3.5 Secure Mobile Solutions Flashcards
• One-to-one connection
– Conversation between two devices
• Connections between buildings
– Point-to-point network links
• Wi-Fi repeaters
– Extend the length of an existing network
Point-to-point
• One of the most popular communication methods
802.11 wireless
• Does not imply full connectivity between nodes
Point-to-multipoint
• Mobile devices
– “Cell” phones
• Separate land into “cells”
– An antenna covers a cell with certain frequencies
• Security concerns
– Traffic monitoring
– Location tracking
– Worldwide access to a mobile device
Cellular networks
• Local network access
– Local security problems
• Same security concerns as other Wi-Fi devices
• Data capture
– Encrypt your data!
• On-path attack
– Modify and/or monitor data
• Denial of service
– Frequency interference
Wi-Fi
• High speed communication over short distances
– PAN (Personal Area Network)
• Connects our mobile devices
– Smartphones, tethering, headsets and headphones, health monitors, automobile and phone integration, smartwatches, external speakers
Bluetooth
• It’s everywhere
– Access badges
– Inventory/Assembly line tracking
– Pet/Animal identification
– Anything that needs to be tracked
• Radar technology
– Radio energy transmitted to the tag
– RF powers the tag, ID is transmitted back
– Bidirectional communication
– Some tag formats can be active/powered
RFID (Radio-frequency identification)
• Two-way wireless communication
– Builds on RFID
• Payment systems
– Google Wallet, Apple Pay
• Bootstrap for other wireless
– NFC helps with Bluetooth pairing
• Access token, identity “card”
– Short range with encryption support
Near field communication (NFC)
• Remote capture
– It’s a wireless network
– 10 meters for active devices
• Frequency jamming - Denial of service
• Relay / Replay attack - Man in the middle
• Loss of NFC device control - Stolen/lost phone
NFC security concerns
• Included on many smartphones, tablets, and smartwatches
– Not really used much for printing
• Control your entertainment center
– Almost exclusively IR
• File transfers are possible
• Other phones can be used to control your IR devices
IR (Infrared)
• Physical connectivity to your mobile device
– USB to your computer
– USB, Lightning, or proprietary on your phone
• Physical access is always a concern
– May be easier to gain access than over a remote connection
• A locked device is relatively secure
– Always auto-lock
• Mobile phones can also exfiltrate
– Phone can appear to be a USB storage device
USB (Universal Serial Bus)
• Created by the U.S. Department of Defense
– Over 30 satellites currently in orbit
• Precise navigation
– Need to see at least 4 satellites
• Determines location based on timing differences
– Longitude, latitude, altitude
• Mobile device location services and geotracking
– Maps, directions
– Determine physical location based on GPS, WiFi, and cellular towers
Global Positioning System (GPS)
• Manage company-owned and user-owned mobile devices
– BYOD - Bring Your Own Device
• Centralized management of the mobile devices
– Specialized functionality
• Set policies on apps, data, camera, etc.
– Control the remote device
– The entire device or a “partition”
• Manage access control
– Force screen locks and PINs on these single user devices
Mobile Device Management (MDM)
• Managing mobile apps is a challenge
– Mobile devices install apps constantly
• Not all applications are secure
– And some are malicious
– Android malware is a rapidly growing security concern
• Manage application use through allow lists
– Only approved applications can be installed
– Managed through the MDM
• A management challenge
– New applications must be checked and added
Application management
• Mobile Content Management (MCM)
– Secure access to data, protect data from outsiders
• File sharing and viewing
– On-site content (Microsoft Sharepoint, file servers)
– Cloud-based storage (Box, Office 365)
• Data sent from the mobile device
– DLP (Data Loss Prevention) prevents copy/paste of sensitive data
– Ensure data is encrypted on the mobile device
• Managed from the mobile device manager (MDM)
Content management
• Remove all data from your mobile device
– Even if you have no idea where it is
– Often managed from the MDM
• Connect and wipe from the web
– Nuke it from anywhere
• Need to plan for this
– Configure your mobile device now
• Always have a backup
– Your data can be removed at any time
– As you are walking out the door
Remote wipe
• Precise tracking details - Tracks within feet
• Can be used for good (or bad)
– Find your phone, find you
• Most phones provide an option to disable
– Limits functionality of the phones
• May be managed by the MDM
Geolocation
• Some MDMs allow for geofencing
– Restrict or allow features when the device is in a particular area
• Cameras
– Might only work when outside the office
• Authentication
– Only allow logins when the device is located in a particular area
Geofencing
• All mobile devices can be locked
– Keep people out of your data
• Simple passcode or strong passcode
– Numbers vs. Alphanumeric
• Fail too many times?
– Erase the phone
• Define a lockout policy
– Create aggressive lockout timers
– Completely lock the phone
Screen lock
• Information appears on the mobile device screen
– The notification is “pushed” to your device
• No user intervention
– Receive notifications from one app when using a completely different app
• Control of displayed notifications can be managed from the MDM
– Or notifications can be pushed from the MDM
Push notification services
• The universal help desk call
– I need to reset my password
• Mobile devices use multiple authentication methods
– Password/passphrase, PINs, patterns
• Recovery process can be initiated from the MDM
– Password reset option is provided on the mobile device
– “What is the name of your favorite car maiden cat’s color?”
• MDM also has full control
– Completely remove all security controls
– Not the default or best practice
Passwords and PINs
• You are the authentication factor
– Fingerprint, face
• May not be the most secure authentication factor
– Useful in some environments
– Completely forbidden in others
• Availability is managed through the MDM
– Organization determines the security of the device
• Can be managed per-app
– Some apps require additional biometric authentication
Biometrics
• Who needs 2FA?
– The attackers can get around anything
• Authentication can be contextual
– If it walks like a duck…
• Combine multiple contexts
– Where you normally login (IP address)
– Where you normally frequent (GPS information)
– Other devices that may be paired (Bluetooth, etc.)
• And others
– An emerging technology
– Another way to keep data safe
Context-aware authentication
• Difficult to separate personal from business
– Especially when the device is BYOD
– Owned by the employee
• Separate enterprise mobile apps and data
– Create a virtual “container” for company data
– A contained area - limit data sharing
– Storage segmentation keeps data separate
• Easy to manage offboarding
– Only the company information is deleted
– Personal data is retained
– Keep your pictures, video, music, email, etc.
Containerization
• Scramble all of the data on the mobile device
– Even if you lose it, the contents are safe
• Devices handle this in different ways
– Strongest/stronger/strong?
• Encryption isn’t trivial
– Uses a lot of CPU cycles
– Complex integration between hardware and software
• Don’t lose or forget your password!
– There’s no recovery
– Often backed up on the MDM
Full device encryption
• Shrink the PCI Express
– Hardware Security Module - Now in a microSD card form
• Provides security services
– Encryption, key generation, digital signatures,
authentication
• Secure storage
– Protect private keys - Cryptocurrency storage
MicroSD HSM
• Manage mobile and non-mobile devices
– An evolution of the Mobile Device Manager (MDM)
• End users use different types of devices
– Their use has blended together
• Applications can be used across different platforms
– Work on a laptop and a smartphone
• All of these devices can be used from anywhere
– Users don’t stay in one place
Unified Endpoint Management (UEM)
• Provision, update, and remove apps
– Keep everyone running at the correct version
• Create an enterprise app catalog
– Users can choose and install the apps they need
• Monitor application use
– Apps used on a device, devices with unauthorized apps
• Remotely wipe application data
– Securely manage remote data
Mobile Application Management (MAM)
• Security Enhancements for Android
– SELinux (Security-Enhanced Linux) in the Android OS
– Supports access control security policies
• A project from the US National Security Agency (NSA)
– Based on the NSA’s SELinux
• Addresses a broad scope of system security
– Kernel, userspace, and policy configuration
• Enabled by default with Android version 4.3
– July 2013
– Protect privileged Android system daemons
– Prevent malicious activity
• Change from Discretionary Access Control (DAC) to Mandatory Access Control (MAC)
– Move from user-assigned control to object labels and minimum user access
– Isolates and sandboxes Android apps
• Centralized policy configuration
– Manage Android deployments
SEAndroid
• Centralized app clearinghouses
– Apple App Store
– Google Play
• Not all applications are secure
– Vulnerabilities, data leakage
• Not all applications are appropriate for business use
– Games, instant messaging, etc.
