2010:008
M A S T E R ' S T H E S I S
Enhancing the Hierarchical Framework Model of Mobile Security
Artjom Vassiljev
Luleå University of Technology C/D Master thesis
Computer and Systems Sciences
Department of Business Administration and Social Sciences
Enhancing the hierarchical framework model of mobile security
Artjom Vassiljev
June 2010
Abstract
The purpose of this study was to enhance the “Hierarchical Framework Model of Mobile Security” proposed by the researchers from the University of Oulu in order to make it more technology oriented and include information about attacks and corresponding protection.
A qualitative study was done that consisted of content analysis and three structured e-mail interviews with three security professionals. The aim of content analysis was to identify threat and safeguard domains that can be used to enhance the framework. It was done by reviewing the current research, technical whitepapers and market offers in the area of mobile security. During the interviews, respondents were asked to review the proposed enhancements.
The new framework has the same layer hierarchy, however each layer was modified to contain three additional sub-layers: threat domains, safeguard domains, and technical controls. Things that were considered not having any direct security implications on mobile phones (like multimedia copyright protection) were removed. The focus was on technical solutions leaving the higher-level mechanisms for future research.
After reviewing the new framework, all interviewees agreed that the new solution is im- proved over the original. It is easy to use, and can be applied during the risk assessment process. Several drawbacks were identified in the new version, some of which, however, were fixed after the review. This goes along with the conclusions that author draws about the framework development process. This process should include the following phases:
learning about the problem, analyzing solutions, identifying the abstraction levels, de-
signing, iterating.
Licence
This work is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 2.5 Sweden License. To view a copy of this license, visit http://creativecommons.
org/licenses/by-nc-sa/2.5/se/ or send a letter to Creative Commons, 171 Second
Street, Suite 300, San Francisco, California, 94105, USA.
Acknowledgements
Kudos go to Matus Korman, Ago Poolakese, Michailas Ornovskis, Dimitrios Stergiou,
John Lindstr¨om, Mats Nordlund, Patrik Frost, Martin Risvold, Sarfraz Iqbal, Dan Har-
nesk, and Hugo Quinsbert for their help with this thesis.
Contents
1 Introduction 1
1.1 Mobile computing devices . . . . 1
1.2 The need for protection . . . . 2
1.3 Aim of this study . . . . 3
1.4 Research question . . . . 4
1.5 Scope and delimitation of the study . . . . 4
1.6 Disposition of the document . . . . 5
2 Methodology 6 2.1 Research type . . . . 6
2.2 Research method . . . . 7
2.2.1 Quantitative research . . . . 7
2.2.2 Qualitative research . . . . 7
2.3 Research strategy . . . . 9
2.4 Data collection . . . . 10
2.5 Analysis . . . . 11
2.6 Validity and reliability . . . . 11
3 Framework theory 13 3.1 What a framework is . . . . 13
3.2 The need for a framework . . . . 14
Contents
4 Background of the study 16
4.1 A hierarchical framework model of mobile security . . . . 16
4.1.1 Property theory layer . . . . 16
4.1.2 Limited targets layer . . . . 17
4.1.3 Classified applications layer . . . . 18
4.2 Limitations of the framework . . . . 18
4.3 Enhancement process . . . . 19
5 Theory 21 5.1 NIST guidelines for cell phone and PDA security . . . . 21
5.1.1 Threats . . . . 21
5.2 Safeguards . . . . 24
5.2.1 Organization-oriented methods . . . . 27
5.2.2 Discussion . . . . 28
6 Literature review 29 6.1 Technical controls . . . . 29
6.1.1 Malware protection . . . . 30
6.1.2 Spam . . . . 31
6.1.3 User authentication . . . . 31
6.1.4 Communication interception and eavesdropping . . . . 36
6.1.5 Applications . . . . 37
6.1.6 Virtualization . . . . 37
6.2 Security policies . . . . 37
7 Data analysis 41 7.1 Interview with AS Stallion . . . . 41
7.1.1 Mobile threats and awareness . . . . 41
7.1.2 Review of enhancements . . . . 42
Contents
7.1.3 Analysis . . . . 42
7.2 Interview with Entraction AB . . . . 43
7.2.1 Mobile threats and awareness . . . . 43
7.2.2 Review of enhancements . . . . 44
7.2.3 Analysis . . . . 44
7.3 Interview with Tieto AB . . . . 44
7.3.1 Mobile threats and awareness . . . . 44
7.3.2 Review of enhancements . . . . 45
7.3.3 Analysis . . . . 45
7.4 Cross-case analysis . . . . 45
7.5 After-review modifications . . . . 46
8 The improved mobile security framework model 47 8.1 Framework . . . . 47
9 Validity and reliability of the study 55 10 Conclusion 57 10.1 Results . . . . 57
10.2 Conclusions . . . . 59
10.3 Future research . . . . 60
Appendix A: Interview with Stallion representative 70
Appendix B: Interview with Entraction representative 73
Appendix C: Interview with Tieto representative 77
Appendix D: Document sent to interviewees 80
List of Figures
3.1 Elements relevant to any piece of research . . . . 14
4.1 Mobile security framework . . . . 17
6.1 NICA authentication methods . . . . 35
6.2 VmWare Mobile Virtualization Platform . . . . 38
8.1 Property layer from OULU framework . . . . 48
8.2 Enhanced property layer . . . . 49
8.3 Limited targets layer from OULU framework . . . . 50
8.4 Enhanced system layer . . . . 52
8.5 Application layer from OULU framework . . . . 53
8.6 Application layer . . . . 54
1 OULU framework model . . . . 81
2 Property layer . . . . 85
3 System layer . . . . 86
4 Application layer . . . . 87
List of Tables
4.1 Framework enhancement . . . . 20
6.1 Authentication methods and corresponding attributes . . . . 31
6.2 Escalation of NICA alert level . . . . 36
6.3 Biometric techniques for mobile devices . . . . 36
Abbreviations
1G,2G,3G,4G (First, second, third and fourth generation mobile phone systems) NMT (Nordic Mobile Telephony)
DMS (Data and Messaging Service) SMS (Short Message Service)
GSM (Global System for Mobile communications) TDMA (Time Division Multiple Access)
iDEN (Integrated Digital Enhanced Network) CDMA (Code Division Multiple Access)
GPRS (General Packet Radio Service)
EDGE (Enhanced Data rate for GSM Evolution)
