Mobile Security Archives - City Security Magazine
https://citysecuritymagazine.com/category/cyber-security/mobile-security/
News and advice for security professionals

Cyber resilience: smartphone security
https://citysecuritymagazine.com/cyber-security/mobile-security-smartphone-security/
Sun, 21 Oct 2018 14:00:10 +0000

Keeping your smartphone safe

Smartphones have grown from allowing users to simply browse the internet, check email or socialise to doing online banking, shopping and controlling home appliances (and even vehicles) when paired with other devices.

Our smartphones contain sensitive information from personal photos to business contacts and password logins. And due to people’s reliance on and wide usage of those devices, they have become an appealing target for cyber criminals. Thus, understanding how to keep smartphones safe is crucial.

Access to private data

First of all, make sure that the manufacturer (Google, Apple, etc.) hasn’t granted unnecessary access to any private data. Indeed, every time you install a new app, don’t just scroll past the permissions page and hit accept. Especially if the app is from a less well-known publisher – ask yourself whether it really needs all those permissions. In addition, you could switch off permissions such as location tracking or access to camera/microphone as these are features that you don’t need all the time.

VPNs

VPNs are another important aspect to consider when looking at mobile device protection, because they aim to encrypt internet traffic to and from a device, in order to keep web browsing and app usage private. Indeed, many socialising apps such as WhatsApp, Viber, Snapchat and Facebook Messenger have some level of encryption. Yet whether your messages remain private depends on how difficult it is for a hacker to reverse engineer the app or how easily the company gives in to government coercion.

Passwords

With all the recent cases of IoT devices being hacked due to weak passwords, the importance of strong passwords in smartphone security is undeniable. In addition to having strong, varied passwords, you could use a password manager that encrypts and stores all passwords in a single app.

Encryption

When you’re backing up your phone data in case your phone is lost or stolen, make sure all sensitive information is encrypted. Boxcryptor, Viivo and Cloudfogger all make free apps that you can use to encrypt files locally before uploading to your cloud storage. Similarly, always remember to remove your SIM card when repairing your phone, as it can be used to make purchases or sign up for accounts.

Finally, keeping the device software up to date will nullify vulnerabilities in deprecated or obsolete older versions. We recommend you stick to the latest stable release, but there’s generally no need to use beta or nightly versions that are still being tested.

Richard Patterson, Director, Comparitech

 

Mobile security tips: don’t be compromised
https://citysecuritymagazine.com/cyber-security/mobile-security-tips/
Sun, 05 Aug 2018 10:05:35 +0000

Mobile Devices – Lucrative targets for attackers

The increasing storage capacities of mobile devices are making them a lucrative target for attackers. Traditionally, cyber criminals would look to yield confidential files by attacking computer systems.

Mobile devices, however, are a veritable treasure-trove, especially with their security being overlooked by many.

The presence of mobile apps to conduct everyday tasks allows sensitive data to be accessed. A survey conducted by IDG highlighted that over a third of respondents experienced a breach relating to vulnerabilities in mobile devices and related applications.

According to Lookout, Inc., 56% of data accessible on an individual’s computer is also accessible on their mobile phone.

These statistics illustrate the attention that should be paid to security on mobile devices, especially as the risk extends not only to individuals’ personal data but also to confidential corporate data where companies have deployed mobile devices for work purposes.

Top threats to executives with mobile phones

Public Wi-Fi

There is an abundance of wireless networks allowing users to take advantage of Internet access. These locations may not be secure – data can be snooped on using publicly available tools which monitor the websites a user visits. If the websites are unencrypted, an eavesdropper can even see a user’s keystrokes!

Any wireless network or ‘hot-spot’ can be named to whatever the initiator desires – are you sure that ‘Starbucks free Wi-Fi’, is a legitimate service or a cyber criminal trying their luck?

Using public Wi-Fi via a Virtual Private Network (VPN) will significantly assist in protecting data being transmitted over such networks. Further information on VPNs is available later in this article.

