3.5 Given a scenario, implement secure mobile solutions. Flashcards

1
Q

Summarize the connection methods and receivers in a secure mobile solutions

A

There are several methods that mobile devices can use to connect to networks and other devices. They include:

2
Q

Cellular

A

Smartphones (and many tablets) include the ability to connect to a cellular network, such as a third-generation (3G), long-term-evolution (LTE), fourth-generation (4G), 4G LTE, or 5G network. The type of network you connect with is dependent on your cellular provider and your device. Newer generations typically provide increased speed for digital transfers and improved voice communications.

3
Q

Wi-Fi

A

Mobile devices almost always have a wireless network interface that you can configure to connect to a wireless network.

4
Q

Bluetooth

A

Most mobile devices include Bluetooth support. Bluetooth is a wireless protocol commonly used with personal area networks. For example, most smartphones support the use of a Bluetooth headset for hands-free use of the phone. Additionally, some technologies use Bluetooth to connect two smartphones.

5
Q

NFC

A

NFC (near field communication) is commonly used as a payment gateway, allowing you to make payments simply by waving your phone in front of an NFC reader at a retailer. You can also create a peer-to-peer network between two devices with NFC.

6
Q

Infrared

A

Infrared is a line-of-sight wireless technology used by some mobile devices. This is the same technology used by most remote controls for TVs and other audiovisual equipment. Some people add apps to their smartphones and use them as a universal remote for their equipment. It’s also possible to transfer files between smartphones using infrared, as long as both smartphones support infrared.

7
Q

USB

A

USB (Universal Serial Bus). Mobile devices can typically connect to a desktop PC or laptop via a USB cable. Most Apple devices have a Lightning port and can connect to PCs via a Lightning to USB cable. Many Android devices have a mini-USB cable and can connect to PCs via a mini-USB to standard USB cable.

8
Q

Point-to-point

A

A point-to-point connection is between two wireless devices, such as between two smartphones. Point-to-point connections can use technologies such as Bluetooth, NFC, and RFID.

9
Q

Point-to-multipoint

A

A point-to-multipoint connection creates an ad hoc network. In ad hoc mode, wireless devices connect to each other without an AP. For example, if you and another user have wireless laptops, you can create an ad hoc wireless network to connect your two computers. Ad hoc is Latin for “as needed,” which is a good way to think about an ad hoc wireless network. You create it as needed. In contrast, when you connect to a wireless network via an AP, you are using infrastructure mode.

10
Q

Global Positioning Systems (GPS)

A

Mobile devices include a GPS and sensors that monitor the device’s movement, such as accelerometers and a gyroscope. A GPS can pinpoint the location of a device, even if it moves.

11
Q

RFID

A

RFID (Radio Frequency Identification) systems transmit data over the air using RF signals, and some NFC systems use RFID technologies.

12
Q

Summarize mobile device management

A

Mobile device management (MDM) includes the technologies to manage mobile devices. The goal is to ensure these devices have security controls in place to keep them secure. Some vendors sell unified endpoint management (UEM) solutions to manage mobile devices.

13
Q

Application management

A

MDM tools can restrict what applications can run on mobile devices. They often use application allow lists to control the applications and prevent unapproved applications from being installed. Mobile application management (MAM) tools are typically built into MDM tools, but some MAM tools focus only on controlling applications.

14
Q

Content management

A

After creating segmented storage spaces, it’s important to ensure that appropriate content is stored there. An MDM system can ensure that all content retrieved from an organization source (such as a server) is stored in an encrypted segment. Also, content management can force the user to authenticate again when accessing data within this encrypted segment.

15
Q

Remote wipe

A

Remote wipe capabilities are useful if the phone is lost. It sends a remote signal to the device to wipe or erase all the data. The owner can send a remote wipe signal to the phone to delete all the data on the phone. This also deletes any cached data, such as cached online banking passwords, and provides a complete sanitization of the device by removing all valuable data.

16
Q

Geofencing

A

Organizations sometimes use GPS to create a virtual fence or geographic boundary using geofencing technologies. Apps can respond when the device is within the virtual fence. As an example, an organization can configure mobile apps so that they will only run when the device is within the virtual fence. Similarly, an organization can configure a wireless network to only operate for mobile devices within the defined boundary.

17
Q

Geolocation

A

Mobile devices commonly include GPS capabilities that are used for geolocation. Applications commonly use GPS to identify the location of the device and device movement. GPS can also be used to locate a lost device.

18
Q

Screen locks

A

Most devices support the use of a passcode or password to lock the device. This is like a password-protected screen saver on desktop systems that automatically locks the device after a specified number of minutes. It prevents someone from easily accessing the device and the data it contains. This is often combined with an erase function. For example, if someone steals the phone and enters the incorrect passcode 10 times, the smartphone will automatically erase all data on the phone.