IMT-2000 (International Mobile Telecommunications-2000) UMTS (Universal Mobile Telecommunications System) DECT (Digital Enhanced Cordless Telecommunications) WiMAX (Worldwide Interoperability for Microwave Access) SSD (Shared Secret Data)
3GPP (3rd Generation Partnership Project) DoS (Denial of Service)
Mbps (Megabits per second) 3-D (Three dimensional)
PC (Personal Computer)
PIN (Personal Identification Number)
Ghz (Gigahertz)
IPv6 (Internet Protocol version 6) MCD (Mobile computing device) WiFi (Wireless Fidelity)
OS (Operating System)
List of Tables
NIST (National Institute of Standards and Technology) PDA (Personal Digital Assistant)
LCD (Liquid Crystal Display) VoIP (Voice over IP)
GPS (Global Positioning System) JTAG (Joint Action Test Group)
IMEI (International Mobile Equipment Identity) VPN (Virtual Private Network)
IPT (IP Telephony)
KDA (Keystroke dynamics-based authentication) NICA (Non-Intrusive Continuous Authentication) NFC (Near Field Communication)
IDS (Intrusion Detection System) SIM (Subscriber Identity Module) SSH (Secure shell)
FTP (File Transfer Protocol)
WWW (World Wide Web)
Life has become more complex in the overwhelming sea of information. And life, when organized into species, relies upon genes to be its memory system. So, man is an individual only because of his intangible memory... and memory cannot be defined, but it defines mankind. The advent of computers, and the subsequent accumulation of incalculable data has given rise to a new system of memory and thought parallel to your own. Humanity has underestimated the consequences of computerization.
Puppet Master, Ghost In The Shell
Chapter 1 Introduction
It is hardly possible to bring the expression of surprise on anyone’s face by showing them your mobile phone. Nowadays almost every person has at least one mobile phone, some even have several – for personal use and for business/work purposes. It is estimated by eMarketer [eMarketer.com, 2010] that today almost 45% of the world’s population uses mobile phones, and by 2014 this number will grow to 53%. United Nations’ report indicates [Division, 2008] that by 2015 there will be about 7.3 billion people on Earth which if translated into numbers gives us almost 3.7 billion mobile users.
1.1 Mobile computing devices
The history of the mobile phones (also named cell phones after the cellular network they work in) starts as early as 1947 when two Bell Labs engineers proposed hexagonal cells for mobile phones in vehicles [Ring and Young, 1947]. These were early ideas which later transformed into the first fully automatic mobile phone system developed by Ericsson in 1956. One cannot call telephone clients used there mobile in the meaning we understand now, those telephones weighted 40kg back then. One year later soviet engineer created a portable mobile phone which had a range 20-30km, battery life of 20-30 hours, and a total weight of 3kg which was later reduced to 500g. Fast-forward to the 21st century, and pocket-sized mobile phones are as common as TV, cars, or Internet in every family.
Nowadays we have reached the size limit of the telephone, and the race began for the
processing power and memory capabilities of devices. Just like with the personal comput-
ers, mobile phones are incorporating more powerful processors, 3-D graphics accelerators,
Chapter 1: Introduction
bigger screen sizes, and higher memory amounts. Today’s telephone can do everything a desktop PC could 5 years ago starting with the web browsing, to document processing, and finishing with the games. And these are not just card games but various 3-D shooters and strategies. What we have now is not just a mobile phone, but a mobile computing device (MCD
1) – a computer in the pocket with telephone functionality.
The technology now starts to blur the border between the real world and virtual. 3G networks made it available to be constantly connected to the Internet. Combined with the geographical location of a customer, and data received from telephone sensors (camera, audio) it brings new experience to the user in the form of augmented reality. Users connect their real-life with the virtual.
1.2 The need for protection
With an ever-increasing number of services used on mobile phones, there is a strong need to save more data. It is hardly now that the telephone is used only as an address book. In addition to this it has also a calendar or a professional organizer, e-mail client which can synchronize with the server, document processing software, mobile-commerce software, and many other programs that help the user live his everyday life. In 2005 a research conducted by Martin Allen [Allen, 2005] concluded that over 80% of new and critical data is stored on the phone. Thereby these devices may tell a lot about their owner. And not only tell, but also be used and thus abused to pose as the original owner.
Back in the 2001 a research conducted by the Home Office revealed that only in Eng- land and Wales there were about 700 000 reported crimes that included theft of device [Harrington and Mayhew, 2001]. In the article “Mobile phone theft is far worse than we thought” [Leyden, 2002] John Leyden cites the research by Continental Group firm stating 1.3 million Britons had their phone stolen during the 2001. Moreover 600 000 devices were accidentaly dropped into the toilet or other facility, 400 000 into the drinks, and 200 000 accidentaly were put into the washing machine. It continues stating that 1.6 million cellphones were lost. It amounts total 2.9 million handsets could be potentially abused by exploiting the information stored on the device. In 2002 F-Secure corporation estimated [F-Secure, 2002] that 10 mobile devices are lost or stolen in the world every minute. They survey [Clarke and Furnell, 2005] showed that 34% of users do not use PIN
1
For easier reading throughout this thesis the term MCD is interchangeable with the terms “mobile
phone”, “cell phone”, and “handheld device”
Chapter 1: Introduction
protection on their phones. Moreover a study by Karatzouni [Karatzouni et al., 2007] re- vealed that besides not using any protection on their phone, a lot of users believe they have no valuable information that needs protection on their devices.