Mobile malware

Malware is software made to cause disruption to a system. It was originally written for computers, but with the use of mobile phones, combined with their increasing storage capacity, malware is now written specifically for mobiles. Malware for mobiles is more difficult to detect as attackers have embedded malware into code for legitimate applications. This allows them to run in the background on a mobile device, gathering valuable user data.

Espionage

All organisations possessing sensitive corporate data are susceptible to espionage. Commonly, this will be through social engineering or an organisation’s computer infrastructure. The increasing prominence of mobile devices introduces another element that needs to be closely monitored for intrusions. It is essential that, as the network grows, its security is brought in line with it.

Mobile security tips

Following these tips won’t make you hack-proof but will reduce the risk of being compromised.

Lock it up!

The first line of defence is to lock your screen; this might sound like common sense, but it’s surprising how many people don’t have passcode locks on their mobiles.

A recent survey found that “1 in 3 devices don’t use any form of lock screen” (Duo Labs, January 2016). So, at the least, you should set a PIN or alpha-numeric password to secure your device and contents.

Biometric security features are being promoted by many hardware manufacturers; these commonly allow users to protect their data with their fingerprint. This method minimises unauthorised access via ‘shoulder surfing’. A common security faux pas is the utilisation of the same password for multiple services; once the password or passcode is identified from one device/account, it leaves all others vulnerable.

Use a VPN

Using a virtual private network allows a user to surf the Internet through an encrypted tunnel. So even if a hacker successfully intercepted information, they wouldn’t be able to decipher the transmitted data because it is encrypted.

With the vast number of ‘free’ Wi-Fi hotspots nowadays, malicious attackers can propagate their own networks; these can be disguised as legitimate wireless networks, not only to intercept information, but to also upload malware to their victims. Subsequently, the victim will then connect to their home or corporate network, where the malware can move laterally to steal data or disrupt a network.

This is known as a ‘man-in-the-middle’ attack: where the hacker sits in the middle using their Wi-Fi and collects information. Not only do you have to worry about your information being wiretapped over the air, but you also have to worry about the hacker.

Screening of applications installed on your device

Be wary of where you download your apps from. Always check the permissions before you press ‘install’. Some applications may ask for unnecessary permission to services. If this is suspicious, do some research because the app might be infected with malware. Only download apps from the official app store found on your phone’s operating system. Although infected applications have made their way onto the official app stores, these applications are monitored and updated as and when compromises are identified.

Install antivirus app

Finally, make sure you have an antivirus app which scans your phone on a weekly basis. Once the app is installed, it runs in the background, keeping your device safe. Also make sure you scan your device every time you install a new app, just to be safe.

Most of these apps are available for free and are made by the same companies which have been making computer antivirus software for many years.

Ceri Walsh, LGC

Business Development Manager LGC Group

www.lgcgroup.com

CREST: UK centre leads security research
https://citysecuritymagazine.com/cyber-security/mobile-security-research-crest/
Mon, 23 Jul 2018 07:12:53 +0000

UK centre leading the way in security research

Whether you need to understand the behaviour of terrorists or potential risks of employees in sensitive positions, the role of research and evidence in identifying and mitigating these risks is essential.

In 2015 the UK started a programme to fund and apply research to these security driven questions. The Centre for Research and Evidence on Security Threats (CREST) is funded by the UK’s security and intelligence agencies to identify and produce social science that enhances our understanding of security threats and our capacity to counter them.

Led by Lancaster University, in collaboration with the universities of Bath, Birmingham, Cranfield, Portsmouth and West England, it has established an international network of over 80 researchers, commissioned research in priority areas, and begun to tackle some of the field’s most pressing questions.

