Security Issues in Mobile Communications

By Brian Ellis, Melvin Jackson, Jessica Lobianco, James Simeon, and Daniel Francois

Abstract

Recent years have witnessed the rapid growth of mobile computing environments. One of the major concerns in such environments is security, especially in the context of wireless communications. We describe some of the important issues which need to be addressed in designing a security scheme for a mobile communications provider. These include autonomy of communicating entities, mobility of the users, and limitations of the hardware and software. We describe a scheme which addresses the above issues, and provides a correct and efficient mechanism to establish secure communications. Our scheme provides authentication of the communicating entities, location privacy, and secure messaging.

The Typical Profile of a Mobile Provider

The main purpose of a mobile communications provider is to provide cellular and data communications infrastructure for its customers. A typical provider will employ thousands of people in positions such as Customer Support Representatives, Telecommunications Technicians, and Communications Engineers. Although most clients only deal with the above-mentioned representatives on a daily basis, there are numerous processes going on behind the scenes as well. Thousands of technicians support the equipment used by these organizations.

A mobile provider procures, installs, and maintains a plethora of IT Equipment. Some of this equipment includes Mobile Devices, Mobile Applications and Software, Base Stations, Cellular Towers, and even Fiber Optics Infrastructure as seen recently with Verizon FiOS. However, of all the equipment, the most important are the servers used to store all of the data that is transmitted by users.

Mobile providers have large servers that store astronomical amounts of data. Most public data from the provider is stored on non-secure web servers housed by the organization or contracted out to a third party. Private information from customers and the provider is stored on secure web servers requiring login credentials. Since there is a lot of data being sent and stored by these providers, there must be regulations in place as well regarding the transfer and storage of this data.

Most contracts between mobile providers and their clients state that user account information will only be accessible by the user and the provider’s customer support representatives.

This is clearly put in place to protect both parties and their data. On a federal level, user information is protected under the Telephone Consumer Protection Act (TCPA) and regulated by the Federal Communications Commission (FCC) and the Federal Trade Commission (FTC). Unwanted messages are addressed under the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003. [1] Each of these acts is paramount in the regulation, management, and protection of consumer data and information.

Threats to the Provider and Customers

Many threats target mobile communications because of the sheer number of users. Some of those threats can be prevented and some must be mitigated after the fact. [3] Although there are a myriad of threats out there, some of the most common are as follows.

Information Extortion: Phishing scams use email, text messages, Facebook, and Twitter to send you links to websites that are designed to trick you into providing information like passwords or account numbers. Often these messages and sites are very difficult to distinguish from those of your bank or other legitimate sources. The biggest defense against this type of attack is common sense. Users must be educated in the tactics that these scammers use and must be able to recognize and delete the messages immediately. There is no software that will protect users against phishing scams.

Deliberate Attack Software: Spyware is designed to collect or use private data without your knowledge or approval. Data commonly targeted by spyware includes phone call history, text messages, user location, browser history, contact list, email, and private photos. This stolen information could be used for identity theft or financial fraud. Unfortunately, most users do not install any type of anti-virus or spy/adware blocker on their mobile devices. Therefore, each time they are surfing the internet from their device, they are susceptible to this type of spyware.

Theft: The probability of a phone/device being stolen, leading to the loss of data stored on that device as well as access into the provider’s network. If an individual was able to steal a device from a user, they would have access to all of their personal information. This could result in identity theft or financial fraud. Fortunately, many manufacturers now offer location services to track the device if it is stolen as well as the capability to remote wipe the device. Remote wipe allows the user to wipe the hard drive of the device clean from a remote location.

Technical Hardware/Software Failures or Errors: Who could forget the recent release of the new iPhone, and all the drama that was involved with its “bending phones”? With the onslaught of new technology, we see phones and mobile devices being phased in and phased out on a yearly and sometimes monthly basis. Due to the demand to keep up with the market, many manufacturers are not testing these devices as they should. This leads to failures of the hardware and software. The only cure for this is better testing of the products by the manufacturers before releasing the products. Also, manufacturers constantly update the OS’s for these devices to ensure that users are up-to-date.

Risk Identification, Assessment, and Control

In order to control the risks involved in mobile communications, one must first identify and assess the risks. This paper will look at the two highest risks based on the above mentioned threats.

Using the chart below [1], you can find out which threats pose the greatest risk to the organization.

You can see that Mobile Devices seem to have the largest number of threats to them, and Mobile Applications and Servers are tied for second. This doesn’t necessarily mean that these items have the highest risk though. In order to truly value the risk to the asset, we must use another chart in the risk assessment portion of this research.

Using the next chart, you can see the amount of loss that each asset could incur if a threat were realized.

In this section, looking a little deeper at the impact an attack would have on an asset, you can see that the two largest risks are to Mobile Devices and Customer Data.

Now that we have identified the threats, and assessed the risks, we need to see what controls are available to put in place to defend against the threats and thereby reduce the risk.

The following chart shows the control measures that can be put in place for each risk.

As you can see there are many controls that can be used to reduce the amount of risk to each asset.

So, as we discovered, the two highest risk assets are Mobile Devices and Customer Data. Now we must look more in-depth at the threats to these assets and what controls we can put in place to protect them.

Mobile Device Threats and Controls

Information Extortion: This would most likely be a phishing scam or possibly a shoulder surfer looking at your mobile device. [2]
Control: To defend against this, common sense and being aware of one’s surroundings will go a long way. However, if information is extorted, then mitigation will be used to change the user information.

Deliberate Attack Software: This is most likely going to be a virus that you get on your mobile device from downloading something you shouldn’t have. [2]
Control: Many manufacturers are now making anti-virus software for mobile devices. However, many people choose to accept the risk and download that app anyway.

Theft: Basically as it states, this is the physical theft of the mobile device. [3]
Control: The main control here again is common sense. Treat a mobile device as if it were cash. However, if mitigation is required, many devices have built-in LoJack to track them, and some have a remote wipe feature for the hard drive.

Technical Hardware/Software Failures: Manufacturers sometimes build defective products and programs.
Control: Mitigation is really the only control here. If there is a hardware failure, replacement or redesign is the best option. A software failure can be patched through the manufacturer.

Customer Data Threats and Controls

Information Extortion: Again this could be a phishing scam or an insider at the cellular provider stealing customer data.
Control: Common sense on the part of the user is the best defense against phishing scams, and physical security by the cellular provider is the best defense against an insider.

Theft: This could be someone on the inside physically stealing the information from the server or this could be associated with web applications such as SQL Injection or Cross Site Scripting.
Control: Mitigation is the major control for this. If the information is stolen by an insider, the customer must be notified and changes must be made to their information. If it involves a website, the customer again must be notified, and the cellular provider should take measures to correct the vulnerabilities on the web pages.

Defense and Contingency Planning

Thus far we have identified the major threats, assessed risks, and put controls in place to protect assets. However, the controls do not just magically appear. That is where defense and contingency planning come into play. Defense incorporates three sections: Policy, Design, and Education.

Continuing with the pattern, we will now look at defense and contingency planning for the two high risk assets that we identified previously, Mobile Devices and Customer Data.

Mobile Device Defense and Contingency Planning

Policy: Since the Cellular Provider provides services for paying customers, it is hard to put restrictions on those customers and even harder to enforce them. However, we can implement a terms of use policy for the service that we provide. This policy would most likely fall under the ISSP umbrella. In this policy we would outline the terms of using us as a provider and what actions will end a customer’s contract with us. For example, if a customer uses our service as a Wi-Fi hotspot and charges others to use it, they can be cancelled as a client.

As a cellular provider, we could not regulate Wi-Fi connection activity of the customers. They will be connecting at their own risk, and as a cellular provider we will not be responsible for any unsecure activity they perform that is not on our network.

Many cellular providers are going to a contract now that allows a client to rent their phone rather than buy it. With this, we could implement a SySP [1] that protects us from having to replace a client’s device if they download some malware while using an unsecure connection.

Design: In order to prevent software attacks on clients, we could work with cell phone manufacturers to ensure the integrity of data transferred on each device. This would prevent many of the malware issues that are currently involved with mobile devices.

In order to prevent phishing scams, we could route suspicious messages to a junk folder on the email server that clients use to access their email over mobile devices. This would quarantine the suspicious messages in a separate area. Also, our email server must have a physical firewall, incoming and outgoing, to protect the client from harmful attacks. [3]

Education: In the case of software attacks, customers must be educated to use only encrypted Wi-Fi connections and to avoid downloading suspicious applications to their mobile devices.

As for phishing, awareness is key in preventing customers from opening suspicious emails and sending their information to unauthorized personnel.

Contingency Planning: In most of the cases with mobile devices, we are going to be addressing incident response. Mobile devices are not like computers that are networked together all the time, so most issues will only affect the individual user. In this case, we will not need to address a Business Continuity Plan. Disaster recovery, however, should be addressed, not on the level of an organization but on the level of each user. If a user’s device is attacked they could lose all of their data. In this case, the disaster recovery plan involves having the user’s data backed up to a computer hard drive, or to a cloud service. This is very popular with Apple iPhones. They back up a user’s data to their cloud service on a regular basis.

Customer Data Defense and Contingency Planning

Policy: For the customer data that is stored on the cellular provider’s servers, we must put into place a System Specific Policy and an Issue Specific Security Policy. The ISSP will direct users in addressing the servers that contain customer data. It will also regulate who has access to what on the server. The SySP will address the server itself and how the information is to be stored and encrypted on the server.

Design: In the design phase of the protection of customer data, we will use many layers of protection. First and foremost, the information must be encrypted. Secondly, we will have to put access controls in place to ensure only authorized individuals are accessing the data. Then we will create backups of all of the data. Next, we will put firewalls in place for traffic into the server and out from the server. And lastly, we will monitor the systems to ensure that no unauthorized breaches have taken place.

Education: As with mobile devices, we again will have to educate everyone on the proper use of the system. Most of the lower level agents will receive annual awareness training to address specific attacks and trends that hackers are using. Upper level management will be sent to training on a regular basis and will be required to get information security certifications. The highest level administrators will be required to get a Master’s degree in cyber security which will be paid for by the company.

Contingency Planning: In the contingency plan for customer data compromise, we will spend a lot of time doing Incident Response. If we put a monitoring system in place for the data, we can mitigate incidents that arise on a daily basis. Disaster recovery for this will be addressing natural disasters, in which we will have to move everything to another location, as well as backups of information in case all is lost or stolen. The Business Continuity Plan will provide information on alternate locations to operate from as well as how to recover the data through backups.

Network Security Measures

Another important aspect of securing data as a mobile communications provider is securing the network that the data travels over.

One of the biggest threats to our organization, as we have identified earlier, is the theft of customer data. In order to prevent this from happening we must put security measures in place on the network. The first diagram below is the network diagram for our organization with no security components in place. The second diagram will show the security components that we have selected as well as an explanation of those components.

As you can see above, this is a simple diagram of a typical network for a mobile communications provider. This diagram contains no security measures on the network.

The next diagram is a carbon copy of the first, but it contains numerous security measures to protect the data that is traveling over the network. Note that the measures shown in this diagram are only some of the controls that a typical mobile communication provider may use to protect its network. There are countless other protocols that can be employed as well.

Keep in mind that the security controls that we show here are incorporated using software and hardware. For example, the firewalls that are put in place will most likely be done using hardware such as routers, and software installed with operating systems on the servers and each host. The Network-Based IDPS will be integrated using software and most likely a third party monitoring system. Take a look at the diagram and you can see what we mean.

In this diagram, you can see there are quite a few security measures in place. Here we will explain each component.

1. We used a Network-Based IDPS to examine packets on the network before they reach the aggregate switches and routers. This will ensure that we are alerted to suspicious activity prior to it reaching the internal network.

2. We used a firewall in front of the primary switch into the DMZ which will filter packets. This will add another layer of security to our internal components.

3. We set up a Honeypot to divert would-be data thieves from actually reaching our servers. We hope that they are lured by the easy target rather than hitting valuable data.

4. We put all of our servers into a DMZ so that we have that extra layer of defense in place to protect sensitive data.

5. Lastly, we put in an application firewall for our internal machines, and an outbound firewall which filters MAC addresses so that we know only authorized machines are sending out information.

6. Rules we would use are as follows:
   a. Any, Any, Email Server, 25, Allow (Allows only SMTP mail to the email server)
   b. Any, Any, Web Server, 80, Allow (Allows all traffic to web server)
   c. Any, Any, File Server, 20, Allow (Allows only FTP transfer on file server)
   d. Any, Any, File Server, 21, Allow (Same as above)

As mentioned before, the components highlighted here are only a sample of the available protective components that could be and are applied to data networks throughout the various mobile providers’ infrastructures.

Physical Security

Lastly, we will look at physical security controls that can be put in place in our organization to protect our assets. Unfortunately, the subject of physical security is a vast one, and we will not be able to address every aspect of the physical security controls our organization will integrate. However, we will touch on some of the broader issues that need to be dissected and look at why those controls are in place.
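Returning to the firewall rules in item 6 of the network security measures: the sketch below is an added example, not part of the original paper, that parses rules a-d and evaluates constructed sample flows against them. It assumes the five columns mean source address, source port, destination address, destination port and action, that the first matching rule wins, and that unmatched traffic is denied; the server addresses are constructed placeholders.

```python
from collections import namedtuple
from ipaddress import ip_address

# Constructed placeholder addresses (RFC 5737 documentation range); the paper
# names the three servers but gives no addresses.
HOSTS = {
    "Email Server": ip_address("192.0.2.25"),
    "Web Server": ip_address("192.0.2.80"),
    "File Server": ip_address("192.0.2.21"),
}

# Rules a-d as listed in the paper. Column meaning is an assumption:
# source address, source port, destination address, destination port, action.
RULE_TEXT = """\
Any, Any, Email Server, 25, Allow
Any, Any, Web Server, 80, Allow
Any, Any, File Server, 20, Allow
Any, Any, File Server, 21, Allow
"""

Rule = namedtuple("Rule", "src sport dst dport action")

def parse_rules(text):
    """Parse one rule per line and reject anything malformed."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 5:
            raise ValueError(f"line {n}: expected 5 fields, got {len(fields)}")
        rule = Rule(*fields)
        if rule.src != "Any":
            ip_address(rule.src)  # raises ValueError on a bad source address
        if rule.dst != "Any" and rule.dst not in HOSTS:
            raise ValueError(f"line {n}: unknown destination {rule.dst!r}")
        for port in (rule.sport, rule.dport):
            if port != "Any" and not (port.isdigit() and 0 < int(port) < 65536):
                raise ValueError(f"line {n}: bad port {port!r}")
        if rule.action not in ("Allow", "Deny"):
            raise ValueError(f"line {n}: bad action {rule.action!r}")
        rules.append(rule)
    return rules

def evaluate(rules, src, sport, dst, dport):
    """Return (action, matching rule); the first matching rule wins."""
    # The closing deny-all is an assumption: the paper lists only Allow rules.
    for r in rules:
        if (
            (r.src == "Any" or ip_address(r.src) == ip_address(src))
            and (r.sport == "Any" or int(r.sport) == sport)
            and (r.dst == "Any" or HOSTS[r.dst] == ip_address(dst))
            and (r.dport == "Any" or int(r.dport) == dport)
        ):
            return r.action, r
    return "Deny", None

# Constructed sample flows: (source address, source port, destination, port).
FLOWS = {
    "SMTP to mail server": ("203.0.113.7", 40000, "192.0.2.25", 25),
    "HTTP to web server": ("203.0.113.7", 40001, "192.0.2.80", 80),
    "HTTPS to web server": ("203.0.113.7", 40002, "192.0.2.80", 443),
    "FTP control to file server": ("203.0.113.7", 40003, "192.0.2.21", 21),
    "FTP passive data to file server": ("203.0.113.7", 40004, "192.0.2.21", 50000),
    "SMTP aimed at web server": ("203.0.113.7", 40005, "192.0.2.80", 25),
}

def audit(rules, flows=FLOWS):
    """Map each flow name to the action the rule set gives it."""
    return {name: evaluate(rules, *flow)[0] for name, flow in flows.items()}
```

Calling `audit(parse_rules(RULE_TEXT))` shows that HTTPS to the web server and a passive-mode FTP data connection fall through to the deny-all, so services the provider needs beyond ports 25, 80, 20 and 21 would have to be listed explicitly.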


Physical Access Controls

The first physical security issue we will look at is access control. Since our mobile communications provider stores sensitive data in its data storage center, only authorized personnel may be admitted to this area. This can be controlled by using Identification Badges and Scanners. Each employee who is authorized to enter a specific area must scan their badge to gain entry.

In order to protect against unauthorized access, we will put Mantraps [1] in place in these sensitive areas. This will trap the unauthorized person in a corridor leading to the secure area where they will remain until security personnel can escort them out of the building. During this time the unauthorized person will have no access to the data storage area, nor will they have an exit from the corridor.

Fire Security and Safety

As with all organizations, fire is a concern and a viable threat to assets. In order to prevent fire from destroying our company, we will put fire suppression systems in place throughout the facility. These suppression systems will differ depending on the area of the building that they are in. For example, in the data storage and server areas, the fire suppression system will be a Class C system. A Class C system is used for electrical fires, which will most likely be the cause in these areas. In the general office areas, we can use a Class A sprinkler system. A Class A system is for simple combustibles. The sprinkler system will automatically spray water over the area if it is activated by flames.

Mobile and Portable Systems Security

The last issue we will address with physical security is mobile and portable systems security. There are many things that mobile users can do to protect their devices from being lost or stolen. One such thing is GPS-type software. Many manufacturers offer a type of location software on their devices. This software will allow a user to track where their phone is in the event that it is lost or stolen.

A second mobile security tool is having a passcode lock on the device itself. With a passcode lock in place, a user must input a PIN to unlock their device. Your phone will not allow a thief to see your information unless they know this PIN. [4]

The third tool is something called a remote wipe. The remote wipe feature is installed on many mobile devices and allows a user to remotely erase their device’s hard drive in the case of the device being stolen or lost. Once the hard drive is wiped, no one will have access to the data that was once on this device. [4]

Conclusion

The explosive demand for mobile communications is driving the development of wireless technology at an unprecedented pace. Unfortunately, this exceptional growth is also giving rise to a myriad of security issues at all levels—from subscriber to network operator to service provider.

Here we have addressed some of the threats to mobile communications providers. We discovered that as the technology increases, so do the threats. We also looked at how to identify, assess, and control risks that arise from those threats. It is imperative to do a complete assessment of each threat to discover the amount of damage it can cause your organization if it is realized.

Next we looked at defense and contingency planning which has four elements. Those elements are policy creation, logical and physical design, education of users, and contingency planning. The last two things we looked at were network security and physical security of the storage and transmission infrastructure of the organization.

Hopefully after reading this research paper, you have a better understanding of all of the components that are in place to protect you and your data when using wireless communications.

References

[1] Whitman, M. E., & Mattord, H. J. (2012). Principles of Information Security. Boston: Cengage Learning.

[2] Ruggiero, P., & Foote, J. (2011). Cyber Threats to Mobile Phones. Retrieved April 02, 2015, from US-CERT.

[3] Swords, T. (n.d.). The New Target for Security Threats: Your Cell Phone. Retrieved April 02, 2015, from Norton.

[4] TechTarget. (2014). Learning Guide: Mobile Device Protection. Retrieved April 02, 2015, from TechTarget.