19
Q

Push notifications

A

Push notification services send messages to mobile devices from apps. As an example, if Lisa installs the Facebook app on her smartphone and enables notifications, the Facebook app will send her notifications. Software developers can configure the notifications to appear even if the device is in screen lock mode and even if the app is not running. MDM apps can send notifications to remind users of security settings or let them know if their device complies with security policy requirements.

20
Q

Passwords and PINs

A

Mobile devices commonly support the use of passwords or personal identification numbers (PINs). MDM systems typically support password policies, similar to the password policies used in desktop systems. The only limitation is that some mobile devices only support PINs, while others support either passwords or PINs.

21
Q

Biometrics

A

Many mobile devices now support biometrics for authentication. For example, you can teach the device your fingerprint and then use your fingerprint to authenticate instead of entering a password or PIN.

22
Q

Context-aware authentication

A

Context-aware authentication uses multiple elements to authenticate a user and a mobile device. It can include the user’s identity, geolocation, verification that the device is within a geofence, time of day, and type of device. These elements help prevent unauthorized users from accessing apps or data.

23
Q

Containerization

A

The virtualization section earlier in this chapter discusses the use of container virtualization. Organizations can also implement containerization in mobile devices and encrypt the container to protect it without encrypting the entire device. Running an organization’s application in a container isolates and protects the application, including any of its data. This is very useful when an organization allows employees to use their own devices.

24
Q

Storage segmentation

A

In some mobile devices, it’s possible to use storage segmentation to isolate data. For example, users might be required to use external storage for any corporate data to reduce the risk of data loss if the device is lost or stolen. It’s also possible to create separate segments within the device. Users would store corporate data within an encrypted segment and personal data elsewhere on the device.

25
Q

Full device encryption

A

Encryption protects against loss of confidentiality on multiple platforms, including workstations, servers, mobile devices, and data transmissions. Encryption methods such as full device encryption provide device security, application security, and data security.

26
Q

Mobile devices

A

Mobile devices typically have the operating system stored in onboard memory, such as flash memory, which retains data even without power. Because the operating system is the software and the memory is hardware, this is commonly called firmware.

27
Q

MicroSD hardware security module (HSM)

A

A hardware security module (HSM) is a security device you can add to a system to manage, generate, and securely store cryptographic keys. A microSD HSM is a microSD card that includes an HSM. A microSD card is small at 15 mm long x 11 mm wide x 1 mm thick, or 0.59 inches x 0.43 inches x 0.03 inches. You can install a microSD HSM into any device that has a microSD slot. With an adapter, you can install any microSD card into an SD card slot.

28
Q

MDM/Unified Endpoint Management (UEM)

A

UEM tools ensure systems are kept up to date with current patches, have antivirus software installed with up-to-date definitions, and are secured using standard security practices.

29
Q

Mobile application management (MAM)

A

Mobile application management (MAM) tools are typically built into MDM tools, but some MAM tools focus only on controlling applications.

30
Q

SEAndroid

A

The security-enhanced Android (SEAndroid) security model uses Security-Enhanced Linux (SELinux) to enforce access security. It operates using a default denial principle. In other words, anything not allowed by the SELinux policy is denied.

31
Q

Mobile Device Enforcement and Monitoring

A

MDM tools often manage devices differently depending on who owns them. If the organization owns the device, the MDM tool will typically download and install all required applications and ensure they are kept up to date.

If the device is employee-owned, MDM tools will monitor them for compliance and block access to the network if the device doesn’t meet minimum requirements. For example, suppose the device isn’t patched or doesn’t have up-to-date antivirus software.

32
Q

Third-party application stores

A

A third-party app store is something other than Apple’s App Store or Google Play. Apps obtained from these third-party app stores don’t undergo the same level of scrutiny as apps on the App Store or Google Play and represent a higher risk. Apple makes it very difficult to obtain apps from a third-party app store, but it is relatively easy to obtain apps from third-party stores for Android devices.

33
Q

Rooting/jailbreaking

A

Jailbreaking refers to removing all software restrictions from an Apple device.

Rooting is the process of modifying an Android device to give the user root-level (or full administrator) access to the device.

34
Q

Sideloading

A

Sideloading is the process of copying an application package in the Application Packet Kit (APK) format to the device and then activating it.

35
Q

Custom firmware

A

It’s also possible to overwrite the firmware with custom firmware. Some people do this as another method of rooting Android devices. The process is typically complex and fraught with risks. However, some people find downloadable images and copy them onto their devices to overwrite the firmware.

