The Need for BYOD Mobile Device Security Awareness and Training

Transcription

1 The Need for Awareness and Training Completed Research Paper Mark A. Harris University of South Carolina Karen Patten University of South Carolina Elizabeth Regan University of South Carolina ABSTRACT In 2013, people will purchase 1.2 billion mobile devices, surpassing PC s as the most common method for accessing the Internet. The leading two mobile device platforms, Android and ios, both have security concerns surrounding their operating systems and application markets. The popularity of Bring Your Own (BYOD), where employees use their own devices for both personal and work situations, potentially brings insecure devices into the organization. While most IT professionals agree mobile devices pose major security risks, there is a major lack of mobile device security awareness and training programs in organizations. This paper reports the results of a survey of 131 college students entering the workforce, which demonstrates a lack of security awareness and the need for mobile device security awareness and training in organizations. This paper also reviews the major security concerns with mobile devices and makes some general security recommendations. Keywords Mobile device security, BYOD, security awareness and training, Android, ios INTRODUCTION Mobile devices, including smartphones and tablets, have rapidly developed in the last 5 years to the point where they can no longer be ignored by organizations. In 2013, people will purchase 1.2 billion mobile devices, surpassing PC s as the most common method for accessing the Internet (Lookout, 2013). Bring Your Own (BYOD), where people use their own mobile devices for both personal and work related tasks, is also rapidly increasing. The SANS Institute recently reported 61 percent of respondent s organizations allowed BYOD access to resources (SANS, 2012). IT professionals dealing with the new influx of devices on their networks need to properly manage mobile device security. For many organizations today, the BYOD issue is less a matter of No, we can t do it and more a question of how do we do it? (Thomson, 2012). Managing mobile device security is no simple task and is not being handled adequately in many organizations. A recent study of IT security professionals revealed 68% of them have no way of identifying known mobile device vulnerabilities on their networks (Tenable-Security, 2012). Most of the survey respondents reported that mobile devices are a security threat to their business, however 67% reported that their companies either have no policies or controls for mobile device usage on their network or that employees ignored the existing mobile device usage policies (Tenable-Security, 2012). As of January 2013 in the United States, Android made up 52.69% of mobile device operating systems and Apple ios accounted for 34.9% (Statcounter, 2013). Although these platforms have their technical differences, they both can potentially have serious security concerns with malware, application markets, privacy, and data protection. One of the biggest threats to organizations are users who jailbreak or root their BYOD devices. Jailbreaking and rooting

2 removes many of the security restrictions originally protecting the device, allowing users more freedom when using their device, but also potentially allowing malware more access. This paper explains why organizations need mobile device security awareness and training for most employees, which involves awareness of the security problem and training to create competent security skills. To demonstrate the need, a survey of current college student s personal mobile device security is discussed. These students are about to enter the workforce, so how they secure their mobile devices is of interest to employers. The next section, mobile device insecurity, reviews the security concerns with mobile devices. The following sections discuss basic personal security recommendations and security awareness and training. The student mobile device survey and results are then discussed, followed by the paper s conclusion. MOBILE DEVICE INSECURITY This section identifies the basic security concerns with the two most popular operating systems, Google s Android and Apple s ios mobile device platforms. Also discussed are security concerns with malware, jailbreaking, rooting, and Wi-Fi. Mobile Platforms In the United States, Google s Android took the lead over Apple s ios as the most popular mobile device platform in mid-2011 (Statcounter, 2013). All other platforms, like Windows Mobile, Symbian, and BlackBerry, account for less than 2% each of the U.S. market (Statcounter, 2013). Since Android and Apple account for more than 85% of the market and Android is rapidly growing, this paper discusses only those two platforms. Because Android is an open source platform where developers can modify the software, developers can create cutting-edge applications (apps). Developers can also get applications to market quickly because of Android s available developer tools and quick vetting process. A vetting process should at least include checking the