Although theft of personal telephone may have unpleasant consequences if a corporate phone with sensitive data gets lost and the information leaks, results may be far worse. In 2005 Nokia estimated [nok, 2005] that among 650 million corporate e-mail accounts only 10 million were mobilised, this number was growing fast. In 2003 a Morgan Stanley bank employee after leaving the company sold his supposedly “dead” mobile phone on eBay for $15.50 [Zetter, 2003]. Later on the lucky bidder discovered hundreds of confidential e-mails, database with more than 1 000 names, job titles, phone numbers, and addresses of company partners and employees.
A lot of company executives are aware of the problems that come with mobile phone usage, however as the survey showed [Ernest-Jones, 2006], while four out of five companies have thought about risks that mobile devices pose, only a small part of them really started to investigate this problem. This clearly indicates the need for better awareness and protection of MCD.
1.3 Aim of this study
There are multiple comprehensive security frameworks for computers and networks like
COBIT, PCI DSS and ITIL to name the few, various standards for data protection like
BS 10012:2009 and network security like ISO/IEC 27033. There are numerous tutorials
and guides from big vendors like Microsoft (Security guides for Windows family), Cisco
(Cisco security policy builder) and governemtal organizations like NIST (SP800-123) on
how to create policies, harden servers, desktop pc’s and laptops. There do exist a lot
of antivirus and malware removal software (F-Secure, Norton, Kaspersky). Most users
are aware of computer threats, computer administrators know how to write policies in
order to protect the computers, and management allocates resources for security. But
we have had personal computers and Internet for over two decades. The problem with
telephones is that nobody considered them as a potential threat due to the very nature
of telephones – just to make calls. Only recently in the last years science has advanced
to the point when we have a personal computer in the pocket with telephone functions
as a bonus[Clarke and Furnell, 2005].
Chapter 1: Introduction
While searching for any guides and standards to use with mobile phones, only one secu- rity framework was found targeted specifically at mobile phones, whose intended audience are security researchers [Howie et al., 2001]. It is divided into three layers, and gives a hierarchical view on security problems of mobile phones. Most of the research based on the above-mentioned framework concentrate only on a specific threat from one of these layers [Wah, 2002, Pandelidis, 2002, Jin et al., 2007]. Additionally a NIST guide- line [Jansen and Scarfone, 2008] was found that gives practical hints on protection of handheld devices including mobile phones. However it does not allow one to the percieve the security as a whole, which in my personal opinion can leave many security problems unnoticed, i.e. during the policy creation. How can these two documents colorred(mobile security framework from Oulu and NIST guidelines) be combined to provide both the power of framework and the simplicity of step-by-step guideline? To find this out, I look at the works of other authors like Zachman [Zachman, 1987] and others to get the understanding, what is a framework, and why is it needed?
The aim of the study is to explore existing threats to mobile computing devices and effective ways of protecting from them. Equipped with this knowledge, I intend to enhance the “Hierarchical framework model for mobile security [Howie et al., 2001]” in order for it to be easier to use and cover the topic in more details. I want it to become useful not only for research community, but also to security professionals who could apply it during their work.
1.4 Research question
1. How can the “Hierarchical
2framework model for mobile security” be enhanced to provide deeper view on security problems and their countermeasures?
1.5 Scope and delimitation of the study
This study covers enhancements to the mobile security framework by merging it with the NIST guide and other technical safeguards identified during the literature review. This work concentrates on technical protection mechanisms (without referring to any partic- ular technology), while higher-level controls (policy, awareness, management) are left
2
Classified according to various criteria into successive levels of layers. Source: Princeton WordNet
Chapter 1: Introduction
for future research. Additionally, this reseach does not cover directly any protocol that mobile phone or application may use (i.e. VoIP, M-commerce, etc), however indirectly proposed protection mechanisms can be used to secure device against attacks exploiting weaknesses in these protocols. Although the study is conducted in Lule˚ a, Sweden, inter- views are held with professionals from other cities and countries, so structured interviews are conducted via e-mail.
1.6 Disposition of the document
Chapter 2 – describes the methodology that this study follows for conducting research.
Chapter 3 – introduces the concept of a framework. What is it? Why is it needed?
What are its goals?
Chapter 4 – gives the description and analysis of the original framework model from OULU university, and later the enhancement process is showed.
Chapter 5 – the review of literature and existing research in the area of mobile security.
Similar research is grouped into domains, which are later used for the enhancement.
Chapter 6 – literature review.
Chapter 7 – the analysis of interviews is done with the purpose of evaluating the im- provements made over the original framework.
Chapter 8 – new enhanced framework is introduced in this chapter.
Chapter 9 – discussion about the validity and reliability of study and its results.
Chapter 10 – discussion of the results, conclusion, and future research is done here.
Appendix A – interview with Michailas Ornovskis from AS Stallion Appendix B – interview with Dimitrious Stergiou from Entraction AB Appendix C – interview with Patrik Frost from Tieto Corporation Appendix D – document sent to interviewees
Appendix E – After-review modifications of the framework
Chapter 2
Methodology
This chapter describes methodologies used in the thesis. It begins with the purpose of this research, the approach being used, continues with the research strategy, data analysis methods, and concludes with the validity and reliability of theories used and proposed.
2.1 Research type
According to Williams [Williams, 1993] who refers to Sekaran [Sekaran, 2009], “there is a general agreement that research is a systematic and methodical process of inquiry and investigation that increases knowledge and/or solves particular problem”. Williams con- tinues – the research, as opposed to the process, is essentially a review and synthesis of existing knowledge, investigation of existing problems and proposal of solutions to them, exploration and analysis of more general issues, constructon and creation of new systems and procedures, explanation of phenomena and generation of new knowledge. Differ- ent types of research exist which following Kotler [Kotler et al., 2008] are exploratory, descriptive, and explanatory research.
