Cybersecurity Module 1: Personal Use Security
Background
Summary:
Internet-enabled mobile devices are commonly used by people in a business environment to do business work such as communicating with clients and co-workers involved in the same or similar projects.
Description:
Business-issued mobile devices are commonly used by employees and business associates in performing normal business functions. It can easily happen that a person is not aware of all the security policies and procedures, or perhaps the person makes a mistake in observing these security policies. Sensitive data may be exposed, or the business employer may become vulnerable, as a result.
Sometimes a user may carry only one mobile device which is used for both business and personal use. Even if this does not violate company policy, it may involve security risks.
Risk – How Can It Happen?
There are a number of possibilities that may lead to these situations, as follows:
1. Lack of a security policy for the organization
2. Lack of awareness of existing security policies
3. Forgetfulness or other error on the part of the user
4. Complacence, and the notion that “nobody will hurt us”
5. Pressure from work schedules or from management, and the need to rush through things.
The list is not necessarily complete.
Example of Occurrence: Scenarios
1. Helena works remotely and commonly uses the mobile device issued to her to conduct client meetings and access the customer database. She is on the go a lot, and instead of using the secure 4G network issued by the company, she often uses the open access Wi-Fi network wherever a network might be available, such as at a Starbucks.
There is no company policy against the personal use of company mobile devices. She knows it is against company policy to download applications, such as games, that have not been approved by the IT department. She has done this in violation of the policy, but she only plays the games at work.
Answer the following questions:
Question 1:
The company has issued Helena the mobile device to work remotely to interact with clients and access the database. Is this the right thing to do?
A. No, the company should require her to be at her desk inside the firewall.
B. It is acceptable to do client meetings remotely, but database access has to be secured.
C. Considering that the company has issued her this device, they expect her to use it remotely provided she follows security procedures.
D. There is no problem. There is no need to be paranoid.
Question 2:
Is it all right for Helena to use the company issued mobile device on an open access network that is not password protected?
A. Absolutely not. Even if she does not access clients and client data, she is possibly exposing the device and the data it contains to other users.
B. She could be doing personal work, just not access any secure company data.
C. It is all right if she does it quickly. Keeping the connection open a long time could be risky.
D. Some people are so paranoid. The only people in Starbucks are coffee lovers, not snoopers.
Question 3:
Is it all right for Helena to be downloading games that have not been approved by the IT department?
A. It is quite all right to download the games, but she should not be playing them at work.
B. There is nothing wrong with downloading the game as long as she is playing within the security firewall.
C. Everyone needs to relax with games. This is an example of an improper security policy.
D. It is very wrong for her to disregard the security policy and the IT department. Games can come with spyware or malware. This is the big concern, bigger than her playing games at work.
Responsible Use – How can these errors be avoided?
All the answers are given in the scenario. The company has issued Helena a mobile device with a secure 4G connection. They expect her to work remotely to conduct client meetings and access the company database. She does not need to use public Wi-Fi where her device and communications are exposed to other users, who could also overhear her or look over her shoulder. Using the secure 4G she can connect from any private area, such as inside her parked car.
It is very wrong of her to ignore the company security policy and the IT department with respect to games. The company has not banned games. They only require games to be vetted by the IT department so that they are free of spyware and malware that can expose sensitive information.
Answer the following questions:
Question 1:
Which of the following best represents what Helena should do at work?
A. Focus on work and not play games.
B. Bring her own phone to play games at work.
C. It doesn’t matter. One or two games will not hurt if she does not play too often.
D. Have her work phone scanned on a regular basis by the IT department.
Question 2:
Which of the following best represents what Helena should do when clients urgently request information from her when she is away from work?
A. Find a secluded location where she can use her secure 4G connection.
B. She should not answer the call.
C. She should answer and give the client a time when she can give the information.
D. She should only provide general information.
Question 1:
What can you describe about the increase in bandwidth from 3G to 4G to 4G LTE?
Question 2:
You may have noticed an increase in screen size over the years in moving to 4G LTE. What features are supported by the larger screens?
Discussion Questions
Question 1:
The original WiMAX IEEE 802.16N city-wide Internet was scrapped because there was no security and too much interference. The current 4G LTE (4th Generation Long Term Evolution) is based on IEEE 802.16e-2005 and has higher levels of security. In moving from 3G to 4G and 4G LTE it often seems that the focus is on greater bandwidth and higher speeds. Discuss the importance of security in what is essentially an open global Internet.
Question 2:
The openness of the Internet is the biggest boon for people. The openness of the Internet is the gravest danger for people. Comment on this statement in the context of cybersecurity.