Tuesday, August 20, 2013

Top Ten Smartphone Risks

The top ten information security risks for smartphone users.

Market analysts predict that smartphones will outnumber PCs by 2013, and that they will be the most common device for accessing the internet. In 2010 we published a report about smartphone security, giving an overview of risks, opportunities for smartphone users, and making recommendations.

This is the list of the top ten smartphone security risks from our report. The (level of) risk was determined in consultation with the expert group. The level is intended to convey the relative risk in relation to others, rather than an absolute probability or impact level.

No.	Title	Risk	Description
1	Data leakage resulting from device loss or theft	High	The smartphone is stolen or lost and its memory or removable media are unprotected, allowing an attacker access to the data stored on it.
2	Unintentional disclosure of data	High	The smartphone user unintentionally discloses data on the smartphone.
3	Attacks on decommissionedsmartphones	High	The smartphone is decommissioned improperly allowing an attacker access to the data on the device.
4	Phishing attacks	Medium	An attacker collects user credentials (such as passwords and credit card numbers) by means of fake apps or (SMS, email) messages that seem genuine.
5	Spyware attacks	Medium	The smartphone has spyware installed, allowing an attacker to access or infer personal data. Spyware covers untargeted collection of personal information as opposed to targeted surveillance.
6	Network Spoofing Attacks	Medium	An attacker deploys a rogue network access point (WiFi or GSM) and users connect to it. The attacker subsequently intercepts (or tampers with) the user communication to carry out further attacks such as phishing.
7	Surveillance attacks	Medium	An attacker keeps a specific user under surveillance through the target user’ssmartphone.
8	Diallerware attacks	Medium	An attacker steals money from the user by means of malware that makes hidden use of premium SMS services or numbers.
9	Financial malware attacks	Medium	The smartphone is infected with malware specifically designed for stealing credit card numbers, online banking credentials or subverting online banking or ecommerce transactions.
10	Network congestion	Low	Network resource overload due to smartphone usage leading to network unavailability for the end-user.

Risk is defined as the product of the likelihood and the impact of a threat against the information assets of an organization or an individual. Threats exploit one or more vulnerabilities. The likelihood of a threat is determined by the number of underlying vulnerabilities, the relative ease with which they can be exploited and the attractiveness for an attacker.

We used the following list of possible affected assets throughout:

Personal data
Corporate intellectual property
Classified information
Financial assets
Device and service availability and functionality
Personal and political reputation

No comments:

Cyber Security

Cyber Security - Securing Your Business

View the latest
Copy of Advance

The official publication of ADS Group

Find out More

ADS Events

Less - + More

Cyber Security - Securing Your Business

/ Security / Cyber Security - Securing Your Business

Cyber threats to your Business
Where can you go for advice and support?
CPNI - The Full Picture

Cyber threats to your Business

Why does cyber security matter to you?

The government has classed cyber attacks as one of the four most significant risks to national security. Suppliers must recognise customer concerns and take steps to address them.
Cyber insecurity poses a real risk for companies’ reputations, bottom lines and share prices. Successful attacks can disrupt business operations and production cycles, cause products to fail, result in customers losing confidence in you as a supplier, and force you to redevelop to products.
Hostile states and competitors are interested in information on mergers and acquisitions activity, joint venture intentions, strategic direction and Intellectual Property.
Apart from the theft of sensitive business information, there is also the threat that cyber-based systems can be disrupted to prevent normal service. A denial-of-service (DoS) attack could, for example, prevent customers from accessing key websites, such as those for sales. Industrial controls systems can also be disrupted.
The cost of a cyber-security breach is estimated to be between £450,000 to £850,000 for large businesses and £35,000 to £65,000 for smaller ones.
The rise in cyber crime is most noticeable for small businesses; they’re now experiencing incident levels previously only seen in larger organisations.
As Primes take steps to improve their own cyber security, attackers are targeting companies in the broader supply chain. The supply chain is only as strong as its weakest link. All companies – and government – are in this together.

The government's '10 Steps to Cyber Security' notes that:

Information is critical to today's business

Information and the techologies that are used to store and process it are vital to the success of your business. Intellectual property, confidential or sensitive data provide a competitive advantage, one in which other less scrupulous organisations would be verk keen to get hold off. At the same time, the need to access and share information more widely, using a broad range of connecting technologies is increasing the risk to the corporate information base.

Compromise of information assets can damage companies

A single successful attack could destroy a company's financial standing or reputation. Information compromise can lead to material financial loss through loss of productivity, of intellectual property, reputational damage, recovery costs, investgative time, regulatory and legal costs.