Kotler [Kotler et al., 2008] defines exploratory research as the one to get the initial infor-
mation in order to help better define problems and suggest hypotheses. It is conducted
because a problem has not yet been clearly defined and no or too little knowledge is
available on the given topic. The goal is to accumulate as much information about the
problem as possible, gain familiarity and insights in order to further develop hypotheses
and clearly state problems. The result of such research is not always eligible to make the
decision by yourself, but can otherwise provide a significant insight into a given situa-
Chapter 2: Methodology
tion. This fits my study design well as I try to explore the ways of enhancing the mobile security framework model and offer it as a solution, which can be further tested with the quantitative study.
2.2 Research method
In social sciences two main research methods can be applied: Qualitative and Quantitative research.
2.2.1 Quantitative research
Quantitative researchers seek explanations and predictions that will generalize to other persons and places. Careful sampling strategies and experimental designs are aspects of quantitative methods aimed at produce generalizable results. In quantitative research, the researcher’s role is to observe and measure, and care is taken to keep the researhers from contaminating the data through personal in- volvement with the research subjects. Researchers objectivity is of utmost concern [Glesne and Peshkin, 1992].
Quantitative research includes extensive definitions early in the research proposal as it operates more within the deductive model methodology of fixed research objectives. Re- searchers try to define all the terms in the beginning of their study and use accepted definitions from the literature review [Creswell, 2003]. It requires the reduction of phe- nomena to numbers so that the researcher can conduct statistical analysis. While it may use verbal data in the beginning, it is later transformed into numerical data and the quantitative analysis is made [Smith, 2008].
2.2.2 Qualitative research
In his book [Thomas, 2003] Robert Murray Thomas refers to Denzin and Lincoln’s defi-
nition of qualitative research [Denzin and Lincoln, 2005] stating that it is a multimethod
in focus, involving an interpretive, naturalistic approach to its subject matter. It means
that researchers study things in their natural environment, trying to make sense of, or
interpret phenomena in term of the meanings people bring to them. This type of research
involves the studied use and collection of a variety of empirical materials – case study,
Chapter 2: Methodology
personal experience, introspective, life story, interview, observational, historical, interac- tional, and visual texts – that describe routine and problematic moments and meanings in people’s lives.
Maxwell [Maxwell, 2005] describes the qualitative research model consisting of the fol- lowing components:
1. Goals. What is the purpose of the study? Why it needs to be conducted? What issues will it clarify, and what practices will it influence?
2. Conceptual framework. What is going on with the issues, people, settings the re- search plans to study? What theories, beliefs, and prior research findings will guide the research? What literature, preliminary problem study, and personal experience will be drawn on in order to understand the people or issues being studied?
3. Research questions. What problems this study will solve? What phenomenas will it explain that were previously unknown or not understood? What questions will the research answer, and how these questions are related to each other?
4. Methods. What will be done in order to conduct the study? What approaches and techniques will be applied to gather and process the data?
5. Validity. Why should the results of the research be trusted? How might they be wrong? How can the collected data support or challenge the ideas proposed by the study?
Compared to quantative research, qualitative differs mainly within the analysis – it is textual, and not numerical. The concern is in intepreting a piece of text means rather than finding its numerical properties. Qualitative approach is generally about the exploration, description and interpretation of one’s experience [Smith, 2008].
I start my research with the analysis of existing framework and identifying problematic
places, and things that need improvements using derivative research. I then go on with
exploring current threats, safeguards, and grouping them together in order to enhance
the framework. Interviews are made with security specialists in order to analyze the
improvements of a new framework, and finally draw conclusions on the work done. This
work is about exploring. The nature of data is textual, and the analysis done is the
interpretation of this text. The natural choice is to use the qualitative research.
Chapter 2: Methodology
2.3 Research strategy
Among different qualitative research designs [Leedy and Ormrod, 2009] like ethnograph- ical, phenomenological, grounded theory, and other, content analysis and case study fit best this research.
Leavy et al. [Hesse-Biber and Leavy, 2006] describes the qualitative content analysis as follows:
In qualitative content analysis a researcher begins with a topical area which he or she starts to query from his or her embodied standpoint and epistemological position.
Quickly into the process, the topic is also examined in the relation to the research question. The researcher does not begin with preconceived codes but rather generates code categories directly from the data. These codes can range from very literal to abstract. As code categories emerge from the data the researcher doubles back to reexamine data applying the new code categories.
Weber [Weber, 1996] indicates the central idea of content analysis as classifying many words of the text into much fewer content categories. He continues saying that
Each category may consist of one, several, or many words. Words, phrases or other units of text classified in the same category are presumed to have similar meanings.
In order to find out how to identify various threats to mobile computing devices, corre- sponding countermeasures and ways of applying them, and then group everything into domains, content analysis will be applied to already existing research, different scientific papers and surveys in this area. This literature will be reviewed and analyzed by rele- vance to the study as a whole, and to a particular problem, or group of problems (i.e.
papers regarding only virus attacks on mobile phones).
Going back to the research question, this study strives at enhancing the existing frame-
work, which has a target audience. Case study will help to reach this audience in order
to find out, whether the proposed changes really improve the original work. A case study
is defined as “an in depth study of particular situation rathen than a sweeping statisti-
cal survey. It is a method used to narrow down a very broad field of research into one
easily researchable topic” [Shuttleworth, 2008]. Although it will not answer the research
question completely, it will give hints and indications, and allow further elaboration and
the creation of hypotheses on a given subject. It “excels at bringing researcher to an
Chapter 2: Methodology
understanding of a complex issue or object, and can extend experience or add strength to what is already known through previous research” [Soy, 1997]. Case studies highlight contextual analysis of a limited number of events or conditions and their relationships.
