A Guide to Mobile Security Risk Assessment

Posted by SaferMobile on Jun 10, 2011
Author: 
SaferMobile
Abstract: 

You are an activist, rights defender, or journalist. You use a mobile device. And you work in sometimes risky situations in your country. This guide will help you implement mobile security practices in your work. It will help you assess the particular risks that face you and then assist you in developing a plan to mitigate those risks.

Location

safetyicon

You are an activist, rights defender, or journalist. You use a mobile device. And you work in sometimes risky situations in your country.

This guide will help you implement mobile security practices in your work. It will help you assess the particular risks that face you and then assist you in developing a plan to mitigate those risks. First, we'll cover some of basic concepts. Then, in the second part of this guide, we'll take you through developing your own risk assessment in 5 steps.

We have previously published a Mobile Risk Primer that describes general security vulnerabilities associated with mobile technology and communication. Read it!

Throughout this guide, we'll also highlight the fictitious case of Asima, a blogger and activist in Egypt. Examples of how Asima might complete the assessment worksheet and create a security plan for her work are highlighted in this guide.

Asima lives in Cairo, Egypt and is a blogger and an activist. She used to maintain a blog on Blogspot, but now mostly uses Facebook and Twitter to follow current events, to share information, and to communicate with colleagues. She tweets from her mobile phone while in traffic and at cafes and protests and from her computer when she is at work or at home.

Asima works with other activists to organize events and often sends SMS messages to them. She is aware that she is a known activist and that security services are likely tracking her by reading her tweets, looking at her Facebook postings, and possibly tracking her SMS messages. Her phone number was disabled for a few weeks following recent protests, and she has since purchased a new SIM card. She has never been arrested. While she freely expresses her opinions on Facebook and Twitter, she tries to communicate tactically sensitive information in person. If she does communicate sensitive information via phone or SMS, she speaks about it in coded ways that she and her colleagues have agreed upon.

First, two important notes about security.

The first thing to remember that security assessment and risk mitigation are resource-intensive processes. The aim of this guide is to help you formulate a realistic plan that you and your contacts can manage yourselves.

For all situations, we suggest first addressing easily-managed risks. Then focus on more resource-intensive mitigation tactics for risks that carry the highest impact and probability of happening to you.

Secondly, this guide is specific to mobile risks that you may face.

We advise that you conduct similar security and risk assessments for all of your communications - online and offline. Remember that your mobile security is only a part of the tools you use. You may find that as the functionalities of your mobile device and mobile network increase, the lines between mobile information security will become less distinct. For an excellent guide on assessing and addressing additional security needs, see this Frontline Defenders publication.

What is Risk? Understanding Risk, Vulnerability, Threat

In the context of security, risk has a particular meaning. 

  • A threat is anything that has the potential to cause harm.
  • Risk is the likelihood that a threat with a particular impact will occur that causes harm or loss.
  • A vulnerability is a weakness that could be used to endanger or cause harm.

It is not possible to identify all risks, nor is it possible to eliminate all risks. Your goal should be to understand your risks and know how to mitigate as much risk as possible.

Contributing factors in understanding risk

Based on your experience, you and your colleagues likely have a sense of the threats you face. Consider the following:

1. Your operational environment

  • Political and human rights - Are political and human rights respected in the country that you are working in? If you are working in a location that restricts civil liberties, even the smallest project could be high risk. For additional assistance considering the political and human rights context of your project, see this Freedom House map.
  • Reputation - Connections to other organizations could both provide protection and increase your risks. Among your team, are some of you more at risk than others? Are you part of a larger network? Do you have foreign partners? Does your association with these entities increase the likelihood of risk?
  • Issue and controversy - How are the issues that you work on seen by the population in which you work? Do you have support from the general population? Are the issues you work on particularly controversial?

2. Technological vulnerabilities and threat

  • Mobile networks and devices - Are you aware of the general vulnerabilities of mobile communication and whether your phone calls and messages are easily threatened? Do you know how mobile networks operate and what information your mno knows about you? See this SaferMobile Mobile Risk Primer.
  • Availability and reliability of service - Are you able to use your mobile device for communication in all locations where you will be working? Is service generally reliable or often disrupted, intentionally or unintentionally?
  • Policy and oversight - What are the policies regulating whether and how governments and other entities can intercept your communications and access your communication records?