background of the developer and thoroughly inspecting the application for appropriateness, proper software development, and malicious code. However, a problem with the Google Play market is a lax vetting process (Greenberg, 2012). Google has recently attempted to better vet software developers that are known to develop malware, but the vetting process falls far short of Apple s (Greenberg, 2012). The vetting process on 3 rd party markets, where Google and Apple have little control, can be much worse. Examples are rogue markets that contain most of the malware (Arxan, 2012). However, not all Android 3 rd party markets are the same nor do they all vet developers and applications in the same manner as the Google Play market. Some are actually more stringent. For example, Amazon s Appstore for Android and Verizon s V-CAST have a more stringent vetting process than Google Play (Strohmeyer, 2011). Download sites like these use a similar vetting model to Apple s App Store model (Lookout, 2011). Android users have the availability of multiple markets with very different levels of security, which can be a major security risk without proper awareness and training. Google has also recently attempted to address malware problems with the Google Play market by scanning new applications for known malware and testing new applications in a simulated environment (Greenberg, 2012). To catch malware downloaded from 3 rd party markets, Google added malware scanning to the latest version of Android, Jelly Bean 4.2. However, the scanner does not check for modifications to the code after the initial installation, such as can occur when an app is updated. This is a problem where apps execute new code after installation, which bypasses the application screening process (Greenberg, 2012). Another problem with the Android platform is the availability of multiple carriers and vendors that do not follow a particular standard, leading to old versions of the OS still on the market (Mansfield-Devine, 2012a). As of January 2013, Jelly Bean 4.2 was the latest version of Android. However, only 1.2% of the devices on the market had this version (Platform-Versions, 2013). This means that very few Android users have the built-in app scanning feature just discussed. The previous version of Jelly Bean, 4.1, only accounted for 9% of the market. The two most popular versions on the market are Ice Cream Sandwich (29.1%) and Gingerbread (47.6%). Ice Cream Sandwich includes version numbers 4.03 and 4.04 and was publicly released in October Gingerbread includes version numbers 2.3 to and to and was released in December 2010.

3 Adding to the problem of malware vulnerability in the Android platform are the very low number of users who update their operating systems (OS) when software patches are available. Research suggests that it takes 8-10 months for half of the Android users to update their software, plus they were more likely buy a new device than update their old device s software (Mansfield-Devine, 2012a). Patches are still usually available for older operating systems, but users must install the patches to receive the security update. Unlike Android, Apple ios is a closed operating system controlled by Apple. Only one manufacturer makes devices for the platform and there is no fragmentation of the operating system (Mansfield-Devine, 2012b). Apple claimed that over 80% of iphone and ipad users had the latest ios as of June 2012 (Mansfield-Devine, 2012a). From a security point of view, this is much better than Android s 1.2% having the latest version. Adding to the security of ios is Apple s App Store market, which is controlled by Apple with a strong vetting process for developers and apps. Users must jailbreak their devices in order to access 3 rd party markets outside of the Apple App Store, which is not permitted by Apple. Jailbreaking voids the warranty on Apple devices (Kingsley- Hughes, 2013). Jailbreaking will also be discussed in more detail later. If users only use the Apple App Store for apps, they will experience reasonably secure apps. Apple also has an advantage over Android when it comes to updating the OS and patching software. The latest versions of ios can update using itunes or Over The Air (OTA) (Mansfield-Devine, 2012a). OTA allows the user to update directly to the device without having to connect to a PC. Updating through itunes and OTA are both easy and encouraged by Apple, thus part of the reason Apple devices operating systems are more current than Android devices, which means better security. Overall, the strategic plan of Google and Apple in regard to their OS platforms is the reason for the security differences. Apple is more secure because of the control they place on their devices. But, many users feel that this control is like big brother telling them what to do. Many ios users want to rebel by jailbreaking their devices, thus removing restrictions. Contrary to Apple is Google, which lets Android users have a lot of freedom in deciding how to use their devices. With freedom comes risk, thus the reason for the malware problem. This is the same risk Apple users take when they jailbreak their