2.4 Data collection
The starting point of the study is a literature review that helps to find similar research and work based on the original framework, analyze varying points of view on the topic, find theories to build this work on. This helps me to identify main weak and strong parts of the framework by looking at other research that is based on it. This is used to guide the further search for information that is necessesary to modify and enhance the framework.
A case study is also used as another source of data in addition to literature. The need for a case study comes when one needs to understand complex social phenomena. Case study inquiry relies “on multiple sources of evidence, with data needing to converge in a triangulating fashion, and as another result benefits from the prior development of theoretical propositions to guide data collection and analysis” [Yin, 2003]. Case studies investigate phenomena in its natural context, and can provide a researcher with deeper understanding.
As the framework enhancement is targeted at security professionals (security technicians, engineers, officers and other personnel with similar tasks), I use a case study to find out how well these improvements fit their needs. What I aim at achieving by using a case study is to investigate the problem in real life, not just theoretically. What this can mean is that professionals can reflect their knowledge and experience, project the proposed solution into their work and hypothesize about the improvements made. Such feedback from this group will help to draw conclusions in the end.
Case study can be done using a variety of evidence – documents, artifacts, interviews, and observations [Yin, 2003]. Interviews can be focused, semi-structured, problem-centered, expert, and ethnographic [Flick, 2006]. Structured e-mail interviews are used with respon- dents due to their distant location (all interviewees are located outside Lule˚ a, Sweden).
While the personal semi-structured interview could bring additional valuable insights
about the area researched, structured interviews are sufficient to provide the necessary
feedback about the proposed enhancements.
Chapter 2: Methodology
Interviews were done with three professionals who all work within the information security field. The choice of these people was dictated by enhancement process, which targets this group. Interviews consist of two parts, where the first part investigates the awareness of interviewee about mobile phone security, what frameworks does one apply at work to conduct risk analysis, how the data is protected – this will help to find out how useful this framework is, and what are the important parts (for example, just policy, user awareness, technology) that people use. The second part of the interview is aimed at reviewing the proposed enhancements. Questions will help interviewee to assess the proposed solution, and later draw conclusions about the new framework.
2.5 Analysis
Creswell [Creswell, 2003] says that according to Merriam [Merriam, 1991] and Marshall [Marshall and Rossman, 2006], processes of data collection and data analysis must be simultaneous in qualitative research. Throughout the data analysis process, researchers index and put collected data into as many categories as possible. Themes and patterns are identified from participats, which are later to be attempted explained and under- stood [Creswell, 2003]. While analyzing data it will be organized both categorically and chronologically, indexed, and repeatedly reviewed.
Only data relevant to the research problem is collected, which helps to reduce the amount of information to be processed. To achieve that, a NIST guideline is used that has a list of threats and safeguards, which can guide further and deeper research on a topic. Collected data is then organized into domains for easier understanding and pattern identification.
By analyzing the existing data, a new framework is built using that analysis. After interviews are conducted, a within-interview analysis is done to identify the core points.
A cross-case analysis follows in order to group the results. Based on this analysis, the research question is answered and conclusions are drawn.
2.6 Validity and reliability
As my subjective interpretation of the problem can influence the results of the study, it
needs to be valid. Validity is defined as “the truth or accuracy of the representations and
generalizations made by the researcher; how true the claims made in the study are or how
Chapter 2: Methodology
accurate the interpretations are” by Moisander and Valtonen [Moisander and Valtonen, 2006].
Yin [Yin, 2003] defines four conditions related to design quality:
• Construct validity : establishing correct operational measures for the concepts being studies.
• Internal validity : establishing a casual relationship, whereby certain conditions are shown to lead other conditions, as distinguished from spurious relationships. It is used only for explanatory or casual studies, and not for descriptive or exploratory.
• External validity : establishing the domain to which a study’s findings can be gen- eralized.
• Reliability : demonstrating that the operations of a study – such as the data collec- tion procedures – can be repeated with the same results.
In order to improve the validity of my results, multiple sources of evidence are used. The work is based on already existing research of the topic, and also several interviews are held with experienced professionals that validate the results of the study. I also establish a chain of evidence by explaining my assumptions and providing the foundation for them.
The objective of reliability is to ensure that if the study will be conducted using same
methodology and same case study described by the investigator, the results and conclu-
sions will be the same. The goal is to reduce the amount of errors and biases. It can
be achieved by documenting all the procedures and making as many steps as operational
as possible like someone is watching behind the shoulder. All conducted interviews and
materials sent to interviewees before the actual interview are documented.
Chapter 3
Framework theory
How to enhance the framework? Where to start and how to proceed? And what is essen- tially a framework? This chapter introduces the theoretical framework that is used for the enhancement process.
For the framework to be enhanced, one needs to know what a framework is, how to develop it, and what are its goals. Having the knowledge about these things will help to proceed further with improvements.
3.1 What a framework is
There are many definitions of what a framework is, and each refers to a certain domain it operates in. For example in programming, as described by Johnson [Johnson, 1997], a framework is a reuse technique. Ideally, this technology should provide components that could easily be connected in order to make new systems. John Zackman defines framework as “a generic classification scheme for design artifacts, that is, descriptive representations of any complex object” [Zachman, 1997]. The idea behind such classifica- tion scheme is to be able to concentrate on selected properties of an object without losing the holistic perspective. If compared with the Zachman Framework for Enterprise Archi- tecture [Zachman, 1987], the definition of Johnson’s framework can be a single instance of Zachman’s framework – the level of abstaction is lower if we describe the enterprise.
However, both definitions share the same goals – represent the underlying structural members that support the realization [Martin and Robertson, 1999].
