14 May 2015

20 Questions to Ask Yourself to Avoid Smartphone Disasters

Image: Martin Fisch, under a Flickr CC licence

Smartphones play an increasingly important role in our everyday lives, and the security risks related to them are becoming more serious than ever. A study on defending the mobile devices of high-level officials and decision-makers, published by the NATO Cooperative Cyber Defence Centre of Excellence, sheds light on ways of mitigating those risks.

Mobile devices are now widely used by high-level officials and decision-makers, as well as other users, to handle and store sensitive information. However, these devices are fundamentally unsecurable: it is impossible to have an absolutely secure system, even if users follow security policies. Carelessness and poor cyber hygiene, such as playing free games that serve malicious advertisements or keeping inadequate settings in social network services, are one route to compromise, but mobile devices can also often be compromised without the user's knowledge.

Based on the study, our researchers Teemu Väisänen and Christian Braccini have compiled a set of 20 questions that any smartphone user should ask themselves to assess and mitigate the security risks in their everyday life.

Security awareness

1. Are you aware of the wide range of attacks, malware, problems, risks and threats related to your smartphone?
2. Do you know what kinds of security controls can be used on your smartphone model?
3. Do you know what to do in case you lose your phone?
4. Do you know if there is any sensitive information stored on your phone?
5. Does your company have clear security policies related to smartphone usage?

If the answer to any of these questions is no, ask your security or IT department to provide you with proper security awareness training. The material should be based on examples and results of different attacks, and on the security features available for your smartphone. You might also be interested in seeing penetration testers carry out an example attack against your device.

Reinforcing security policies

6. Are you able to install or remove any application, access any web page and use your smartphone from any location?
7. Can you tell your IT department to give you admin rights or ask them to install any application you want?

If the answer to any of these questions is yes, consider adding Mobile Device Management (MDM), Enterprise Mobility Management (EMM) and/or Mobile Application Management (MAM) tools to your systems, using only secure app distribution services, and putting mechanisms in place for enforcing security policies. Maintain a whitelist of approved applications, and remove or disable unnecessary applications, services and accounts.

Strong authentication

8. Do you use only usernames and passwords, or PIN codes, to authenticate yourself to your phone and to web services?
9. Are you allowed to use weak passwords, or the same password in different services?
10. Once you have authenticated, can anyone else pick up the smartphone and pretend to be you?

Combine new types of passwords, single sign-on mechanisms, CAPTCHAs, certificates, and multifactor, context-based, implicit and adaptive authentication mechanisms. In this way the number of passwords and how often they have to be typed can be decreased, while the security and usability of authentication procedures can be increased. Note that question 10 is not answered by a stronger initial login alone: it needs short auto-lock timeouts and re-authentication before sensitive actions, so that an unlocked phone left on a table is not an open session.

Monitoring accesses and behaviour of users and devices

11. Do you know what happens if someone gets physical access to your device and starts using it?
12. Do you know that anti-virus software is unable to detect all malware?
13. Are you aware of how sophisticated malware can be, how it can hide itself and what kind of info it looks for?
14. What would you do if your IT support found out that malware had been operating on your phone?
15. Do you know if your smartphone can be remotely accessed from the Internet?

If you are unsure about potential disclosures, ask whether your organization runs Intrusion Detection and Prevention Systems (IDS/IPS) and Security Information and Event Management (SIEM), and whether a software firewall can be installed on the phone. Applications and data can be isolated using sandboxing, virtualisation and concealing mechanisms, and Data Loss Prevention (DLP) should also be used. A SIEM can be configured to flag any event that deviates from the pattern of your normal behaviour. Reactions to such alerts can range from starting more detailed monitoring of the device and the user to, in the worst case, locking, wiping or destroying the device remotely.
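As an added example (not code from the study or from this post), here is the kind of behaviour-deviation rule the paragraph above describes, run over constructed sign-in events: it learns each user's usual countries, devices and login hours from a baseline window and flags later events that fall outside that pattern, plus a run of consecutive failed logins. The JSON-per-line format, the field names and the user and device identifiers are assumptions for the example; a real MDM or SIEM would feed it its own event schema, and the thresholds would be tuned per organisation.

```python
"""Flag smartphone sign-in events that deviate from a user's baseline.

Added example, not from the CCDCOE study. The log format (one JSON
object per line with ts/user/device/event/country) and all identifiers
below are constructed for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed baseline: what "normal" looked like for each user last week.
BASELINE_LOG = """\
{"ts": "2015-05-04T08:12:00Z", "user": "alice", "device": "ios-1f3a", "event": "login", "country": "EE"}
{"ts": "2015-05-04T17:40:00Z", "user": "alice", "device": "ios-1f3a", "event": "login", "country": "EE"}
{"ts": "2015-05-05T09:03:00Z", "user": "alice", "device": "ios-1f3a", "event": "login", "country": "BE"}
{"ts": "2015-05-06T07:55:00Z", "user": "alice", "device": "ios-1f3a", "event": "login", "country": "EE"}
{"ts": "2015-05-04T10:00:00Z", "user": "bob", "device": "android-9c02", "event": "login", "country": "EE"}
{"ts": "2015-05-05T11:30:00Z", "user": "bob", "device": "android-9c02", "event": "login", "country": "EE"}
"""

# Constructed events to evaluate: one normal login, one at 03:14, one from
# a new device in a new country, and a burst of failed logins for bob.
NEW_LOG = """\
{"ts": "2015-05-12T08:30:00Z", "user": "alice", "device": "ios-1f3a", "event": "login", "country": "EE"}
{"ts": "2015-05-12T03:14:00Z", "user": "alice", "device": "ios-1f3a", "event": "login", "country": "EE"}
{"ts": "2015-05-12T12:05:00Z", "user": "alice", "device": "android-77b1", "event": "login", "country": "US"}
{"ts": "2015-05-12T12:06:00Z", "user": "bob", "device": "android-9c02", "event": "login_failed", "country": "EE"}
{"ts": "2015-05-12T12:06:20Z", "user": "bob", "device": "android-9c02", "event": "login_failed", "country": "EE"}
{"ts": "2015-05-12T12:06:45Z", "user": "bob", "device": "android-9c02", "event": "login_failed", "country": "EE"}
{"ts": "2015-05-12T12:07:10Z", "user": "bob", "device": "android-9c02", "event": "login", "country": "EE"}
"""


def parse_log(text):
    """Parse one JSON event per line; adds a parsed datetime under 'dt'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["dt"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def build_baseline(events):
    """Per user: countries, devices and hours of day seen on successful logins."""
    base = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set()})
    for ev in events:
        if ev["event"] != "login":
            continue  # failed attempts must not teach the baseline
        b = base[ev["user"]]
        b["countries"].add(ev["country"])
        b["devices"].add(ev["device"])
        b["hours"].add(ev["dt"].hour)
    return base


def detect(baseline, events, fail_threshold=3):
    """Return (ts, user, reasons) for every event that deviates from the baseline."""
    alerts = []
    consecutive_fails = defaultdict(int)
    for ev in events:
        reasons = []
        b = baseline.get(ev["user"])
        if b is None:
            reasons.append("unknown user")
        else:
            if ev["country"] not in b["countries"]:
                reasons.append("new country %s" % ev["country"])
            if ev["device"] not in b["devices"]:
                reasons.append("new device %s" % ev["device"])
            lo, hi = min(b["hours"]), max(b["hours"])
            # allow one hour of slack either side of the observed login window
            if not (lo - 1 <= ev["dt"].hour <= hi + 1):
                reasons.append("unusual hour %02d" % ev["dt"].hour)
        if ev["event"] == "login_failed":
            consecutive_fails[ev["user"]] += 1
            if consecutive_fails[ev["user"]] >= fail_threshold:
                reasons.append("%d consecutive failed logins" % consecutive_fails[ev["user"]])
        else:
            consecutive_fails[ev["user"]] = 0
        if reasons:
            alerts.append((ev["ts"], ev["user"], reasons))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse_log(BASELINE_LOG))
    for ts, user, reasons in detect(baseline, parse_log(NEW_LOG)):
        print(ts, user, "; ".join(reasons))
```

On the constructed input this raises three alerts: alice's 03:14 login (outside her 07:00-17:00 window), alice's login from a new device in a new country, and bob's third consecutive failed login. The first of those is exactly the sort of alert where "start more detailed monitoring" is the right reaction, while the second is the one that might justify a remote lock until the user confirms it was them.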

Encrypt media and communications

16. Is it possible to lock, wipe or destroy your device remotely?
17. Has anyone ever demonstrated to you how your traffic can be seen on open Wi-Fi networks, and how such networks can be used to attack your device?
18. Can your calls be listened to, for instance, by using malicious cell towers?
19. What would an adversary gain by tracking you, your behaviour, location and web browsing habits?

Sensitive data can also be stored on external servers, but in that case you need to make sure that all communications are secure. If sensitive data is stored on the smartphone, it must be properly encrypted. Keep in mind that all credentials should be handled and stored securely in key stores, crypto modules, secure elements or Trusted Platform Modules (TPM). As for the Internet, the phone should connect via trusted access points only. Where this is impossible, all traffic must be end-to-end encrypted and there must be ways to prevent man-in-the-middle (MitM) attacks, for instance by having the app verify the identity of the server it talks to rather than accepting whatever certificate the network presents.
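One way an app can implement the MitM check mentioned above is certificate pinning: on top of normal CA validation, the client only accepts a server certificate whose fingerprint matches a set shipped with the app. The following is an added example, not code from the study or from this post. The "certificate" bytes, the pin set and the host name are constructed placeholders; a real client would embed the hex fingerprints of its backend's actual leaf certificates and take the presented certificate from the TLS handshake.

```python
"""Certificate pinning check for a mobile client talking to its own backend.

Added example, not from the CCDCOE study. BACKEND_CERT_DER and
BACKUP_CERT_DER are constructed placeholder bytes standing in for real
DER-encoded certificates, used only so the check can run offline.
Pinning the whole leaf certificate (as here) is the simplest form;
pinning the SubjectPublicKeyInfo instead survives renewal with the same
key but needs an ASN.1 parser, so it is left out.
"""
import base64
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding of a certificate, hex encoded."""
    return hashlib.sha256(der_cert).hexdigest()


def pem_to_fingerprint(pem_cert: str) -> str:
    """Fingerprint a PEM certificate, e.g. one exported from the backend."""
    return fingerprint(ssl.PEM_cert_to_DER_cert(pem_cert))


def pin_matches(der_cert: bytes, pins) -> bool:
    """True if the presented certificate matches one of the pinned fingerprints."""
    fp = fingerprint(der_cert)
    # compare_digest keeps each comparison constant-time.
    return any(hmac.compare_digest(fp, pin) for pin in pins)


# Constructed placeholders (a real DER certificate is about 1 kB of ASN.1).
# The second pin is a backup so a planned key rollover does not lock users out.
BACKEND_CERT_DER = b"constructed-backend-leaf-certificate-v1"
BACKUP_CERT_DER = b"constructed-backend-leaf-certificate-v2"
PINS = {fingerprint(BACKEND_CERT_DER), fingerprint(BACKUP_CERT_DER)}

# The same constructed bytes in PEM form, as an administrator might hand them over.
BACKEND_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(BACKEND_CERT_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)


def connect_pinned(host: str, port: int, pins, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection that passes CA validation AND matches a pin.

    Not exercised offline; shown to make the order of the checks explicit:
    chain and hostname validation first, then the pin on the leaf certificate.
    """
    context = ssl.create_default_context()  # CA chain + hostname checks stay on
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = context.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    try:
        presented = tls.getpeercert(binary_form=True)
        if not pin_matches(presented, pins):
            raise ssl.SSLCertVerificationError(
                "certificate pin mismatch for %s (possible MitM)" % host)
    except Exception:
        tls.close()  # never hand back a socket that failed the pin check
        raise
    return tls


if __name__ == "__main__":
    print("backend cert accepted:", pin_matches(BACKEND_CERT_DER, PINS))
    print("PEM export matches a pin:", pem_to_fingerprint(BACKEND_CERT_PEM) in PINS)
    print("interposed cert accepted:",
          pin_matches(b"constructed-interception-proxy-cert", PINS))
```

The practical caveat is that a pin set with no backup turns every certificate renewal into an outage for installed apps, which is why the example carries two pins; the other is that a pinning check that is only applied after the handshake must close the connection on mismatch, as connect_pinned does, rather than leaving it open for the caller to misuse.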

Disaster recovery

20. Even if your company has put all the proper security controls in place, do you know what you should do when one of these incidents happens?

Keep in mind that there must be recovery and backup procedures also for users, not just for security and IT departments.

If you are interested in a more detailed analysis of the security risks and further recommendations for mitigating them, read the full study, which can be accessed through