1 / 49

Norman M. Sadeh Professor, School of Computer Science Director, Mobile Commerce Lab.

Smart Phone Security & Privacy: What Should We Teach Our Users?. Norman M. Sadeh Professor, School of Computer Science Director, Mobile Commerce Lab. Carnegie Mellon University www.cs.cmu.edu/~sadeh. Outline. Smart phone security and privacy awareness : unique challenges

lorand
Download Presentation

Norman M. Sadeh Professor, School of Computer Science Director, Mobile Commerce Lab.

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Smart Phone Security & Privacy: What Should We Teach Our Users? Norman M. Sadeh Professor, School of Computer Science Director, Mobile Commerce Lab. Carnegie Mellon University www.cs.cmu.edu/~sadeh

  2. Outline • Smart phone security and privacy awareness: unique challenges • Phishing: much worse with smart phone users • What can we do? • Mobile Apps and Social Networking • What we can we teach users? • Concluding remarks • Q&A EDUCAUSE Webinar – April 2011 - Slide 2

  3. SMART PHONE SECURITY and PRIVACY AWARENESS:UNIQUE CHALLENGES EDUCAUSE Webinar – April 2011 - Slide 3

  4. Cyber Security Training Awareness …Has been compared to trying to nail Jell-O to a wall EDUCAUSE Webinar – April 2011 - Slide 4

  5. Yet… • Filters, firewalls, IDS etc. have their limitations • Users are the last line of defense • Universities: A Dual Objective • Protect the university’s infrastructure and sensitive data • Educational mission EDUCAUSE Webinar – April 2011 - Slide 5

  6. Universities • Diversity of users • Faculty, staff, students • Diversity of cultures and environments • Fragmented administration • Diversity of needs • Research vs. education vs. admin • Diversity of devices • Some managed & some not • ...Yet the price of security breaches can be dire… EDUCAUSE Webinar – April 2011 - Slide 6

  7. Smart Phones: The New Frontier Smart Phone Adoption to Approach 50% in the US in 2011 EDUCAUSE Webinar – April 2011 - Slide 7

  8. …Along the Way… • Our cell phones are now coming with the same vulnerabilities we have on our computers… …and more… EDUCAUSE Webinar – April 2011 - Slide 8

  9. Universities at High Risk University Students… EDUCAUSE Webinar – April 2011 - Slide 9

  10. Mobile Email & Social Networking are Big EDUCAUSE Webinar – April 2011 - Slide 10

  11. Diversity of Devices & OS’s Best practices are harder to articulate EDUCAUSE Webinar – April 2011 - Slide 11

  12. The Biggest Security Risk? Millions of cell phones lost or stolen each year EDUCAUSE Webinar – April 2011 - Slide 12

  13. Lost or Stolen Phone…. • Private data & sensitive apps • e.g. contacts list, pictures, phone calls, messages, email, calendar, apps, etc • Risk of someone using your phone • Impersonating you – SMS, voice, email, social networks, etc. • Placing expensive international calls • Reselling your phone • etc. EDUCAUSE Webinar – April 2011 - Slide 13

  14. What Can We Teach? • Don’t leave your phone unattended • Goes beyond theft and loss: malware is easy to install • Use a PIN to protect your cell phone • Different options (e.g. iPhone) • Write down your IMEI number as well as phone make and model and cell phone number • Quickly report lost/stolen phone EDUCAUSE Webinar – April 2011 - Slide 14

  15. Quickly Tips Become Device-Specific Requires MobileMe Loud noise + contact info + map EDUCAUSE Webinar – April 2011 - Slide 15

  16. Remote Erase • A number of solutions… • …Hopefully you’ve backed up your data • …Some products combine both back up and “remote wipe” • Watch out for malware - read reviews and select reputable solutions… EDUCAUSE Webinar – April 2011 - Slide 16

  17. Dangers of Multi-Tasking • Phone call, SMS, email, etc. • While driving, crossing the street.. • Illegal in some places • Not wise elsewhere EDUCAUSE Webinar – April 2011 - Slide 17

  18. Understanding the risks… • Even more challenging than on a computer • Cell phones are highly personal devices with access to lots of sensitive information • …yet fewer people understand the risks • Lots of different cell phone models • Not all with the same functionality or settings… • Users need to invest time in understanding and tweaking their security settings EDUCAUSE Webinar – April 2011 - Slide 18

  19. Different Activities Lead to Different Risks • Voice • Email • SMS • Bluetooth • Browsing • WiFi • Location • App Downloads • Social networks • …and more …A rather daunting task… EDUCAUSE Webinar – April 2011 - Slide 19

  20. PHISHING: MUCH WORSE ON SMART PHONES EDUCAUSE Webinar – April 2011 - Slide 20

  21. E-Mail Phishing: Worse on Mobile Phones • Trusteer – Jan 2011: • Mobile users are first to arrive at phishing websites • Mobile users 3x more likely to submit credentials than desktop users EDUCAUSE Webinar – April 2011 - Slide 21

  22. Beyond e-mail Phishing • SMS-ishing • Vishing • IM phishing • Phishing via social networks • Phishing apps EDUCAUSE Webinar – April 2011 - Slide 22

  23. What To Do? • Better filters can help • Most spam filters rely on manually maintained blacklists that are several hours behind • Example: Wombat’s PhishPatrol • Teach people to recognize traps in phishing emails EDUCAUSE Webinar – April 2011 - Slide 23

  24. Training via Mock Attacks: PhishGuru • Teach people in the context they would be attacked • If a person falls for simulated phish, then show intervention as to what just happened • Unique “teachable moment” EDUCAUSE Webinar – April 2011 - Slide 24

