Lesson 9 A Flashcards
screen lock
If threat actors can access smartphones or tablets, they can obtain a huge amount of information with which to launch further attacks. Apart from confidential data files that might be stored on the device, it is highly likely that the user has cached passwords for services such as email or remote access VPN and websites. In addition to this, access to contacts and message history (SMS, text messaging, email, and IM) greatly assists social engineering attacks. Consequently, it is imperative that mobiles be protected against loss, theft, and lunchtime attacks by a screen lock.
A screen lock activates if the device is unused or if the user presses the power button. The user must perform a gesture to unlock the device. A swipe gesture means that access to the device is unauthenticated: simply swiping across the screen will unlock the device. While this might be suitable for a tablet deployed for shared or public use, access to a personal device must be protected by an authentication mechanism.
Personal identification number (PIN) or password
Most devices require a PIN or password to be configured to enable screen lock authentication and generate an encryption key. The PIN can act as a primary or backup authentication method. If the device is configured to limit the number of attempts, a 4- or 6-digit PIN should offer adequate security for general users as long as the chosen PIN is not a simple sequence (1234 or 4321) or an easily guessable date. If there is a high risk of compromise, a strong password should be configured.
Fingerprint
Many devices use a fingerprint sensor as a bio-gesture unlocking method. The user performs an enrollment fingerprint scan to create a template that is stored within a secure cache on the device. To authenticate, the user touches the reader, and the device compares the confirmation scan to the template.
Facial recognition
This method creates a template computed from a 3-D image of the user’s face. A facial bio gesture has the advantage of being able to use the camera rather than a special sensor.
If a bio gesture is configured, the PIN or password acts as a backup mechanism.
Pattern
This requires the user to swipe a “join-the-dots” pattern. The pattern method has numerous weaknesses. It is easy to observe and can be reconstructed from smudges. Research has also demonstrated that users tend to select predictable patterns, such as C, M, N, O, and S shapes.
A screen lock can be configured to restrict
failed login attempts. This means that if an incorrect passcode or bio gesture is used, the device locks for a set period. This could be configured to escalate—so the first incorrect attempt locks the device for 30 seconds, while the third locks it for 10 minutes, for instance. This deters attempts to guess the passcode or use a spoofed biometric.
Mobile devices can use the same
classes of security software as PCs and laptops to protect against malware, phishing, and software exploits.
Patching/OS Updates
Keeping a mobile OS and its apps up to date with patches/OS updates (and ideally new OS versions) is as critical as it is for a desktop computer. The install base of iOS is generally better at applying updates because of the consistent hardware and software platform. Updates for iOS are delivered via Settings > General > Software Update. App updates are indicated via notifications on the App Store app icon and delivered via the Updates page in the App Store.
Android patches are more reliant on the device vendor as they must develop the patch for their own “flavor” of Android. Support for new OS versions can also be mixed. Android uses the notification bar to deliver updates. You can also go to Settings > System > Advanced > System updates.
Antivirus/Anti-malware Apps
Modern smartphones are vulnerable to software exploits and being targets of malware and viruses, especially if an untrusted app source has been configured. However, the emerging nature of mobile OS threats and vulnerabilities makes it difficult to create pattern databases of known threats or to use heuristics to identify malicious app behaviors.
Antivirus/anti-malware apps designed for mobile devices tend to work more like content filters to block access to known phishing sites and block adware/spyware activity by apps. Most security scanner apps will also detect configuration errors and monitor the permissions allocated to apps and how they are using (or abusing) them. These apps usually also offer a third-party data backup and device location service.
Bring your own device (BYOD)
The mobile device is owned by the employee. The mobile will have to meet whatever profile is required by the company (in terms of OS version and functionality), and the employee will have to agree to the installation of corporate apps and to some level of oversight and auditing. This model is usually the most popular with employees but poses the most difficulties for security and network managers.
Corporate owned, business only (COBO)
The device is the property of the company and may only be used for company business.
Corporate owned, personally enabled (COPE)
The device is chosen and supplied by the company and remains its property. The employee may use it to access personal email and social media accounts and for personal web browsing (subject to whatever acceptable use policies are in force).
Choose your own device (CYOD)
Similar to COPE but the employee is given a choice of device from a list.
Mobile Device Management (MDM)
is a class of enterprise software designed to apply security policies to the use of smartphones and tablets in business networks. This software can be used to manage corporate-owned devices as well as BYOD.
When the device is enrolled with the management software
it can be configured with policies to allow or restrict use of apps, corporate data, and built-in functions such as a video camera or microphone. Policies can also be set to ensure the device patch status is up to date, that antivirus software is present and updated, and that a device firewall has been applied and configured correctly.
A company needs to create a profile of security requirements and policies to apply for different employees and different sites or areas within a site. For example, it might be more secure to disable the camera function of any smartphone while onsite, but users might complain that they cannot use their phones for video calls. A sophisticated security system might be able to apply a more selective policy and disable the camera only when the device is within an area deemed high risk from a data confidentiality point of view. Some policies can be implemented with a technical solution; others require “soft” measures, such as training and disciplinary action.