devices. The next section discusses malware followed by a section on jailbreaking and rooting devices. Malware Forecasts predict that mobile device users will download 70 billion apps in 2014 (Lookout, 2013). While malware can be found in both Apple ios markets and Android markets, Android malware is growing and spreading much more rapidly. Android now exceeds PCs for malware attacks in the United States (Mansfield-Devine, 2013) and over 99% of all malware detected in 2012 was written for Android (Kaspersky, 2013). Trend Micro saw an increase of 350% of Android malware in 2012 over 2011 for a total of 350,000 new samples (Trend-Micro, 2012). It took the PC over 14 years to reach the same total of malware samples, while Android did it in just three (Trend-Micro, 2012). SMS premium text messaging is currently the biggest problem for mobile device malware (ESET, 2013; Trend- Micro, 2012). Malware of this type can send text messages in the background without the user s knowledge. Just over 78% of Lookout s 2012 malware detections fall into this category and cost the average user $9.99 a month (Lookout, 2012). These apps often disguise themselves as popular apps to trick the user into downloading and installing them, with two notable examples including Angry Birds Space and Instagram (Trend-Micro, 2012). Another problem affecting both platforms is fake applications. Fake malware applications look and work like the real thing to entice the user to download and install them, but they often also contain malicious code. Security firm Arxan reported that all of the top 100 apps for Android and 92 of the top 100 apps for ios have fake malware versions available as of mid-2012 (Arxan, 2012). Most fake malware applications are found on 3 rd party application sites, which are easy for Android users to access and more difficult for ios users to access. Since Android users are not confined to just the Google Play market, they can instead easily install from 3 rd party markets, where much of the malware resides (Arxan, 2012). For Apple ios devices, the user needs to jailbreak the device, which is discussed in the next sub-section.

4 Jailbreaking and Rooting Jailbreaking is a term mostly used with Apple devices. Jailbreaking a device is a process that removes the platform s restrictions, allowing users to install any applications from any market, install a modified operating system, and have administrative user permissions. Rooting is often referred to as a similar action performed on Android devices. Rooting a device is typically done to give the user administrative privileges, which allows them to overcome limitations placed on the device by carriers and device manufactures. Apple users that jailbreak their devices usually do so to get access to 3 rd party applications and to customize their devices. Android users that root their devices often do so to remove vendor-installed software and upgrade operating systems. Both jailbreaking and rooting are risky because the software needed to perform the operation is not available from Apple or Google, thus difficult to verify and trust. Also, if the jailbreak or rooting operation is successful and malware free, the devices are then vulnerable to app malware, especially from 3 rd party markets, because security restrictions were removed. There is a large percentage of Apple ios devices that are jailbroken because there are many people that like Apple products, but do not like being limited (Mansfield-Devine, 2012b). In addition, the problem may be getting worse. The new version of Apple ios 6.1 released in January 2013 had 7 million jailbreak downloads in the first 4 days on the market, which is more jailbreak downloads than ever before (Greenberg, 2013). Because jailbroken and rooted devices have a much higher risk of malware, the security concerns for organizations are understandably high. Jailbroken and rooted devices pose tremendous threats to any organization. Many IT security professionals have called for a ban of all jailbroken and rooted devices on corporate networks (ZDNet, 2013). Users need to be made aware of these risks through an awareness and training program. Wi-Fi Connectivity to corporate networks and the Internet typically occur either through a mobile broadband network (3G/4G) or a Wi-Fi network. As of 2012, 71% of ios users and 32% of Android users in the U.S. used both mobile and Wi-Fi networks to access the Internet (Comscore, 2012). This implies that, as with laptop connectivity to corporate networks and the Internet, smartphone and tablet users also need to be aware of Wi-Fi security protocols and risks associated with using Wi-Fi. Older Wi-Fi protection, Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA2), were easily cracked and considered insecure (Bradbury, 2011; Gold, 2011). WPA2, the current standard for protecting Wi-Fi, seemed uncrackable until recently (Gold, 2011). In 2010, Elcomsoft s Wireless Security Auditor (WSA) was released and could crack WPA2 passphrases. The company s WSA software has the ability to brute force crack as many as 103,000 WPA2 passwords per second and can also crack the older WPA (Gold, 2011). Security