Smart Phone Security & Privacy: What Should We Teach Our Users …and How? Norman M. Sadeh, Ph.D. Professor, School of Computer Science Co-Founder & Chief Scientist Director, Mobile Commerce Lab. Wombat Security Technologies Carnegie Mellon University



The Smart Phone Invasion

Copyright © 2011-2012 Norman M. Sadeh, FISSEA 2012

BYOD: The New Frontier

- 48% of employees will buy their own devices, whether their organization approves that particular device or NOT (Forrester Research)
- Blur between work life and private life
- Unrealistic policies don't work, even if they look good
- "If you can't fight them, join them" ...hopefully under your own terms...

The Problem is that...

BYOD implies users who are:
- knowledgeable
- responsible
- accountable

Is this truly possible? Do we really have a choice?

Training has a Big Role to Play

...But training has traditionally failed:
- Security is a secondary task; employees are not motivated to learn
- Traditional delivery methods and content have not been very compelling
- Required knowledge is vast and continues to grow
- Practical strategies and tips are not always easy to articulate

Mobile Security & Privacy Training

...at least as complex...
- Mediates a wide range of scenarios: phone calls, SMS, camera, location, email, apps and much more
- Variety of devices
- ...and obviously they are mobile devices...
- Lack of awareness: people do not think of their smart phone as a computer

Android Permissions: An Example of the Challenges We Face

P. Gage Kelley, S. Consolvo, L. Cranor, J. Jung, N. Sadeh, D. Wetherall, "A Conundrum of Permissions: Installing Applications on an Android Smartphone", USEC 2012

What Are We Up Against?

- Unusable security: most users do not understand Android permissions
- Misconceptions: most users did not realize that apps were not vetted
- Bad habits and cognitive biases: most users rely on word of mouth and star ratings
- Users always proceed with the download of apps, even though they don't understand the permissions

Where Do We Start?

Understanding the Risks: The Big Gap

Most people do not realize how sensitive their phones are

© Wombat Security Technologies 2011-2012

...and How Vulnerable They Are...

- Challenge them to take quizzes
- ...or better: motivate them via mock attacks
- Nothing beats showing a user how vulnerable (s)he is

Phishing as an Example

- Email phishing: much worse on mobile phones
- Mobile users are the first to arrive at phishing websites
- Mobile users are 3x more likely to submit credentials than desktop users
- Source: Trusteer, Jan. 2011 - similar

Training via Mock Attacks: PhishGuru

- Teach people in the context in which they would be attacked
- If a person falls for a simulated phish, then pop up an intervention
- A unique "teachable moment"

Campaign process:

1. Select target employees
2. Customize the fake phishing email
3. Select training
4. Internal test and approval process
5. Hit send
6. Monitor and analyze employee response

This really works

Reduces the chance of falling for an attack by more than 70%

[Chart: Actual Results; y-axis: percentage]
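The campaign loop above (pick targets, send a simulated phish with a per-recipient link, show the intervention at the moment someone falls for it, then measure the response and compare campaigns) as an added example in Python. This is not PhishGuru or Wombat code; it is a stand-alone model of the process. Assumptions that are not in the deck: tracking tokens are HMAC-SHA256 over the campaign id and an internal employee id (so the landing page can verify a link without a database and a recipient cannot guess a colleague's link), the event vocabulary opened/clicked/submitted, the rule that a click or a credential submission both count as "falling for it", and the employee ids, campaign ids, signing key and training URL, which are all constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

EVENTS = ("opened", "clicked", "submitted")
FELL_FOR_IT = {"clicked", "submitted"}   # assumption: either action counts as a fall


@dataclass
class Recipient:
    employee_id: str                       # internal opaque id, never the email address
    events: list = field(default_factory=list)
    intervened: bool = False               # teachable-moment page already shown?


class MockPhishCampaign:
    """One simulated-phishing campaign: targets, signed tracking tokens,
    recorded responses, and the intervention shown at the moment of failure."""

    def __init__(self, campaign_id, key, employee_ids, training_url):
        self.campaign_id = campaign_id
        self._key = key                    # HMAC key shared with the landing page
        self.training_url = training_url   # the intervention page (assumed URL)
        self.recipients = {eid: Recipient(eid) for eid in employee_ids}

    def _mac(self, employee_id):
        msg = f"{self.campaign_id}|{employee_id}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def tracking_token(self, employee_id):
        """Token embedded in the phish link: '<campaign>.<employee>.<mac>'.
        The MAC lets the landing page verify it statelessly and stops a curious
        recipient from forging or enumerating other employees' links."""
        if employee_id not in self.recipients:
            raise KeyError(employee_id)
        return f"{self.campaign_id}.{employee_id}.{self._mac(employee_id)}"

    def verify_token(self, token):
        """Return the employee id if the token is genuine, else None."""
        parts = token.split(".")
        if len(parts) != 3:
            return None
        cid, eid, mac = parts
        if cid != self.campaign_id or eid not in self.recipients:
            return None
        if not hmac.compare_digest(mac, self._mac(eid)):
            return None
        return eid

    def record(self, token, event):
        """Log what the recipient did. Returns the training URL the first time
        this recipient falls for the phish (the teachable moment), else None."""
        if event not in EVENTS:
            raise ValueError(f"unknown event {event!r}")
        eid = self.verify_token(token)
        if eid is None:
            return None                    # forged or mistyped token: no record
        rec = self.recipients[eid]
        rec.events.append(event)
        if event in FELL_FOR_IT and not rec.intervened:
            rec.intervened = True
            return self.training_url
        return None

    def fall_rate(self):
        """Fraction of targeted employees who clicked or submitted."""
        if not self.recipients:
            return 0.0
        fell = sum(1 for r in self.recipients.values() if FELL_FOR_IT & set(r.events))
        return fell / len(self.recipients)

    def summary(self):
        counts = {"sent": len(self.recipients)}
        for e in EVENTS:
            counts[e] = sum(1 for r in self.recipients.values() if e in r.events)
        counts["fall_rate"] = self.fall_rate()
        return counts


def relative_reduction(before, after):
    """Fractional drop in fall rate between two campaigns; 0.40 -> 0.10 is 0.75."""
    if before <= 0:
        raise ValueError("baseline fall rate must be positive")
    return (before - after) / before


def demo():
    """Two constructed campaigns against the same ten (constructed) employees."""
    key, url = b"campaign-signing-key", "https://training.example/phish-101"  # constructed
    staff = [f"emp{i:03d}" for i in range(10)]
    first = MockPhishCampaign("2012-03-baseline", key, staff, url)
    tok = {e: first.tracking_token(e) for e in staff}
    for n, event in ((6, "opened"), (4, "clicked"), (2, "submitted")):
        for e in staff[:n]:
            first.record(tok[e], event)    # 4 of 10 click, 2 of those also submit
    forged = first.record("2012-03-baseline.emp000.0000", "clicked")  # bad MAC: ignored
    second = MockPhishCampaign("2012-06-followup", key, staff, url)
    tok2 = {e: second.tracking_token(e) for e in staff}
    for e in staff[:5]:
        second.record(tok2[e], "opened")
    second.record(tok2[staff[0]], "clicked")    # only 1 of 10 falls for it this time
    drop = relative_reduction(first.fall_rate(), second.fall_rate())
    return first.summary(), second.summary(), drop, forged
```

In the constructed run the baseline campaign has a 40% fall rate and the follow-up 10%, a relative reduction of 75%, which is the kind of number the results slide reports; the figures here are made up to exercise the code, not measured. Two design points worth keeping in a real deployment: `record` returns the intervention only on the first click or submission, so a recipient who clicks and then types a password sees one training page rather than two, and a token whose MAC does not verify is dropped without creating a record, so nobody can pollute the campaign statistics by guessing URLs.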

Starting with the Most Common Threats

- Millions of cell phones lost or stolen each year
- Majority of smart phone users still do not have PINs

Source for image: http://www.malaysianwireless.com/2011/09/advice-how-to-protect-your-smartphone

Learning by Doing is Critical

- Teach people to better appreciate the risks
- Create mock situations
- Force them to make decisions
- Provide them with feedback

Gradually Move Towards More Complex Tasks

- Mobile apps
- Location
- Social networking
- From simple to increasingly realistic

Mobile Apps

- Challenge: difficult to come up with fool-proof rules
- Train people to be suspicious and look for possible red flags
- Emphasis on learning by doing: feedback, opportunities for reflection

Concluding Remarks

- BYOD trends make training critical
- Users have little awareness of the risks associated with smart phones
- Effective training requires adoption of learning science principles:
  - Creating realistic scenarios, including mock attacks
  - Interactive training: learning by doing
  - Start with the most common risks
- Training has to be part of an employee's daily life: repetition and variations are critical

Q&A

http://mcom.cs.cmu.edu
http://wombatsecurity.com

Page 2: Smart Phone Security & Privacy - NIST...Concluding Remarks BYOD trends make training critical Users have little awareness of the risks associated with smart phones Effective training

The Smart Phone Invasion

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 2

BYOD The New Frontier

48 of employees will buy their own devices ndash whether their organization approves that particular device or NOT (Forrester Research)

Blur between work life amp private life

Unrealistic policies donrsquot work ndash even if they look good

ldquoIf you canrsquot fight them join themrdquo

helliphopefully under your own termshellip

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 3

knowledgeable

accountableIs this truly possible

The Problem is thathellip

BYOD implies users who are

responsible

Do we really have a choice

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 4

Training has a Big Role to Play

hellipBut training has traditionally failed Security is a secondary task

employees are not motivated to learn

Traditional delivery methods and content have not been very compelling

Required knowledge is vast amp continues to grow

Practical strategies and tips are not always easy to articulate

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 5

Phone calls SMS camera location email apps and much more

Lack of awareness People do not think of their smart phone as a computer

Variety of devices

Mobile Security amp Privacy Training

hellipat least as complexhellip Mediates a wide range of scenarios

hellipand obviously they are mobile deviceshellip

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 6

Android Permissions An Example of the Challenges We Face

P Gage Kelley S Consolvo L Cranor J Jung N Sadeh D Wetherall ldquoA Conundrum of Permissions Installing Applications on an Android Smartphonerdquo USEC2012

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 7

of apps even though they donrsquot

Unusable security Most users do not understand Android permissions

Bad habits amp cognitive biases Most users rely on word of mouth and

star ratings

Users always proceed with the download

What Are We Up Against

Misconceptions Most users did not realize that apps were not vetted

Where Do We Start

understand the permissions

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 8

Understanding the Risks The Big Gap

copy Wombat Security Technologies 2011-2012 copy Wombat Security Technologies 2011-2012

Most people do not realize how sensitive their phones are

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 9

hellipand How Vulnerable They Arehellip

Challenge them to take quizzes

hellipor better Motivate them via mock attacks

Nothing beats showing a user how vulnerable (s)he is

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 10

Phishing as An Example

Email phishing Much worse on mobile phones Mobile users are first to arrive at

phishing websites

Mobile users 3x more likely to submit credentials than desktop users

Source Trusteer Jan 2011 ndash similar

Copyright copy 2011-2012 Norman M Sadeh

Training via Mock Attacks PhishGuru

Teach people in the context they would be attacked

If a person falls for simulated phish then pop up an intervention

Unique ldquoteachable momentrdquo

Copyright copy 2011-2012 Norman M Sadeh

Select Target

Employees

Customize Fake

Phishing Email

Select Training

Internal Test and Approval Process

Hit Send

Monitor amp Analyze Employee Response

Copyright copy 2011-2012 Norman M Sadeh

This really works

Reduces the chance of falling for an attack by more than 70

Actual Results

percentage

Starting with the Most Common Threats

rce for image httpwwwmalaysianwirelesscom201109advice-how-to-protect-your-smartphone

Millions of cell phones lost or stolen each year Majority of smart phone users still do not have PINs

Learning by Doing is Critical

copy Wombat Security Technologies 2011-2012

Teach people to better appreciate the risks

Create mock situations

Force them to make decisions

P id th ith f db k

adually Move Towards More Complex Tasks

Mobile Apps

Location

Social Networking

Mobile Apps

Challenge difficult to come up with full-proof rules

Train people to be suspicious amp look for possible red flags

Emphasis on Learning by doing

Feedback

Opportunities for reflection

t t

From Simple to Increasingly Realistic

copy W b S i T h l i 2011 2012

Concluding Remarks BYOD trends make training critical

Users have little awareness of the risks associated with smart phones

Effective training requires adoption of learning science principles

Creating realistic scenarios ndash including mock attacks

Interactive training - Learning by doing

Start with most common risks

Training has to be part of an employeersquos daily life ndash repetition amp variations are critical

QampA

httpmcomcscmuedu

httpwombatsecuritycom

Page 3: Smart Phone Security & Privacy - NIST...Concluding Remarks BYOD trends make training critical Users have little awareness of the risks associated with smart phones Effective training

BYOD The New Frontier

48 of employees will buy their own devices ndash whether their organization approves that particular device or NOT (Forrester Research)

Blur between work life amp private life

Unrealistic policies donrsquot work ndash even if they look good

ldquoIf you canrsquot fight them join themrdquo

helliphopefully under your own termshellip

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 3

knowledgeable

accountableIs this truly possible

The Problem is thathellip

BYOD implies users who are

responsible

Do we really have a choice

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 4

Training has a Big Role to Play

hellipBut training has traditionally failed Security is a secondary task

employees are not motivated to learn

Traditional delivery methods and content have not been very compelling

Required knowledge is vast amp continues to grow

Practical strategies and tips are not always easy to articulate

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 5

Phone calls SMS camera location email apps and much more

Lack of awareness People do not think of their smart phone as a computer

Variety of devices

Mobile Security amp Privacy Training

hellipat least as complexhellip Mediates a wide range of scenarios

hellipand obviously they are mobile deviceshellip

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 6

Android Permissions An Example of the Challenges We Face

P Gage Kelley S Consolvo L Cranor J Jung N Sadeh D Wetherall ldquoA Conundrum of Permissions Installing Applications on an Android Smartphonerdquo USEC2012

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 7

of apps even though they donrsquot

Unusable security Most users do not understand Android permissions

Bad habits amp cognitive biases Most users rely on word of mouth and

star ratings

Users always proceed with the download

What Are We Up Against

Misconceptions Most users did not realize that apps were not vetted

Where Do We Start

understand the permissions

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 8

Understanding the Risks The Big Gap

copy Wombat Security Technologies 2011-2012 copy Wombat Security Technologies 2011-2012

Most people do not realize how sensitive their phones are

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 9

hellipand How Vulnerable They Arehellip

Challenge them to take quizzes

hellipor better Motivate them via mock attacks

Nothing beats showing a user how vulnerable (s)he is

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 10

Phishing as An Example

Email phishing Much worse on mobile phones Mobile users are first to arrive at

phishing websites

Mobile users 3x more likely to submit credentials than desktop users

Source Trusteer Jan 2011 ndash similar

Copyright copy 2011-2012 Norman M Sadeh

Training via Mock Attacks PhishGuru

Teach people in the context they would be attacked

If a person falls for simulated phish then pop up an intervention

Unique ldquoteachable momentrdquo

Copyright copy 2011-2012 Norman M Sadeh

Select Target

Employees

Customize Fake

Phishing Email

Select Training

Internal Test and Approval Process

Hit Send

Monitor amp Analyze Employee Response

Copyright copy 2011-2012 Norman M Sadeh

This really works

Reduces the chance of falling for an attack by more than 70

Actual Results

percentage

Starting with the Most Common Threats

rce for image httpwwwmalaysianwirelesscom201109advice-how-to-protect-your-smartphone

Millions of cell phones lost or stolen each year Majority of smart phone users still do not have PINs

Learning by Doing is Critical

copy Wombat Security Technologies 2011-2012

Teach people to better appreciate the risks

Create mock situations

Force them to make decisions

P id th ith f db k

adually Move Towards More Complex Tasks

Mobile Apps

Location

Social Networking

Mobile Apps

Challenge difficult to come up with full-proof rules

Train people to be suspicious amp look for possible red flags

Emphasis on Learning by doing

Feedback

Opportunities for reflection

t t

From Simple to Increasingly Realistic

copy W b S i T h l i 2011 2012

Concluding Remarks BYOD trends make training critical

Users have little awareness of the risks associated with smart phones

Effective training requires adoption of learning science principles

Creating realistic scenarios ndash including mock attacks

Interactive training - Learning by doing

Start with most common risks

Training has to be part of an employeersquos daily life ndash repetition amp variations are critical

QampA

httpmcomcscmuedu

httpwombatsecuritycom

Page 4: Smart Phone Security & Privacy - NIST...Concluding Remarks BYOD trends make training critical Users have little awareness of the risks associated with smart phones Effective training

knowledgeable

accountableIs this truly possible

The Problem is thathellip

BYOD implies users who are

responsible

Do we really have a choice

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 4

Training has a Big Role to Play

hellipBut training has traditionally failed Security is a secondary task

employees are not motivated to learn

Traditional delivery methods and content have not been very compelling

Required knowledge is vast amp continues to grow

Practical strategies and tips are not always easy to articulate

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 5

Phone calls SMS camera location email apps and much more

Lack of awareness People do not think of their smart phone as a computer

Variety of devices

Mobile Security amp Privacy Training

hellipat least as complexhellip Mediates a wide range of scenarios

hellipand obviously they are mobile deviceshellip

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 6

Android Permissions An Example of the Challenges We Face

P Gage Kelley S Consolvo L Cranor J Jung N Sadeh D Wetherall ldquoA Conundrum of Permissions Installing Applications on an Android Smartphonerdquo USEC2012

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 7

of apps even though they donrsquot

Unusable security Most users do not understand Android permissions

Bad habits amp cognitive biases Most users rely on word of mouth and

star ratings

Users always proceed with the download

What Are We Up Against

Misconceptions Most users did not realize that apps were not vetted

Where Do We Start

understand the permissions

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 8

Understanding the Risks The Big Gap

copy Wombat Security Technologies 2011-2012 copy Wombat Security Technologies 2011-2012

Most people do not realize how sensitive their phones are

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 9

hellipand How Vulnerable They Arehellip

Challenge them to take quizzes

hellipor better Motivate them via mock attacks

Nothing beats showing a user how vulnerable (s)he is

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 10

Phishing as An Example

Email phishing Much worse on mobile phones Mobile users are first to arrive at

phishing websites

Mobile users 3x more likely to submit credentials than desktop users

Source Trusteer Jan 2011 ndash similar

Copyright copy 2011-2012 Norman M Sadeh

Training via Mock Attacks PhishGuru

Teach people in the context they would be attacked

If a person falls for simulated phish then pop up an intervention

Unique ldquoteachable momentrdquo

Copyright copy 2011-2012 Norman M Sadeh

Select Target

Employees

Customize Fake

Phishing Email

Select Training

Internal Test and Approval Process

Hit Send

Monitor amp Analyze Employee Response

Copyright copy 2011-2012 Norman M Sadeh

This really works

Reduces the chance of falling for an attack by more than 70

Actual Results

percentage

Starting with the Most Common Threats

rce for image httpwwwmalaysianwirelesscom201109advice-how-to-protect-your-smartphone

Millions of cell phones lost or stolen each year Majority of smart phone users still do not have PINs

Learning by Doing is Critical

copy Wombat Security Technologies 2011-2012

Teach people to better appreciate the risks

Create mock situations

Force them to make decisions

P id th ith f db k

adually Move Towards More Complex Tasks

Mobile Apps

Location

Social Networking

Mobile Apps

Challenge difficult to come up with full-proof rules

Train people to be suspicious amp look for possible red flags

Emphasis on Learning by doing

Feedback

Opportunities for reflection

t t

From Simple to Increasingly Realistic

copy W b S i T h l i 2011 2012

Concluding Remarks BYOD trends make training critical

Users have little awareness of the risks associated with smart phones

Effective training requires adoption of learning science principles

Creating realistic scenarios ndash including mock attacks

Interactive training - Learning by doing

Start with most common risks

Training has to be part of an employeersquos daily life ndash repetition amp variations are critical

QampA

httpmcomcscmuedu

httpwombatsecuritycom

Page 5: Smart Phone Security & Privacy - NIST...Concluding Remarks BYOD trends make training critical Users have little awareness of the risks associated with smart phones Effective training

Training has a Big Role to Play

hellipBut training has traditionally failed Security is a secondary task

employees are not motivated to learn

Traditional delivery methods and content have not been very compelling

Required knowledge is vast amp continues to grow

Practical strategies and tips are not always easy to articulate

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 5

Phone calls SMS camera location email apps and much more

Lack of awareness People do not think of their smart phone as a computer

Variety of devices

Mobile Security amp Privacy Training

hellipat least as complexhellip Mediates a wide range of scenarios

hellipand obviously they are mobile deviceshellip

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 6

Android Permissions An Example of the Challenges We Face

P Gage Kelley S Consolvo L Cranor J Jung N Sadeh D Wetherall ldquoA Conundrum of Permissions Installing Applications on an Android Smartphonerdquo USEC2012

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 7

of apps even though they donrsquot

Unusable security Most users do not understand Android permissions

Bad habits amp cognitive biases Most users rely on word of mouth and

star ratings

Users always proceed with the download

What Are We Up Against

Misconceptions Most users did not realize that apps were not vetted

Where Do We Start

understand the permissions

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 8

Understanding the Risks The Big Gap

copy Wombat Security Technologies 2011-2012 copy Wombat Security Technologies 2011-2012

Most people do not realize how sensitive their phones are

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 9

hellipand How Vulnerable They Arehellip

Challenge them to take quizzes

hellipor better Motivate them via mock attacks

Nothing beats showing a user how vulnerable (s)he is

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 10

Phishing as An Example

Email phishing Much worse on mobile phones Mobile users are first to arrive at

phishing websites

Mobile users 3x more likely to submit credentials than desktop users

Source Trusteer Jan 2011 ndash similar

Copyright copy 2011-2012 Norman M Sadeh

Training via Mock Attacks PhishGuru

Teach people in the context they would be attacked

If a person falls for simulated phish then pop up an intervention

Unique ldquoteachable momentrdquo

Copyright copy 2011-2012 Norman M Sadeh

Select Target

Employees

Customize Fake

Phishing Email

Select Training

Internal Test and Approval Process

Hit Send

Monitor amp Analyze Employee Response

Copyright copy 2011-2012 Norman M Sadeh

This really works

Reduces the chance of falling for an attack by more than 70

Actual Results

percentage

Starting with the Most Common Threats

rce for image httpwwwmalaysianwirelesscom201109advice-how-to-protect-your-smartphone

Millions of cell phones lost or stolen each year Majority of smart phone users still do not have PINs

Learning by Doing is Critical

copy Wombat Security Technologies 2011-2012

Teach people to better appreciate the risks

Create mock situations

Force them to make decisions

P id th ith f db k

adually Move Towards More Complex Tasks

Mobile Apps

Location

Social Networking

Mobile Apps

Challenge difficult to come up with full-proof rules

Train people to be suspicious amp look for possible red flags

Emphasis on Learning by doing

Feedback

Opportunities for reflection

t t

From Simple to Increasingly Realistic

copy W b S i T h l i 2011 2012

Concluding Remarks BYOD trends make training critical

Users have little awareness of the risks associated with smart phones

Effective training requires adoption of learning science principles

Creating realistic scenarios ndash including mock attacks

Interactive training - Learning by doing

Start with most common risks

Training has to be part of an employeersquos daily life ndash repetition amp variations are critical

QampA

httpmcomcscmuedu

httpwombatsecuritycom

Page 6: Smart Phone Security & Privacy - NIST...Concluding Remarks BYOD trends make training critical Users have little awareness of the risks associated with smart phones Effective training

Phone calls SMS camera location email apps and much more

Lack of awareness People do not think of their smart phone as a computer

Variety of devices

Mobile Security amp Privacy Training

hellipat least as complexhellip Mediates a wide range of scenarios

hellipand obviously they are mobile deviceshellip

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 6

Android Permissions An Example of the Challenges We Face

P Gage Kelley S Consolvo L Cranor J Jung N Sadeh D Wetherall ldquoA Conundrum of Permissions Installing Applications on an Android Smartphonerdquo USEC2012

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 7

of apps even though they donrsquot

Unusable security Most users do not understand Android permissions

Bad habits amp cognitive biases Most users rely on word of mouth and

star ratings

Users always proceed with the download

What Are We Up Against

Misconceptions Most users did not realize that apps were not vetted

Where Do We Start

understand the permissions

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 8

Understanding the Risks The Big Gap

copy Wombat Security Technologies 2011-2012 copy Wombat Security Technologies 2011-2012

Most people do not realize how sensitive their phones are

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 9

hellipand How Vulnerable They Arehellip

Challenge them to take quizzes

hellipor better Motivate them via mock attacks

Nothing beats showing a user how vulnerable (s)he is

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 10

Phishing as An Example

Email phishing Much worse on mobile phones Mobile users are first to arrive at

phishing websites

Mobile users 3x more likely to submit credentials than desktop users

Source Trusteer Jan 2011 ndash similar

Copyright copy 2011-2012 Norman M Sadeh

Training via Mock Attacks PhishGuru

Teach people in the context they would be attacked

If a person falls for simulated phish then pop up an intervention

Unique ldquoteachable momentrdquo

Copyright copy 2011-2012 Norman M Sadeh

Select Target

Employees

Customize Fake

Phishing Email

Select Training

Internal Test and Approval Process

Hit Send

Monitor amp Analyze Employee Response

Copyright copy 2011-2012 Norman M Sadeh

This really works

Reduces the chance of falling for an attack by more than 70

Actual Results

percentage

Starting with the Most Common Threats

rce for image httpwwwmalaysianwirelesscom201109advice-how-to-protect-your-smartphone

Millions of cell phones lost or stolen each year Majority of smart phone users still do not have PINs

Learning by Doing is Critical

copy Wombat Security Technologies 2011-2012

Teach people to better appreciate the risks

Create mock situations

Force them to make decisions

P id th ith f db k

adually Move Towards More Complex Tasks

Mobile Apps

Location

Social Networking

Mobile Apps

Challenge difficult to come up with full-proof rules

Train people to be suspicious amp look for possible red flags

Emphasis on Learning by doing

Feedback

Opportunities for reflection

t t

From Simple to Increasingly Realistic

copy W b S i T h l i 2011 2012

Concluding Remarks BYOD trends make training critical

Users have little awareness of the risks associated with smart phones

Effective training requires adoption of learning science principles

Creating realistic scenarios ndash including mock attacks

Interactive training - Learning by doing

Start with most common risks

Training has to be part of an employeersquos daily life ndash repetition amp variations are critical

QampA

httpmcomcscmuedu

httpwombatsecuritycom

Page 7: Smart Phone Security & Privacy - NIST...Concluding Remarks BYOD trends make training critical Users have little awareness of the risks associated with smart phones Effective training

Android Permissions An Example of the Challenges We Face

P Gage Kelley S Consolvo L Cranor J Jung N Sadeh D Wetherall ldquoA Conundrum of Permissions Installing Applications on an Android Smartphonerdquo USEC2012

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 7

of apps even though they donrsquot

Unusable security Most users do not understand Android permissions

Bad habits amp cognitive biases Most users rely on word of mouth and

star ratings

Users always proceed with the download

What Are We Up Against

Misconceptions Most users did not realize that apps were not vetted

Where Do We Start

understand the permissions

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 8

Understanding the Risks The Big Gap

copy Wombat Security Technologies 2011-2012 copy Wombat Security Technologies 2011-2012

Most people do not realize how sensitive their phones are

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 9

hellipand How Vulnerable They Arehellip

Challenge them to take quizzes

hellipor better Motivate them via mock attacks

Nothing beats showing a user how vulnerable (s)he is

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 10

Phishing as An Example

Email phishing Much worse on mobile phones Mobile users are first to arrive at

phishing websites

Mobile users 3x more likely to submit credentials than desktop users

Source Trusteer Jan 2011 ndash similar

Copyright copy 2011-2012 Norman M Sadeh

Training via Mock Attacks PhishGuru

Teach people in the context they would be attacked

If a person falls for simulated phish then pop up an intervention

Unique ldquoteachable momentrdquo

Copyright copy 2011-2012 Norman M Sadeh

Select Target

Employees

Customize Fake

Phishing Email

Select Training

Internal Test and Approval Process

Hit Send

Monitor amp Analyze Employee Response

Copyright copy 2011-2012 Norman M Sadeh

This really works

Reduces the chance of falling for an attack by more than 70

Actual Results

percentage

Starting with the Most Common Threats

rce for image httpwwwmalaysianwirelesscom201109advice-how-to-protect-your-smartphone

Millions of cell phones lost or stolen each year Majority of smart phone users still do not have PINs

Learning by Doing is Critical

copy Wombat Security Technologies 2011-2012

Teach people to better appreciate the risks

Create mock situations

Force them to make decisions

P id th ith f db k

adually Move Towards More Complex Tasks

Mobile Apps

Location

Social Networking

Mobile Apps

Challenge difficult to come up with full-proof rules

Train people to be suspicious amp look for possible red flags

Emphasis on Learning by doing

Feedback

Opportunities for reflection

t t

From Simple to Increasingly Realistic

copy W b S i T h l i 2011 2012

Concluding Remarks BYOD trends make training critical

Users have little awareness of the risks associated with smart phones

Effective training requires adoption of learning science principles

Creating realistic scenarios ndash including mock attacks

Interactive training - Learning by doing

Start with most common risks

Training has to be part of an employeersquos daily life ndash repetition amp variations are critical

QampA

httpmcomcscmuedu

httpwombatsecuritycom

Page 8: Smart Phone Security & Privacy - NIST...Concluding Remarks BYOD trends make training critical Users have little awareness of the risks associated with smart phones Effective training

of apps even though they donrsquot

Unusable security Most users do not understand Android permissions

Bad habits amp cognitive biases Most users rely on word of mouth and

star ratings

Users always proceed with the download

What Are We Up Against

Misconceptions Most users did not realize that apps were not vetted

Where Do We Start

understand the permissions

Copyright copy 2011-2012 Norman M Sadeh FISSEA 2012 - 8

Understanding the Risks: The Big Gap

© Wombat Security Technologies 2011-2012

Most people do not realize how sensitive their phones are

…and How Vulnerable They Are…

Challenge them to take quizzes

…or better: Motivate them via mock attacks

Nothing beats showing a user how vulnerable (s)he is

Phishing as An Example

Email phishing: Much worse on mobile phones. Mobile users are first to arrive at phishing websites

Mobile users 3x more likely to submit credentials than desktop users

Source: Trusteer, Jan 2011 – similar

Training via Mock Attacks: PhishGuru

Teach people in the context they would be attacked

If a person falls for a simulated phish, then pop up an intervention

Unique "teachable moment"

Select Target Employees

Customize Fake Phishing Email

Select Training

Internal Test and Approval Process

Hit Send

Monitor & Analyze Employee Response

This really works!

Reduces the chance of falling for an attack by more than 70%

Actual Results (chart; y-axis: percentage)
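The PhishGuru workflow above ends with monitoring and analyzing employee response, and the result slide reports the drop in fall-for rate. As an added example (not PhishGuru's or Wombat's code), here is a small Python scorer for a mock-attack campaign log; the one-event-per-line log format and the sample data are constructed for this example. It picks out who should receive the teachable-moment intervention and computes the relative reduction in fall-for rate between a baseline and a follow-up campaign.

```python
"""Scoring a mock-attack (simulated phishing) campaign log.

Added example, not PhishGuru's or Wombat's code. The log format is an assumption made
here: one event per line, "<timestamp> <campaign> <employee> <event>", with event in
{sent, clicked, submitted, reported}."""
from typing import Dict, List, NamedTuple
FELL_FOR = {"clicked", "submitted"}      # either action counts as falling for the phish
VALID_EVENTS = FELL_FOR | {"sent", "reported"}
Event = NamedTuple("Event", [("ts", str), ("campaign", str), ("employee", str), ("kind", str)])

# Constructed sample data: c1 is the baseline mock attack, c2 the follow-up sent
# two weeks after the embedded training. Same four employees in both.
SAMPLE_LOG = """\
2012-03-01T09:00 c1 alice sent
2012-03-01T09:00 c1 bob sent
2012-03-01T09:00 c1 carol sent
2012-03-01T09:00 c1 dave sent
2012-03-01T09:05 c1 alice clicked
2012-03-01T09:06 c1 alice submitted
2012-03-01T09:07 c1 bob clicked
2012-03-01T09:10 c1 carol reported
2012-03-01T09:12 c1 dave clicked
2012-03-15T09:00 c2 alice sent
2012-03-15T09:00 c2 bob sent
2012-03-15T09:00 c2 carol sent
2012-03-15T09:00 c2 dave sent
2012-03-15T09:03 c2 alice reported
2012-03-15T09:04 c2 bob reported
2012-03-15T09:09 c2 dave clicked
"""

def parse_log(text: str) -> List[Event]:
    """Parse the log; a malformed or unknown event line raises instead of being skipped."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 4 or parts[3] not in VALID_EVENTS:
            raise ValueError(f"line {lineno}: unrecognised event line {line!r}")
        events.append(Event(*parts))
    return events

def campaign_stats(events: List[Event], campaign: str) -> Dict[str, float]:
    """Fall-for and report rates for one campaign, counting each employee at most once."""
    sent, fell, reported = set(), set(), set()
    for ev in events:
        if ev.campaign != campaign:
            continue
        if ev.kind == "sent":
            sent.add(ev.employee)
        elif ev.kind in FELL_FOR:
            fell.add(ev.employee)       # clicked and then submitted is still one fall
        else:
            reported.add(ev.employee)
    if not sent:
        raise ValueError(f"campaign {campaign!r} has no sent events")
    return {"sent": len(sent), "fell_for": len(fell), "reported": len(reported),
            "fall_rate": len(fell) / len(sent), "report_rate": len(reported) / len(sent)}

def intervention_targets(events: List[Event], campaign: str) -> List[str]:
    """Who gets the just-in-time training pop-up: everyone who fell for this campaign."""
    return sorted({e.employee for e in events if e.campaign == campaign and e.kind in FELL_FOR})

def relative_reduction(events: List[Event], baseline: str, followup: str) -> float:
    """Fraction by which the fall-for rate dropped between two campaigns (0.0 if baseline is 0)."""
    before = campaign_stats(events, baseline)["fall_rate"]
    after = campaign_stats(events, followup)["fall_rate"]
    return (before - after) / before if before else 0.0
```

On the constructed data the fall-for rate drops from 0.75 to 0.25, a relative reduction of two thirds; the same functions apply to any campaign pair in the log.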

Starting with the Most Common Threats

Source for image: http://www.malaysianwireless.com/2011/09/advice-how-to-protect-your-smartphone

Millions of cell phones lost or stolen each year. Majority of smart phone users still do not have PINs

Learning by Doing is Critical

Teach people to better appreciate the risks

Create mock situations

Force them to make decisions

Provide them with feedback

Gradually Move Towards More Complex Tasks

Mobile Apps

Location

Social Networking

Mobile Apps

Challenge: difficult to come up with fool-proof rules

Train people to be suspicious & look for possible red flags

Emphasis on Learning by doing

Feedback

Opportunities for reflection


From Simple to Increasingly Realistic

Concluding Remarks

BYOD trends make training critical

Users have little awareness of the risks associated with smart phones

Effective training requires adoption of learning science principles

Creating realistic scenarios – including mock attacks

Interactive training - Learning by doing

Start with most common risks

Training has to be part of an employee's daily life – repetition & variations are critical

Q&A

http://mcom.cs.cmu.edu

http://wombatsecurity.com