  25. Select Target Employees Customize Fake Phishing Email EDUCAUSE Webinar – April 2011 - Slide 25 EDUCAUSE Webinar – April 2011 - Slide 25

  26. Select Target Employees Customize Fake Phishing Email Select Training EDUCAUSE Webinar – April 2011 - Slide 26 EDUCAUSE Webinar – April 2011 - Slide 26

  27. Select Target Employees Customize Fake Phishing Email Select Training Hit Send Internal Test and Approval Process EDUCAUSE Webinar – April 2011 - Slide 27 EDUCAUSE Webinar – April 2011 - Slide 27

  28. Select Target Employees Customize Fake Phishing Email Select Training Hit Send Monitor & Analyze Employee Response Internal Test and Approval Process EDUCAUSE Webinar – April 2011 - Slide 28 EDUCAUSE Webinar – April 2011 - Slide 28

  29. It works! Reduces the chance of falling for an attack by more than 50% ! percentage (Actual Results) EDUCAUSE Webinar – April 2011 - Slide 29

  30. Reinforce with Training Modules – Incl. Games • Traditional training doesn’t work - but people like games • Games teach users about phishing • People more willing to play games than read training • Shows higher long-term retention EDUCAUSE Webinar – April 2011 - Slide 30

  31. Teaches people to identify “red flags” in fraudulent emails EDUCAUSE Webinar – April 2011 - Slide 31

  32. Phishing is a Generic Threat • It is possible to identify device-independent tips and strategies • It is possible to teach these tips and strategies in a matter of minutes • Universities like CMU are using PhishGuru and training games (Phil and Phyllis training games) to train staff, faculty and students • A dedicated anti-phishing email filter can also make a difference (e.g. PhishPatrol) EDUCAUSE Webinar – April 2011 - Slide 32

  33. MOBILE APPS & SOCIAL NETWORKING: WHAT CAN WE TEACH USERS? EDUCAUSE Webinar – April 2011 - Slide 33

  34. Social Networking – Facebook, Twitter & Co. • Sharing is wonderful… • …until you regret you did it • Think and ask yourself whether: • You really know who you are sharing with • A week or a year from now, you’ll still be happy you did • Colleagues, friends, new acquaintances… • Beware of pictures and links that seem to come from friends…. EDUCAUSE Webinar – April 2011 - Slide 34

  35. All Those Great Apps EDUCAUSE Webinar – April 2011 - Slide 35

  36. Malicious Apps • In January of 2010, the first malicious mobile banking app was detected • Stole your banking credentials • Android doesn’t review applications • Apple does, but that’s no guarantee • Many apps collect a lot more information than they need to – e.g. location EDUCAUSE Webinar – April 2011 - Slide 36

  37. Some Recommendations • Research apps before you download them • Best to wait until enough other people have tried them • Check ratings – but do not rely entirely on them • If you are courageous, take time to review privacy provisions • Possibly create a Google alert for apps you download EDUCAUSE Webinar – April 2011 - Slide 37

  38. Location Sharing Apps. EDUCAUSE Webinar – April 2011 - Slide 38

  39. Also referred to by some as… EDUCAUSE Webinar – April 2011 - Slide 39

  40. If you are going to share your location, at least do it under conditions you control EDUCAUSE Webinar – April 2011 - Slide 40

  41. Promoting Our Own Location Sharing Platform • More expressive privacy settings • “My colleagues can only see my location when I’m on campus and only weekdays 9am-5pm” • Invisible button • Auditing functionality • Available on Android Market, iPhone client, Ovi, laptop clients • Tens of thousands of downloads over the past year www.locaccino.org EDUCAUSE Webinar – April 2011 - Slide 41

  42. EDUCAUSE Webinar – April 2011 - Slide 42

  43. EDUCAUSE Webinar – April 2011 - Slide 43

  44. EDUCAUSE Webinar – April 2011 - Slide 44

  45. EDUCAUSE Webinar – April 2011 - Slide 45

  46. CONCLUDING REMARKS EDUCAUSE Webinar – April 2011 - Slide 46

  47. Concluding Remarks • Cell phones are wonderful devices … • Most of us can’t even remember how we could operate without them • …Yet they come with many risks • …General guidelines are difficult to articulate • Diversity of cell phones and usage scenarios • Yet in some areas such as phishing, results indicate that training can make a difference • We are extending this approach to mobile security at large EDUCAUSE Webinar – April 2011 - Slide 47

  48. Q&A http://mcom.cs.cmu.edu http://wombatsecurity.com EDUCAUSE Webinar – April 2011 - Slide 48

  49. References • Scientific References • How to Foil “Phishing Scams”, Scientific American, L. Cranor • Teaching Johnny Not to Fall for PhishP. Kumaraguru, S. Sheng, A. Acquisti, L. Cranor, and J. Hong. ACM Transactions on Internet Technology, Vol. V, No. N, September 2009, Pages 1–31. • Learning to Detect Phishing EmailsI. Fette, N. Sadeh, and A. Tomasic. In Proceedings of the 16th International Conference on World Wide Web, Banff, Alberta,  Canada, May 8-12, 2007. • Locaccino scientific publications: www.locaccino.org/science • Case Studies & White Papers • “A Multi-Pronged Approach to Combat Phishing (Carnegie Mellon University case study)” • “Empirical Evaluation of PhishGuru Embedded Training”, • “Cyber Security Training Game Teaches People to Avoid Phishing Attacks” EDUCAUSE Webinar – April 2011 - Slide 49

More Related