To achieve the balance between the holistic, contextual view, and the pragmatic, im-
Chapter 3: Framework theory
plementation view, a framework needs to have characteristics of any good classification scheme [Zachman, 1997], or in other words, it should allow for abstractions intentended to:
• simplify for understanding and communication
• focus on independent variables for analytical purposes
• maintain a disciplined awareness of contextual relationships that are significant to preserve the integrity of the object
There is not much difference whether the object is physical (i.e. mobile phone), or conceptual (i.e. department), challenges are still the same [Zachman, 1997].
3.2 The need for a framework
Zachman described [Zachman, 1987] the need for his framework was due to the increased level of complexity and the scope of design of information systems, in order to control components of the system, their interfaces and integration. The need for viewing system as a whole and thus be able to improve the decision-making was also the driving factor for Gorry and Morton during the development of their framework [Gorry and Morton, 1971].
This enabled them to see, and more important – to understand, the flow and evolution of processes and identify potential problems and benefits of using the technology in sup- porting management. Going lower to a technical level, Munindar Singh faced similar problems during his research on multiagent systems [Singh, 1994] – he needed a way to analyze, specify, design, or implement multiagent systems.
Figure 3.1: Elements relevant to any piece of research
Chapter 3: Framework theory
A framework is not an “answer” to every problem, instead – it is a tool for thinking [Zachman, 1997]. Martin et al. [Martin and Robertson, 1999] add “Frameworks are models of some underlying reality constrained by our points of view. As such, models are merely a tool employed to objectively understand that reality”. To support this idea, I refer to Checkland and Holwell’s figure describing elements of research [Checkland and Holwell, ].
It is shown in Figure 3.1. By using a framework and choosing relevant methodology one
can learn more about the area of concern.
Chapter 4
Background of the study
The chapter where mobile security framework model from the University of Oulu is intro- duced. Weak parts are discussed and the plan for enhancement process is described.
4.1 A hierarchical framework model of mobile secu- rity
A group of researchers from the University of Oulu proposed a framework for the sys- tematic research of mobile security [Sun et al., 2001]. It is a hierarchical model in which mobile security is divided into three layers: property theory, limited targets, and classi- fied applications. Figure 4.1 illustrates the framework and interconnection of its parts including topic domains.
4.1.1 Property theory layer
Authors indicate five main points to research on this layer, which are security objectives,
attacks, security mechanisms, security management, and security evaluation. Security
objectives aim at formulating and determining what kinds of security goals are going to
be achieved and to what extent. Attack research aims at analyzing and distinguishing
possible threats and offensive methods from all possible threats. Security mechanisms
try to find effective techniques to fulfill security objectives. In the security management
policies and rules are created, including user training and awareness, relevant to the
administration and maintenance of devices. Security evaluation includes identification
Chapter 4: Background of the study
Figure 4.1: Mobile security framework
of critical components and vulnerabilities, inspection of performance, and evaluation of privacy and robustness.
4.1.2 Limited targets layer
This layer specifies three main targets, which are mobile networks, mobile computing, and finally multimedia.
• Mobile networks. The focus is on the underlying infrastructure that cell phones use, like networks and supporting protocols. Topics of research include the security of 2G, 3G, and the upcoming 4G networks together with protocols like Mobile IP, the use of IPSEC in communication protocols, encryption, authentication, routing, and other problems.
• Mobile computing. Two targets are under consideration here: the problem of host
protection (the physical protection of device itself and attacks that can come from
it, like differential power analysis, side-channel attacks, and other), and software
Chapter 4: Background of the study
agent protection (the operating system).
• Mobile multimedia. Protection of multimedia content distributed using mobile de- vices.
4.1.3 Classified applications layer
Some applications that cannot be successfully implemented without the proper support of secure mobile networks, and computing and media processing environment are put into the top layer. These applications include, but are not limited to messaging (SMS, MMS, e-mail), telephone service (VoIP, IPT, video conferencing), business applications (mobile e-commerce).
4.2 Limitations of the framework
The framework model described above proposes a systematic way to conduct investigation of mobile phone security based on the hierarchy proposed by its authors. The article gives a brief explanation of how these layers are interconnected and which topics domains belong to which layer. Although it is relatively old (9 years old at the time of writing this paper), it is not bound to technology, which, as authors say themselves, “demonstrates that the framework can explicitly serve as an effective guide to systematic research of mobile security”. It may be effective (although authors do not mention any reviews), but there is always space for perfection, and it can be enhanced.
Most of the studies based on this framework concentrate on a single research domain, i.e. “Multimedia Digital Video Watermarking” [Wah, 2002] or “Security issues in mo- bile computing” [Pullela, 2002]. When it comes to identifying threats, this framework alone is not enough. In their study about security implications in mobile commerce over hotspot networks [Fourati et al., 2004], Fourati et al. apart from the mobile security framework, additionally use other sources in order to identify security vulnerabilities to mobile phones. Jin et al. [Jin et al., 2007] refer also to multiple sources to get a more holistic picture of security threats.
The framework can never be complete and cover absolutely everything, but it can be improved by introducing more layers and targets in order to make it deeper. For example,
“Mobile computing” domain is comprised of “Agent”, “OS”, and “Terminal” objects,
Chapter 4: Background of the study
whereas “OS” can contain “authentication methods”, which is composed of several types of authentication mechanisms. Without knowing these details it may be unclear, i.e. on what levels operates protection.
Framework should be easy to use and it should reduce the time spent to solving problems [Taligent, 1997] (although Taligent refers to frameworks for programming, I feel that this property can be applied here). In order to achieve the simplility of a framework, it should be clear, easy to use and to learn. At the moment, it is certainly a drawback in using the original framework model as functions of layers, targets, and their connections are difficult to follow and understand. Pictures do not help to make this task easier. To make it more understandable, the hierarchy of the new framework should be clear, connections between targets and layer must be easy to follow, and the new proposed solution should be simple to use and apply during projects.