Many players pose a risk to information

There are many types of people who pose a risk to business information assets:

Cyber Criminals - interested in making money from fraud or from the sale of valuable information
Industrial Competitors and Foreign Intelligence Services - interested in gaining an economic advantage for their own companies or countreis
Hackers - those who find interfering with computer systems an enjoyable challenge
Hacktivists - those who wish to attack companies for political or ideological motives
Employees - or those who have legitimate access, either by accident or deliberate misuse.

Examples of the impact on business

The attached PowerPoint file gives two examples which show the real impact successful cyber attacks can have on companies, including causing a loss of revenue (by forcing a company office to close for a period of time) and loss of reputation and products (by diverting items in transit). These examples are from companies in the defence sector.

Cyber attacks - examples of the impact (102.0 KB)

Where can you go for advice and support?

1. '1O Steps to Cyber Security' Guidance

The governmemt has published guidance for companies which is available here: www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility and www.gov.uk/government/publications/cyber-security-what-small-businesses-need-to-know.

2. CPNI's Cyber Risk Management Advice and Cyber Security Guidance

The Centre for the Protection of National Infrastructure (CPNI) protects national security by providing protective security advice (covering physical, personnel and cyber security) to the UK's Critical National Infrastructure (CNI). CPNI works to raise awareness at Board level as well as at a technical level across the CNI. Cyber security advice and guidance is available on the CPNI website at: www.cpni.gov.uk, for example:

Strategic and technical: 20 critical security controls for effectivecyber defence Technology-specific advice: examples include mobile devices, SCADA security and cloud computing
Personnel security advice: security culture and awareness; employee risk management and risk assessment guidance
Threat-based: examples include distributed denial of service, spear phishing, insider misuse of IT, online reconnaissance.

3. CPNI's Cyber Risk Advisory Service

The Cyber Risk Advisory Service delivers advice to senior executives and board members of the UK’s most economically important companies and academic institutions, to inform their understanding of the impact of cyber threats, and the effect on the long-term performance and competitiveness of the organisation.The in-depth support provided assists executives in reviewing their corporate risk management strategy, helping them to interpret the cyber threat and determine the organisation’s exposure (risk). This service is only available to organisations which meet specific eligibility requirements. For more information, please email enquiries@cpni.gsi.gov.uk.

4. Certified advice and providers

CESG, the information security arm of GCHQ, works closely with the cyber security industry to enable industry to provide certified cyber security services to government and to industry. These services are provided by a variety of companies including specialist SMEs, audit houses, major consultancies, and multinational companies. Services include:

Risk management consultancy through the CESG Listed Advisor scheme (CLAS): www.cesg.gov.uk/servicecatalogue/CLAS/Pages/CLAS.aspx
Penetration testing of networks and systems to assess their ulnerability to an attacker through the CHECK scheme: www.cesg.gov.uk/servicecatalogue/CHECK/Pages/index.aspx - and the industry body's equivalent run by the Council of Registered Ethical Security Testers, CREST: www.crest-approved.org
Cyber Incident Response through a twin track approach ncompassing a broadly based CREST (Council of Registered thical Security Testers) scheme endorsed by GCHQ and CPNI, and a small, focused GCHQ and CPNI scheme designed to respond to sophisticated, targeted attacks against networks of national significance. See: www.cesg.gov.uk/servicecatalogue/cir/Pages/Cyber-Incident-Response.aspx

5. Cyber Security Information Sharing Partnership (CISP)

The CISP facilitates the sharing of information and intelligence on cyber security threats in order to make UK businesses more secure in cyberspace. The CISP includes a secure online collaboration environment where government and industry (both large and SME) partners can exchange information on threats and vulnerabilities in real time. Companies can also ask for specific advice from the government's fusion cell through CISP, free of charge. www.cisp.org.uk

6. ActionFraud

Action Fraud is the UK’s single point for reporting all fraud and online financial crime. Crime can be reported online 24 hours a day, seven days a week, and the Action Fraud call centre can also be contacted to report crimes during working hours and at the weekend. When a serious threat or new type of fraud is identified, Action Fraud will place an alert on its website which contains advice for individuals and businesses to protect themselves from becoming victims of fraud. www.actionfraud.police.uk

CPNI - The Full Picture

Produced by the CPNI, the above video provides an example of the associated risks of a SME from a cyber attack.

Last modified : January 23, 2014

Way2Security

Blog Archive

Tuesday, August 20, 2013

Top Ten Smartphone Risks

No comments: