3.1 Introduction
In this modern era, the rising importance of electronic gadgets (i.e., mobile hand-held devices), which have become an integral part of business by providing Internet connectivity outside the office, brings many challenges in securing these devices from becoming victims of cybercrime. In recent years, the use of laptops, personal digital assistants (PDAs) and mobile phones has grown from limited user communities to widespread desktop replacement and broad deployment. According to the Quocirca Insight Report (2009), by the end of 2008 around 1.5 billion individuals around the world had Internet access. In November 2007, mobile phone users numbered 3.3 billion, with a growing proportion of those mobile devices enabled for Internet access.
The complexity of managing these devices outside the walls of the office is something that the information technology (IT) departments in organizations need to address. Remote connection has extended from fixed-location dial-in to wireless-on-the-move, and smart hand-held devices such as PDAs have become networked, converging with mobile phones. Furthermore, the maturation of the PDA and advancements in cellular phone technology have converged into a new category of mobile phone device: the Smartphone.
Smartphones combine the best aspects of mobile and wireless technologies and blend them into a useful business tool. Although IT departments of organizations are not yet swapping employees' company-provided PDAs (as the case may be) for Smartphones, many users may bring these devices from home and use them in the office. Research in Motion's (RIM) BlackBerry Wireless Hand-held is an alternate technology. According to the Research in Motion Annual Report (2009), there are over 175,000 organizations with BlackBerry Enterprise Server [2] installed behind the corporate firewall (i.e., corporations that use the BlackBerry Enterprise Server and client/server software for data communication between corporate BlackBerry devices and other mail systems).
Thus, the larger and more diverse community of mobile users and their devices increases the demands on the IT function to secure the device, the data and the connection to the network, keeping control of corporate assets while at the same time supporting mobile user productivity. Clearly, these technological developments present a new set of security challenges to global organizations.
3.2 Proliferation of Mobile and Wireless Devices
Today, incredible advances are being made in mobile devices. The trend is toward smaller devices with more processing power. A few years ago, the choice was between a wireless phone and a simple PDA. Now buyers have a choice between high-end PDAs with integrated wireless modems and small phones with wireless Web-browsing capabilities. A long list of options is available to mobile users. A simple hand-held mobile device provides enough computing power to run small applications, play games and music, and make voice calls. A key driver for the growth of mobile technology is the rapid growth of business solutions on hand-held devices. Figure 3.1 shows some typical hand-held devices.
As the term "mobile device" includes many products, we first provide a clear distinction among the key terms: mobile computing, wireless computing and hand-held devices. Figure 3.2 helps us understand how these terms are related. Let us understand the concept of mobile computing and the various types of devices.
1. Portable computer: It is a general-purpose computer that can be easily moved from one place to another, but cannot be used while in transit, usually because it requires some "setting-up" and an AC power source.
2. Tablet PC: It lacks a keyboard, is shaped like a slate or a paper notebook and has a touch screen with a stylus and handwriting recognition software. Tablets may not be best suited for applications requiring a physical keyboard for typing, but are otherwise capable of carrying out most tasks that an ordinary laptop would be able to perform.
3. Internet tablet: It is an Internet appliance in tablet form. Unlike a Tablet PC, the Internet tablet does not have much computing power and its application suite is limited.
4. Personal digital assistant (PDA): It is a small, usually pocket-sized, computer with limited functionality. It is intended to supplement and synchronize with a desktop computer, giving access to contacts, address book, notes, E-Mail and other features.
5. Ultramobile PC: It is a full-featured, PDA-sized computer running a general-purpose operating system (OS).
6. Smartphone: It is a PDA with integrated cell phone functionality. Current Smartphones have a wide range of features and installable applications.
7. Carputer: It is a computing device installed in an automobile. It operates as a wireless computer, sound system, global positioning system (GPS) and DVD player. It also contains word processing software and is Bluetooth compatible.
8. Fly Fusion Pentop computer: It is a computing device with the size and shape of a pen. It functions as a writing utensil, MP3 player, language translator, digital storage device and calculator.
3.3 Trends in Mobility
Mobile computing is moving into a new era, third generation (3G), which promises greater variety in applications, highly improved usability and speedier networking. The "iPhone" from Apple and Google-led "Android" phones are the best examples of this trend, and there are plenty of other developments that point in this direction. This smart mobile technology is rapidly gaining popularity, and attackers (hackers and crackers) are among its biggest fans. It is worth noting the trends in mobile computing; this will help readers realize the seriousness of cyber security issues in the mobile computing domain.
To assess the major challenges in the mobility domain, let us look at the statistics found during surveys. In one such survey, reported by Quocirca, employees working in government departments had lost or mislaid over 1,000 laptops, lost more than 500 phones or mobile E-Mail gadgets and lost over 700 other mobile devices (i.e., probably memory sticks, cameras, etc.). In another such survey reported by Quocirca, of the 2,853 respondents, 29% had broad experience of wireless laptops and 14% had broad experience of smart hand-helds, with around a further 60% in each case having more limited or unofficial experience. Findings from surveys like these help us demystify many perceptions about mobile and wireless connectivity.
The results of surveys like these indicate that we are grappling with a "perception problem": most people have not yet come to terms with the fact that hand-held devices may look "harmless" but can cause serious cyber security issues for organizations.
The new 3G networks are not entirely built with IP data security in mind. Moreover, compared with voice-centric security threats, the IP data world is new to mobile operators.
Popular types of attacks against 3G mobile networks are as follows:
Malware, viruses and worms: Although many users are still in the transient process of switching from 2G and 2.5G to 3G, there is a growing need to educate the community and raise awareness of the threats that exist while using mobile devices. Here are a few examples of malware specific to mobile devices:
Skull Trojan: It targets Series 60 phones equipped with the Symbian mobile OS.
Cabir Worm: It is the first dedicated mobile-phone worm; it infects phones running Symbian OS and scans for other mobile devices to send a copy of itself to the first vulnerable phone it finds through Bluetooth wireless technology.
Lasco Worm: It targets devices running Symbian OS. Lasco is based on Cabir's source code and replicates over Bluetooth connections.
Denial-of-service (DoS): The main objective behind this attack is to make the system unavailable to its intended users. Virus attacks can be used to damage the system and make it unavailable. Presently, one of the most common cyber security threats to wired Internet service providers (ISPs) is the distributed denial-of-service (DDoS) attack. DDoS attacks are used to flood the target system with data so that the response from the target system is either slowed or stopped. Botnets/zombies are used to create enough traffic to impose that kind of damage.
Overbilling attack: Overbilling involves an attacker hijacking a subscriber's IP address and then using it (i.e., the connection) to initiate downloads that are not "free downloads" or simply using it for his/her own purposes. In either case, the legitimate user is charged for activity that the user did not conduct or authorize.
3.4 Credit Card Frauds in Mobile and Wireless Computing Era
E-crimes are new trends in cybercrime that are coming up with mobile computing: mobile commerce (M-Commerce) and mobile banking (M-Banking). Credit card frauds are now becoming commonplace given the ever-increasing power and the ever-reducing prices of mobile hand-held devices, factors that result in easy availability of these gadgets to almost anyone. Credit card transactions are now very common, and new technologies combine low-cost mobile phone technologies with the capabilities of a terminal.
Today belongs to "mobile computing," that is, anywhere, anytime computing. The developments in wireless technology have fuelled this new mode of working for white-collar workers. This is true for credit card processing too.
Wireless credit card processing is a relatively new service that will allow a person to process
credit cards electronically, virtually anywhere.
Wireless credit card processing is a very desirable system, because it allows businesses to
process transactions from mobile locations quickly, efficiently and professionally.
It is most often used by businesses that operate mainly in a mobile environment. These
businesses include mobile utility repair service businesses, locksmiths, mobile windshield repair
and others.
Some upscale restaurants are using wireless processing equipment for the security of their credit
card paying customers.
There is a system available from an Australian company, Alacrity, called closed-loop environment wireless (CLEW).
3.4.1 Types and Techniques of Credit Card Frauds
Traditional Techniques: The traditional and the first type of credit card fraud is paper-based fraud (application fraud), wherein a criminal uses stolen or fake documents such as utility bills and bank statements to build up useful personally identifiable information (PII) to open an account in someone else's name.
Application fraud can be divided into:
ID theft: Where an individual pretends to be someone else.
Financial fraud: Where an individual gives false information about his or her financial status to acquire credit.
Illegal use of lost and stolen cards is another form of traditional technique. A credit card is stolen either by pickpocketing or from the postal service before it reaches its final destination.
Modern Techniques: Sophisticated techniques enable criminals to produce fake and doctored cards. Then there are also those who use skimming to commit fraud. Skimming is where the information held on either the magnetic stripe on the back of the credit card or the data stored on the smart chip is copied from one card to another. Site cloning and false merchant sites on the Internet are becoming a popular method of fraud, and directing users to such bogus/fake sites is called phishing.
Such sites are designed to get people to hand over their credit card details without realizing that they have been directed to a fake weblink/website (i.e., they have been scammed).
1. Triangulation: It is another method of credit card fraud and works as explained below.
The criminal offers goods at heavily discounted rates through a website designed and hosted by him, which appears to be a legitimate merchandise website. The customer registers on this website with his/her name, address, shipping address and valid credit card details.
The criminal orders the goods from a legitimate website with the help of stolen credit card details and supplies the shipping address that was provided by the customer while registering on the criminal's website.
The goods are shipped to the customer and the transaction gets completed. The criminal keeps on purchasing other goods using the fraudulent credit card details of different customers till the criminal closes the existing website and starts a new one. Such websites are usually available for a few weeks/months, till the authorities track the websites through which the criminal has enticed individuals to reveal their personal details, which enabled the criminal to commit the transactions using the credit card details of these customers.
The entire investigation process for tracking and reaching these criminals is time-consuming, and the criminals may close such fake websites midway through the process, which causes further difficulty in tracing the criminal.
The criminals aim to create a great deal of confusion for the authorities so that they can operate long enough to accumulate a vast amount of goods purchased through such fraudulent transactions.
2. Credit card generators: This is a modern technique, using computer emulation software, that creates valid credit card numbers and expiry dates. Criminals rely heavily on these generators to create valid credit cards. These are available for free download on the Internet.
3.7 Authentication Service Security
There are two components of security in mobile computing: security of devices and security in networks. Secure network access involves mutual authentication between the device and the base stations or Web servers. This is to ensure that only authenticated devices can be connected to the network for obtaining the requested services, and that no malicious code can impersonate the service provider to trick the device into doing something it does not mean to. Thus, the networks also play a crucial role in the security of mobile devices. Some prominent kinds of attacks to which mobile devices are subjected are push attacks, pull attacks and crash attacks.
Authentication service security is important given the typical attacks on mobile devices through wireless networks: DoS attacks, traffic analysis, eavesdropping, man-in-the-middle attacks and session hijacking. We will continue further technical discussion on such topics in Chapter 4. Security measures in this scenario come from Wireless Application Protocols (WAPs), use of VPNs, media access control (MAC) address filtering and developments in the 802.xx standards.
3.7.1 Cryptographic Security for Mobile Devices
In this section we discuss a technique known as cryptographically generated addresses (CGA). A CGA is an Internet Protocol version 6 (IPv6) address in which up to 64 address bits (the interface identifier) are generated by hashing the owner's public key. The owner then uses the corresponding private key to assert ownership of the address.
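As an added illustration, not part of the original text, the following Go program derives and verifies a CGA along the lines of the RFC 3972 construction: the 64-bit interface identifier is the leftmost 64 bits of SHA-1 over a modifier, the subnet prefix, a collision count and the public key, with the 3-bit security parameter sec written into the top bits and the u/g bits cleared; a second hash (Hash2) must carry 16*sec leading zero bits, which the generator finds by stepping the modifier. The prefix 2001:db8::/64, the placeholder public-key bytes and the all-zero starting modifier are constructed sample values, and the message signing with the private key that completes the protocol is not shown.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"net"
)

// CGAParams holds the values that are hashed into a cryptographically
// generated address. The owner publishes them next to the address so peers
// can re-run the hash; only the owner holds the matching private key.
type CGAParams struct {
	Modifier       [16]byte // 128-bit value, stepped during the Hash2 search
	SubnetPrefix   [8]byte  // leftmost 64 bits of the IPv6 address
	CollisionCount uint8    // raised by duplicate address detection, max 2
	PublicKey      []byte   // DER-encoded public key in practice; opaque bytes here
}

// hash1 returns the leftmost 64 bits of SHA-1(modifier | prefix | count | key).
func hash1(p CGAParams) [8]byte {
	var in bytes.Buffer
	in.Write(p.Modifier[:])
	in.Write(p.SubnetPrefix[:])
	in.WriteByte(p.CollisionCount)
	in.Write(p.PublicKey)
	sum := sha1.Sum(in.Bytes())
	var out [8]byte
	copy(out[:], sum[:8])
	return out
}

// hash2 returns the leftmost 112 bits of SHA-1(modifier | 9 zero bytes | key).
// Prefix and count are zeroed so the costly search need not be repeated
// when the host moves to another subnet.
func hash2(p CGAParams) [14]byte {
	var in bytes.Buffer
	in.Write(p.Modifier[:])
	in.Write(make([]byte, 9))
	in.Write(p.PublicKey)
	sum := sha1.Sum(in.Bytes())
	var out [14]byte
	copy(out[:], sum[:14])
	return out
}

// leadingZeroBits reports whether the first n bits of h are all zero.
func leadingZeroBits(h [14]byte, n uint) bool {
	for i := uint(0); i < n; i++ {
		if h[i/8]&(0x80>>(i%8)) != 0 {
			return false
		}
	}
	return true
}

// incrementModifier treats the modifier as a big-endian 128-bit counter.
func incrementModifier(m *[16]byte) {
	hi := binary.BigEndian.Uint64(m[:8])
	lo := binary.BigEndian.Uint64(m[8:])
	lo++
	if lo == 0 {
		hi++
	}
	binary.BigEndian.PutUint64(m[:8], hi)
	binary.BigEndian.PutUint64(m[8:], lo)
}

// GenerateCGA derives an IPv6 address from the owner's public key. sec (0..7)
// demands 16*sec leading zero bits in Hash2: a one-off cost for the owner that
// multiplies the work of anyone trying to find a colliding key.
func GenerateCGA(prefix [8]byte, pub []byte, sec uint8, modifier [16]byte) (net.IP, CGAParams) {
	p := CGAParams{Modifier: modifier, SubnetPrefix: prefix, PublicKey: pub}
	for !leadingZeroBits(hash2(p), 16*uint(sec)) {
		incrementModifier(&p.Modifier)
	}
	h1 := hash1(p)
	ip := make(net.IP, 16)
	copy(ip[:8], prefix[:])
	copy(ip[8:], h1[:])
	ip[8] = (ip[8] & 0x1c) | (sec << 5) // top 3 bits = sec, u/g bits cleared
	return ip, p
}

// VerifyCGA re-derives the address from the published parameters; a peer
// runs this before trusting a message signed with the owner's key.
func VerifyCGA(ip net.IP, p CGAParams) bool {
	ip = ip.To16()
	if ip == nil || p.CollisionCount > 2 || !bytes.Equal(ip[:8], p.SubnetPrefix[:]) {
		return false
	}
	h1 := hash1(p)
	h1[0] &= 0x1c // the generator overwrote sec and u/g bits, so ignore them
	if !bytes.Equal(h1[:], append([]byte{ip[8] & 0x1c}, ip[9:]...)) {
		return false
	}
	sec := ip[8] >> 5
	return leadingZeroBits(hash2(p), 16*uint(sec))
}

func main() {
	// Constructed sample inputs: prefix 2001:db8::/64 and a stand-in public key.
	prefix := [8]byte{0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0}
	pub := []byte("constructed-public-key-bytes")
	var modifier [16]byte
	ip, params := GenerateCGA(prefix, pub, 1, modifier)
	fmt.Println("CGA:", ip, "verifies:", VerifyCGA(ip, params))
	params.PublicKey = []byte("someone-else's-key")
	fmt.Println("with a different key:", VerifyCGA(ip, params))
}
```

A peer that sees a packet from this address recomputes the hash from the published parameters, so impersonation requires a public key whose hash collides with the 59 free bits of the identifier; raising sec adds 16 bits of required work per step, which is why the owner pays the Hash2 search once at generation time rather than at every use.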
3.8 Attacks on Mobile/Cell Phones
3.8.1 Mobile Phone Thefts
Mobile phones have become an integral part of everybody's life, and the mobile phone has transformed from being a luxury to a bare necessity. Increase in purchasing power and the availability of numerous low-cost handsets have also led to an increase in mobile phone users. Theft of mobile phones has risen dramatically over the past few years.
Cell phones have become the new playground for attackers, the reason being the increasing usage of cell phones and the availability of Internet access through cell phones. Another reason is the increasing demand for Wi-Fi zones in the metropolitan areas and the extensive usage of cell phones by youths who lack awareness/knowledge of the vulnerabilities of the technology.
The following factors contribute to outbreaks on mobile devices:
1. Enough target terminals: The first Palm OS virus was seen after the number of Palm OS devices reached 15 million. The first instance of a mobile virus was observed during June 2004 when it…
A mobile virus is similar to a computer virus; it targets mobile phone data or the applications/software installed on the phone. Virus attacks on mobile devices are no longer an exception or proof-of-concept nowadays. In total, 40 mobile virus families and more than 300 mobile viruses have been identified. The first mobile virus was identified in 2004, and this marked the beginning of the understanding that mobile devices can act as vectors to enter the computer network.
Mobile viruses spread through two dominant communication protocols: Bluetooth and MMS. A Bluetooth virus can easily spread within a distance of 10-30 m through Bluetooth-activated phones.
Bluejacking, Bluesnarfing, Bluebugging and Car Whisperer are common attacks that have emerged as Bluetooth-specific security issues.
Bluejacking: It means Bluetooth + Jacking, where Jacking is short for hijack (the act of taking over something). Bluejacking is sending unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs or computers (within a 10-m radius), for example, sending a visiting card which contains a message in the name field. If the user does not recognize/realize what the message is, he/she might allow the contact to be added to his/her address book, and the contact can then send messages that might be automatically opened because they are coming from a known contact.
3.9 Mobile Devices: Security Implications for Organizations
3.9.1 Managing Diversity and Proliferation of Hand-Held Devices
In the previous sections we have talked about the micro issues of a purely technical nature in mobile device security. In this section, we focus on the macro issues at the organizational level. Given the threats to information systems through the usage of mobile devices, organizations need to establish security practices at a level appropriate to their security objectives, subject to legal and other external constraints. Some organizations will implement security procedures and tools extensively, whereas others will place more value on cost and convenience.
Whatever approach an organization chooses, it is important that the policy-making effort starts with commitment from a Chief Executive Officer (CEO), President or Director who takes cyber security seriously and communicates that throughout the organization. The best security technology features will be found to be worthless if there is no organizational policy or automated enforcement to ensure that they are actually used.
In some cases, for example, senior executives have been given special access rights to the corporate network which can circumvent standard security procedures. Cyber security is always a primary concern; even then, at times, there is still some short-sightedness. Most organizations fail to see the long-term significance of keeping track of who owns what kind of mobile devices. Mobile devices of employees should be registered in the corporate asset register irrespective of whether or not the devices have been provided by the organization.
In addition, employees should be encouraged to register with the IT department any devices they use themselves, so that access can be provisioned in a controlled manner and de-provisioned appropriately when the employee leaves.
3.9.2 Unconventional/Stealth Storage Devices
We have already mentioned the mobile phones and media players used by employees. In this section, we would like to emphasize the widening spectrum of mobile devices and focus on secondary storage devices such as compact disks (CDs) and Universal Serial Bus (USB) drives (also called zip drives or memory sticks) used by employees. As the technology advances, the devices continue to decrease in size and emerge in new shapes and sizes; the unconventional/stealth storage devices available nowadays are difficult to detect and have become a prime challenge for organizational security.
Firewalls and antivirus software are no defense against the threat of open USB ports. Not only can viruses, worms and Trojans (we will discuss these further in Chapter 4) get into the organization's network, but they can also destroy valuable data in the organization's network. The organization has to have a policy in place to block these ports when issuing the asset to the employee. However, sometimes the standard access controls of the Windows OS do not allow the assignment of permissions for USB ports, and restricting these devices becomes next to impossible. Disgruntled employees can connect a USB drive/small digital camera/MP3 player to the USB port of any unattended computer and will be able to download confidential data or upload harmful viruses. As the malicious attack is launched from within the organization, firewalls and antivirus software are not alerted.
Using the "DeviceLock" software solution, one can control unauthorized access to plug-and-play devices (for more details, visit http://www.devicelock.com/). The features of the software allow the system administrator to:
1. Monitor which users or groups can access USB ports, Wi-Fi and Bluetooth adapters, CD read-only memories (CD-ROMs) and other removable devices.
2. Control access to devices depending on the time of day and day of the week.
3. Create a white list of USB devices, which allows you to authorize only specific devices that will not be locked regardless of any other settings.
4. Set devices in read-only mode.
5. Protect disks from accidental or intentional formatting.
3.9.3 Threats through Lost and Stolen Devices
This is a new emerging issue for cyber security. Often mobile hand-held devices are lost while people are on the move. Lost mobile devices are becoming an even larger security risk to corporations. A report based on a survey of London's 24,000 licensed cab drivers quotes that 2,900 laptops, 1,300 PDAs and over 62,000 mobile phones were left in London cabs over a 6-month period in the year 2001. Today this figure (lost mobile devices) could be far larger given the greatly increased sales and usage of mobile devices.
The cyber security threat under this scenario is scary; owing to a general lack of security in mobile devices, it is often not the value of the hand-held device that is important but rather the content which, if lost or stolen, can put a company at serious risk of sabotage, exploitation or damage to its professional integrity, as most of the time the mobile hand-held devices are provided by the organization. Most of these lost devices have wireless access to a corporate network and potentially very little security, making them a weak link and a major headache for security administrators. Even if these lost devices are personal, the issue is no less serious given the resulting privacy exposures! Gartner Group had predicted that by 2003 there would be over one billion mobile devices in use globally. This is true going by the sales figures quoted in annual reports published by Research in Motion.
3.10 Organizational Measures for Handling Mobile Devices-Related Security Issues
So far, we have discussed micro- and macro-level security issues with mobile devices used for mobile computing purposes and what individuals can do to protect their personal data on mobile devices. In this section, we discuss what organizations can do toward safeguarding their information systems in the mobile computing paradigm.
3.10.1 Encrypting Organizational Databases
Critical and sensitive data reside in databases (say, applications such as customer relationship management (CRM) that utilize patterns discovered through data warehousing and data mining (DM) techniques), and with the advances in technology, access to these data through hand-held devices is not impossible. It is clear that to protect organizations from data loss, such databases need encryption. We mention here two algorithms that are typically used to implement strong encryption of database files. The first is Rijndael (pronounced rain-dahl or Rhine-doll), a block encryption algorithm chosen as the new Advanced Encryption Standard (AES) for block ciphers by the National Institute of Standards and Technology (NIST) (see Ref. #13, Additional Useful Web References, Further Reading). The other algorithm used to implement strong encryption of database files is the Multi-Dimensional Space Rotation (MDS) algorithm developed by Casio.
The term "strong encryption" is used here to describe these technologies in contrast to simple encryption. Strong encryption means that it is much harder to break, but it also has a significant impact on performance. Database file encryption technology, using either the AES or the MDS algorithm, makes the database file inoperable without the key (password). Encrypting the database scrambles the information contained in the main database file, the temporary files and the transaction log files so that it cannot be deciphered by looking at the files using a disk utility. There is a performance impact for using strong encryption. A weaker form of encryption is also available that has negligible performance impact.
When using strong encryption, it is important not to store the key on the mobile device: this is equivalent to leaving a key in a locked door. However, if you lose the key, your data are completely inaccessible. The key is case-sensitive and must be entered correctly to access your database. The key is required whenever you want to start the database or use a utility on your database. For greater security there is an option available that instructs the database server to display a dialog box where the user can enter the encryption key. This option is necessary because the encryption key should not be entered on the machine in clear text.
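The following Go program is an added example, not the book's or any database vendor's code, of the file-level scheme the two paragraphs above describe: the database file is sealed with AES-256 in GCM mode under a key derived from the operator's case-sensitive passphrase, and only a random salt, the nonce and the ciphertext are written out, so the key itself never rests on the device. The PBKDF2-HMAC-SHA256 derivation is written out by hand to stay within the standard library; the iteration count, the sample CSV contents and the passphrase are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

const (
	saltLen    = 16     // random per-file salt, stored with the ciphertext
	keyLen     = 32     // a 32-byte key selects AES-256
	iterations = 100000 // PBKDF2 work factor (constructed value for the example)
)

// deriveKey stretches the case-sensitive passphrase into an AES-256 key with
// PBKDF2-HMAC-SHA256 (RFC 8018). A passphrase that differs only in case
// yields an unrelated key, so the file simply fails to open.
func deriveKey(passphrase string, salt []byte) []byte {
	prf := hmac.New(sha256.New, []byte(passphrase))
	hashLen := prf.Size()
	blocks := (keyLen + hashLen - 1) / hashLen
	var out []byte
	for i := 1; i <= blocks; i++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], uint32(i))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for n := 1; n < iterations; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

func newGCM(passphrase string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKey(passphrase, salt))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptDatabaseFile seals the file contents. The output layout is
// salt | nonce | ciphertext+tag; the key is derived on the fly and never
// written anywhere, which is the property the text insists on.
func EncryptDatabaseFile(plain []byte, passphrase string) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
		return nil, err
	}
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, saltLen+len(nonce)+len(plain)+gcm.Overhead())
	out = append(out, salt...)
	out = append(out, nonce...)
	// The salt is bound as associated data so it cannot be swapped unnoticed.
	return gcm.Seal(out, nonce, plain, salt), nil
}

// DecryptDatabaseFile reverses EncryptDatabaseFile. GCM's tag check turns a
// wrong passphrase or a modified file into an error instead of garbage.
func DecryptDatabaseFile(blob []byte, passphrase string) ([]byte, error) {
	if len(blob) < saltLen {
		return nil, errors.New("file too short to contain a salt")
	}
	salt := blob[:saltLen]
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	if len(blob) < saltLen+gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("file too short to contain nonce and tag")
	}
	nonce := blob[saltLen : saltLen+gcm.NonceSize()]
	plain, err := gcm.Open(nil, nonce, blob[saltLen+gcm.NonceSize():], salt)
	if err != nil {
		return nil, errors.New("wrong key or corrupted database file")
	}
	return plain, nil
}

func main() {
	// Constructed sample database content; a real file would be far larger.
	db := []byte("id,name,card_last4\n1,Alice,4242\n2,Bob,0005\n")
	blob, err := EncryptDatabaseFile(db, "Correct Horse")
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted file is %d bytes; the key is not among them\n", len(blob))
	if _, err := DecryptDatabaseFile(blob, "correct horse"); err != nil {
		fmt.Println("wrong case:", err)
	}
	plain, err := DecryptDatabaseFile(blob, "Correct Horse")
	fmt.Printf("correct key: %q (err=%v)\n", plain, err)
}
```

Because the passphrase is turned into the key only at the moment the file is opened, nothing on disk reveals it; the price, exactly as the text warns, is that a forgotten passphrase leaves the data unrecoverable, and the salt plus iteration count are what keep the derivation costly enough to slow guessing on a stolen device.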
To protect against the scenario of information theft through mobile devices connecting to corporate databases, additional security measures are possible through enforcing a self-destruct policy that is controlled from the server. When a device that has been identified as lost or stolen connects to the organization's server, the IT department can have the server send a package to destroy privileged data on the device.
3.10.2 Including Mobile Devices in Security Strategy
The discussion so far makes a strong business case: in recognition of the fact that our mobile workforce is on the rise, organizational IT departments will have to take accountability for cybersecurity threats that come through inappropriate access to organizational data from mobile-device-using employees. Encryption of corporate databases is not the end of everything. However, enterprises that do not want to include mobile devices in their environments often use security as an excuse, saying they fear the loss of sensitive data that could result from a PDA being stolen or an unsecured wireless connection being used. Their concerns are no longer valid. There are technologies available to properly secure mobile devices. These should be good enough for most organizations. Corporate IT departments just need to do their homework. For example, there are ways to make devices lock or destroy the lost data by sending the machine a special message. Also, some mobile devices have high-powered processors that will support 128-bit encryption.
Although mobile devices do pose unique challenges from a cybersecurity perspective, there are some general steps that users can take to address them, such as integrating security programs for mobile and wireless systems into the overall security blueprint. A few things that enterprises can do are:
1. Implement strong asset management, virus checking, loss prevention and other controls for mobile systems that will prohibit unauthorized access and the entry of corrupted data.
2. Investigate alternatives that allow secure access to company information through a firewall, such as mobile VPNs.
3. Develop a system of more frequent and thorough security audits for mobile devices.
4. Incorporate security awareness into your mobile training and support programs so that everyone understands just how important an issue security is within a company's overall IT strategy.
5. Notify the appropriate law-enforcement agency and change passwords. User accounts should be closely monitored for any unusual activity for a period of time.
In the next section, our focus is on security policies relating to mobile devices.
3.11 Organizational Security Policies and Measures in Mobile Computing Era
3.11.1 Importance of Security Policies relating to Mobile Computing Devices
The proliferation of hand-held devices makes the cyber security issue graver than we would tend to think. People (especially the youth) have grown so used to their hand-helds that they are treating them like wallets! For example, people are storing more types of confidential information on mobile computing devices than their employers or they themselves know, and they listen to music using their hand-helds. One should think about not keeping credit card and bank account numbers, passwords, confidential E-Mails, strategic information about the organization, merger or takeover plans and other valuable information that could impact stock values on mobile devices.
Imagine the business impact if an employee's USB, pluggable drive or laptop was lost or stolen,
revealing sensitive customer data such as credit reports, social security numbers (SSNs) and
contact information. Not only would this be a public relations (PR) disaster, but it could also
violate laws and regulations. One should give a deep thought about the potential legal troubles
for a public company whose sales reports, employee records or expansion plans may fall into
wrong hands.
When controls cannot be implemented to protect data in the event they are stolen, the simplest solution is to prevent users from storing proprietary information on platforms deemed to be insufficiently secure.
This sort of policy can be difficult to enforce; however, by increasing user awareness it can be reasonably effective. The information classification and handling policy should clearly define what sorts of data may be stored on mobile devices. In the absence of other controls, simply not storing confidential data on at-risk platforms will mitigate the risk of theft or loss.
A survey released by the Ponemon Institute, on behalf of Cellcrypt (www.cellcrypt.com), reveals that large and medium businesses are putting themselves at risk as a result of cell phone voice call interception.
According to this survey of 75 companies and 107 senior executives in the US, it costs US corporations on average US$ 1.3 million each time a corporate secret is revealed to unauthorized parties. About 18% of respondents estimate such losses to occur weekly or more frequently, 61% at least monthly and 90% at least annually.
The survey asked the participants about the likelihood of six separate scenarios, involving the use of cell phones to communicate sensitive and confidential information, occurring in their organizations. The scenarios described the following:
1. A CEO's administrative assistant uses a cell phone to arrange ground transportation that reveals the CEO's identity and location.
2. The finance and accounting staff discusses an earnings press release and one participant on the call is using a cell phone.
3. A conference call among senior leaders in the organization in which cell phones are sometimes used.
4. A sales manager conducting business in Asia uses his/her cell phone to communicate with the home office.
5. An external lawyer asks for proprietary and confidential information while using his cell phone.
6. A call center employee assists a customer using a cell phone to establish an account and collects personal information (including SSN).
3.11.2 Operating Guidelines for Implementing Mobile Device Security Policies
In situations such as those described above, the ideal solution would be to prohibit all
confidential data from being stored on mobile devices, but this may not always be practical.
Organizations can, however, reduce the risk that confidential information will be accessed from
lost or stolen mobile devices through the following steps:
1. Determine whether the employees in the organization need to use mobile computing
devices at all, based on their risks and benefits within the organization, industry and
regulatory environment.
2. Implement additional security technologies, as appropriate to fit both the organization
and the types of devices used. Most (and perhaps all) mobile computing devices will need
to have their native security augmented with such tools as strong encryption, device
passwords and physical locks.
Biometric techniques (retinal scans, iris scans, etc.) can be used for authentication and
encryption and have great potential to eliminate the challenges associated with
passwords.
3. Standardize the mobile computing devices and the associated security tools being used
with them.
As a matter of fundamental principle, security deteriorates quickly as the tools and
devices used become increasingly disparate.
4. Develop a specific framework for using mobile computing devices, including guidelines
for data-syncing, the use of firewalls and anti-malware software and the types of
information that can be stored on them.
5. Centralize management of your mobile computing devices. Maintain an inventory so that
you know who is using what kinds of devices.
6. Establish patching procedures for software on mobile devices. This can often be
simplified by integrating patching with syncing or patch management with the centralized
inventory database.
7. Label the devices and register them with a suitable service that helps return recovered
devices to their owners.
8. Establish procedures to disable remote access for any mobile devices reported as lost or
stolen. Many devices allow the users to store usernames and passwords for website
portals, which could allow a thief to access even more information than on the device
itself.
9. Remove data from computing devices that are not in use or before re-assigning those
devices to new owners (in the case of company-provided mobile devices for employees). This
is to preclude incidents in which people obtain "old" computing devices that still
contain confidential company data.
10. Provide education and awareness training to personnel using mobile devices. People
cannot be expected to appropriately secure their information if they have not been told
how.
3.12 Laptops
As the price of computing technology steadily decreases, the use of devices such as
laptops is becoming more common. Although laptops, like other mobile devices, enhance
business functions by providing mobile access to information anytime and
anywhere, they also pose a large threat precisely because they are portable.
3.12.1 Physical Security Countermeasures
Organizations are heavily dependent upon a mobile workforce with access to information, no
matter where they travel. However, this mobility is putting organizations at risk of having a data
breach if a laptop containing sensitive information is lost or stolen. Hence, physical security
countermeasures are becoming vital to protect the information on employees' laptops
and to reduce the likelihood that employees will lose laptops. Management also has to take care
of creating awareness among the employees about physical security countermeasures by
continuous training and stringent monitoring of organizational policies and procedures about
these physical security countermeasures.
1. Cables and hardwired locks: The most cost-efficient and ideal solution to safeguard any
mobile device is securing with cables and locks, specially designed for laptops. These
cables are made of aircraft-grade steel and Kevlar brand fiber, thus making these cables
40% stronger than other conventional security cables. One end of the security cable
fits into the universal security slot of the laptop and the other end is locked around a
fixed piece of furniture or other item, thus making a loop.
2. Laptop safes: Safes made of polycarbonate (the same material that is used in
bulletproof windows, police riot shields and bank security screens) can be used to carry
and safeguard laptops. The advantage of safes over security cables is that they protect
the whole laptop and its components such as CD-ROM bays, PCMCIA cards and HDD bays,
which can be easily removed in the case of laptops protected only by security cables.
3. Motion sensors and alarms: Even though alarms and motion sensors are annoying
owing to their false alarms and loud sound level, these devices are very efficient in
securing laptops. Once these devices are activated, they can be used to track missing
laptops in crowded places. Also owing to
Figure 3.14
(a) Kensington cable locks for laptops. (b) Closer view of cable locks for laptops.