3. The legality of your tactics and tools

  • Are the tactics you are using considered legal where you are working? If they are illegal, your risk increases considerably.  (For the record: We do not condone or support any illegal activities.)
  • Are the security tools that you are using legal or illegal? For example, is it legal to encrypt your communications?

Mobile Risk Assessment in 5 Steps

1. Catalog the information you store or communicate via mobile, and rate its sensitivity

Think about your most sensitive information and data. Sensitive information, unlike public content, is information that will put you or your operation at risk if it is known by people other than yourself and your trusted colleagues. Contact information of your network is probably high on that list. Photos and videos may be sensitive information.

The Rating Information Sensitivity worksheet asks you to catalog the information you store or communicate via mobile, and place it in one of three categories according to sensitivity. For example:

  • A public press release may, or a text message reminding people to vote on an election day might be low risk, if there is low expectation of violence around polling places.
  • A message informing people of an event at which you do not want people outside of your organization present - such as reporters - might be medium risk.
  • A photo or video showing the faces of people who participated in an illegal action, or an action that places them at risk of violence, might be high risk.

Asima communicates high-risk information. Outside of mobile use, she communicates tactically sensitive information in person. On her mobile, hish-risk information includes:

  • The names, numbers, photos, email, contact information, and Twitter handles of colleagues who are unknown (and who would be in danger if known as a participant in resistance activities) is high risk information.
  • The username and password for Asima's Twitter account is high-risk information. (As is the username and password for other applications or services.)
  • Photos and videos documenting events that could incriminate a party or connect individuals with activism activities is also high risk.

For other examples, see our sample worksheet, Rating Information Sensitivity for MobileActive.org

2. Understand the vulnerabilities inherent in mobile communication

Many different types of risks exist, and you may only experience a few. When conducting a security assessment it is good to think broadly about risk. The Mobile Risk Primer provides an overview of mobile communication risks.

To ensure that your list is thorough, list your uses based on the mode such as voice, SMS, MMS, email, web, photo and video capture.

Asima is using multiple mobile channels: Data (such as mobile web, apps, and Twitter), SMS, and voice. While she tries to communicate tactically sensitive information in person, she does communicate sensitive information via phone or SMS. Learning that SMS is transmitted in plain text, she decides to use a code that she and her colleagues have agreed upon any time she has to communicate sensitive information via SMS.

The categories below can be used as a checklist for different kinds of risk to mobile communications.

Threat Description
Listening A call can be listened to or transmitted data can be read.
Modifying Primarily a threat for data transmissions. The transmitted data can be modified.
Spoofing A threat when the authenticity of the user is not guaranteed.
Identifying The user identity and/or location is revealed.
Interrupting Connectivity to the network is disrupted.

Asima decides she is most concerned about these risks:

  • Since Asima uses an app to send tweets, she is worried about exposing her username and password if her phone is lost or taken.
  • She is also worried that someone could impersonate her (spoofing) and post to social networks on her behalf.
  • Asima is also concerned that the application she uses to post on social networks includes her location information and may track that information without her knowing (identifying).
  • Though she communicates mostly using coded messages on her mobile phone, Asima worries that if her device were taken, messages could be deciphered and contact info of her colleagues retrieved.
  • She is concerned about SMS messages being read, possibly by security services accessing mobile network data.
  • Lastly, she thinks about loss of service (interrupting) as networks have been unreliable in critical situations.

3. Describe your operational environment and be aware of the specific threats it involves

Your operational environment can include any factors that allow or prevent you from operating to meet your individual or organizational goals, as well as what can define those goals. Environmental factors can be anything at the national, community, or local level that affects your ability to conduct your work safely, effectively, and legally. International considerations can also become factors, but for the purpose of this exercise, have participants focus on the local/national operating environment, as most factors are based on state-based regulations, laws, and social, cultural, and political variations.

Your operational environment can change rapidly, especially with regard to technology. A service or activity that previously hasn't been a target of security forces can easily become one.

