Threat modeling of a mobile device management system for secure smart work

Electronic Commerce Research

Abstract

To enhance the security of mobile devices, enterprises are developing and adopting mobile device management (MDM) systems. However, an MDM system is itself a high-value target: if it is exploited, the mobile devices it manages and the data they contain are compromised as well. It is therefore important to perform extensive threat modeling so that the security requirements and security functions derived from it are realistic and meaningful. In this paper, we analyze several current threat modeling methodologies, propose a new threat modeling methodology, and present the threats against an MDM system that it yields by analyzing and identifying threat agents, assets, and adverse actions. This work is intended as the basis for developing security requirements, such as a protection profile, and for designing a secure system.
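The abstract describes threats as the combination of a threat agent, an asset and an adverse action. The following Python is an added illustration of that decomposition, not the paper's model or code: it derives a threat wherever an agent can reach an asset and holds the capabilities an adverse action needs, prints each result as a protection-profile style T.* statement, and reports any asset goal for which no threat was derived so a reviewer can decide whether the model is missing an agent or action. Every asset, agent, capability and action name is a constructed assumption for a generic MDM deployment; none is taken from the paper.

```python
"""Threat enumeration by (threat agent, asset, adverse action).
Added illustration; all names below are constructed assumptions, not the paper's."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Asset:
    name: str
    location: str          # where the asset lives: "server", "device" or "channel"
    goals: frozenset       # subset of {"C", "I", "A"} worth protecting for this asset


@dataclass(frozen=True)
class ThreatAgent:
    name: str
    reach: frozenset       # locations the agent can act on
    capabilities: frozenset


@dataclass(frozen=True)
class AdverseAction:
    name: str
    violates: str          # the goal the action breaks: "C", "I" or "A"
    requires: frozenset    # capabilities an agent needs to perform it
    applies_to: frozenset  # locations where the action makes sense


@dataclass(frozen=True)
class Threat:
    agent: str
    asset: str
    action: str
    goal: str

    def pp_statement(self) -> str:
        """Protection-profile style statement, e.g. T.EAVESDROP_MGMT_CHANNEL: ..."""
        return (f"T.{self.action.upper()}_{self.asset.upper()}: "
                f"{self.agent} may {self.action.replace('_', ' ')} "
                f"the {self.asset.replace('_', ' ')} ({self.goal})")


def enumerate_threats(assets, agents, actions):
    """A threat exists when the action violates a goal the asset has, applies at
    the asset's location, the agent can reach that location, and the agent holds
    every capability the action requires."""
    threats = []
    for asset, agent, action in product(assets, agents, actions):
        if action.violates not in asset.goals:
            continue
        if asset.location not in action.applies_to:
            continue
        if asset.location not in agent.reach:
            continue
        if not action.requires <= agent.capabilities:
            continue
        threats.append(Threat(agent.name, asset.name, action.name, action.violates))
    return threats


def uncovered_goals(assets, threats):
    """(asset, goal) pairs for which no threat was derived. Each is either a
    modelling gap (missing agent or action) or a goal that is genuinely unexposed;
    a reviewer should decide which before writing security requirements."""
    covered = {(t.asset, t.goal) for t in threats}
    return sorted((a.name, g) for a in assets for g in a.goals
                  if (a.name, g) not in covered)


# Constructed sample model (assumptions for a generic MDM deployment).
ASSETS = [
    Asset("mgmt_channel", "channel", frozenset("CI")),
    Asset("device_data", "device", frozenset("CI")),
    Asset("mdm_agent", "device", frozenset("IA")),
    Asset("admin_account", "server", frozenset("C")),
    Asset("audit_log", "server", frozenset("I")),
]
AGENTS = [
    ThreatAgent("network_attacker", frozenset({"channel"}), frozenset({"intercept", "inject"})),
    ThreatAgent("malicious_user", frozenset({"device"}), frozenset({"physical_access", "root"})),
    ThreatAgent("rogue_admin", frozenset({"server"}), frozenset({"admin_login"})),
]
ACTIONS = [
    AdverseAction("eavesdrop", "C", frozenset({"intercept"}), frozenset({"channel"})),
    AdverseAction("replay_command", "I", frozenset({"intercept", "inject"}), frozenset({"channel"})),
    AdverseAction("extract_data", "C", frozenset({"physical_access"}), frozenset({"device"})),
    AdverseAction("tamper", "I", frozenset({"root"}), frozenset({"device"})),
    AdverseAction("disable", "A", frozenset({"root"}), frozenset({"device"})),
    AdverseAction("erase_log", "I", frozenset({"admin_login"}), frozenset({"server"})),
    # No agent above has "remote_access" to the server, so this action derives no
    # threat and (admin_account, C) is reported by uncovered_goals().
    AdverseAction("guess_password", "C", frozenset({"remote_access"}), frozenset({"server"})),
]

if __name__ == "__main__":
    found = enumerate_threats(ASSETS, AGENTS, ACTIONS)
    for t in found:
        print(t.pp_statement())
    print("uncovered:", uncovered_goals(ASSETS, found))
```

The deliberate gap in the sample model is the point of the coverage check: the administrator account has a confidentiality goal and a password-guessing action exists, but no modelled agent can reach the server with that capability, so the model as written would yield no requirement for it. Whether that means extending the network attacker's reach to the server, or accepting the goal as out of scope, is a decision the modeller has to record before deriving security requirements.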

Acknowledgements

This paper is based on Keunwoo Rhee's Ph.D. dissertation written at Sungkyunkwan University. Previous versions circulated under the title "A Study on the Security Evaluation of a Mobile Device Management System."

Correspondence to Keunwoo Rhee.

Rhee, K., Won, D., Jang, SW. et al. Threat modeling of a mobile device management system for secure smart work. Electron Commer Res 13, 243–256 (2013). https://doi.org/10.1007/s10660-013-9121-4