CREST security research

CREST brings together the UK’s top economic, behavioural and social scientists with partners in industry and government to break new ground in our understanding of and capacity to counter contemporary security threats. As well as conducting world-class, independent research, this work stimulates public and professional debate, connects disciplinary communities, informs security policy and practice, as well as providing training to research leaders of the future. This innovative and open partnership not only benefits the UK security and intelligence agencies through cutting edge applied research, but is also helping to build capacity in related research relevant to the UK’s large and small business sector, critical infrastructure, policy development and community organisations.

Commissioning independent research as well as synthesising the best of existing knowledge, CREST has programmes investigating a broad variety of security problems. These include: examining how extremist ideologies are transmitted and countered; exploring online behaviour and its connections to offline behaviour; developing effective ethical deception detection techniques and research into protective security and risk assessment; as well as shorter programmes including understanding terrorists’ perceptions of risk; and decision-making by the emergency services during critical incidents.

In CREST’s programme on protective security, for example, research demonstrates how security cannot be achieved through technology alone. Protective security depends on us understanding how physical, personnel and cyber vulnerabilities are exploited by hackers, criminal gangs, terrorist groups and hostile powers. Leading the protective security and risk theme of CREST, Professor Debi Ashenden’s research looks at employees who fail to follow security processes (either intentionally or inadvertently), in particular those who sit at the intersection of these two states. The research draws on findings from two recent projects that highlighted the way that language can be used to change security behaviours, and the importance of productive dialogues between security practitioners and employees in the management of risk. Future research on this will look at extending these ideas and exploring the notion that we need to move towards relationship-based security rather than relying on security provided by technology.

CREST shapes police actions

CREST research on information elicitation, which includes telling when someone is lying, is shaping the way police and other agencies interview witnesses, victims and suspects. Led by Professor Aldert Vrij, this research has informed short accessible guides to particular techniques which can be used by investigators and interviewers. These focus on communicative techniques rather than mechanical methods – interviewing can be cheaper and has a less contentious evidence base than the polygraph machine, for example. One technique is to look for the amount of checkable detail an interviewee gives. Liars know that more detail in a statement makes it look more truthful, but are hamstrung by the risk of that detail being checked and found false. So they tend to provide detail that they think can’t be checked – “I was at home reading a really interesting article about research on security threats” is a detail that can’t be verified. “I was reading an interesting vignette about deception detection on the tube – you’ll see me on the CCTV” is a detail which can be verified. Regardless of whether the investigator checks the CCTV or not, the very fact that that kind of checkable detail is given suggests that the statement (or that part of it) is truthful.

Using academic research on these techniques and topics to provide sound evidence is essential in a field where the stakes are so high. Whether we’re running a business or the country, or looking for a safe and secure home and work environment, having confidence in the tools and techniques that people use to provide that security is really important. CREST’s research sits on the frontline of that effort – pulling together global expertise from practitioners and researchers to produce evidence that people can understand and use.

Dr Matthew Francis

Researcher at Lancaster University and CREST’s Communications Director.

www.crestresearch.ac.uk

Twitter:  @crest_research

How secure are mobile access solutions?
https://citysecuritymagazine.com/cyber-security/mobile-security-mobile-access/
Fri, 20 Jul 2018 07:19:30 +0000

How secure is mobile access?

Today’s employees are increasingly carrying smartphones or wearables with them at all times. In fact, Gartner recently predicted that worldwide mobile phone shipments could exceed 2.5 billion units by 2016, and UK communications regulator Ofcom has observed that 66 per cent of adults in the UK now own a smartphone.

The physical access control industry has witnessed some major technological developments in recent years, with a shift from being product-centric to developing comprehensive solutions for end users. In the light of increased interest in cloud-based solutions and mobile-enabled platforms, more and more security managers are considering the possibilities that a mobile access system can provide for their physical security. Rarely misplaced and consistently in hand, the mobile device has become the most valued technology we own.

However, as a recent trend report by IFSEC Global revealed, almost 80% of security managers surveyed feared that integrating mobile access solutions into their physical access control architecture might actually increase system vulnerability.

