3.5 Secure Mobile Solutions Flashcards

1
Q
• One-to-one connection
– Conversation between two devices
• Connections between buildings
– Point-to-point network links
• Wi-Fi repeaters
– Extend the length of an existing network
A

Point-to-point

2
Q

• One of the most popular communication methods
802.11 wireless
• Does not imply full connectivity between nodes

A

Point-to-multipoint

3
Q
• Mobile devices
– “Cell” phones
• Separate land into “cells”
– An antenna covers a cell with certain frequencies
• Security concerns
– Traffic monitoring
– Location tracking
– Worldwide access to a mobile device
A

Cellular networks

4
Q
• Local network access
– Local security problems
• Same security concerns as other Wi-Fi devices
• Data capture
– Encrypt your data!
• On-path attack
– Modify and/or monitor data
• Denial of service
– Frequency interference
A

Wi-Fi

5
Q

• High speed communication over short distances
– PAN (Personal Area Network)
• Connects our mobile devices
– Smartphones, tethering, headsets and headphones, health monitors, automobile and phone integration, smartwatches, external speakers

A

Bluetooth

6
Q
• It’s everywhere
– Access badges
– Inventory/Assembly line tracking
– Pet/Animal identification
– Anything that needs to be tracked
• Radar technology
– Radio energy transmitted to the tag
– RF powers the tag, ID is transmitted back
– Bidirectional communication
– Some tag formats can be active/powered
A

RFID (Radio-frequency identification)

7
Q
• Two-way wireless communication
– Builds on RFID
• Payment systems
– Google wallet, Apple Pay
• Bootstrap for other wireless
– NFC helps with Bluetooth pairing
• Access token, identity “card”
– Short range with encryption support
A

Near field communication (NFC)

8
Q

• Remote capture
– It’s a wireless network
– 10 meters for active devices
• Frequency jamming - Denial of service
• Relay / Replay attack - Man in the middle
• Loss of NFC device control - Stolen/lost phone

A

NFC security concerns

9
Q

• Included on many smartphones, tablets, and smartwatches
– Not really used much for printing
• Control your entertainment center
– Almost exclusively IR
• File transfers are possible
• Other phones can be used to control your IR devices

A

IR (Infrared)

10
Q

• Physical connectivity to your mobile device
– USB to your computer
– USB, Lightning, or proprietary on your phone
• Physical access is always a concern
– May be easier to gain access than over a remote connection
• A locked device is relatively secure
– Always auto-lock
• Mobile phones can also exfiltrate
– Phone can appear to be a USB storage device

A

USB (Universal Serial Bus)

11
Q

• Created by the U.S. Department of Defense
– Over 30 satellites currently in orbit
• Precise navigation
– Need to see at least 4 satellites
• Determines location based on timing differences
– Longitude, latitude, altitude
• Mobile device location services and geotracking
– Maps, directions
– Determine physical location based on GPS, WiFi, and cellular towers

A

Global Positioning System (GPS)

12
Q

• Manage company-owned and user-owned mobile devices
– BYOD - Bring Your Own Device
• Centralized management of the mobile devices
– Specialized functionality
• Set policies on apps, data, camera, etc.
– Control the remote device
– The entire device or a “partition”
• Manage access control
– Force screen locks and PINs on these single user devices

A

Mobile Device Management (MDM)

13
Q

• Managing mobile apps is a challenge
– Mobile devices install apps constantly
• Not all applications are secure
– And some are malicious
– Android malware is a rapidly growing security concern
• Manage application use through allow lists
– Only approved applications can be installed
– Managed through the MDM
• A management challenge
– New applications must be checked and added

A

Application management

14
Q

• Mobile Content Management (MCM)
– Secure access to data, protect data from outsiders
• File sharing and viewing
– On-site content (Microsoft Sharepoint, file servers)
– Cloud-based storage (Box, Office 365)
• Data sent from the mobile device
– DLP (Data Loss Prevention) prevents copy/paste of sensitive data
– Ensure data is encrypted on the mobile device
• Managed from the mobile device manager (MDM)

A

Content management

15
Q
• Remove all data from your mobile device
– Even if you have no idea where it is
– Often managed from the MDM
• Connect and wipe from the web
– Nuke it from anywhere
• Need to plan for this
– Configure your mobile device now
• Always have a backup
– Your data can be removed at any time
– As you are walking out the door
A

Remote wipe

16
Q

• Precise tracking details - Tracks within feet
• Can be used for good (or bad)
– Find your phone, find you
• Most phones provide an option to disable
– Limits functionality of the phones
• May be managed by the MDM