experts now recommend the use of 20+ character WPA2 passphrases with upper and lower case characters along with the costly implementation of a Radius-based virtual private network (VPN) system (Gold, 2011). For personal use, personal virtual private network (VPN) software can be purchased. A personal VPN creates an encrypted tunnel over unsecure networks, protecting the data within the tunnel. Larger organizations often host their own VPN servers that employees connect to from any Internet connection. But, for individual use, personal VPN servers are hosted by 3 rd party vendors. There are many vendors of personal VPNs and the software is available for all of the popular operating systems, including smartphones and tablets. BASIC SECURITY RECOMMENDATIONS At a minimum, everyone owning a mobile device should consider the basic security recommendations listed below. Companies allowing mobile devices on their networks would also be safer if all employees followed these basic recommendations. 1. Use encryption to protect data on the device (FBI, 2012; NIST, 2012); 2. Review and understand application permissions (FBI, 2012; InfoSec, 2013); 3. Passcode or password protect the device (InfoSec, 2013; NIST, 2012); 4. Install antivirus protection (FBI, 2012; US-CERT, 2011a); 5. Install firewall protection (InfoSec, 2013); 6. Do not jailbreak or root the device (FBI, 2012; US-CERT, 2011a);

5 7. Avoid unknown wireless networks (FBI, 2012; InfoSec, 2013); 8. Use VPNs over Wi-Fi (NIST, 2012); 9. When using configurable Wi-Fi, use 20+ character passphrases with WPA2 (Gold, 2011); 10. Perform timely software updates (FBI, 2012); 11. Do not install illegal or unauthorized software (InfoSec, 2013); 12. Do not install software from untrustworthy markets (Mylonas, Kastania, & Gritzalis, 2012); 13. Back-up data (US-CERT, 2011b); 14. Avoid clicking on unknown links (FBI, 2012; Homeland-Security, 2013); 15. Setup remote data wipe if the device is lost or stolen (InfoSec, 2013); and 16. Avoid storing usernames and passwords on the device or in the browser (Coninsync, 2013). SECURITY AWARENESS AND TRAINING Learning evolves through three distinct levels: awareness, training, and education (Katsikas, 2000). Awareness is the lowest level and should not be considered a form of training. Awareness activities help individuals to become aware that there are concerns for information systems security and that they should respond accordingly (Katsikas, 2000). Katsikas (2000) defines training as going beyond awareness to building knowledge and producing competent security skills. Training takes longer than awareness and requires learners to take a more active role in the process (Katsikas, 2000). Beyond training is education, where expertise is developed for professionals working within the security discipline. Security professionals in charge of protecting information systems from mobile device threats need this top level of learning education. Security awareness and training for most employees would involve the first two levels, awareness of the security problem and training to create competent security skills. Users of mobile devices need to be aware of threats and precautions that should be taken and need to have competent skills to secure their devices. Knowing that antivirus, firewalls, and data wipe software should be installed on mobile devices is different from understanding how to install and configure them. Knowing what VPNs are and that they should be used with mobile devices over Wi-Fi is different from training someone to install and configure VPNs on mobile devices. Mobile device security awareness should be added to the broader security awareness program. Many companies do not have a security awareness program to begin with, which is a major problem (CSI, 2011). Those that do not need to create a security policy and include a mobile device component. To demonstrate the need for mobile device security awareness and training, the next sections discuss results from a survey of college students about to enter the workforce about how well they secure their mobile devices. SURVEY A survey of 131 college students was conducted in 2012 to see how well they secure their personal mobile devices based on some of the expert security recommendations listed above. This information is important for organizations because these students already have or are about to enter the workforce with their mobile devices. The 131 students that completed the survey came from three universities, two in the northeast United States and one in the southeast. Male students represented 66% of the respondents and females represented 34%. Information technology students made up 52% and non-it students accounted for the other 48%. RESULTS AND DISCUSSION The participants were asked if they owned a smartphone, tablet, or laptop/pc. Based on their response, they were asked a series of security questions specific to the devices they owned. For space reasons, only a few key results are discussed in this paper. Table 1 describes the devices owned by the participants. As expected, most students owned a laptop or PC and many owned smartphones.