• MDM can allow or deny app store use
Third-party app stores
• Mobile devices are purpose-built systems
– You don’t need access to the operating system
• Gaining access
– Android - Rooting
– Apple iOS - Jailbreaking
• Install custom firmware
– Replaces the existing operating system
• Uncontrolled access
– Circumvent security features, sideload apps without
using an app store
– The MDM becomes relatively useless
Rooting/jailbreaking
• Most phones are locked to a carrier
– You can’t use an AT&T phone on Verizon
– Contract with a carrier subsidizes the cost of the phone
• You can unlock the phone
– If your carrier allows it
– A carrier lock may be illegal in your country
• Security revolves around connectivity
– Moving to another carrier can circumvent the MDM
– Preventing a SIM unlock may not be possible on a personal device
Carrier unlocking
• The operating system of a mobile device is constantly changing
– Similar to a desktop computer
• Updates are provided over the air (OTA)
– No cable required
• Security patches or entire operating system updates
– Significant changes without connecting the device
• This may not be a good thing
– The MDM can manage what OTA updates are allowed
Firmware OTA updates
• Cameras are controversial
– They’re not always a good thing
– Corporate espionage, inappropriate use
• Almost impossible to control on the device
– No good way to ensure the camera won’t be used
• Camera use can be controlled by the MDM
– Always disabled
– Enabled except for certain locations (geo-fencing)
Camera use
• Short Message Service / Multimedia Messaging Service
– Text messages, video, audio
• Control of data can be a concern
– Outbound data leaks, financial disclosures
– Inbound notifications, phishing attempts
• MDM can enable or disable SMS/MMS
– Or only allow during certain timeframes or locations
SMS/MMS
• Store data onto external or removable drives
– SD flash memory or USB/lightning drives
• Transfer data from flash
– Connect to a computer to retrieve
• This is very easy to do
– Limit data written to removable drives
– Or prevent the use of them from the MDM
External media
• USB On-The-Go - Connect devices directly together
– No computer required, only a cable
• The mobile device can be both a host and a device
– Read from an external device, then act as a storage device itself
– No need for a third-party storage device
• A USB 2.0 standard - Commonly seen on Android devices
• Extremely convenient
– From a security perspective, it’s too convenient
USB OTG
• Audio recordings
– There are microphones on every mobile device
• Useful for meetings and note taking
– A standard for college classes
• A legal liability
– Every state has different laws
– Every situation is different
• Disable or geo-fence
– Manage from the MDM
Recording microphone
• Your phone knows where you are
– Location Services, GPS
• Adds your location to document metadata
– Longitude, latitude - Photos, videos, etc.
• Every document may contain geotagged information
– You can track a user quite easily
• This may cause security concerns
– Take picture, upload to social media
Geotagging / GPS tagging
• We’re so used to access points
– SSID configurations
• The wireless standard includes an ad hoc mode
– Connect wireless devices directly
– Without an access point
• WiFi Direct simplifies the process
– Easily connect many devices together
– Common to see in home devices
• Simplicity can aid vulnerabilities
– Invisible access to important devices
WiFi Direct/ad hoc
• Turn your phone into a WiFi hotspot
– Your own personal wireless router
– Extend the cellular data network to all of your devices
• Dependent on phone type and provider
– May require additional charges and data costs
• May provide inadvertent access to an internal network
– Ensure proper security / passcode
Hotspot/tethering
• Send small amounts of data wirelessly over a limited area (NFC)
– Built into your phone
– Payment systems, transportation, in-person information exchange
• A few different standards
– Apple Pay, Android Pay, Samsung Pay
• Bypassing primary authentication would allow payment
– Use proper security - or disable completely
Payment methods
• Bring Your Own Device / Bring Your Own Technology
• Employee owns the device
– Need to meet the company’s requirements
• Difficult to secure
– It’s both a home device and a work device
– How is data protected?
– What happens to the data when a device is sold or traded in?
BYOD
• Corporate owned, personally enabled
– Company buys the device
– Used as both a corporate device and a personal device
• Organization keeps full control of the device
– Similar to company-owned laptops and desktops
• Information is protected using corporate policies
– Information can be deleted at any time
• CYOD - Choose Your Own Device
– Similar to COPE, but with the user’s choice of device
COPE
• The company owns the device
– And controls the content on the device
• The device is not for personal use
– You’ll need to buy your own device for home
• Very specific security requirements
– Not able to mix business with home use
Corporate owned
• Virtual Desktop Infrastructure / Virtual Mobile Infrastructure
– The apps are separated from the mobile device
– The data is separated from the mobile device
• Data is stored securely, centralized
• Physical device loss - Risk is minimized
• Centralized app development
– Write for a single VMI platform
• Applications are managed centrally
– No need to update all mobile devices
VDI/VMI