Based on your experience, you and your colleagues likely have a sense of the threats you face. The Operational Environment Worksheet helps you systematize your existing knowledge about your operational environment

4. Learn about mitigating actions for mobile security risks

Various SaferMobile resources provide information about how to mitigate mobile security risks. Here are some to get you started.

As you search for tactics and tools, consider the different ways risk can be mitigated. Security tools are often an option, but sometimes changing your behaviour, switching to an alternative mode of communication, or abstaining from mobile use altogether for sensitive data is a more appropriate solution.

You may be able to mitigate a risk by... Example
Changing your behavior Not leaving your phone unattended
Using a security tool A phone feature - e.g. setting a PIN or password. OR an app - e.g. encrypted SMS
Switching to an alternative mode of communication Encrypted email or voice instead of SMS
Abstaining from a particular activity Not taking a phone with you to a sensitive meeting you don't want recorded or overheard.

5. Conduct a risk assessment and develop a mobile security policy for yourself, your organization or a campaign you work on

Fill out the Risk Assessment Worksheet for every use-case (every way you store or communicate via mobile) that involves medium or high-sensitivity data.

For an example, see our Example Risk Assessment fo MobileActive.org

Pick the low-hanging fruit. For all situations, we suggest addressing every easily-managed risk. This includes things like setting strong passwords and carrying extra batteries. Choose more resource-intensive mitigation tactics for serious risks that carry the highest probability of happening.

Low-hanging fruit for Asima includes the following:

  • She has strong passwords for her PIN, SIM, and accounts. She tries to change these passwords frequently.
  • As a backup, Asima carries extra batteries and a replacement SIM card in case of mobile network shut down. She makes sure there is plenty of credit on her phone.
  • Asima tries to use, as much as possible, a secure connection to the mobile web (such as HTTPS), especially when logging in to any online accounts.
  • She also frequently deletes browsing history and SMS messages from her mobile phone. She updates the mobile web browser to ensure she has the latest version.

After you have addressed low-hanging fruit (low and easily managed risks), choose more resource-intensive mitigation tactics for serious risks which carry the highest probability of happening. This is important as you may have a long list of mobile communication uses and risks after completing the worksheet.

Plan first for those involving information you rated high as these would be the most damaging to yourself, your organization, and your work. It makes sense to focus also on those that are most probable.  Remember that planning for high risk may be resource-intensive, you may ultimately save time and energy by protecting yourself from it.

While at protests or gatherings, Asima takes other precautions, too. This includes silencing her ringer and mobile camera flash when in public. While some protests are public gatherings, if Asima is traveling to an undisclosed location, she removes the mobile battery and avoids talking about sensitive locations with insecure methods. She also plans to scrub photos of location information and delete sensitive videos. She keeps only few contacts in her address book and the most sensitive of those are pseudonyms.

Finally, plan for loss of your device or service. For all vital communications, have a backup plan (such as a meeting point, an alternative number, or a friend you can contact) in case you lose your device or service.

What if Asima's mobile device is taken by authorities at a protest gathering? She has a backup plan in place in case this happens. This allows her to continue her work and stay in touch with colleagues. Her back-up plan includes the following:

  • Before attending events, she has a developed security policy in place with her colleagues. Her entire team is aware of an alternative mechanism for communication. This may be important, too, for network failure situations.
  • She will communicate in person with her colleagues. A code has been established to make person-to-person communication more secure.
  • She has installed SaferMobile InTheClear application. InTheClear lets her preset an emergency SMS to a set of contacts (Shout!) with a single menu click (Panic!). InTheClear also allows her to unobtrusively erase her address book from her phone (Wipe!), should it be taken from her.
  • She has also coded names in her mobile address book to better protect their anonymity.

 

AttachmentSize
Worksheet_RatingInformationSensitivity.pdf50.76 KB
Worksheet_OperationalEnvironment.pdf63.6 KB
Worksheet_RiskAssessment.pdf44.6 KB
Example_RatingInformationSensitivity_MobileActive.org_.pdf58.13 KB
Example_RiskAssessmentWorksheet_MobileActive.org_.pdf114.93 KB
A Guide to Mobile Security Risk Assessment data sheet 3623 Views
Author: 
SaferMobile
Abstract: 

You are an activist, rights defender, or journalist. You use a mobile device. And you work in sometimes risky situations in your country. This guide will help you implement mobile security practices in your work. It will help you assess the particular risks that face you and then assist you in developing a plan to mitigate those risks.