6 All Smartphone 81% Tablet 24% Laptop/PC 98% Table 1. Ownership Table 2 summarizes the operating system on their devices. In this survey, Apple ios held a slight edge over Google s Android with smartphones. However, there were many more ios tablets than Android tablets. It is clear Apple still has tablet dominance, as they once did with smartphones. Microsoft Windows dominated the laptop\pc devices. Operating System All Smartphone Tablet Laptop/PC ios 46% Android 44% ios 77% Android 19% Windows 82% Other 18% Table 2. Operating Systems When asked to rate their expertise in securing their equipment on a 7-item Likert scale, IT students considered themselves better at securing all devices than did non-it students, which is logical considering the nature of the IT discipline. Table 3 is a summary of student s self-reported ratings at securing their devices. As expected, all students were more comfortable with securing PCs than mobile devices. IT Non-IT Smartphone Tablet Laptop/PC Table 3. Expertise in Securing s While IT students were more comfortable with security than were non-it students, the data demonstrates both groups failed to adequately protect their devices. Table 4 summarizes the use of security safeguards. While IT students installed antivirus more than non-it students on smartphones, the opposite is true for tablets. Antivirus is not available for ios, so the numbers were adjusted to Android devices only. Overall, both groups failed to

7 adequately install antivirus, which should be alarming to organizations allowing access of these devices to corporate networks. Antivirus software is the first app that should be installed on a mobile device and there are many free versions available. Firewall installation was even lower than antivirus installation. Many software firewall products are available for free along with antivirus in a security suite. Again, firewall software is not available for ios. Safeguard IT Non-IT Smartphone Tablet Antivirus* 42% 22% Firewall* 33% 12% Authentication 69% 62% Software Updates 80% 80% Antivirus* 21% 24% Firewall* 14% 19% Authentication 64% 35% Software Updates 79% 65% * Responses relate to Android users only Table 4: Use of security safeguards Authentication credentials are considered passwords, phrases, patterns, or other mechanisms needed to access a device. The use of authentication is important to prevent unauthorized physical access to a device, especially if the device is lost or stolen. Authentication utilization, while much better than antivirus and firewall installation, is still considered poor among the groups. IT students performed only slightly better than non-it students on smartphones, but considerably better on tablets. Software updates patch vulnerabilities within operating systems and applications. It is essential to update software and applications quickly to avoid known threats. Both groups did a fair job of updating smartphone software, with 80% of both groups quickly updating when prompted. For tablets, the percentages were similar for IT students and considerably lower for non-it students. The next set of questions determined the student s risky behaviors, as summarized in Table 5. Installing software from 3 rd party markets is especially risky. Most malware and fake applications are found on 3 rd party markets. While non-it students are more risky than IT students when visiting 3 rd party markets for smartphone applications, one in five overall students downloaded 3 rd party market apps. The percentages for tablets are similar. Those visiting 3 rd party markets should take precautions to maximize protection by fully utilizing antivirus and firewall applications, as well as the other basic security precautions. Jailbroken and rooted devices are considered one of the top security threats to mobile devices. Overall, one in five students reported jailbreaking or rooting their devices, thus creating major security risks for organizations that accept these devices on their networks. Between groups, IT students are more than twice as likely to jailbreak or root a smartphone than non-it students. For tablets, IT students were nearly twice as likely to jailbreak or root.