Additionally, Zachman [Zachman, 1997] in his article mentions the neutrality of the frame- work, which he explains as being independent of tools and methodologies. Although frameworks are diffirent in nature, the property of being neutral also suits technical framework – it should not be bound to any particular technology, which will make it more flexible and easy to apply in various situations. While the original framework is already neutral, it is important to note that the new version will keep its neutrality.
4.3 Enhancement process
Table 4.1 shows the mobile security framework described using Zachman framework.
According to the framework authors [Sun et al., 2001], the purpose of their research is to provide guidance for conducting systematic research, so their target audience is re- searchers. This can be mapped to the first level – the “Scope” (highlighted with yellow).
Looking back at the scope and delimitation of my study, the targets for improvement can be placed on the table – these are the “Scope” (yellow), and additionally “System model” and “Technology model” layers (highlighted with green).
The aim of describing it using Zachman framework is to indicate what will be enhanced
and not to describe precisely how the enterprise would operate on each level. That is the
reason why the Table 4.1 does not describe things thoroughly in regards to the enterprise
model, but rather briefly so that it can be visually seen what will be done.
C h a p t e r 4 : B a c k g r o u n d o f t h e s t u d y
Framework 1. What 2. How 3. Where 4. Who 5. When 6. Why
1. Scope Solutions to problems
Provide guid- ance
Mobile world Researchers Research project
Challenge, fame
2. Business model
Security safe- guards
Security tech- nology
Research do- main
Phone and secu- rity vendors
Market needs Money
3. System
model
Enterprise poli- cies
Phone usage procedures
Within the en- terprise
CIO/CISO Policy creation Resistance to threats
4. Technology model
Suitable device according to policy
Encryption, au- thentication
Available func- tions
Security engi- neer, manager
Risk analysis re- sults
Avoid security breaches
5. Detailed rep- resentation
Phone specs (OS, model)
HTC, IPhone, Blackberry
Blackberry auth. server
Technician Technology availability
Work with new technology 6. Real system Mobile phone Calls, internet
browsing
Phone device Company em- ployees
Phone usage Doing business
Table 4.1: Framework enhancement
20
Chapter 5 Theory
This chapter describes the theoretical framework that is used to further guide the research.
NIST guideline is used for this purpose.
5.1 NIST guidelines for cell phone and PDA security
National Institute of Standards and Technology on October 2008 released a special pub- lication numbered 800-124 and called “Guidelines on Cell Phone and PDA Security. Rec-
ommendations of the National Institute of Standards and Technology” [Jansen and Scarfone, 2008].
This document describes mobile devices like cell phones and PDAs in use today and gives recommendations on security treatment of such technology. Threats and technology risks and available safeguards are detailed in the report.
5.1.1 Threats
Many of the threats to MCD are those found for personal computers. Essentially, threat list for cell phones is a superset of the profile for desktop computers. Additional threats are related to the size and portability of devices, and their available wireless interfaces and associated services.
• Loss, Theft, or Disposal. Due to their small size, mobile phones can easily be lost,
misplaced or stolen. Without proper security measures applied to the device, it
may become straightforward to gain access to sensitive information that resides on
the phone or is accessible from it. Manually resetting a device to factory defaults
Chapter 5: Theory
before selling it or donating, it does not necessarily physically deletes data, but the place may be rather marked as unused. Like in desktop computers where hard drive sectors with deleted data are marked by filesystem as unused, but the data is still retained there until overwritten. Besides the compromise of information that may happen during the theft, a cell phone with active service can be used to place international calls, impersonate user, and use it for service authorization.
• Unauthorized access. Lack of or weaknesses in authentication process may help attackers gain access to the sensitive information. Clarke et al. showed in the survey [Clarke and Furnell, 2005] that many phone users either use very simple PINs or passwords, or not use them at all. For example, before trying other ways, forensics investigators try default PINs like 1234 or 0000 assigned by operators. Some devices may have a backdoor access like reserve or master password, which allows full phone access. Software and hardware forensics tools exist on the market that make it easier to bypass built-in security mechanisms and recover the contents of telephone.
Many manufacters follow JTAG standard to make it easier diagnose problems with processor, memory, and other semiconductor chips. Various equipment can be used to communicate with JTAG-compliant component in order to image the contents of locked device. Acquired memory image may contain a lot of sensitive information like account passwords, contacts, and other data.
• Malware. There are numerous ways to infect phone with malware: internet down- loads, when a user downloads infected file directly from the Internet, messaging service like SMS [Mulliner and Miller, 2009], MMS, or via instant messaging pro- gram like Skype or MSN. Bluetooth of memory card is also a popular way to spread infection and get infected by yourself. Although spread easily and fast, usually users have to run the installer by themsleves in order for the malware to infect device.
This is achieved by different means, most often using various social engineering techniques. Malware attacks have been divided into the following categories:
– Spoofing: Malware provides false information to the user in order for him to perform needed action
– Data interception: Malware is able to intercept or access data
– Data theft: Malware is able to collect and send data to the attacker
– Backdoor : Malware allows the attacker to gain access to the device at will
Chapter 5: Theory
– Service abuse: Resident malware can perform actions that will force user to pay higher fees
– Availability: Malware impacts the integrity and/or availability of the device itself or data stored in it
– Network access: Resident malware can use the device to perform unauthorized network activities (i.e. part of a botnet)
– Wormable: Malware can use technology to propagate itself to other devices
• Spam. SMS, MMS, voice messages, e-mail, and instant messages are channels for spreading spam. Spam messages may just advertise some goods, or convince users to call or send message to chargeable service numbers, persuade user to reveal account passwords or other information, or download and install malware.
• Electronic eavesdropping. Most people know that when the discussing sensitive information on the phone it is important to go a place where nobody can hear you speaking, however there exist numerous ways to eavesdrop on the conversa- tion. Most direct and obvious way to do it is install spyware on a device to for- ward conversation or other information to other phone or server. Researchers also found weaknesses in CDMA and GSM protocol families which enable them to moni- tor systems and eavesdrop conversations [Ryu and Jang, 2006, Barkan et al., 2003].
