Thursday, 29 September 2011

Report: Top Ten Smartphone Risks according to ENISA
The top ten information security risks for smartphone users.

Market analysts predict that smartphones will outnumber PCs by 2013 and will be the most common device for accessing the internet. In 2010 we published a report on smartphone security that gives an overview of the risks and opportunities for smartphone users and makes recommendations.

This is the list of the top ten smartphone security risks from our report. The risk level of each item was determined in consultation with the expert group. The level expresses the risk relative to the other items on the list, not an absolute probability or impact.

  • 1 - Data leakage resulting from device loss or theft (Risk: High)
The smartphone is stolen or lost and its memory or removable media are unprotected, allowing an attacker access to the data stored on it.

  • 2 - Unintentional disclosure of data (Risk: High)
The smartphone user unintentionally discloses data held on the smartphone.

  • 3 - Attacks on decommissioned smartphones (Risk: High)
The smartphone is decommissioned improperly, allowing an attacker access to the data on the device.

  • 4 - Phishing attacks (Risk: Medium)
An attacker collects user credentials (such as passwords and credit card numbers) by means of fake apps or (SMS, email) messages that seem genuine.

  • 5 - Spyware attacks (Risk: Medium)
The smartphone has spyware installed, allowing an attacker to access or infer personal data. Spyware here covers untargeted collection of personal information, as opposed to targeted surveillance (item 7).

  • 6 - Network spoofing attacks (Risk: Medium)
An attacker deploys a rogue network access point (WiFi or GSM) and users connect to it. The attacker subsequently intercepts (or tampers with) the user's communication to carry out further attacks such as phishing.

  • 7 - Surveillance attacks (Risk: Medium)
An attacker keeps a specific user under surveillance through the target user's smartphone.

  • 8 - Diallerware attacks (Risk: Medium)
An attacker steals money from the user by means of malware that makes hidden use of premium SMS services or premium-rate numbers.

  • 9 - Financial malware attacks (Risk: Medium)
The smartphone is infected with malware specifically designed to steal credit card numbers or online banking credentials, or to subvert online banking or e-commerce transactions.

  • 10 - Network congestion (Risk: Low)
Network resources are overloaded by smartphone usage, leading to network unavailability for the end user.


Risk is defined as the product of the likelihood and the impact of a threat against the information assets of an organisation or an individual. Threats exploit one or more vulnerabilities. The likelihood of a threat is determined by the number of underlying vulnerabilities, the relative ease with which they can be exploited, and how attractive the target is to an attacker.

We used the following list of possible affected assets throughout:
- Personal data
- Corporate intellectual property
- Classified information
- Financial assets
- Device and service availability and functionality
- Personal and political reputation
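The two points above (risk as likelihood times impact, and a level that is relative to the other items rather than absolute) can be made concrete with a small ranking routine. The following is an added example, not code from the ENISA report or from this blog; the way the three likelihood factors are combined (a plain product), the 1 to 5 scales, the rule that the top third of scores is High and the bottom third Low, and all factor values in `SAMPLE_THREATS` are assumptions chosen for illustration.

```python
"""Rank threats by risk = likelihood x impact and assign High/Medium/Low
relative to the other threats in the same list.

Added example. The factor weighting, scales and sample values are assumptions,
not the method or data of the ENISA report.
"""
from __future__ import annotations

from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class Threat:
    name: str
    vulnerabilities: int    # number of underlying vulnerabilities (assumed count)
    ease: int               # relative ease of exploitation, 1 (hard) .. 5 (trivial)
    attractiveness: int     # attractiveness to an attacker, 1 .. 5
    impact: int             # impact on the affected assets, 1 .. 5
    assets: tuple[str, ...]  # which of the asset classes listed above are affected


def likelihood(t: Threat) -> int:
    """Likelihood from the three factors the text names; the product is an assumption."""
    return t.vulnerabilities * t.ease * t.attractiveness


def risk(t: Threat) -> int:
    """Risk = likelihood x impact, as defined in the text."""
    return likelihood(t) * t.impact


def band_by_rank(scores: dict[str, int]) -> dict[str, str]:
    """Relative banding: top third of scores is High, bottom third Low, rest Medium.

    Ties share a band, and the same score can land in a different band when the
    surrounding population changes, which is exactly what 'relative' means here.
    """
    n = len(scores)
    ordered = sorted(scores.values(), reverse=True)
    k_high = ceil(n / 3)
    k_low = n // 3
    high_cut = ordered[k_high - 1]
    low_cut = ordered[n - k_low] if k_low else None
    bands: dict[str, str] = {}
    for name, score in scores.items():
        if score >= high_cut:
            bands[name] = "High"
        elif low_cut is not None and score <= low_cut:
            bands[name] = "Low"
        else:
            bands[name] = "Medium"
    return bands


def rank_risks(threats: list[Threat]) -> list[tuple[str, int, str]]:
    """Return (name, risk score, band) sorted from highest to lowest risk."""
    scores = {t.name: risk(t) for t in threats}
    bands = band_by_rank(scores)
    return sorted(
        ((name, score, bands[name]) for name, score in scores.items()),
        key=lambda row: row[1],
        reverse=True,
    )


# Constructed sample input: names taken from the list above, factor values invented.
SAMPLE_THREATS = [
    Threat("Data leakage from device loss or theft", 3, 5, 4, 5,
           ("Personal data", "Corporate intellectual property")),
    Threat("Unintentional disclosure of data", 4, 4, 3, 4,
           ("Personal data", "Personal and political reputation")),
    Threat("Phishing attacks", 2, 3, 4, 4, ("Financial assets",)),
    Threat("Network spoofing attacks", 2, 2, 3, 4, ("Personal data", "Financial assets")),
    Threat("Diallerware attacks", 1, 3, 4, 3, ("Financial assets",)),
    Threat("Network congestion", 1, 2, 1, 2,
           ("Device and service availability and functionality",)),
]

if __name__ == "__main__":
    for name, score, band in rank_risks(SAMPLE_THREATS):
        print(f"{score:4d}  {band:6s}  {name}")
```

With these assumed values the first two items score 300 and 192 and are banded High, phishing (96) and network spoofing (48) are Medium, and diallerware (36) and congestion (4) are Low. Re-banding the phishing score of 96 against a population of much weaker threats puts it in High, which is why the levels on the page should be read as a ranking and not as a fixed probability or impact.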
