Understanding and Mitigating Smartphone Risks


Nikola Blagojevic, CFE, CISA

In the past decade, public- and private-sector organizations have greatly increased their use of smartphones for their employees — they're now ubiquitous. Upside: simple and quick communication. Downside: Smartphones are easily lost, stolen and susceptible to cyberattacks because of their technological vulnerabilities. According to the CNBC article, Biggest cybersecurity threats in 2016, by Harriet Taylor, Dec. 28, 2015, "The evolution of cloud and mobile technologies, as well as the emergence of the 'Internet of Things,' is elevating the importance of security and risk management as foundations."

Smartphones are more at risk in certain areas — hotels, coffee shops, airports, cars, trains, etc. And home Wi-Fi connections can be potential risk areas if users don't properly secure them. An attacker could easily access confidential personally identifiable information (PII) and data, such as:

  • Personal or professional data (emails, documents, contacts, calendar, call history, SMS, MMS).
  • User identification and passwords (to emails, social networks, etc.).
  • Mobile applications that record PII.
  • Geolocation data about the smartphone user.

Poor configuration of particular smartphone parameters can also lead to security breaches. An attacker can initially target a smartphone that contains little or no classified data but then use it as a stepping stone to build a more complex attack to obtain access to sensitive applications or confidential data. For example, a hacker can use various seemingly unimportant pieces of data to social engineer victims into giving up more information that could enable him to stage a successful attack.

So while it's crucial that CFEs are aware that mobile devices — smartphones and tablets — bring fraud risks to organizations, it's also critical that they know the risks of using their own mobile devices in professional settings.

Understanding and mitigating the risks

The European Union Agency for Network and Information Security (ENISA) has defined 10 major risks for smartphone users:

  1. Data leakage resulting from device loss or theft.
  2. Unintentional disclosure of data.
  3. Attacks on decommissioned smartphones.
  4. Phishing attacks.
  5. Spyware attacks.
  6. Network spoofing attacks.
  7. Surveillance attacks.
  8. Diallerware attacks: an attacker steals money from the user by means of malware that makes hidden use of premium short message services or numbers.
  9. Financial malware attacks.
  10. Network congestion.

We can use these risks (listed from higher to lower risk) alongside the ISO 27002 standard to review professional use of smartphones within organizations. Internal auditors might not have the technical expertise, so you could hire external experts with specific skills to perform the proper tests. External experts also provide the necessary independence for testing organizations' security measures.

Here are various measures that can help reduce the risks associated with mobile devices:

  • Encrypt mobile devices.
  • Regularly update mobile devices' applications and operating systems.
  • Set strong passwords. Each personal identification number (PIN) should be at least eight digits long because a four-digit PIN can be easily broken. Alphanumeric passwords should be at least eight characters long and shouldn't use common names or words. An easy way to help create a memorable password is to use a favorite sentence. For example, you can create a password from "The ACFE is reducing business fraud worldwide and inspiring public confidence." Use the first letter of each word and replace "a" and "i" with "@" and "1," respectively. Following this method, the password would be: "t@1rbfw@1pc."
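The sentence-to-password method and the minimum-length rules above, implemented as an added example (not code from the article or from ACFE): `mnemonic_password` applies the first-letter and "a"/"i" substitution rule, and the two checkers enforce the eight-digit PIN and eight-character password minimums. The common-word list and the function names are constructed for this example.

```python
import math
import re

# Constructed sample of common words to reject, per the article's "no common names
# or words" rule; a real checker would load a full dictionary or breach list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "fraud", "acfe"}

# The article's substitutions: "a" -> "@", "i" -> "1".
SUBSTITUTIONS = {"a": "@", "i": "1"}


def mnemonic_password(sentence: str) -> str:
    """First letter of each word, lower-cased, with the article's substitutions."""
    words = re.findall(r"[A-Za-z]+", sentence)
    initials = "".join(w[0].lower() for w in words)
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in initials)


def pin_guess_space_bits(digits: int) -> float:
    """Entropy in bits of an all-digit PIN: 10**digits equally likely values."""
    return digits * math.log2(10)


def check_pin(pin: str) -> list:
    """Return the list of rule violations (empty list means the PIN passes)."""
    problems = []
    if not pin.isdigit():
        problems.append("PIN must contain digits only")
    if len(pin) < 8:
        problems.append("PIN must be at least eight digits")
    return problems


def check_password(pw: str) -> list:
    """Return the list of rule violations (empty list means the password passes)."""
    problems = []
    if len(pw) < 8:
        problems.append("password must be at least eight characters")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"[^A-Za-z]", pw)):
        problems.append("password must mix letters with digits or symbols")
    # Undo the article's substitutions before the dictionary check so that a
    # common word dressed up with "@" or "1" is still rejected.
    plain = pw.lower().replace("@", "a").replace("1", "i")
    for word in sorted(COMMON_WORDS):
        if word in plain:
            problems.append(f"password contains common word '{word}'")
    return problems
```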

CFEs should safeguard security for their professional smartphones and those in their organizations because they're often laden with confidential company information. (Of course, CFEs shouldn't forget that paper data can be equally confidential and necessitate adequate security measures, but that's for another article.)

Find even more tips on how to guard your PII in the full article on Fraud-Magazine.com.

Computer Forensics: Following the Digital Bread Crumbs


Phillip Rodokanakis, CFE, EnCE, ACE, DFCP
U.S. Data Forensics, LLC
Herndon, Va.

During the execution of search warrants in the late 1980s and early 1990s, we investigators would examine every piece of paper we could get our hands on. We would look at computers, scratch our heads and wonder, “How do we access the digital data they contain?” At the time we had no protocols or tools to retrieve and examine digitally stored data.

The term computer forensics was reportedly coined in 1991 at the first training session sponsored by the International Association of Computer Investigative Specialists (IACIS). Since that time, the term has become accepted in the computer security field and the legal profession. Recent technological advances have introduced computing capabilities to all kinds of new devices, like PDAs (personal digital assistants), smartphones, iPads, etc. Accordingly, the term digital forensics was introduced to cover all types of digital devices that have become commonplace in our daily lives.

Even though these terms are widely recognized now, they evoke different ideas of what this discipline really entails. Some think that computer forensics involves collecting digital files from computer systems in order to present them in searchable electronic databases. Others believe that it may involve a forensic review of electronic data stored in large databases. So what is computer or digital forensics?

Just as a fingerprint examiner examines latent fingerprint impressions found at a crime scene with the goal of linking them to the known fingerprints of a suspect, a digital forensics expert examines computer and digital storage systems to identify relevant evidence stored on digital storage devices that may link a suspect to the case under investigation. In particular, computer forensics deals with the acquisition, preservation, identification, extraction, analysis and documentation of digital evidence.

CFEs must familiarize themselves with the type of data that can be obtained from digital forensic examinations. A thorough examination of storage devices by a competent digital forensic examiner may yield evidence that is otherwise unavailable. I have been involved in a number of cases where the digital forensic examination led to finding the “smoking gun” literally in a matter of hours, whereas traditional investigative approaches would have taken months to identify the culprits, if ever.

As trial attorneys rely more and more on proving cases through the introduction of digital evidence, new litigation support technologies and services have evolved. Computer or digital forensics is one such example, where specially trained professionals use basic investigative and IT skills to find evidence that is left behind on digital storage devices. Additionally, the introduction and authentication of digital evidence in a court of law usually requires testimony by an expert witness, meaning that digital forensic examiners must also qualify as expert witnesses.

To learn more about digital forensics, go here.

Electronic Discovery, or eDiscovery, is another example of a technology that has evolved from the use of digital evidence. Want to know more about eDiscovery? Tune in next month.