Study into the Implications of Smartphone Operating System Security

Recommendations

Info

Study into the implications of Smartphone operating system security GovCertUK state that all public-sector computer security incidents should be logged with them and offer assistance in the identification and categorisation of information security events. They have published Incident Response Guidelines, available as a downloadable PDF from its website, that educate public sector organisations on how to deal with security incidents. The guidelines do not refer specifically to Smartphone vulnerabilities and threats although most of the guidance is applicable to all computer systems and services. The guidelines include advice on classifying incidents into four categories: Critical Significant Minor Negligible Impact Goode Intelligence contacted GovCertUK to enquire about their experience of dealing with Smartphone security incidents and managing vulnerabilities. Unfortunately, they were not able to deal with the enquiry and replied with “Our engagement is restricted as to whom we can engage with, and hence we are unable to provide you with further details on our processes and relationships with other CERTs, or any work with vulnerabilities.” The role of CERTs in Smartphone operating system software security From Goode Intelligence’s research CERT’s are currently performing a limited role in the Smartphone operating system security and vulnerability management process. In discussion with a number of the UK’s MNOs they had little involvement with CERTs including GovCertUK. Smartphones and other smart mobile devices have definitely started to turn up on the radar of CERTs. US-CERT has published a number of security publications specifically on mobile security that act as advisories. The information is aimed at a wide-range of communities including IT professionals, government users, businesses and home users. They include: Technical Information Paper-TIP-10-105-01 “Cyber Threats to Mobile Devices”: Published 15 April 2010. Cyber Threats to Mobile Phones: Published 2011 In terms of receiving information about Smartphone vulnerabilities this was most likely to come directly from the operating system vendors and handset manufacturers. Other bodies that were referenced by UK MNOs for information and advice on Smartphone vulnerabilities and threats were the GSMA Mobile Malware Group (MMG) and the NIST National Vulnerability Database (NVD) (which was unfortunately offline at the time of writing this report). Goode Intelligence © 2013 P a g e | 77 www.goodeintelligence.com
Study into the implications of Smartphone operating system security The GSMA MMG is a cross-industry working group that meets to share intelligence on mobile malware. The GSMA makes this statement on the MMG; “Although mobile malware has not reached predicted epidemic levels, the GSMA is aware of the potential threats and has established a Mobile Malware Group to coordinate the operator response to identified threats. The group facilitates the prompt exchange of information between industry stakeholders and encourages best practice to manage and handle malware by producing comprehensive guidelines for its members.” 69 The GSMA MMG has been favourably cited by the MNOs that Goode Intelligence has spoken to. The MMG regularly meets and shares information. However, the nature of the group has its limitations handling emergency scenarios that require a quick reactive response. It is Goode Intelligence’s belief that it doesn’t currently offer a CERT-like early warning system that allows real-time exchange of intelligence specifically aimed at mobile malware. The UK’s Premium Rate Services (PRS) regulator PhonepayPlus has presented at this forum to discuss their research, aided by Goode Intelligence, into the threat of mobile malware to the UK’s PRS industry. Other Vulnerability Management Resources There are other government run databases for vulnerability management including the National Vulnerability Database (NVD) and the Common Vulnerabilities and Exposures (CVE) database. NIST NVD The National Vulnerability Database is run by the US Government’s National Institute of Standards and Technology (NIST) and is a searchable (using the Security Content Automation Protocol (SCAP)) repository of standards-based vulnerability management data. The NVD does contain Smartphone operating system vulnerabilities but it may take a while for the latest vulnerabilities to be uploaded and for them to be matched against any patch that the operating system vendor may have released. CVE The Common Vulnerabilities and Exposures is a resource run by The MITRE Corporation and is a dictionary of publically known information security vulnerabilities and exposures. It is not a vulnerability database. Each vulnerability is allocated a CVE common identifier that has become a de facto standard for identifying vulnerabilities. The CVW common identifier is used by the NVD. 69 http://www.itu.int/ITU- D/treg/Events/Seminars/GSR/GSR12/consultation/GSR12Contribution_forinfo_GSMA.pdf Goode Intelligence © 2013 P a g e | 78 www.goodeintelligence.com
Page 1 and 2:
www.goodeintelligence.com £ Study
Page 3 and 4:
Study into the implications of Smar
Page 5 and 6:
Page 7 and 8:
Page 9 and 10:
Page 11 and 12:
Page 13 and 14:
Page 15 and 16:
Page 17 and 18:
Page 19 and 20:
Page 21 and 22:
Page 23 and 24:
Page 25 and 26:
Page 27 and 28: Study into the implications of Smar
Page 77: Study into the implications of Smar
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
show all

Study into the Implications of Smartphone Operating System Security

Create successful ePaper yourself

Delete template?

Save as template?