
354 Chapter 11 · Mobile Malware Mitigation Measures

Introduction

While smartphones and highly mobile computing devices certainly present the possibility of great gains in efficiency and flexibility, they also present considerable risk. If you have read the other chapters, by now you have likely gained an appreciation of the complexity of these devices. You have seen how this complexity translates into potential vulnerability and how malware has begun to exploit these devices. Whether the vulnerabilities are in the software, hardware, or in the humans using them, the end effect is the same: risk.

Once aware of risk, the natural next step is to determine how best to eliminate or mitigate it. This chapter examines the threats from a risk and cost perspective and looks at what can be done to eliminate the risk or, at the very least, limit its possible impact.

It is tempting to jump right into telling you how to configure your devices and what additional software to install to "make you safe," but such an approach would be incomplete. Since the technology can change very rapidly and users are often presented with a variety of devices, software, and environments, it helps greatly to understand the problem and its relationship to the solution. So this chapter will begin with a look at the threats from the perspective of the risk they present. Then, it will look at proactive defensive measures that can be taken. Lastly, it will examine what to do should your device suffer some attack or loss. If you're the impatient type and can't be bothered with useful information, skip ahead a few pages and you'll find what you need.

Evaluating the Target

In planning security, it is always constructive to begin with a use model and a threat model. The former describes how the thing we are trying to protect is used. The latter describes how the "bad guys" may attempt to attack it. In our case, we will consider mobile phones and similar devices.
We begin by looking at how people use mobile phones. It sounds simple, but if you stop and think a moment, this actually presents a very complex picture. A variety of users exist. Mobile phones are used by over 3 billion people in over 200 countries, operating on 700 different networks [GSMA]. The users possess a wide range of technical skills. The devices are used almost anywhere. The hardware is produced by a fairly large variety of manufacturers. On the other hand, only a very small number of operating systems are in use. Also, due to the relatively closed models in use, there is not much variety in software running on them (at least relative to desktop computers). Of course, some of these limitations seem likely to change in the near future so we won't make many assumptions about them in our model.

For simplicity's sake, let's cut our model down to a small number of very coarse divisions. When discussing mobile security, people often divide the population into smartphones and non-smartphones. For a brief period this distinction held some value. However, today when even the lowest end phones seem to have e-mail, text and picture messaging, and at least