There are also cases known when cell phone switches were modified with malicious intents [Prevalakis and Spinellis, 2007]. If device uses Internet to communicate, rouge access point may be used to perform man in the middle attack and hijack communications.
• Electronic tracking. For a long time there existed a way to track users of mobile phones by means of triangulation using cell stations that mobile phone is connected to. Recent advancements to technology like GPS, Google Latitude, and others make it easier to find the owner of device. These services may be used by employees to find their way or by employer to track its workers, or may be abused by attackers to spy on people. There have been case when this service was abused [Pamplin, 2005].
• Cloning. Having reprogrammed several unique identifiers built into mobile phone
into another device, a clone will be created that can act as the original. Monitoring
radio wave transmissions of analog mobile phones made it possible to easily obtain
Mobile Identification and Electronic Serial Numbers that are used to create clones.
Chapter 5: Theory
While analog telephones are not in wide use today, SIM card cloning can achieve similar results, and can be performed by people with basic computer knowledge.
• Server-resident data. Service providers have a lot of services to help their clients with various things, like phone and data backup, online address books, enabling and disabling services, e-mail exchange, social networking, and many others. Even without a modern smart-phone one can make use of these services. However a lot of data is stored on external services that employer or telephone users have no direct access. Vulnerabilities in provider infrastructure or its services, or misuse of official duties by rogue employees can lead to data exposure.
5.2 Safeguards
One of the main problems that mobile devices pose to organization is distinguishing be- tween employee-owned and company-issued equipment. Allowing employee-owned mobile communication devices may seem like a cost-effective solution for a company, however it is only an illusion. The ability to manage and control such devices is a hard to achieve task, especially trying to apply security policies and corporate software. Below are briefly described security mechanisms that will reduce associated risks if applied.
User-oriented methods
Without user participation it is nearly impossible to maintain high level of security of devices. Employees should follow procedures and take precautions when using company devices.
• Physical control. Today a mobile phone can be compared with a credit card – a lot of problem will occur in case it is lost. While the cost of stolen hardware may be minimal to organization, problems that may happen due to the blocked accounts or leaked data a far much worse. Even lending a device can have security implications like misuse, data manipulation, impersonation, and malware installation. Security settings of device can also be weakend to allow further access.
• User authentication. User authentication mechanisms like PIN and password are
the first barrier toward deterring unauthorized access to cell phone. Reading and
understanding device documentation may be an essential step as there may exist
Chapter 5: Theory
master passwords or other backdoors to remove the phone protection mechanisms or restor forgotten passwords. Company policy for length and complexity of passwords in use must be followed. Also the use of same password on handheld devices and computer accounts should be forbidden. Some devices also include a timeout after several unsuccessful login attempt, which locks telephone for a certain period of time. Following modes of authentication are most popular:
– Proof by knowledge – passwords and PINs.
– Proof by posession – tokens, such as smart cards.
– Proof by property – retina scan, fingerprints, voice recognition.
• Data backup. Smartphones can now hold a considerable amount of data which is only limited by the size of memory card. Using the device as the only repository for important information may be dangerous in case of a disaster. In order to preserve valuable data it must be regularly backed up to other storage media, for example to a central backup device, or synchronized with the desktop computer.
• Reduce data exposure. Keeping passwords, data records, account information, and other sensitive information on a high-risk device like cellular phone should be avoided unless it is really needed. In that case all the data should be stored en- crypted. Some memory cards can also have hardware password protection, which can reduce risk of data exposure. If available the advantage of encryption should be taken in communication protocols in order to protect data in transit. At the end of device life cycle data on the phone should be erased by overwriting it several times.
• Shun questionable actions. Most mobile malware needs user interaction in order to install itself. Content received by SMS, MMS, via e-mail attachment or using unknown Bluetooth connection may all contain malicious software. Users should be aware of security threats and ways of mitigating them.
• Wireless interfaces. An easy solution to protect from malware is simply turn off wireless interfaces like Bluetooth, infrared, and Wi-Fi until they become needed.
Majority of virus programs for mobile phones spread using Bluetooth channel. Al-
though the Bluetooth protocol has no public vulnerabilities, problems may arise
from improper vendor implementation.
Chapter 5: Theory
• Deactivate compromised devices. In order to prevent further spread of viruses and worms, like with a personal computer it is advised to isolate it from others until the source of problem is removed. In case the device is lost or stolen, disabling service, locking it, or otherwise completely erasing phone data are all useful actions that need to be applied. Some corporate class devices have the ability to wipe data upon received special message. A phone can also be disabled from using any cellular service upon registering its IMEI code in a special provider database.
• Minimize functionality. Telephone vendors provide numerous functions that may be helpful, however increased number of features and capabilities often opens door to insecurities. Reducing them will achieve the opposite effect. Same process of hardening
1computer systems can be applied to mobile devices.
• Security software. Due to similar threats with computer systems, handheld devices need antivirus software to protect them from malware and viruses, firewalls, intru- sion detection/prevention systems, antispam solutions, device content and memory card encryption and wiping software, user authentication alternatives, including biometric and token-based mechanisms, and virtual private network software. In the corporate environment centralized approach to security is often needed. The following device functions are common examples of what is essential:
– Device registration
– Installation of client software, policy rules, and control settings
– Controls over password length and composition, number of entry attempts – Remote password reset
– Remote erasure or locking of device
– Controls to restrict application downloads, access, and use – Controls over wireless interfaces
– Controls to restrict camera, microphone, and removable media usage – Controls over device content and removable media use
– Controls over VPN, firewall, antivirus, intrusion detection, and antispam com- ponents
– Remote update of client software, policy rules, and control settings
1
