Study into the Implications of Smartphone Operating System Security

Recommendations

Info

Study into the implications of Smartphone operating system security Goode Intelligence recommends that cross-industry representatives should liaise with UK MNOs to assist them in any cross-operator initiatives to improve the process in supporting multiple versions of Smartphone operating systems. An Investigation of Smartphone vulnerabilities and how they are being managed Key Findings Security vulnerabilities exist in every example of computer software and Smartphone operating systems are not exempt from this rule. Vulnerability management is the process or lifecycle that aims to manage computer vulnerabilities. There will be many vulnerability management models but essentially the main parts of the vulnerability management process are: 1. Identification (Including Disclosure) 2. Classification 3. Remediation (fixing or mitigation) Effective Smartphone vulnerability management is essential in how effectively vulnerabilities are discovered, disclosed, fixed and patched. If security vulnerabilities are not efficiently remediated (fixed) then the risk of them being effectively exploited will increase. This increases the risk to consumers. The actual risk to Smartphone owners to these vulnerabilities will be dependent on a number of factors including: The nature and risk level of the vulnerability, e.g. will the vulnerability lead to widespread disruption, potential financial fraud or identity theft? Who knows about the vulnerability? Is knowledge of the vulnerability restricted and confined to a criminal organisation or hostile nation state? How easy it is to exploit the vulnerability and has the exploit been automated and shared throughout the security research community? The speed for the vendor that is affected by the vulnerability to initially fix (patch) and then to distribute the remediated software to Smartphone owners Quality of communication. Is news about the vulnerability efficiently distributed to those parties that are affected by it? The willingness of the Smartphone owners to download and install the revised software update Smartphone operating system vulnerabilities are being discovered either by the operating system vendor themselves, by security research companies that specialise in vulnerability discovery and by individual security researchers. Computer Emergency Response Teams (CERTs) have been an important part of the vulnerability management landscape, especially in the enterprise environment. By Goode Intelligence © 2013 P a g e | 19 www.goodeintelligence.com
Study into the implications of Smartphone operating system security communicating vulnerability information to system administrators and security professionals and by providing a searchable database of known vulnerabilities nationally managed CERTs, including the UK’s own GovCertUK, are important centres for vulnerability management. From Goode Intelligence’s research CERT’s are currently performing a limited role in the Smartphone operating system security and vulnerability management process. In discussion with a number of the UK’s mobile operators they had little involvement with CERTs including GovCertUK. Smartphones and other smart mobile devices have definitely started to turn up on the radar of CERTs. US-CERT has published a number of security publications specifically on mobile security that act as advisories. Recommendations This is a constantly evolving landscape and there is a need to reach out to industry stakeholders to ensure that they are kept informed of the latest vulnerabilities that can affect UK consumers. Goode Intelligence believes that all of the major Smartphone operating system vendors are proactive in vulnerability management. They are doing a pretty good job of discovering and remediating vulnerabilities. However, there can be problems in pushing out ‘fixed’ or patched software updates to millions of Smartphone users in an appropriate period of time. There can be instances where vulnerabilities go unpatched for many months. This can lead to Smartphone owners being exposed to exploitable vulnerabilities for an excessive period of time. This situation is more acute with Android and is a consequence of the platform’s ‘fragmentation’ issue. As national CERTs are currently playing a limited role in the Smartphone operating system vulnerability management process they may want to improve their role by taking a more proactive stance and by improving their relationships with UK MNOs. Goode Intelligence © 2013 P a g e | 20 www.goodeintelligence.com
Page 1 and 2: www.goodeintelligence.com £ Study
Page 3 and 4: Study into the implications of Smar
Page 19: Study into the implications of Smar
Page 71 and 72:
Study into the implications of Smar
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
show all

Study into the Implications of Smartphone Operating System Security

Create successful ePaper yourself

Delete template?

Save as template?