Location

safetyicon

You are an activist, rights defender, or journalist. You use a mobile device. And you work in sometimes risky situations in your country.

This guide will help you implement mobile security practices in your work. It will help you assess the particular risks that face you and then assist you in developing a plan to mitigate those risks. First, we'll cover some of basic concepts. Then, in the second part of this guide, we'll take you through developing your own risk assessment in 5 steps.

We have previously published a Mobile Risk Primer that describes general security vulnerabilities associated with mobile technology and communication. Read it!

Throughout this guide, we'll also highlight the fictitious case of Asima, a blogger and activist in Egypt. Examples of how Asima might complete the assessment worksheet and create a security plan for her work are highlighted in this guide.

Asima lives in Cairo, Egypt and is a blogger and an activist. She used to maintain a blog on Blogspot, but now mostly uses Facebook and Twitter to follow current events, to share information, and to communicate with colleagues. She tweets from her mobile phone while in traffic and at cafes and protests and from her computer when she is at work or at home.

Asima works with other activists to organize events and often sends SMS messages to them. She is aware that she is a known activist and that security services are likely tracking her by reading her tweets, looking at her Facebook postings, and possibly tracking her SMS messages. Her phone number was disabled for a few weeks following recent protests, and she has since purchased a new SIM card. She has never been arrested. While she freely expresses her opinions on Facebook and Twitter, she tries to communicate tactically sensitive information in person. If she does communicate sensitive information via phone or SMS, she speaks about it in coded ways that she and her colleagues have agreed upon.

First, two important notes about security.

The first thing to remember that security assessment and risk mitigation are resource-intensive processes. The aim of this guide is to help you formulate a realistic plan that you and your contacts can manage yourselves.

For all situations, we suggest first addressing easily-managed risks. Then focus on more resource-intensive mitigation tactics for risks that carry the highest impact and probability of happening to you.

Secondly, this guide is specific to mobile risks that you may face.

We advise that you conduct similar security and risk assessments for all of your communications - online and offline. Remember that your mobile security is only a part of the tools you use. You may find that as the functionalities of your mobile device and mobile network increase, the lines between mobile information security will become less distinct. For an excellent guide on assessing and addressing additional security needs, see this Frontline Defenders publication.

What is Risk? Understanding Risk, Vulnerability, Threat

In the context of security, risk has a particular meaning. 

  • A threat is anything that has the potential to cause harm.
  • Risk is the likelihood that a threat with a particular impact will occur that causes harm or loss.
  • A vulnerability is a weakness that could be used to endanger or cause harm.

It is not possible to identify all risks, nor is it possible to eliminate all risks. Your goal should be to understand your risks and know how to mitigate as much risk as possible.

Contributing factors in understanding risk

Based on your experience, you and your colleagues likely have a sense of the threats you face. Consider the following:

1. Your operational environment

  • Political and human rights - Are political and human rights respected in the country that you are working in? If you are working in a location that restricts civil liberties, even the smallest project could be high risk. For additional assistance considering the political and human rights context of your project, see this Freedom House map.
  • Reputation - Connections to other organizations could both provide protection and increase your risks. Among your team, are some of you more at risk than others? Are you part of a larger network? Do you have foreign partners? Does your association with these entities increase the likelihood of risk?
  • Issue and controversy - How are the issues that you work on seen by the population in which you work? Do you have support from the general population? Are the issues you work on particularly controversial?

2. Technological vulnerabilities and threat

  • Mobile networks and devices - Are you aware of the general vulnerabilities of mobile communication and whether your phone calls and messages are easily threatened? Do you know how mobile networks operate and what information your mno knows about you? See this SaferMobile Mobile Risk Primer.
  • Availability and reliability of service - Are you able to use your mobile device for communication in all locations where you will be working? Is service generally reliable or often disrupted, intentionally or unintentionally?
  • Policy and oversight - What are the policies regulating whether and how governments and other entities can intercept your communications and access your communication records?