8 Safeguard IT Non-IT Smartphone Tablet Installing software from 3 rd party app markets Jailbreaking or rooting of mobile devices Allowing mobile apps to store authentication credentials Installing software from 3 rd party app markets Jailbreaking or rooting of mobile devices Allowing mobile apps to store authentication credentials 18% 22% 34% 16% 37% 37% 21% 24% 21% 12% 43% 53% Table 5: Potentially Risky Behaviors Allowing browsers and applications to store credentials on mobile devices is also risky. Doing so may allow others in possession of the device access to accounts. It may also allow malware to access the user s accounts. Both groups were equal (37%) in allowing smartphone browsers and applications to store credentials. On tablets, about half of all students allowed credentials to be stored. If a device is lost or stolen, data wipe software can be utilized to clear sensitive data from the device. IT students utilized data wipe on smartphones much more than did non-it students, as shown in Table 6. However, both groups poorly utilize the software and should install one of the many free versions available. For tablets, the percentages were a little better, but still poor overall. IT Non-IT Smartphone 56% 20% Tablet 57% 40% Table 6: Use of Data Wipe Software Because Wi-Fi access has major security concerns, VPNs should be utilized over all Wi-Fi connections. Personal VPNs are inexpensive and many are free to students through their universities. VPNs are especially important in public places where vulnerability is higher and on corporate networks were sensitive corporate data needs protection. Nearly 80% of students used Wi-Fi in public places on their smartphones and many use Wi-Fi at work, as seen in Table 7. The percentages were similar for tablet use of Wi-Fi in public places, with non-it students using public Wi-Fi a little more. However, fewer IT students use Wi-Fi at work with tablets and considerably more non- IT students use Wi-Fi at work with tablets. The use of VPNs over these Wi-Fi connections is alarmingly low, with more using VPNs with tablets than with smartphones. One explanation for more tablet VPN usage is that the tablets may be corporate issued and secured. Regardless, VPN usage is poor for both groups.

9 Safeguard IT Non-IT Smartphone Tablet Use Wi-Fi on public networks 77% 79% Use Wi-Fi at work 64% 39% Utilized VPNs 16% 16% Use Wi-Fi on public networks 71% 82% Use Wi-Fi at work 56% 75% Utilized VPNs 29% 29% Table 7: Use of Wi-Fi In other interesting results, one in four IT students (26%) and just over one in five non-it students (22%) had their smartphone lost or stolen. Lost or stolen devices can be vulnerable if passcodes and data wipe software are not utilized. Of those that lost or had their smartphones stolen, one in four did not have a passcode to prevent access to the device. Only half of them had software installed to wipe personal data. Even more interesting is the result that only 27% of those who jailbroke or rooted their devices had antivirus installed. Jailbreaking or rooting a device removes security and makes the device even more vulnerable to malware, thus antivirus is even more critical. In addition, only 33% of those that installed apps from 3 rd party markets had antivirus installed. Third party markets are the primary source of malware and fake applications. At the time of this survey, 87% of IT students and 69% of non-it students used their smartphones for work purposes. This should be alarming to organizations since many of the devices these students are using are inadequately secured, as demonstrated by the survey results. Regarding security, 76% believe it is the employer s responsibility to provide security software for BYOD equipment. Overall, surveyed students poorly secured their mobile devices. Between groups, IT students were no better at securing their devices than non-it students and may actually be considered more risky because they are twice as likely to jailbreak or root a device. Organizations need to anticipate these university students entering their workforce and take the necessary precautions to secure these devices. This paper suggests organizations start with mobile device security awareness and training. One can only speculate as to why students do not install antivirus or firewall software or why they jailbreak or root their devices. Since much of the expert suggested protection is free, the reason should not be financial. This paper postulates the reason is lack of awareness and training. A mobile device security awareness and training program will teach users the danger of mobile device malware and teach them how to best protect their devices. Because these devices are connecting to corporate networks, organizations need to consider them a part of their network. Security awareness and training needs to cover mobile devices just as it covers PCs and other security threats to the organization. CONCLUSION This paper discusses threats from mobile devices, including smartphones and tablets. Mobile devices now outnumber PCs for Internet access. Accordingly, malware attacking these devices now outnumbers PC malware as well. The popularity of mobile devices has grown so rapidly that many people do not understand how to properly secure such devices, evident from surveyed university students. Part of the solution is for organizations to create mobile device security awareness and training and give it to all new and current employees on a minimum annual basis. Such training would make users aware of antivirus, firewall, and data wipe software, all available for free or inexpensively. Users would also be made aware of malware and 3 rd party markets. They would understand the implications of jailbreaking or rooting their devices and how their actions affect their personal data as well as company data. While mobile device security awareness and training is only one part of maximizing information security, it has become an essential part that cannot be ignored.

