5 Mobile Security Flashcards

1
Q

What does STRIDE mean?

A

STRIDE is used for security threats

Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege
2
Q

What does DREAD mean?

A

DREAD is used to assess threats

Damage
Reproducibility 
Exploitability
Affected Users
Discoverability
3
Q

STRIDE. What does SPOOFING mean and how is it mitigated?

A

Spoofing is when a person/program masquerades as another.
Gains access with false credentials
Hacks voicemails

You can mitigate with strong authentication

4
Q

STRIDE. What does TAMPERING mean and how is it mitigated?

A

Tampering means modifying data or binary code to gain root access, i.e. through a fraudulent jailbreaking site.
Can be used to modify a web service request to change delivery of a purchase.

Mitigated by ensuring data integrity.

5
Q

STRIDE. What does REPUDIATION mean and how is it mitigated?

A

Repudiation is where an attacker modifies the records to hide the attack.
E.g. sending a payment then wiping the record.

Mitigated with secure logging and digital signatures.

6
Q

STRIDE. What does INFORMATION DISCLOSURE mean and how is it mitigated?

A

Information Disclosure is where an attacker gains knowledge they shouldn’t have.

Insecure transport - unencrypted file / databases where credentials accessed via an app

Mitigated with hidden passwords / not showing full CC no.

7
Q

STRIDE. What does Denial of Service mean and how is it mitigated?

A

Denial of Service (DoS) is where attackers prevent access to a site. A DDoS is where the malware is distributed through apps so that potentially millions of attacks can happen at once via bots.

Mitigated by access control, filtering and maintaining availability.

8
Q

STRIDE. What does Elevation of Privilege mean and how is it mitigated?

A

EoP is where someone gains root access and then elevates their rights to run unauthorised code.

Jailbroken phones are vulnerable.

Mitigated by requiring kernel-mode code to be digitally signed to prevent vertical and horizontal EoP.

9
Q

What are the 4 steps in Threat Modelling?

A
  1. Diagram of System
  2. Identify vulnerabilities (via diagram and trust boundaries)
  3. Mitigate threats (DREAD - work on highest scoring)
  4. Validate mitigation - has it worked
10
Q

What does DREAD stand for?

A
Damage
Reproducibility
Exploitability
Affected Users
Discoverability
11
Q

DREAD. How is Damage scored?

A

If threat occurs, how much damage?

0 = None
5 = Individual 
10 = Company systems/ data destruction
12
Q

DREAD. How is Reproducibility scored?

A

How easy to reproduce threat?

0 = very hard/ impossible
5 = few simple steps
10 = Just a web browser
13
Q

DREAD. How is Exploitability scored?

A

What is needed to exploit the threat?

0 = Advanced programming knowledge
5 = malware/ tools exist
10 = Just a web browser
14
Q

DREAD. How is Affected Users scored?

A

How many affected?

0 = None
5 = Some users
10 = All users
15
Q

DREAD. How is Discoverability scored?

A

How easy for attackers to discover threat?

0 = Very hard/ impossible (requires source code or admin access)
5 = Identified by guess work or network monitoring
9 = Details of fault available online
10 = The info is available in the web browser address bar or form
16
Q

Define a security strategy

A

A document capturing agreement between organisation and members, defining who has access to what/ under what conditions

17
Q

Objectives of a security policy?

A

Reduce risk
Define rules of users (and monitoring)
Define organisation's policy on security
Authorise security personnel to monitor/ probe/ investigate
Define and authorise the consequences of violation.
Help track compliance

18
Q

Additional themes of a mobile security policy…

A

Device types - All/ One brand/ authorised list
Physical security - passcodes, tracking, no leaving around
Backup/ restore - require or via software
Monitoring - State MDM (only use corporate if enrolled)
Permitted applications - Which installed, organisation app store. For BYOD only reputable stores/ apps
Network access - Recommend no open wifi. Use of VPN should be mandated.

19
Q

Challenges of BYOD

A

Reduced cost/ improved morale
Under user's control - permissions
More device types
Implement MDM solution that supports all permitted device types

20
Q

Endpoint Security is…

A

Security to protect against threats from remote devices on a corporate network. For example, a company may have a BYOD policy, and each device is a potential entry point for a threat.

21
Q

Endpoint security solutions offer:

A
Remote wipe
Anti-virus/ malware
Anti-spam
Back up/ restore
Anti spyware
MDM clients
Firewall
22
Q

Sandboxing is…

A

Keeps data from one app separate from another (unless jailbroken).
3rd party: provide area of device memory separate from user's
Accessed via API
Not accessible to root user
Can be wiped remotely

23
Q

Mobile Device Management (MDM) offers:

A

Centralised management server
Device security config
Provisioning (Enrol devices/ auto apply settings)
Security (checking configs applied)
Monitoring (report on connected device)
Decommissioning (Remote wiping/ removal from list)

24
Q

MDM solutions:

A

3rd Party: Zenprise, AirWatch
Apple Profile Manager (iOS only)
Google Apps device management (Android, iOS, Blackberry, Windows etc)

25
Q

What are requirements for Google Apps Device Management?

A

Apps Business Account required
Admin - logs on, defines devices
Android - install Google Device Policy
Non-Android users: Google provides manual config

26
Q

What are features of Google Apps Device Management?

A

Password (enforced, complexity)
Settings (encryption, camera, auto sync when roaming)
App auditing, remote wipe, device activation

Non-Android users manually config via Exchange ActiveSync - different features for different devices

27
Q

Features of iOS MDM config

A

Notified via push notifications
Devices connect to MDM server to authenticate themselves and download/ apply modified config
Devices must enrol via wireless/USB

MDM config:
iOS updates
Lock screen
Device name
Installed apps/ documents
Profiles (passcode policy, restrictions, wifi, vpn)

OS X Server edition incorporates an MDM solution - Apple Profile Manager - which allows config of iOS devices