3. The legality of your tactics and tools

  • Are the tactics you are using considered legal where you are working? If they are illegal, your risk increases considerably.  (For the record: We do not condone or support any illegal activities.)
  • Are the security tools that you are using legal or illegal? For example, is it legal to encrypt your communications?

Mobile Risk Assessment in 5 Steps

1. Catalog the information you store or communicate via mobile, and rate its sensitivity

Think about your most sensitive information and data. Sensitive information, unlike public content, is information that will put you or your operation at risk if it is known by people other than yourself and your trusted colleagues. Contact information of your network is probably high on that list. Photos and videos may be sensitive information.

The Rating Information Sensitivity worksheet asks you to catalog the information you store or communicate via mobile, and place it in one of three categories according to sensitivity. For example:

  • A public press release may, or a text message reminding people to vote on an election day might be low risk, if there is low expectation of violence around polling places.
  • A message informing people of an event at which you do not want people outside of your organization present - such as reporters - might be medium risk.
  • A photo or video showing the faces of people who participated in an illegal action, or an action that places them at risk of violence, might be high risk.

Asima communicates high-risk information. Outside of mobile use, she communicates tactically sensitive information in person. On her mobile, hish-risk information includes:

  • The names, numbers, photos, email, contact information, and Twitter handles of colleagues who are unknown (and who would be in danger if known as a participant in resistance activities) is high risk information.
  • The username and password for Asima's Twitter account is high-risk information. (As is the username and password for other applications or services.)
  • Photos and videos documenting events that could incriminate a party or connect individuals with activism activities is also high risk.

For other examples, see our sample worksheet, Rating Information Sensitivity for MobileActive.org

2. Understand the vulnerabilities inherent in mobile communication

Many different types of risks exist, and you may only experience a few. When conducting a security assessment it is good to think broadly about risk. The Mobile Risk Primer provides an overview of mobile communication risks.

To ensure that your list is thorough, list your uses based on the mode such as voice, SMS, MMS, email, web, photo and video capture.

Asima is using multiple mobile channels: Data (such as mobile web, apps, and Twitter), SMS, and voice. While she tries to communicate tactically sensitive information in person, she does communicate sensitive information via phone or SMS. Learning that SMS is transmitted in plain text, she decides to use a code that she and her colleagues have agreed upon any time she has to communicate sensitive information via SMS.

The categories below can be used as a checklist for different kinds of risk to mobile communications.

Threat Description
Listening A call can be listened to or transmitted data can be read.
Modifying Primarily a threat for data transmissions. The transmitted data can be modified.
Spoofing A threat when the authenticity of the user is not guaranteed.
Identifying The user identity and/or location is revealed.
Interrupting Connectivity to the network is disrupted.

Asima decides she is most concerned about these risks:

  • Since Asima uses an app to send tweets, she is worried about exposing her username and password if her phone is lost or taken.
  • She is also worried that someone could impersonate her (spoofing) and post to social networks on her behalf.
  • Asima is also concerned that the application she uses to post on social networks includes her location information and may track that information without her knowing (identifying).
  • Though she communicates mostly using coded messages on her mobile phone, Asima worries that if her device were taken, messages could be deciphered and contact info of her colleagues retrieved.
  • She is concerned about SMS messages being read, possibly by security services accessing mobile network data.
  • Lastly, she thinks about loss of service (interrupting) as networks have been unreliable in critical situations.

3. Describe your operational environment and be aware of the specific threats it involves

Your operational environment can include any factors that allow or prevent you from operating to meet your individual or organizational goals, as well as what can define those goals. Environmental factors can be anything at the national, community, or local level that affects your ability to conduct your work safely, effectively, and legally. International considerations can also become factors, but for the purpose of this exercise, have participants focus on the local/national operating environment, as most factors are based on state-based regulations, laws, and social, cultural, and political variations.

Your operational environment can change rapidly, especially with regard to technology. A service or activity that previously hasn't been a target of security forces can easily become one.