So what are the major concerns for security managers? There are multiple aspects for them to consider. Is the digital credential as safe as a physical badge? Can it be copied easily, or could an employee manipulate the data on their private phone within a BYOD strategy? How secure is the wireless transmission of the keys? Can the communication path between a phone and reader be captured and used for fraudulent purposes? Security managers rightfully ask these questions, as they would like to know how protected their buildings and on-site premises will be if they opt for mobile access. The overarching question is whether we are sacrificing security for convenience.

This article addresses these questions, demonstrating that mobile access systems are more often than not more secure than legacy building access cards, so concerns over whether mobile access is secure are unfounded.

Mobile credentials are based on the latest technology advancements

It is paramount that encryption methods have met stringent security criteria. A secure mobile access system will typically have security protocols that are certified by credible independent institutions. Examples include Suite B Cryptography algorithms, the Advanced Encryption Standard (AES), namely AES-128, and the Secure Hash Algorithm (SHA) from the National Institute of Standards and Technology (NIST). A mobile access system that is standards-based and complies with these rigid security protocols, incorporating secure messaging and strong authentication, will give security managers peace of mind that their employees’ data will remain confidential.

Mobile IDs cannot be manipulated

Mobile identities must be signed and encrypted to prevent manipulation. All mobile identities and user information should therefore be protected in a secure vault provided by hardware security modules, where all encryption keys are stored and used in cryptographic operations. On the phone, mobile IDs are stored in the app’s operating sandbox, an area within the device that has been designed for the storage of sensitive information. The information that is stored is encrypted, so it cannot be cloned or stolen via unauthorised access to the phone. Mobile IDs are not transferable, but specific to the device they have been issued to. All cryptographic keys are device-diversified, so no master keys are stored on the device. Each Mobile ID is unique per device.

Transmission between a mobile device and the access control reader

When access is granted to an employee to enter a building or on-site premises, the transaction between the mobile app on the mobile device and the access control reader is independent of the communication protocol in use. Transmission over-the-air via NFC or Bluetooth Smart to issue the key is protected by the latest technology and cannot be stolen when authorising access over-the-air. The device and reader both use high-security cryptographic communication techniques to prove to each other that they are trustworthy. Furthermore, no Bluetooth pairing is required between reader and device, as only eligible devices can interact. Each slot in the vault is protected by an authentication key and none of the slots rely on NFC or Bluetooth Smart security. In fact, the mobile access app can be configured so that the Mobile ID is only active when the screen is unlocked to prevent relay attacks.

Mobile access control systems also create a culture of security even if your employees do not realise it. With card or token access to buildings and on-site premises, staff are effectively burdened with the responsibility of constantly carrying an additional item, one they would not carry normally. As such, if their card is lost or stolen they are less likely to notice it and hence slower to report it. This leaves your physical infrastructure vulnerable, with a valid card potentially falling into the wrong hands. Conversely, an employee instantly feels more attached to their mobile device, so if a phone is lost or stolen, it is reported right away and the mobile ID can be immediately revoked, thus preventing unauthorised access.

Mobile architectural access technologies have significant scope for development and expansion. One advantage of mobile devices is the ability to dynamically update the security software, whereas updating data on cards takes more time and involves additional costs. As a consequence, the mobile environment allows quick response to security issues.

Furthermore, mobile handset providers are increasingly offering advanced security technology such as biometrics – fingerprint recognition, facial recognition and even voice recognition, resulting in more robust security of mobile devices. Hence a stolen phone is useless for gaining unauthorised access as the application is secured via protective software on the phone, making the phone even more secure than physical credentials.

As demonstrated, while security managers are right to question the security of mobile access systems, this technology has proven itself very capable of standing up to security threats to buildings. Being able to offer multiple security layers, dynamically responding to security issues, inspiring employees to better protect physical architecture and being on the cusp of new security developments, mobile access is a secure choice for any business’s building access control system.

Jaroslav Barton

Segment Director Physical Access Control, EMEA, HID Global www.hidglobal.com
