nach oben

Electronic Commerce Research

Erschienen in:

01.09.2013

Threat modeling of a mobile device management system for secure smart work

verfasst von: Keunwoo Rhee, Dongho Won, Sang-Woon Jang, Sooyoung Chae, Sangwoo Park

Erschienen in: Electronic Commerce Research | Ausgabe 3/2013

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

To enhance the security of mobile devices, enterprises are developing and adopting mobile device management systems. However, if a mobile device management system is exploited, mobile devices and the data they contain will be compromised. Therefore, it is important to perform extensive threat modeling to develop realistic and meaningful security requirements and functionalities. In this paper, we analyze some current threat modeling methodologies, propose a new threat modeling methodology and present all possible threats against a mobile device management system by analyzing and identifying threat agents, assets, and adverse actions. This work will be used for developing security requirements such as a protection profile and design a secure system.

Vorheriger Artikel IT convergence and security

Nächster Artikel Enhanced security in internet voting protocol using blind signature and dynamic ballots

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Apple Inc. (2010). iPhone in business mobile device management. http://images.apple.com/iphone/business/docs/iPhone_MDM.pdf. Accessed 29 May 2012.

Bickford, J., O’Hare, R., Baliga, A., Ganapathy, V., & Iftode, L. (2010). Rootkits on smartphones: attacks, implications and opportunities. In Proceedings of 11th workshop on mobile computing systems and applications (HotMobile’10) (pp. 49–54).

Bruns, J. (2009). Mobile application security on android. Black Hat 2009. http://www.blackhat.com/presentations/bh-usa-09/BURNS/BHUSA09-Burns-AndroidSurgery-PAPER.pdf. Accessed 29 May 2012.

CCMB (2009). Common criteria for information technology security evaluation. Part 1: Introduction and general model. Version 3.1, Revision 3, Final, CCMB-2009-07-001.

Chen, Y., Boehm, B., & Sheppard, L. (2007). Value driven security threat modeling based on attack path analysis. In Proceedings of the 40th Hawaii international conference on system sciences (HICSS’07) (pp. 280a).

Cisco Systems, Inc. (2012). Global IT survey highlights enthusiasm over tablets in the enterprise, shows customization, collaboration and virtualization as key features. http://newsroom.cisco.com/press-release-content?type=webcontent&articleId=658006. Accessed 29 May 2012.

CVSS (2012). Forum of incident response and security teams. http://www.first.org/cvss/cvss-guide.html. Accessed 29 May 2012.

C-skills blog (2012). http://c-skills.blogspot.com. Accessed 29 May 2012.

Demchenko, Y., Gommans, L., Laat, C. D., & Oudenaarde, B. (2005). Web services and grid security vulnerabilities and threats analysis and model. In Proceedings of the 6th IEEE/ACM international workshop on grid computing (pp. 262–267).

10.

Goldberg, Y. (2012). Practical threat analysis for the software industry. http://www.ptatechnologies.com. Accessed 29 May 2012.

11.

Hasan, R., Myagmar, S., Lee, A. J., & Yurcik, W. (2005). Toward a threat model for storage systems. In Proceedings of the 2005 ACM workshop on storage security and survivability (StorageSS’05) (pp. 94–102). CrossRef

12.

Håvaldsrud, T., Ligaarden, O., Myrseth, P., Refsdal, A., Stølen, K., & Ølnes, J. (2010). Experiences from using a UML-based method for trust analysis in an industrial project on electronic procurement. Electronic Commerce Research, 10(3–4), 441–467. CrossRef

13.

Herrmann, P., & Herrmann, G. (2006). Security requirement analysis of business processes. Electronic Commerce Research, 6(3–4), 305–335. CrossRef

14.

Hogben, G., & Dekker, M. (2010). Smartphone: Information security risks, opportunities and recommendations for users. European Network and Information Security Agency. http://www.enisa.europa.eu/activities/identity-and-trust/risks-and-data-breaches/smartphones-information-security-risks-opportunities-and-recommendations-for-users/at_download/fullReport. Accessed 29 May 2012.

15.

International Organization for Standardization (2004). ISO/IEC TR 13335-1: information technology—security techniques—management of information and communications technology security—Part 1: Concepts and models for information and communications technology security management. http://www.iso.org/iso/iso_catalogue_tc/catalogue_detail.htm?csnumber=39066. Accessed 29 May 2012.

16.

Jeon, W., Kim, J., Lee, Y., & Won, D. (2011). A practical analysis of smartphone security. In M. J. Smith & G. Salvendy (Eds.), Lecture notes in computer science (Vol. 6771, pp. 311–320). Berlin: Springer.

17.

Layland, R., Wexler, J., Datoo, A., George, A., Rege, O., Marshall, J., Herrema, J., & Duckering, B. (2011). The 2011 mobile device management challenge—defusing mobile anarchy in the enterprise. Network World and Robin Layland present. http://solutioncenters.networkworld.com/mobile_management_challenge. Accessed 29 May 2012.

18.

Lee, K. (2011). A study on the design of secure multi function printer conforming to the Korea evaluation and certification scheme. Suwon: Sungkyunkwan University

19.

Meier, J. D., Mackman, A., Dunner, M., Vasireddy, S., Murukan, A., Meier, J. D., Mackman, A., Dunner, M., Vasireddy, S., & Murukan, A. (2003). Improving web application security: threats and countermeasures. Microsoft Press. http://msdn.microsoft.com/en-us/library/ff649874.aspx. Accessed 20 July 2012.

