Abstract
To enhance the security of mobile devices, enterprises are developing and adopting mobile device management systems. However, if a mobile device management system is exploited, the mobile devices it manages and the data they contain will be compromised. Therefore, it is important to perform extensive threat modeling in order to develop realistic and meaningful security requirements and functionalities. In this paper, we analyze some current threat modeling methodologies, propose a new threat modeling methodology, and present all possible threats against a mobile device management system by analyzing and identifying threat agents, assets, and adverse actions. This work will be used for developing security requirements, such as a protection profile, and for designing a secure system.
Acknowledgements
This paper is based on Keunwoo Rhee's Ph.D. dissertation written at Sungkyunkwan University. Previous versions circulated under the title "A Study on the Security Evaluation of a Mobile Device Management System."
Rhee, K., Won, D., Jang, SW. et al. Threat modeling of a mobile device management system for secure smart work. Electron Commer Res 13, 243–256 (2013). https://doi.org/10.1007/s10660-013-9121-4
DOI: https://doi.org/10.1007/s10660-013-9121-4