36
Q

Carrier unlocking

A

If Lisa purchased her phone under a two-year contract and fulfilled all the terms of her plan, she can unlock her phone (also called carrier unlocking) and use it with another carrier.

37
Q

Firmware-over-the-air (OTA) updates

A

Firmware OTA updates keep the device up to date. It’s also possible to overwrite the firmware with custom firmware.

38
Q

Camera use

A

A camera’s main function is to transmit pictures over the Internet. It is popularly used with instant messaging services and for recording images.

39
Q

SMS/Multimedia Messaging Service (MMS)/Rich Communication Services (RCS)

A

Rich communication services (RCS) is a newer communication protocol designed to replace SMS for text messaging. Similar to MMS, RCS can transmit multimedia, but it has additional features. If a user sends an RCS message, but the network doesn’t support RCS, it will default to MMS or SMS.

40
Q

External media

A

Mobile devices commonly have one or more ports where you can plug in a cable. Apple devices have a Lightning port, and Android devices typically have a micro-USB or mini-USB port. In some cases, it’s possible to connect external media (such as an external drive) to the device. Organizations might want to prevent this because the media presents additional risks. It could contain malware. It might also allow a malicious insider to copy a massive amount of data.

41
Q

USB On-The-Go (USB OTG)

A

USB OTG cables allow you to connect just about any device to your mobile device, including another mobile device. This includes a mouse, keyboard, Musical Instrument Digital Interface (MIDI) keyboard, and external media.

42
Q

Recording microphone

A

A recording microphone is a device that picks up audio waves in the air and converts them into corresponding electrical signals.

43
Q

GPS tagging

A

GPS tagging (also called geotagging) adds geographical information to files such as pictures when posting them to social media websites. For example, when you take a picture with a smartphone with GPS features enabled, the picture application adds latitude and longitude coordinates to the picture. Thinking of friends and family, this is a neat feature. However, thinking of thieves and criminals, they can exploit this data. For example, if Lisa frequently posts pictures of friends and family at her house, these pictures identify her address. If she later starts posting pictures from a vacation location, thieves can realize she’s gone and burglarize her home.

44
Q

Wi-Fi Direct/ad hoc

A

Wi-Fi Direct is a standard that allows devices to connect without a wireless access point or wireless router. This is similar to a wireless ad hoc network, which also allows devices to connect together without a wireless access point or wireless router.

The difference is that Wi-Fi Direct uses single radio hop communication. In other words, none of the devices in a Wi-Fi Direct network can share an Internet connection. In contrast, systems in a wireless ad hoc network use multihop wireless communications and can share an Internet connection.

45
Q

Tethering

A

Most smartphones support tethering, which allows you to share one device’s Internet connection with other devices. For example, you can connect your smartphone to the Internet and then share this Internet connection with a laptop, a tablet, or any device with a wireless connection.

46
Q

Hotspot

A

Similarly, many carrier companies sell mobile hotspots. These connect to the Internet and allow multiple systems to access the Internet via the hotspot. If employees bring these to work, they can bypass network controls just as if they were using tethering.

47
Q

Payment methods

A

Some organizations restrict the use of payment methods on COPE devices. This can reduce risks for the devices owned by the organization. However, an organization is unlikely to restrict payment methods on devices owned by employees.

48
Q

Bring your own device (BYOD)

A

Some organizations allow employees to bring their own mobile devices to work and attach them to the network. Employees are responsible for selecting and supporting the device, and they typically must comply with a BYOD policy when connecting their device to the network. While this is simple for the employees, it is sometimes referred to as bring your own disaster among IT professionals. Because employees can have any possible device, the IT department is now responsible for supporting, monitoring, and managing any possible device owned by employees.

49
Q

Corporate owned personally enabled (COPE)

A

COPE is similar to the traditional corporate-owned model, but the primary difference is that the employees are free to use the device as if it was their personally owned device. This allows employees to use the devices for personal activities in addition to connecting them to the organization’s network. Because the organization owns the devices, it makes it easier to manage them.

50
Q

Choose your own device (CYOD)

A

To avoid some of the challenges related to supporting any possible mobile devices, some organizations create a list of acceptable devices and publish the list in a BYOD policy. Employees can purchase devices on the list and bring them to work. This gives the IT department a specific list of devices to support, monitor, and manage. Some people confuse CYOD with COPE. In the COPE model, the organization purchases the device and may give the employees a choice of different devices. In the CYOD model, the employee purchases the device.

51
Q

Corporate owned

A

In this traditional deployment model, the organization purchases devices and issues them to employees.

52
Q

Virtual desktop infrastructure (VDI)

A

A virtual desktop infrastructure (VDI) hosts a user’s desktop operating system on a server. While traditional computers typically access VDIs within a network, it’s also possible to deploy a VDI that users can access with their mobile device.