A

Geolocation

17
Q

• Some MDMs allow for geofencing
– Restrict or allow features when the device is in a particular area
• Cameras
– Might only work when outside the office
• Authentication
– Only allow logins when the device is located in a particular area

A

Geofencing

18
Q
• All mobile devices can be locked
– Keep people out of your data
• Simple passcode or strong passcode
– Numbers vs. Alphanumeric
• Fail too many times?
– Erase the phone
• Define a lockout policy
– Create aggressive lockout timers
– Completely lock the phone
A

Screen lock

19
Q

• Information appears on the mobile device screen
– The notification is “pushed” to your device
• No user intervention
– Receive notifications from one app when using a completely different app
• Control of displayed notifications can be managed from the MDM
– Or notifications can be pushed from the MDM

A

Push notification services

20
Q

• The universal help desk call
– I need to reset my password
• Mobile devices use multiple authentication methods
– Password/passphrase, PINs, patterns
• Recovery process can be initiated from the MDM
– Password reset option is provided on the mobile device
– “What is the name of your favorite car maiden cat’s color?”
• MDM also has full control
– Completely remove all security controls
– Not the default or best practice

A

Passwords and PINs

21
Q

• You are the authentication factor
– Fingerprint, face
• May not be the most secure authentication factor
– Useful in some environments
– Completely forbidden in others
• Availability is managed through the MDM
– Organization determines the security of the device
• Can be managed per-app
– Some apps require additional biometric authentication

A

Biometrics

22
Q
• Who needs 2FA?
– The attackers can get around anything
• Authentication can be contextual
– If it walks like a duck…
• Combine multiple contexts
– Where you normally log in (IP address)
– Where you normally frequent (GPS information)
– Other devices that may be paired (Bluetooth, etc.)
• And others
– An emerging technology
– Another way to keep data safe
A

Context-aware authentication

23
Q

• Difficult to separate personal from business
– Especially when the device is BYOD
– Owned by the employee
• Separate enterprise mobile apps and data
– Create a virtual “container” for company data
– A contained area - limit data sharing
– Storage segmentation keeps data separate
• Easy to manage offboarding
– Only the company information is deleted
– Personal data is retained
– Keep your pictures, video, music, email, etc.

A

Containerization

24
Q
• Scramble all of the data on the mobile device
– Even if you lose it, the contents are safe
• Devices handle this in different ways
– Strongest/stronger/strong ?
• Encryption isn’t trivial
– Uses a lot of CPU cycles
– Complex integration between hardware and software
• Don’t lose or forget your password!
– There’s no recovery
– Often backed up on the MDM
A

Full device encryption

25
Q

• Shrink the PCI Express
– Hardware Security Module - Now in a microSD card form
• Provides security services
– Encryption, key generation, digital signatures, authentication
• Secure storage
– Protect private keys - Cryptocurrency storage

A

MicroSD HSM

26
Q

• Manage mobile and non-mobile devices
– An evolution of the Mobile Device Manager (MDM)
• End users use different types of devices
– Their use has blended together
• Applications can be used across different platforms
– Work on a laptop and a smartphone
• All of these devices can be used from anywhere
– Users don’t stay in one place

A

Unified Endpoint Management (UEM)

27
Q

• Provision, update, and remove apps
– Keep everyone running at the correct version
• Create an enterprise app catalog
– Users can choose and install the apps they need
• Monitor application use
– Apps used on a device, devices with unauthorized apps
• Remotely wipe application data
– Securely manage remote data

A

Mobile Application Management (MAM)

28
Q

• Security Enhancements for Android
– SELinux (Security-Enhanced Linux) in the Android OS
– Supports access control security policies
• A project from the US National Security Agency (NSA)
– Based on the NSA’s SELinux
• Addresses a broad scope of system security
– Kernel, userspace, and policy configuration
• Enabled by default with Android version 4.3
– July 2013
– Protect privileged Android system daemons
– Prevent malicious activity
• Change from Discretionary Access Control (DAC) to Mandatory Access Control (MAC)
– Move from user-assigned control to object labels and minimum user access
– Isolates and sandboxes Android apps
• Centralized policy configuration
– Manage Android deployments

A

SEAndroid

29
Q
• Centralized app clearinghouses
– Apple App Store
– Google Play
• Not all applications are secure
– Vulnerabilities, data leakage
• Not all applications are appropriate for business use
– Games, instant messaging, etc.
• MDM can allow or deny app store use.
A

Third-party app stores

30
Q

• Mobile devices are purpose-built systems
– You don’t need access to the operating system
• Gaining access - Android - Rooting / Apple iOS - Jailbreaking
• Install custom firmware
– Replaces the existing operating system
• Uncontrolled access
– Circumvent security features, sideload apps without using an app store
– The MDM becomes relatively useless

