Risk Catalogue for Mobile Business Applications

Basel Hasan, Patrick Schäfer, Jorge Marx Gómez, Joachim Kurzhöfer

2016

Abstract

Today mobile devices, namely smartphones and tablets, are the most popular and most widely used computing devices. This makes companies willing to support mobile devices, which in turn increases the productivity of their employees by allowing them to perform several tasks and to stay up to date while on the move. However, despite the advances in mobile technology, security is still the primary barrier to the adoption of mobile applications within the enterprise. Some companies avoid using mobile business applications for fear of security risks. Guidelines and risk catalogues give an overview of the potential risks of using particular applications. Typically, the existing guidelines and risk catalogues target IT professionals rather than business users, who mostly lack the technical knowledge required to understand the risks. Thus, in this paper, the potential risks to companies adopting mobile business applications are presented in a risk catalogue that lists the potential mobile threats along with their likelihood of occurrence and their possible malicious impact on the business. This catalogue will help business users strengthen their awareness of possible mobile security risks.

Paper Citation

in Harvard Style

Hasan B., Schäfer P., Gómez J. and Kurzhöfer J. (2016). Risk Catalogue for Mobile Business Applications. In Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 2: ICE-B, (ICETE 2016) ISBN 978-989-758-196-0, pages 43-53. DOI: 10.5220/0005968900430053

in Bibtex Style

@conference{ice-b16,
author={Basel Hasan and Patrick Schäfer and Jorge Marx Gómez and Joachim Kurzhöfer},
title={Risk Catalogue for Mobile Business Applications},
booktitle={Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 2: ICE-B, (ICETE 2016)},
year={2016},
pages={43-53},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005968900430053},
isbn={978-989-758-196-0},
}

in EndNote Style

TY - CONF
JO - Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 2: ICE-B, (ICETE 2016)
TI - Risk Catalogue for Mobile Business Applications
SN - 978-989-758-196-0
AU - Hasan B.
AU - Schäfer P.
AU - Gómez J.
AU - Kurzhöfer J.
PY - 2016
SP - 43
EP - 53
DO - 10.5220/0005968900430053