Based on your experience, you and your colleagues likely have a sense of the threats you face. The Operational Environment Worksheet helps you systematize your existing knowledge about your operational environment

4. Learn about mitigating actions for mobile security risks

Various SaferMobile resources provide information about how to mitigate mobile security risks. Here are some to get you started.

As you search for tactics and tools, consider the different ways risk can be mitigated. Security tools are often an option, but sometimes changing your behaviour, switching to an alternative mode of communication, or abstaining from mobile use altogether for sensitive data is a more appropriate solution.

You may be able to mitigate a risk by... Example
Changing your behavior Not leaving your phone unattended
Using a security tool A phone feature - e.g. setting a PIN or password. OR an app - e.g. encrypted SMS
Switching to an alternative mode of communication Encrypted email or voice instead of SMS
Abstaining from a particular activity Not taking a phone with you to a sensitive meeting you don't want recorded or overheard.

5. Conduct a risk assessment and develop a mobile security policy for yourself, your organization or a campaign you work on

Fill out the Risk Assessment Worksheet for every use-case (every way you store or communicate via mobile) that involves medium or high-sensitivity data.

For an example, see our Example Risk Assessment fo MobileActive.org

Pick the low-hanging fruit. For all situations, we suggest addressing every easily-managed risk. This includes things like setting strong passwords and carrying extra batteries. Choose more resource-intensive mitigation tactics for serious risks that carry the highest probability of happening.

Low-hanging fruit for Asima includes the following:

  • She has strong passwords for her PIN, SIM, and accounts. She tries to change these passwords frequently.
  • As a backup, Asima carries extra batteries and a replacement SIM card in case of mobile network shut down. She makes sure there is plenty of credit on her phone.
  • Asima tries to use, as much as possible, a secure connection to the mobile web (such as HTTPS), especially when logging in to any online accounts.
  • She also frequently deletes browsing history and SMS messages from her mobile phone. She updates the mobile web browser to ensure she has the latest version.

After you have addressed low-hanging fruit (low and easily managed risks), choose more resource-intensive mitigation tactics for serious risks which carry the highest probability of happening. This is important as you may have a long list of mobile communication uses and risks after completing the worksheet.

Plan first for those involving information you rated high as these would be the most damaging to yourself, your organization, and your work. It makes sense to focus also on those that are most probable.  Remember that planning for high risk may be resource-intensive, you may ultimately save time and energy by protecting yourself from it.

While at protests or gatherings, Asima takes other precautions, too. This includes silencing her ringer and mobile camera flash when in public. While some protests are public gatherings, if Asima is traveling to an undisclosed location, she removes the mobile battery and avoids talking about sensitive locations with insecure methods. She also plans to scrub photos of location information and delete sensitive videos. She keeps only few contacts in her address book and the most sensitive of those are pseudonyms.

Finally, plan for loss of your device or service. For all vital communications, have a backup plan (such as a meeting point, an alternative number, or a friend you can contact) in case you lose your device or service.

What if Asima's mobile device is taken by authorities at a protest gathering? She has a backup plan in place in case this happens. This allows her to continue her work and stay in touch with colleagues. Her back-up plan includes the following:

  • Before attending events, she has a developed security policy in place with her colleagues. Her entire team is aware of an alternative mechanism for communication. This may be important, too, for network failure situations.
  • She will communicate in person with her colleagues. A code has been established to make person-to-person communication more secure.
  • She has installed SaferMobile InTheClear application. InTheClear lets her preset an emergency SMS to a set of contacts (Shout!) with a single menu click (Panic!). InTheClear also allows her to unobtrusively erase her address book from her phone (Wipe!), should it be taken from her.
  • She has also coded names in her mobile address book to better protect their anonymity.

 

AttachmentSize
Worksheet_RatingInformationSensitivity.pdf50.76 KB
Worksheet_OperationalEnvironment.pdf63.6 KB
Worksheet_RiskAssessment.pdf44.6 KB
Example_RatingInformationSensitivity_MobileActive.org_.pdf58.13 KB
Example_RiskAssessmentWorksheet_MobileActive.org_.pdf114.93 KB

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd><p><br> <b><i><blockquote>
  • Lines and paragraphs break automatically.

More information about formatting options