20.

Myagmar, S., Lee, A. J., & Yurcik, W. (2005). Threat modeling as a basis for security requirements. In Proceedings of the symposium on requirements engineering for information security (SREIS’05).

21.

National Vulnerability Database (2012). CVE-2011-1149. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1149. Accessed 29 May 2012.

22.

Ni, J., Li, Z., Gao, Z., & Sun, J. (2007). Threat analysis and prevention for grid and web security. In Proceedings of the 8th ACIS international conference on software engineering, artificial intelligence, networking, and Parallel/Distributed computing (SNPD 2007) (pp. 526–531).

23.

Oladimeji, E. A., Suppakkul, S., & Chung, L. (2006). Security threat modeling and analysis: a goal-oriented approach. In Proceedings of the 10th IASTED international conference on software engineering and applications (SEA 2006).

24.

OWASP (2012). Man-in-the-middle attack. http://www.owasp.org/index.php/Man-in-the-middle_attack. Accessed 29 May 2012.

25.

OWASP (2012). Session hijacking attack. http://www.owasp.org/index.php/Session_hijacking_attack. Accessed 29 May 2012.

26.

OWASP (2012). SQL injection. http://www.owasp.org/index.php/SQL_Injection. Accessed 29 May 2012.

27.

Pauli, J., & Xu, D. (2005). Threat-driven architectural design of secure information systems. In Proceedings of the 7th international conference on enterprise information systems (ICEEIS 2005).

28.

Prasad, N. R. (2007). Threat model framework and methodology for personal networks (PNs). In Proceedings of the 2nd international conference on communication systems software and middleware (COMSWARE 2007) (pp. 1–6). CrossRef

29.

Schmidt, A. D., Schmidt, H. G., Batyuk, L., Clausen, J. H., Camtepe, S. A., & Albayrak, S. (2009). Smartphone malware evolution revisited: android next target? In Proceedings of the 4th international conference on malicious and unwanted software (pp. 1–7).

30.

Stango, A., Prasad, N. R., & Kyriazanos, D. M. (2009). A threat analysis methodology for security evaluation and enhancement planning. In Proceedings of 2009 third international conference on emerging security information, systems and technologies (SECURWARE 2009) (pp. 262–267). CrossRef

31.

Stouffer, K. A. (2004). System protection profile-industrial control systems version 1.0. National Institute of Standards and Technology. http://www.nist.gov/customcf/get_pdf.cfm?pub_id=822602. Accessed 29 May 2012.

32.

Swamynathan, G., & Almeroth, K. (2010). The design of a reliable reputation system. Electronic Commerce Research, 10(3–4), 239–270. CrossRef

33.

Swiderski, F., & Snyder, W. (2004). Threat modeling, redmond. Washington: Microsoft Press.

34.

Sybase, Inc. (2011). Afaria: a technical overview. http://m.sybase.com/files/White_Papers/Afaira-Techinical-WP.pdf. Accessed 29 May 2012.

35.

Tegrak Kernel (2012). http://pspmaster.tistory.com. Accessed 29 May 2012.

36.

Wang, Z., & Stavrou, A. (2010). Exploiting smart-phone USB connectivity for fun and profit. In Proceedings of the 26th annual computer security applications conference (ACSAC’10) (pp. 357–366).

37.

Wikipedia (2012). Brute-force attack. http://en.wikipedia.org/wiki/Brute-force_attack. Accessed 29 May 2012.

38.

Wikipedia (2012). Dictionary attack. http://en.wikipedia.org/wiki/Dictionary_attack. Accessed 29 May 2012.

39.

Wikipedia (2012). iOS jailbreaking. http://en.wikipedia.org/wiki/IOS_jailbreaking. Accessed 29 May 2012.

40.

Wikipedia (2012). Replay attack. http://en.wikipedia.org/wiki/Replay_attack. Accessed 29 May 2012.

41.

Wikipedia (2012). Rooting (Android OS). http://en.wikipedia.org/wiki/Rooting_(Android_OS). Accessed 29 May 2012.

42.

You, D., & Noh, B. (2011). Android platform base Linux kernel rootkit. In Proceedings of 2011 6th international conference on malicious and unwanted software (pp. 79–87). CrossRef

43.

Zarmpou, T., Saprikis, V., Markos, A., & Vlachopoulou, M. (2012). Modeling users’ acceptance of mobile services. Electronic Commerce Research, 12(2), 225–248. CrossRef

Titel: Threat modeling of a mobile device management system for secure smart work
verfasst von: Keunwoo Rhee
Dongho Won
Sang-Woon Jang
Sooyoung Chae
Sangwoo Park
Publikationsdatum: 01.09.2013
Verlag: Springer US
Erschienen in: Electronic Commerce Research / Ausgabe 3/2013
Print ISSN: 1389-5753
Elektronische ISSN: 1572-9362
DOI: https://doi.org/10.1007/s10660-013-9121-4

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"

Springer Professional "Technik"

Weitere Artikel der Ausgabe 3/2013

A framework for unified digital evidence management in security convergence

The security service rating design for IT convergence services

The prediction of network efficiency in the smart grid

Efficient model of Korean graphemes based on a smartphone keyboard

The RBAC model and implementation architecture in multi-domain environment

The disclosure of an Android smartphone’s digital footprint respecting the Instant Messaging utilizing Skype and MSN