A

Rooting/jailbreaking

31
Q

• Most phones are locked to a carrier
– You can’t use an AT&T phone on Verizon
– Contract with a carrier subsidizes the cost of the phone
• You can unlock the phone
– If your carrier allows it
– A carrier lock may be illegal in your country
• Security revolves around connectivity
– Moving to another carrier can circumvent the MDM
– Preventing a SIM unlock may not be possible on a personal device

A

Carrier unlocking

32
Q

• The operating system of a mobile device is constantly changing - Similar to a desktop computer
• Updates are provided over the air (OTA)
– No cable required
• Security patches or entire operating system updates
– Significant changes without connecting the device
• This may not be a good thing
– The MDM can manage what OTA updates are allowed

A

Firmware OTA updates

33
Q

• Cameras are controversial
– They’re not always a good thing
– Corporate espionage, inappropriate use
• Almost impossible to control on the device
– No good way to ensure the camera won’t be used
• Camera use can be controlled by the MDM
– Always disabled
– Enabled except for certain locations (geo-fencing)

A

Camera use

34
Q

• Short Message Service / Multimedia Messaging Service
– Text messages, video, audio
• Control of data can be a concern
– Outbound data leaks, financial disclosures
– Inbound notifications, phishing attempts
• MDM can enable or disable SMS/MMS
– Or only allow during certain timeframes or locations

A

SMS/MMS

35
Q

• Store data onto external or removable drives
– SD flash memory or USB/lightning drives
• Transfer data from flash
– Connect to a computer to retrieve
• This is very easy to do
– Limit data written to removable drives
– Or prevent the use of them from the MDM

A

External media

36
Q

• USB On-The-Go - Connect devices directly together
– No computer required, only a cable
• The mobile device can be both a host and a device
– Read from an external device, then act as a storage device itself
– No need for a third-party storage device
• A USB 2.0 standard - Commonly seen on Android devices
• Extremely convenient
– From a security perspective, it’s too convenient

A

USB OTG

37
Q
• Audio recordings
– There are microphones on every mobile device
• Useful for meetings and note taking
– A standard for college classes
• A legal liability
– Every state has different laws
– Every situation is different
• Disable or geo-fence - Manage from the MDM
A

Recording microphone

38
Q

• Your phone knows where you are
– Location Services, GPS
• Adds your location to document metadata
– Longitude, latitude - Photos, videos, etc.
• Every document may contain geotagged information
– You can track a user quite easily
• This may cause security concerns
– Take picture, upload to social media

A

Geotagging / GPS tagging

39
Q
• We’re so used to access points
– SSID configurations
• The wireless standard includes an ad hoc mode
– Connect wireless devices directly
– Without an access point
• WiFi Direct simplifies the process
– Easily connect many devices together
– Common to see in home devices
• Simplicity can aid vulnerabilities
– Invisible access to important devices
A

WiFi Direct/ad hoc

40
Q

• Turn your phone into a WiFi hotspot
– Your own personal wireless router
– Extend the cellular data network to all of your devices
• Dependent on phone type and provider
– May require additional charges and data costs
• May provide inadvertent access to an internal network
– Ensure proper security / passcode

A

Hotspot/tethering

41
Q

• Send small amounts of data wirelessly over a limited area (NFC)
– Built into your phone
– Payment systems, transportation, in-person information exchange
• A few different standards
– Apple Pay, Android Pay, Samsung Pay
• Bypassing primary authentication would allow payment
– Use proper security - or disable completely

A

Payment methods

42
Q

• Bring Your Own Device / Bring Your Own Technology
• Employee owns the device
– Need to meet the company’s requirements
• Difficult to secure
– It’s both a home device and a work device
– How is data protected?
– What happens to the data when a device is sold or traded in?

A

BYOD

43
Q

• Corporate owned, personally enabled
– Company buys the device
– Used as both a corporate device and a personal device
• Organization keeps full control of the device
– Similar to company-owned laptops and desktops
• Information is protected using corporate policies
– Information can be deleted at any time
• CYOD - Choose Your Own Device
– Similar to COPE, but with the user’s choice of device

A

COPE

44
Q
• The company owns the device
– And controls the content on the device
• The device is not for personal use
– You’ll need to buy your own device for home
• Very specific security requirements
– Not able to mix business with home use
A

Corporate owned

45
Q

• Virtual Desktop Infrastructure / Virtual Mobile Infrastructure
– The apps are separated from the mobile device
– The data is separated from the mobile device
• Data is stored securely, centralized
• Physical device loss - Risk is minimized
• Centralized app development
– Write for a single VMI platform
• Applications are managed centrally
– No need to update all mobile devices

A

VDI/VMI