10 REFERENCES 1. Arxan. (2012) State of Security in the App Economy: Mobile Apps Under Attack. Retrieved 02/09/2013, from 2. Bradbury, D. (2011) Hacking wifi the easy way, Network Security, 2, 9-12, doi: /s (11) Comscore. (2012) iphones Have Significantly Higher Rates of Wi-Fi Utilization than Android Phones in the U.S. and U.K. Retrieved 02/17/2013, from Wi-Fi_Utilization. 4. Coninsync. (2013) Why You Should Avoid Saving Passwords on Your Smartphone? Retrieved 02/17/2013, from 5. CSI. (2011) 2010/2011Computer Crime and Security Survey. Retrieved , from 6. ESET. (2013) Trends for Retrieved 03/07/2013, from 7. FBI. (2012) Smartphone Users Should be Aware of Malware Targeting Mobile s and the Safety Measures to Help Avoid Compromise. Retrieved 02/11/13, from 8. Gold, S. (2011) Cracking wireless networks, Network Security, 11, 14-18, doi: /s (11) Greenberg, A. (2012) Google gets serious about android ssecurity, Now auto-scans app market for malware, Forbes, February 2, Retrieved 02/11/13, from Greenberg, A. (2013) Evasi0n is the most popular jailbreak ever: Nearly seven million ios devices hacked in four days, Forbes, February 8, Retrieved 02/12/13, from Homeland-Security. (2013) Cybersecurity Tips. Retrieved 05/02/2013, from InfoSec. (2013) Protecting Mobile s. Retrieved 02/17/2013, from Kaspersky. (2013) Find and Call: Leak and Spam. Retrieved 02/11/13, from Katsikas, S. K. (2000) Health care management and information systems security: awareness, training or education? International Journal of Medical Informatics, 60, Kingsley-Hughes, A. (2012) 'Should I jailbreak my iphone?' And other jailbreaking questions answered, Forbes, May 28, Retrieved 02/17/2013, from Lookout. (2011) Lookout MobileThreatReport Retrieved , from Lookout. (2012) State of Mobile Security Retrieved 01/13/2013, from Lookout. (2013) Mobile Threat Predictions. Retrieved 02/11/13, from

11 19. Mansfield-Devine, S. (2012a) Android architecture: attacking the weak points, Network Security, 10, 5-12, doi: Mansfield-Devine, S. (2012b) Paranoid Android: just how insecure is the most popular mobile platform? Network Security, 9, 5-10, doi: Mansfield-Devine, S. (2013) Security review: the past year, Computer Fraud & Security, 1, 5-11, doi: Mylonas, A., Kastania, A., and Gritzalis, D. (2012) Delegate the smartphone user? Security awareness in smartphone platforms, Computers & Security, 0, doi: NIST. (2012) Guidelines for Managing and Securing Mobile s in the Enterprise (Draft). Retrieved 5/2/2013, from Platform-Versions. (2013) Platform Versions. Retrieved 02/05/2013, from SANS. (2012). Mobility/BYOD Security Survey. Retrieved 02/11/2013, from Statcounter. (2013) Top 8 Mobile Operating Systems in the United States from Jan 2012 to Jan 2013, StatCounter Global Stats. Retrieved 02/12/13, from Strohmeyer, R. (2011) Why I get apps from amazon, not google, PCWorld, August 31, Retrieved 02/11/13, from Tenable-Security. (2012) Mobile Vulnerability Management Flagged as Top Concern for Security Professionals in Retrieved 02/12/13, from Thomson, G. (2012) BYOD: enabling the chaos, Network Security, 2, 5-8, doi: /s (12) Trend-Micro. (2012) Repeating History. Retrieved from US-CERT. (2011a) Cyber Threats to Mobile Phones. Retrieved 5/2/2013, from US-CERT. (2011b) Protecting Portable s: Physical Security. Retrieved 5/2/2013, from ZDNet. (2013) Does Jailbreaking or Rooting s and BYOD Mix? Retrieved 02/12/13, from