Once you make the decision to install a mobile capability for your corporate users, you have to understand that you have just opened the door to your enterprise. Mobile access points, for example, are easily found, and easily penetrated, if you don't install the proper security safeguards.
But before you do that, you have to understand the threat. And a threat there is. This tip, excerpted from
Requires Free Membership to View
SearchMobileComputing.com members gain immediate and unlimited access to expert guides for mobile deployment, management and security, industry trends, and more-- all at no cost. Join me on SearchMobileComputing.com today!
Kate Gerwig, Editorial Director
InformIT,
identifies several kinds of malicious users who can, and will, infiltrate and sabotage your
corporate activities. Knowing who is likely to mess up your security is the first step to
strengthening it.
The term malicious [user] is used liberally. What we are referring to is an individual or group who has the knowledge, skills, or access to compromise a system's security. Malicious user is a generic category encompassing a variety of roles that deserve additional discussion. A malicious user can be any of the following.
Organized crime (financial motivation)
These malicious users are capable, motivated, well organized, and well funded. They are intent on
operations such as cloning cell phones or other wireless devices and stealing money, goods, and
services. Organized crime is the most capable category of attackers. Their ability stems from
having the resources available to obtain the necessary hardware, software, and knowledge to mount
sophisticated attacks quickly if the potential financial benefits justify the effort.
Hackers (nonfinancial motivation)
These malicious users are also capable, motivated, and well organized and may be well funded.
Although hacker interest in wireless systems may initially be sparked by the financial or
proprietary information the system protects, their attacks are generally focused on achieving
notoriety. Attacks that can be expected of hackers include small-scale and wide-scale disruption of
operations and the collection and release of sensitive information.
Malicious Programmers (financial or brand damage)
These malicious users vary in their technical ability and are usually highly motivated by personal
greed, grievance, or grudge. They are usually not well organized but may possess significant
knowledge of the wireless system and access to internal processes. Malicious programmers can
originate from various sources: a disgruntled employee at a wireless manufacturer; an application
programming contractor; operations and support personnel; a knowledgeable programmer who feels
wronged by someone associated with the manufacture, distribution, or management of a wireless
system or device; a programmer who feels wronged by an individual or a company using wireless
systems or devices. Also in this group we consider attackers with nonmalicious intent whose actions
can incur security issues, either inadvertently or because of an interest in improving the system's
security. The information and vulnerabilities generated by nonmalicious attackers are capitalized
on by malicious attackers if not immediately addressed by the affected wireless component or
system.
Academics and security researchers
These attackers are capable, motivated, well organized, and often well funded. Academics and
security researchers can analyze the security of a wireless component or system from an
intellectual standpoint to determine how the system is designed or whether and how potential
vulnerabilities have been addressed. They look at both the theoretical and practical implementation
of the system, focusing primarily on issues in their area of expertise for the purposes of
advancing the field, or their standing in the field. Although this group does not have malicious
intent, malicious attackers can use their findings before mitigation or corrections are in place.
This group is more likely to inform the vendor when a vulnerability is detected, before publishing
their results, although this is not guaranteed.
Inexperienced programmers and designers
Although they do not fit most standard definitions of a malicious user, inexperienced programmers
and designers can inadvertently create security issues and are considered malicious for this
analysis. These inexperienced personnel are motivated to perform a specific task to support a
wireless system, but they do not possess the skill or experience necessary to execute the task
properly. The mistakes and oversights made by these personnel affect the operation of wireless
components and can adversely affect the security of the wireless system. Other attackers exploit
the vulnerabilities generated by inexperienced personnel.
To read the entire article from which this tip comes, click over to InformIT. You have to register there, but the registration is free.
This was first published in May 2003