared their PIN with the person who borrowed their handset), or the fact that some handsets only demand a PIN when they are initially switched on and so the user effectively remains ‘logged in’ from that point. Whatever the cause, the findings demonstrate that PIN protection certainly cannot be considered as a guarantee of security (and indeed point towards the need for the further mechanisms discussed in the next chapter).

In spite of the negative views and experience, 42% of respondents thought the PIN provided adequate security. At the same time, with handset technology advancing and additional services becoming available, 85% were still in favour of additional security being provided. This view was also mirrored in some of the focus groups’ discussions introduced earlier:

‘When you start becoming more aware about stuff [dangers/threats] like that, you start realising what you are doing with the phone as well. I think then you realise, actually I like the idea of providing higher security’

At this point, you may be reading this and thinking that while you know the risks and want to protect the device, you are less than satisfied with the options available for doing so. Indeed, PIN and password-based approaches have long-established drawbacks. These are most clearly documented in relation to passwords, with bad practices including the selection of weak (guessable) strings, as well as sharing details with other people, writing them down and never changing them. However, in a mobile device context there is also a significant consideration in terms of the convenience of the underlying methods.

Although using a password is more likely to parallel the authentication mechanism used on the desktop (allowing data to be afforded equivalent protection in both locations), it could be less convenient in a mobile context. So, while a seven-character password (incorporating at least three different types of characters, from uppercase, lowercase, numerals and/or punctuation) would make for stronger authentication than a four-digit PIN (these two being the default alternatives available on a Windows Mobile® device), it would be awkward to type on a mobile keypad. Moreover, if you only want to make quick use of the device and then slip it back in your pocket, entering the password might even take longer than the task itself. As such, there is a possible dilemma in terms of compromising convenience or sacrificing security, and an informed choice should be made in order to ensure that security does not become frustrating.

There are options beyond PINs and passwords, but they are by no means standard across all devices. For example, a small subset of laptops, PDAs, phones and memory sticks offer fingerprint readers, which then provide a much stronger level of authentication that is specifically tied to the legitimate user. Over time, it is very likely that other biometrics will also become commonplace, and devices with inbuilt microphones and cameras may find themselves capable of supporting authentication via voice and facial verification. Indeed, some mobile devices could already support a whole host of biometrics from their standard hardware; it’s just that the accompanying software is not available or deployed on the devices to capitalise upon these features. However, such things have already happened in research labs, and so have every chance of becoming more widely available in the future. As an example, Figure 4 summarises the features that we were able to integrate within a prototype implementation at the University of Plymouth, with the additional advantage that multiple techniques could operate non-intrusively from the user perspective (hence increasing security without adding inconvenience).[26]

Figure 4: Potential biometric authentication options on a mobile device

[26] Clarke, N.L., Furnell, S.M. and Karatzouni, S. 2008. ‘Authentication Framework Evaluation’, Deliverable 4, Flexible and Non-Intrusive User Authentication for Mobile Devices, Eduserv Foundation, August 2008.
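To put the PIN-versus-password comparison above into figures, the following Python (an added example, not code from the book or from the Windows Mobile platform) checks a candidate against the seven-character, three-of-four-classes rule described for the device password, screens a PIN for the trivially guessable patterns that the survey findings make worrying, and computes the exact keyspace of each option by inclusion-exclusion over the character classes. The class sizes assume a US-ASCII keyboard, with ‘punctuation’ taken as the 32 printable non-alphanumeric ASCII characters.

```python
"""Compare the two device-lock options the chapter describes for a Windows
Mobile device: a four-digit PIN and a seven-character password drawn from at
least three of four character classes (uppercase, lowercase, numerals and
punctuation).

Added example, not from the book or from the platform it discusses. Class
sizes assume a US-ASCII keyboard; 'punctuation' is taken to be the 32
printable non-alphanumeric ASCII characters.
"""
from __future__ import annotations

import math
import string
from itertools import combinations

CLASSES = {
    "upper": frozenset(string.ascii_uppercase),  # 26 characters
    "lower": frozenset(string.ascii_lowercase),  # 26
    "digit": frozenset(string.digits),           # 10
    "punct": frozenset(string.punctuation),      # 32
}


def classes_used(secret: str) -> set[str]:
    """Names of the character classes that appear in `secret`."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in secret)}


def meets_password_policy(pw: str, min_len: int = 7, min_classes: int = 3) -> bool:
    """The device-password rule described in the chapter: at least `min_len`
    characters using at least `min_classes` of the four classes."""
    return len(pw) >= min_len and len(classes_used(pw)) >= min_classes


def pin_is_trivial(pin: str) -> bool:
    """Reject codes that give no real barrier: wrong shape, a single repeated
    digit, or an ascending/descending run. An unchanged factory default is the
    other classic weakness the survey found; since such values are easy to look
    up, they belong on a deny-list maintained by the deployer (not reproduced)."""
    if not (pin.isdigit() and 4 <= len(pin) <= 8):
        return True
    if len(set(pin)) == 1:
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def policy_keyspace(length: int = 7, min_classes: int = 3) -> int:
    """Exact number of strings of `length` over the four classes that use at
    least `min_classes` distinct classes. By inclusion-exclusion, the number of
    strings whose class set is exactly S is
        sum over T subset of S of (-1)^(|S|-|T|) * |alphabet(T)|^length,
    and the answer is that quantity summed over every S with |S| >= min_classes."""
    names = list(CLASSES)
    sizes = {n: len(CLASSES[n]) for n in names}
    total = 0
    for k in range(min_classes, len(names) + 1):
        for s in combinations(names, k):
            exactly_s = 0
            for j in range(len(s) + 1):
                for t in combinations(s, j):
                    alphabet = sum(sizes[n] for n in t)
                    exactly_s += (-1) ** (len(s) - j) * alphabet ** length
            total += exactly_s
    return total


def keyspace_bits(count: int) -> float:
    """Keyspace expressed as bits (log2 of the number of possible secrets)."""
    return math.log2(count)


def compare_options() -> dict[str, float]:
    """The chapter's comparison worked through: a 4-digit PIN against a
    7-character, 3-of-4-class password, in bits of keyspace."""
    return {
        "pin_4_digits": round(keyspace_bits(10 ** 4), 1),
        "password_7_chars_3_classes": round(keyspace_bits(policy_keyspace()), 1),
    }


if __name__ == "__main__":
    print(compare_options())
    for candidate in ("Tr0ub4dor!", "password", "Abc123!"):
        print(f"{candidate!r}: {'ok' if meets_password_policy(candidate) else 'rejected'}")
    for pin in ("1111", "2345", "8725"):
        print(f"{pin}: {'trivial' if pin_is_trivial(pin) else 'acceptable'}")
```

The roughly 32-bit gap between the two options is the price of the convenience trade-off the text describes; the keyspace figure is an upper bound, since real choices are far from uniform.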

As a final point to note, some might still argue that they don’t need to worry too much about authentication on the handset because the web-based services they’re accessing each require their own authentication anyway. However, here again we may find a difference between the mobile and desktop environments; because it’s fiddly to enter user IDs and passwords via the mobile keypad or touchscreen, users may opt to get the browser to remember their details. Thus, the fact that the services require secondary authentication becomes redundant, because whoever is using the device (be they the owner or an impostor) is effectively pre-authenticated each time they visit the site.

Unfortunately, device-level safeguards do not end with authentication. Even a device using strong biometrics could end up carrying data that ought not to be there, or that warrants additional protection. As such, a series of further considerations and safeguards are examined in the next chapter.

Takeaways

➤ If authentication is available, try to make use of it.
➤ Be aware of the options that are available and relevant to use (e.g. on a mobile phone, the use of device- and SIM-level authentication may be appropriate).
➤ Don’t choose settings that will make your life unnecessarily difficult (e.g. having a 15-character password that is requested every time the device has been unused for a couple of minutes will frustrate you).


➤ Follow the same good practice in choosing and using passwords and PINs for mobile devices as you would for other systems (e.g. avoid the obvious and don’t share them).
➤ Avoid the temptation to get the system to remember passwords for your online services unless you are very confident in the front-line authentication on the device itself.


CHAPTER 5: SAFEGUARDING YOUR DATA

Having considered the threats in a number of other contexts, this chapter stresses that the true value of mobile devices often comes from the data that they hold or that can be accessed through them. This leads to the need for measures such as encryption and back-up, which organisations should consider in order to properly safeguard against the threats.

Although much of the earlier discussion has referred to the protection of the device, this is ultimately just a means to an end. It’s actually not the device that we need to protect; it’s the data. Although the device has a financial value, it is ultimately replaceable. Meanwhile, the data may not be, and having it fall into the wrong hands may be far more costly than the loss of the device. And with even pocket-sized devices having the capacity to store gigabytes of content, that’s ample space to store a wealth of commercially sensitive and proprietary material that could be exposed if the device was lost.

Before considering the protection that we can provide, it is worth asking a more fundamental question: does the data need to travel in the first place? If it’s personal data, then this is clearly a question for the individual. If it’s business data, then the organisation has the opportunity to set the agenda via policy and technical controls to regulate what staff are permitted to copy onto mobile devices. However, a potential complication from an employer’s perspective is the lack of control that they may have over the use of mobile technologies, especially given that the data and the device may have different owners. Specifically, unless controls prevent otherwise, we can find personal data populating corporate devices, and corporate data slipping onto personal devices. From the end-user perspective this makes clear sense, as it enables them to simply view the device as a personal tool, without worrying too much about the distinctions between their business and private lives. However, the consequence is that work-related artefacts come to exist on personal devices (e.g. in the form of tasks, schedules, contacts and files) and vice versa, and from the employer perspective both scenarios may have undesirable implications that need to be understood. Let’s consider each in turn:

• Corporate data on personal device: Even if it does not issue its staff with mobile devices, an organisation may still find that they are using their own devices for work-related purposes. The clear risk here is of corporate data being held on a device that the organisation cannot directly control or configure, and which may not be receiving the level of protection that the organisation would normally expect to apply to it.

• Personal data on corporate device: Depending upon what they choose to do with it, the user’s personal data may not sit easily alongside their association with their employer. For example, a lost or stolen device revealing that a user works for XYZ organisation and regularly visits dubious websites could still have repercussions for XYZ’s reputation if disclosed. From a different perspective, individuals may actually be less than comfortable with the idea of their personal data ending up within the organisation (e.g. their personal appointments being synchronised into company schedules, and their personal files being copied as part of corporate back-ups).

There is no single ‘right’ answer here; for some organisations the best solution is an outright ban on the use of personal devices, potentially extending as far as prohibiting them from the workplace altogether. At the other extreme, some organisations may prefer to support their staff in using personal devices more securely. Both scenarios have pros and cons. The hard-line ban reduces the direct risk, but could work against the interests of the business, because users will be denied the opportunity to use their devices for a valid purpose. Meanwhile, the idea of supporting personal devices can present practical difficulties. For example, users may collectively own all manner of devices and operating system (OS) versions, making it difficult for the organisation to deploy software solutions (e.g. anti-virus), or indeed to provide general advice and guidance due to the breadth of expertise it could require. A potential middle ground could, of course, be for users that need a mobile device for work to be provided with one, and to keep this distinct from any personal device they may own. However, this introduces the potentially unrealistic (or at least unhelpful) expectation that the user will be happy to carry two devices around with them. Some will at the very least regard this as an imposition, whereas others will still be actively looking for ways to make their lives easier by getting everything onto just one of the devices if possible. Whatever the chosen stance, the potential conflict between personal and business uses is one that must be recognised. Most employees will now have their own mobile devices, and so the risk is present regardless of whether the organisation has explicitly acknowledged it. As such, there is no question of whether we should tackle the issue; it is just a question of how.

If the data does need to travel, the next question is what we can do to protect it. We have already seen one of the most significant safeguards in the form of authentication, but this is certainly not the end of the story, not least because data will often be held on removable media such as SD cards rather than in the device’s onboard memory. Thus, unless further protection is used, this could simply be removed from the device that is requesting authentication and read using another device instead. As such, a core safeguard is to encrypt the data, so that unauthorised parties cannot read it. However, this raises questions about what level of protection is appropriate in which context. While the answers will depend upon individual circumstances, they will primarily relate to the sensitivity of the data concerned, but will potentially be limited by what devices can support. Judging the sensitivity of the data will very much depend upon its value to the organisation or individual concerned, and may be conducted to varying degrees of rigour. Similarly, the resulting protection may be specified at several levels, depending upon the view of the organisation concerned. Broadly speaking, however, we could see three levels in relation to data in a mobile context: that which can be held in plaintext; that which can only be stored if encrypted; and that which should not be transferred to a mobile device under any circumstances.

After the data, the other dimension to consider is what the device can actually support. Laptops are likely to be the only context in which you get a significant degree of choice. Meanwhile, although phones and PDAs may support encryption, the extent may be limited (e.g. users get no choice about the type or level of encryption, and simply get to decide whether their data is encrypted or not). For example, Windows Mobile® 6 only offers encryption for data on storage cards (see Figure 5), and requires that the entire card be encrypted (rather than allowing decisions on a per file basis). Moreover, there is no option over the type or strength of encryption to be used, and the card can then only be read in the device on which it was encrypted. Having said this, it may be possible to expand the capabilities through additional utilities. A similar comment applies to devices like memory sticks, the contents of which can be encrypted using a variety of third party programs, allowing users to set up secure and public partitions. For the highest levels of protection, devices can be purchased that offer hardware-based encryption, with the functionality being an integral part of the device rather than an add-on.

Figure 5: Storage card encryption feature in Windows Mobile® 6

A vital caveat is that simply having encrypted data is not a sufficient indication of security. You also need to be aware of the type of encryption being used, and to be sure that reliance is not being placed on an unknown, proprietary, or potentially untested algorithm. Users seeking proper assurance should look for the use of an established technology, such as the Advanced Encryption Standard (AES), which is internationally recognised and has been exposed to significant public scrutiny to assure its robustness. Specific details of the methods are outside the scope of this guide, but readers interested in further information are referred to the range of other books, websites and vendors dedicated to this topic.

Depending upon the device, another safeguard that may be available in cases of loss and theft is to remotely lock the device or wipe its data. For example, these features are available for BlackBerry devices using the BlackBerry Enterprise Server, as well as for Windows Mobile® devices running through an Exchange server. However, even if an option to wipe the device is available, it would be best regarded as a belt and braces approach rather than as a substitute for other safeguards, as there could well be a time lag between the device being lost and a wipe being issued.

As with any technology, there can come a point when mobile devices fail, need to be redeployed to a new user, or simply reach the end of their useful life. At this stage, it is very important to ensure that they are not passed on with data still in situ, and careful consideration needs to be given to ensuring that sensitive information cannot be recovered later. Despite numerous media reports of devices being resold or disposed of with data still intact, many users and organisations seem to be unaware of what they ought to do in order to dispose of things safely. Simply deleting files or reformatting the device will not prevent data from being recovered (indeed, in many cases all this does is leave the data there but effectively remove the index entry to it; thus unless it’s actually overwritten it can still be read back). This applies to hard disks, removable media, and the memory storage inside phones and PDAs, with a variety of digital forensics tools now available in all cases. So how to do it? Depending upon the type of device and the sensitivity of the data it has been holding, several options are available:

• Overwriting: This involves low-level reformatting to wipe the original data, followed by multiple iterations of overwriting the whole disk with random data. This serves to make the original information difficult (but not impossible) to recover.

• Degaussing: This approach is only relevant for data stored on hard drives, and relates to the fact that they are based upon magnetic media. Degaussing demagnetises the disk using alternating electric currents, thus wiping the data stored on it.

• Destruction: To be absolutely sure of preventing data recovery, a device or disk should be completely destroyed. It should be noted that this is not the same as simply rendering it inoperable; smashing a disk or snapping a memory stick may well prevent it from being used but might not stop a determined attacker from reading the data. The most effective method here is incineration.
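As an added illustration of the point above (not code from the book), the following Python script models a tiny storage image with a flat file index: deleting or quick-formatting drops only the index entry, so a raw scan of the medium still finds the data, while overwriting every block with random data finally removes it. The volume layout, the filenames and the ‘client list’ text are constructed for the example.

```python
"""Why 'delete' and 'reformat' are not 'erase': a toy storage image.

Added example, not from the book. Constructed flat-index volume: a
name -> (first block, length) table in front of fixed-size data blocks,
which is enough to show the behaviour of SD cards and similar media.
"""
import os

BLOCK_SIZE = 64   # constructed: bytes per block
NUM_BLOCKS = 32   # constructed: a 2 KiB image


class ToyVolume:
    def __init__(self):
        self.index = {}                                   # name -> (first block, nbytes)
        self.blocks = bytearray(BLOCK_SIZE * NUM_BLOCKS)  # the raw medium
        self.next_free = 0

    def write_file(self, name, data):
        nblocks = -(-len(data) // BLOCK_SIZE)  # ceiling division
        if self.next_free + nblocks > NUM_BLOCKS:
            raise OSError("volume full")
        start = self.next_free * BLOCK_SIZE
        self.blocks[start:start + len(data)] = data
        self.index[name] = (self.next_free, len(data))
        self.next_free += nblocks

    def read_file(self, name):
        first, nbytes = self.index[name]
        start = first * BLOCK_SIZE
        return bytes(self.blocks[start:start + nbytes])

    def delete_file(self, name):
        # What a normal delete does: forget the index entry, touch no data.
        del self.index[name]

    def quick_format(self):
        # A quick reformat rewrites the index, not the data blocks.
        self.index.clear()
        self.next_free = 0

    def carve(self, marker):
        """Forensic-style raw scan that ignores the index entirely; returns
        every byte offset at which `marker` still occurs on the medium."""
        hits, pos = [], self.blocks.find(marker)
        while pos != -1:
            hits.append(pos)
            pos = self.blocks.find(marker, pos + 1)
        return hits

    def overwrite(self, passes=3):
        """Sanitise: overwrite the whole medium with random data `passes`
        times, then clear the index. Returns the number of bytes written."""
        for _ in range(passes):
            self.blocks[:] = os.urandom(len(self.blocks))
        self.quick_format()
        return passes * len(self.blocks)


def demo(secret=b"CLIENT LIST: Acme Ltd, settlement offer 0.5m"):
    """Delete, then quick-format, then overwrite; after each step report
    whether the secret can still be carved from the raw image."""
    vol = ToyVolume()
    vol.write_file("notes.txt", secret)                  # constructed content
    vol.write_file("calendar.dat", b"09:00 board meeting")
    result = {}
    vol.delete_file("notes.txt")
    result["after_delete"] = bool(vol.carve(secret))     # True: still there
    vol.quick_format()
    result["after_format"] = bool(vol.carve(secret))     # True: still there
    vol.overwrite()
    result["after_overwrite"] = bool(vol.carve(secret))  # False: gone
    return result


if __name__ == "__main__":
    for stage, recoverable in demo().items():
        print(f"{stage:16} recoverable={recoverable}")
```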

The decision on what approach to pursue will often be a value judgement on the part of the organisation concerned. Having said that, there are related standards in the domain,[27] and there may be a consequent requirement upon some organisations to demonstrate compliance. Whatever the selected approach, it is another issue that needs to be emphasised in internal policy and staff awareness in order to avoid mistakes.

[27] For example, the US Department of Defense offers standard DoD 5220.22-M in relation to the clearing and sanitization of media, while the National Institute of Standards and Technology offers Guidelines for Media Sanitization in NIST Special Publication 800-88.

It is also important to recognise threats beyond unauthorised access and potential breaches of confidentiality. In this context, another significant safeguard is to make a back-up of the data on the device. In many cases this may be happening automatically if the device is synchronised with a desktop PC, or may be a feature offered by the network operator, but it will be important to determine exactly which aspects are involved (e.g. is the device simply syncing the contacts and calendar, or are files being included as well?). Having a back-up will help in a variety of cases, including the loss, theft, and hardware or software failure of the device.

In addition to protecting the devices themselves, we also need to safeguard the systems that they come into contact with. Controls are required in both directions (i.e. from the host system to the mobile device, and from the device into the system or network). In the first case, the control aims to regulate the transfer of sensitive data out of the system, whereas in the latter we are protecting against threats introduced by visitors’ or employees’ devices coming in from outside (e.g. devices infected with malware). The point is that even if it’s a known mobile device, we may not know where it’s been or what it’s been exposed to while it’s been away from base, and so it needs to be treated with caution. A variety of techniques can be used to increase the control over mobile devices and harden the protection against the risks they may introduce:

• Disable autorun features on memory sticks, which may otherwise enable malware to activate.

• Ensure that anti-virus protection is configured to check removable media in addition to local drives.

• Employ safeguards to ‘police the ports’ and prevent data from being transferred to and from mobile devices and removable media without authorisation.

However, it must be recognised that technology will never provide the complete solution. For example, while port control software will prevent a user from copying a sensitive file to a memory stick, it will not prevent them from creating their own sensitive content and storing it on the stick directly. As such, clear policy and raising of awareness are still required to supplement and support the technical controls.

Having identified a range of things that should be done, it is worth noting that at the time of writing, the reality is that many businesses take no precautions at all. For example, when asked what they do in order to prevent data leakage on removable media devices (including memory sticks, portable hard drives and MP3 players), 67% of UK businesses indicated that no steps were taken at all.[28] Meanwhile, 20% indicated that their staff were told not to use such devices, and 11% took the more active step of configuring PCs to prevent the devices being used (or restrict the use to authorised devices only). Finally, a mere nine per cent indicated that passwords and/or encryption were used to protect any confidential data that such devices might be carrying. Meanwhile in the United States, findings from the CSI’s Computer Crime and Security Survey tell a similarly discouraging tale. Chapter 2 already flagged the significant levels of device theft and consequent data exposure reported in this survey, and with these findings in mind it is disappointing to discover that only around half of the respondents (53%) were using encryption to protect stored data. Although this answer was across the board (rather than referring specifically to use in mobile contexts), it is still likely that many of those without protection were referring to laptop and handheld devices.

Ultimately, if we are to consider sending out devices without protection, then it is worth remembering the risks to which they will be exposed. For example, going back to the type of issue already flagged in Chapter 2, a survey of 100 law firms conducted by Credant Technologies revealed that 24% had misplaced at least one mobile device containing confidential documents such as client details, case notes and contracts.[29] If the devices were unprotected, then the potential impact is far more than the replacement cost of the devices.

The discussion up to this point has essentially considered the risks arising from devices and data falling into the wrong hands. Unfortunately, however, the threat landscape also includes targeted attacks, and the next chapter considers how mobile devices may be exposed to malware and other types of unwanted attention.

[28] BERR. 2008. 2008 Information Security Breaches Survey – Technical Report. Department for Business Enterprise & Regulatory Reform. April 2008. URN 08/788.

[29] Williams, I. 2008. ‘Quarter of law firms admit to losing confidential data’, vnunet.com, 28 October 2008.

Takeaways

➤ Even if measures have been taken to protect the device, data-level safeguards should be used where available.

➤ Establish and promote clear policy about storing corporate data on personal devices, and about the general use of personal devices within the workplace.

➤ Clearly identify what data can be held on mobile devices and under what circumstances. Apply technical controls to restrict data transfer to and from devices, and to protect it against exposure.

➤ Recognise that any devices arriving from outside are untrustworthy and should be scanned for malware upon connection to other systems.

➤ Back up your data in order to ensure that you don’t lose it if the device is lost, stolen or fails.

➤ If you are planning to sell, recycle or give away a device, ensure that data is properly wiped off it first.

➤ Disposal of a device should only occur once sensitive data has been removed. If the device has failed, and cannot be wiped, then it should be destroyed to prevent data recovery.


CHAPTER 6: ARE YOU A MOVING TARGET?

This chapter examines attacks that specifically target mobile devices. Although worms and viruses have yet to appear in volume on current devices (aside from laptops, which inherit the problem directly from desktop PCs), the rich processing and communication capabilities are likely to see mobile platforms affected in the future. In addition, there are a number of established attacks from other domains that are finding new opportunities by targeting mobile users.

When considering attacks against mobile devices, a key concern is the slow but steady growth of malware (e.g. worms, viruses and Trojan horses) on mobile platforms. Given over two decades of difficulty in the desktop domain, the prospect of malware appearing on mobiles was almost inevitable as they became more advanced. Indeed, malware is the principal threat invited by the richer capabilities offered by smartphones and PDAs, as this has brought them closer to the environment already provided by fully fledged PCs. While early discussions were accompanied by claims that doom-mongers and anti-virus companies were exaggerating the threat, it is now an undeniable reality, and there is a clear potential for the platforms to be targeted. Moreover, as we’ve seen with PCs, it is a problem that is unlikely to disappear now that it’s started, and so we need to be aware of it.

The nature and scale of the threat is very much tied to the type of mobile device in use. While laptops will essentially be as prone to the threat as their OS platform would be on a desktop (i.e. at greater risk if running Windows® than if using Mac OS® X or Linux), handheld devices have not exactly been overrun with malware. Indeed, it is currently a threat that far more people have heard about than have actually experienced at first hand. For example, according to findings from McAfee in 2008 (based upon a sample of 2,000 users in the UK, US and Japan),[30] 11.6% of users had heard of someone else being affected by mobile malware, but only 2.1% had personal experience of such a problem. Meanwhile, 86.3% of users had no knowledge of any such incidents.

Part of the reason for this has been the relatively restricted size of the target user base. Although mobile phones have enjoyed immense popularity, it is only in more recent years that the devices themselves have started to sport operating systems that offered the ability to install and run new programs. By contrast, while such operating systems have been running on PDAs for years, there were not enough users out there to divert the attentions of malware writers away from their established targets on PCs. Today, however, the more advanced capabilities have converged with the mass-market devices, and as they become the norm for new and upgrading customers, attackers will have a more substantial and attractive target to aim for.

[30] McAfee. 2008. McAfee Mobile Security Report 2008. McAfee, Inc. www.mcafee.com.

In the meantime, while they have not caused widespread incidents, there have already been several notable cases of malware on mobile platforms (which, if nothing else, certainly prove that a risk exists and may be poised to grow):

• The first genuine worm threat to appear on mobile phones was Cabir in June 2004, spreading via Bluetooth communication on Symbian Series 60-compatible devices.[31] Although widely reported, the threat was limited by several factors. Firstly, Cabir was only able to spread to devices within Bluetooth range of the infected device (i.e. ten metres). Secondly, such devices needed to be in discoverable mode. Thirdly, the worm required the user to explicitly accept it and allow it to run before it could infect the device. If it managed to pass all of these hurdles, the worm had a benign payload (simply displaying the word ‘Caribe’ on the screen), but would repeatedly scan to find other Bluetooth devices to propagate to, thus depleting the battery on the infected device.

• Moving beyond the range limitations of Bluetooth, another key development was witnessed in March 2005, with the arrival of the Commwarrior worm,[32] which (in addition to Bluetooth) spread via the Multimedia Messaging Service (MMS) and could therefore exploit the true geographic reach that mobile phones can offer. MMS victims were randomly selected from amongst other mobile numbers in the device’s phonebook, and then sent one of 23 possible messages, with titles and content that attempted to trick and encourage the recipients into opening them (four such examples are shown in Figure 6). If the user agreed to install the worm, its payload was set to activate and reboot the phone during the first hour after midnight on the 14th day of the month.

Figure 6: Examples of messages from the Commwarrior worm

[31] Symantec. 2004. ‘SymbOS.Cabir’, Symantec Security Response, 14 June 2004. www.symantec.com/avcenter/venc/data/symbos.cabir.html.

[32] Symantec. 2005. ‘SymbOS.Commwarrior.A’, Symantec Security Response, 7 March 2005. www.symantec.com/avcenter/venc/data/symbos.commwarrior.a.html.

• A more recent example is the Beselo worm, which appeared in late 2007 and targeted Symbian S60 smartphones, spreading via MMS messages and Bluetooth using the filenames beauty.jpg, love.rm or sex.mp3.[33] Once a device has been infected, Beselo attempts to use MMS and Bluetooth channels to spread to other targets, as well as infecting any MMC cards inserted into the device (from which it could then copy itself to other devices later). The MMS messages were sent at one-minute intervals, using contact numbers from the victim’s phonebook or internally generated numbers. In addition, any SMS messages received on the device would automatically cause a Beselo-infected MMS message to be sent back in return. Meanwhile, the Bluetooth propagation again used one-minute intervals, targeting one device at a time. While it did not harm any data, the repeated messaging could drain the battery, and the use of MMS was likely to incur costs from the cellular network. However, removing the worm from an infected device required it to be reformatted, thus losing any data in the process.

[33] F-Secure. 2007. ‘Worm:SymbOS/Beselo.B’, F-Secure Security Lab, 21 December 2007. www.f-secure.com/vdescs/worm_symbos_beselo_b.shtml.

Although they all received coverage in the technology media, none of these posed a major concern for the public at large. Indeed, despite such examples, the malware threat to handheld devices is currently far less than that faced by traditional PCs. For example, while figures from F-Secure in 2008 suggested that there were more than 400 mobile viruses in circulation,[34] hundreds of thousands could be identified in the PC domain at the same point in time. Nonetheless, there is now an established level of activity in the mobile domain that goes beyond mere ‘proof-of-concept’ releases, which in turn provides an indication of attackers’ increasing interest in mobile platforms.

[34] F-Secure. 2008. ‘Mobile Users Do Not Take Security Precautions’, F-Secure Press Release, 4 March 2008.
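The propagation behaviour described above for Commwarrior and Beselo (MMS sent on a fixed one-minute cadence to many numbers, and inbound SMS answered automatically with an infected MMS) lends itself to a simple behavioural check. The Python script below, an added example that is not from the book or from F-Secure, runs such a check over a constructed handset messaging log; the log format, thresholds and phone numbers are assumptions made for the example.

```python
"""Behavioural check for Commwarrior/Beselo-style MMS propagation.

Added example, not from the book or F-Secure. The log format
("timestamp,direction,type,peer") and all numbers are constructed.
"""
from datetime import datetime, timedelta

# Constructed log of a handset showing the two behaviours the text
# describes: outbound MMS on a one-minute cadence to many different
# numbers, and every inbound SMS answered by an MMS within seconds.
INFECTED_LOG = """\
2008-01-10 09:00:00,in,sms,+447700900250
2008-01-10 09:00:04,out,mms,+447700900250
2008-01-10 09:00:30,out,mms,+447700900101
2008-01-10 09:01:30,out,mms,+447700900102
2008-01-10 09:02:30,out,mms,+447700900103
2008-01-10 09:03:30,out,mms,+447700900104
2008-01-10 09:04:30,out,mms,+447700900105
2008-01-10 09:05:00,in,sms,+447700900251
2008-01-10 09:05:03,out,mms,+447700900251
2008-01-10 09:05:30,out,mms,+447700900106
"""

# Constructed log of ordinary use: a couple of MMS at irregular times,
# and inbound texts that are not answered automatically.
BENIGN_LOG = """\
2008-01-10 10:02:11,out,mms,+447700900300
2008-01-10 10:15:47,in,sms,+447700900301
2008-01-10 10:40:05,out,mms,+447700900302
2008-01-10 11:03:20,in,sms,+447700900303
2008-01-10 11:20:00,out,sms,+447700900303
"""


def parse_log(text):
    """Return (timestamp, direction, kind, peer) tuples sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, direction, kind, peer = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       direction, kind, peer))
    return sorted(events)


def clockwork_mms(events, interval=60, tol=3):
    """Peers of outbound MMS that are followed by another outbound MMS
    almost exactly `interval` seconds later (the worm's fixed cadence)."""
    outs = [(t, peer) for t, d, k, peer in events if d == "out" and k == "mms"]
    times = [t for t, _ in outs]
    matched = []
    for t, peer in outs:
        target = t + timedelta(seconds=interval)
        if any(abs((u - target).total_seconds()) <= tol for u in times):
            matched.append(peer)
    return matched


def auto_replies(events, window=30):
    """Return (inbound SMS answered by an outbound MMS to the same peer
    within `window` seconds, total inbound SMS)."""
    inbound = [(t, peer) for t, d, k, peer in events if d == "in" and k == "sms"]
    replied = 0
    for t, peer in inbound:
        if any(d == "out" and k == "mms" and p == peer
               and 0 <= (u - t).total_seconds() <= window
               for u, d, k, p in events):
            replied += 1
    return replied, len(inbound)


def assess(text, min_clockwork=4, min_reply_ratio=0.5, min_inbound=2):
    """Summarise a log and flag it if either worm-like pattern is present."""
    events = parse_log(text)
    matched = clockwork_mms(events)
    replied, inbound = auto_replies(events)
    ratio = replied / inbound if inbound else 0.0
    return {
        "clockwork_mms": len(matched),
        "distinct_peers": len(set(matched)),
        "auto_reply_ratio": ratio,
        "suspicious": (len(matched) >= min_clockwork
                       or (inbound >= min_inbound and ratio >= min_reply_ratio)),
    }


if __name__ == "__main__":
    print("infected:", assess(INFECTED_LOG))
    print("benign:  ", assess(BENIGN_LOG))
```

The same two checks could be applied operator-side to a subscriber's MMS records, where the one-minute cadence across many distinct recipients stands out even more clearly.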

As a consequence, providing some level of anti-virus (AV) protection for handheld devices is increasingly recommended. While the relatively limited extent of the threat may not yet warrant running AV software on the device, having up-to-date anti-virus software on a desktop PC and allowing it to scan the device when connected would be strongly advisable. Indeed, configuring other PCs to scan mobile devices and removable media is an advisable precaution in any case, as it will safeguard against malware being introduced onto the PC via this route (i.e. even if the malware does not run on the mobile device, the device can still be used to transport it).

The other solution is to control what is permitted to run on the device in the first place. For example, the risk of malware infection on iPhones is reduced by the approach that Apple has adopted for distributing software via its App Store, which includes a formal submission and checking process before code is approved to run on the devices. By controlling the distribution channel in this manner, Apple significantly reduces the potential for malicious code to find its way into widespread circulation.

Having said all this, malware is far from the only style of attack that mobile users should be aware of. Devices also have the potential to fall victim to denial-of-service attacks. As an example, an exploit dubbed the ‘Curse of Silence’ was publicised at the end of 2008, which could crash the SMS functionality on a range of Symbian-based smartphones and prevent them from sending and receiving text messages.[35] Although the chances of falling victim to such an attack were fairly slim (an attacker would need to know your mobile number and have the capability to craft the necessary messages), it still serves to prove that threats can be made to leverage the specific technology of the mobile device.

The mobile environment also offers the opportunity for a variety of other established threats to pop up in new (and potentially unexpected) guises. Examples here include spam and phishing, both of which may harness text messaging rather than the more expected e-mail route. So, for example, an SMS-based phishing exploit (so-called SMSishing) would try to convince a user to click on a link in a text message, which would then take them to a fake website to phish their personal details. Ultimately, it’s still phishing, but the route to the victim and their route to the fraudster’s site are different.

As with the attacks facing traditional PCs, care and vigilance will go a long way towards reducing the exposure of mobile devices. At the same time, any manufacturer-recommended features should be used, and additional options should be evaluated as they become available (on the basis that the availability and prominence of safeguards will tend to mirror the prevalence and significance of the emerging threats). As things currently stand, however, unless you’re using a laptop, the range of defences is likely to be more limited than you are used to on a standard PC. Indeed, this applies to mobile security features more widely, and this issue forms the basis of the final chapter.

[35] F-Secure. 2008. ‘Curse of Silence, a Symbian S60 SMS Exploit’, F-Secure Weblog, 30 December 2008. www.f-secure.com/weblog/archives/00001569.html.

Takeaways

➤ The malware threat on handheld devices is rare, but not non-existent. As such, caution is warranted and AV protection is likely to be increasingly necessary.

➤ Exercise the same caution with unsolicited communications on a mobile device as you would on a normal PC.

➤ Attackers will often capitalise on the fact that your mobile device is a less expected source of threats than your PC.

➤ The potential attacks will change and increase over time. Try to maintain awareness of new and emerging threats (e.g. via manufacturer, network operator and security websites).


CHAPTER 7: KNOW YOUR LIMITS

Although mobile devices offer security, the level and flexibility of the protection is often somewhat less than in a full PC context. Users and organisations need to be aware of this in order to make informed decisions about whether data ought to find its way onto a device in the first place, and the approaches that can be used to stop it.

With all of the earlier chapters having emphasised the need to ensure that our devices are protected, this one now presents a caveat by highlighting that some things may not be possible. Although much of the access that we can achieve through mobile devices is comparable to our desktop systems, the security provisions are sometimes less mature. Indeed, if you are a regular user of security on a desktop system, you may find that some of it cannot be directly paralleled on your mobile device. In some cases this is due to mechanisms being presented in a different way, whereas in others it is because related functionality is absent altogether. Either way, you may need to be prepared for a bit of a learning curve rather than expecting to transfer security skills directly from the desktop.[36]

[36] Botha, R.A., Furnell, S.M. and Clarke, N.L. 2009. ‘From desktop to mobile: Examining the security experience’, Computers & Security, vol. 28, no. 3–4, pp. 130–137.

As with some other aspects of the discussion, the main comments here apply to handheld devices rather than laptops. Indeed, not only is the need to protect laptops more readily recognised than the requirement to protect smaller devices, it is often more feasible to do so as well; while laptops typically run a full version of the operating system, handhelds offer cut-down and customised versions that often fail to mirror the desktop features.

In order to illustrate the potential differences and limitations that can be encountered, let’s look at a couple of examples from the Windows Mobile® platform when compared to its desktop counterpart. A good starting point is the web browser, and if we compare Internet Explorer® 7 from desktop Windows® with the version of IE that comes on the Windows Mobile® 6 platform, it is quickly apparent that the more limited nature of the browsing experience has implications from the security perspective. So, whereas Internet Explorer® 7 includes over 45 configurable options in the ‘custom’ security settings (see Figure 7a), the mobile browser offers only three related settings (see Figure 7b). Of course, much of the explanation for this relates to the fact that the mobile browser itself does not support many of the features that would otherwise introduce security risks (e.g. scripting and ActiveX), but users may not be aware of this by default and may simply consider themselves less protected.

Figure 7: Contrasting the security options in (a) desktop and (b) mobile browsers

In other cases, however, there is a lack of support for features that would still be relevant in the new context. A good example here is Word Mobile, which allows documents to be taken from the desktop and then viewed (and to some extent manipulated) on the mobile device. From a security perspective, a notable constraint of the mobile application is its lack of support for password-protected documents, with any attempt to open such a document from the desktop version of Word yielding the message shown in Figure 8. Consequently, this element of good practice cannot be transferred from the desktop to the mobile. Furthermore, if access to the content is genuinely needed on the mobile device, then users are obliged to remove the protection first (resulting in sensitive data being stored with less security in a more vulnerable location). The lack of document-level protection effectively means that access to private information must rely solely upon the device-level authentication process to provide a front-line safeguard against unauthorised access.

Figure 8: An attempt to open a password-protected document using Word Mobile

The potential limitations of the devices ought to prompt questions. If the security features are not available, then data will be receiving less protection in a fundamentally more vulnerable location. As such, should it be placed there at all? Can alternative mechanisms be used to provide sufficient protection? For example, if you cannot protect individual documents, how about encrypting the entirety of the device’s contents?

It is also relevant to set limits on the use of devices in some contexts. For example, it is vital that organisations incorporate consideration of mobile devices into their security policies (your organisation does have a security policy, doesn’t it?). There needs to be a clear statement on the acceptable use of mobile devices, and staff need to be aware of it. Notably, this applies even if the organisation doesn’t issue any mobile devices to its staff; they will have their own personal devices in any case, and in the absence of mechanisms and policies to prevent it, they will happily populate these with company data alongside their own content. As such, there need to be clear rules about using personal devices within the workplace and whether it is permitted to use them to store company data or not.

Takeaways

➤ Be aware of the security features available to you, and particularly any differences from how you may be using them on desktop systems.

➤ If you cannot protect data to the same extent on a mobile device as you can on the desktop, then you ought to at least question whether the data ought to be copied there.

➤ Organisations should have a clear policy on the acceptable use of mobile devices. If yours doesn’t, then raise the issue.


CONCLUSIONS

The discussion throughout the preceding chapters has clearly illustrated the power and flexibility offered by mobile devices, and the significance of the data that they can store and access as a result. Their clear benefits mean that such devices are already an inescapable part of many people’s personal and professional lives. Moreover, we can guarantee that their capability will increase as time goes on, and we will consequently be carrying an ever-more important asset that most definitely demands protection. As with many aspects of security, it is possible to protect our mobile devices and data, but it does not happen by itself. It requires a combination of factors including technical safeguards, corporate policy and personal vigilance. The chapters have provided evidence of what can be done ... as well as indications of what can happen if you don’t. Assuming you have accepted the evidence, the most significant thing you can do is to consider the takeaways. These have drawn out the key points for each topic, providing reminders of the main issues and broad guidance on what to do about them. Although some may require you to seek additional input and support, following the takeaways will help to ensure that you are able to embrace the opportunities of mobility without sacrificing the ability to operate as safely and securely as possible.


ITG RESOURCES

IT Governance Ltd. sources, creates and delivers products and services to meet the real-world, evolving IT governance needs of today’s organisations, directors, managers and practitioners.

The ITG website (www.itgovernance.co.uk) is the international one-stop shop for corporate and IT governance information, advice, guidance, books, tools, training and consultancy.

www.itgovernance.co.uk/keep-safe-online.aspx is the information page for security awareness resources.

Other Websites

Books and tools published by IT Governance Publishing (ITGP) are available from all business booksellers and are also immediately available from the following websites:

www.itgovernance.co.uk/catalog/355 provides information and online purchasing facilities for every currently available book published by ITGP.

www.itgovernanceusa.com is a US$-based website that delivers the full range of IT Governance products to North America, and ships from within the continental US.

www.itgovernanceasia.com provides a selected range of ITGP products specifically for customers in South Asia.

www.27001.com is the IT Governance Ltd. website that deals specifically with information security management, and ships from within the continental US.

Pocket Guides

For full details of the entire range of pocket guides, simply follow the links at www.itgovernance.co.uk/publishing.aspx.

Toolkits

ITG’s unique range of toolkits includes the IT Governance Framework Toolkit, which contains all the tools and guidance that you will need in order to develop and implement an appropriate IT governance framework for your organisation. Full details can be found at www.itgovernance.co.uk/products/519.

For a free paper on how to use the proprietary Calder-Moir IT Governance Framework, and for a free trial version of the toolkit, see www.itgovernance.co.uk/calder_moir.aspx.

There is also a wide range of toolkits to simplify implementation of management systems, such as an ISO/IEC 27001 ISMS or a BS25999 BCMS, and these can all be viewed and purchased online at: http://www.itgovernance.co.uk/catalog/1.

Best Practice Reports

ITG’s range of Best Practice Reports is now at www.itgovernance.co.uk/best-practice-reports.aspx. These offer you essential, pertinent, expertly researched information on an increasing number of key issues including Web 2.0 and Green IT.

Training and Consultancy

IT Governance also offers training and consultancy services across the entire spectrum of disciplines in the information governance arena. Details of training courses can be accessed at www.itgovernance.co.uk/training.aspx and descriptions of our consultancy services can be found at http://www.itgovernance.co.uk/consulting.aspx. Why not contact us to see how we could help you and your organisation?


Newsletter

IT governance is one of the hottest topics in business today, not least because it is also the fastest moving, so what better way to keep up than by subscribing to ITG’s free monthly newsletter Sentinel? It provides monthly updates and resources across the whole spectrum of IT governance subject matter, including risk management, information security, ITIL and IT service management, project governance, compliance and so much more. Subscribe for your free copy at: www.itgovernance.co.uk/newsletter.aspx.
