Module 5 - Mobile, Embedded, & Specialized Device Security Flashcards
What are examples of types of mobile devices?
Tablets, Smartphones, Wearables, Portable computers (Laptop, Notebook, Subnotebook, 2-in-1, Web-based computer)
What are some mobile device core features?
1) Small form factor
2) Mobile OS
3) Wireless data network interface for accessing the Internet, such as Wi-Fi or cellular telephony
4) Stores or other means of acquiring applications (apps)
5) Local nonremovable data storage
6) Data synchronization capabilities w/ a separate computer or remote servers
What are Additional Features of the Core Feature “Small form factor”?
Global Positioning System (GPS)
What are Additional Features of the Core Feature “Mobile OS”?
Microphone and/or digital camera
What are Additional Features of the Core Feature “Wireless data network interface for accessing the Internet, such as Wi-Fi or cellular telephony”?
Wireless cellular connection for voice communications
What are the Additional Features of the Core Feature “Stores or other means of acquiring applications (apps)”?
Wireless personal area network interfaces such as Bluetooth or near field communications (NFC)
What are the Additional Features of the Core Feature “Local nonremovable data storage”?
Removable storage media
What are the Additional Features of the Core Feature “Data synchronization capabilities w/ a separate computer or remote servers”?
Support for using the device itself as removable storage for another computing device
What are some Mobile Device Connectivity Methods (4)?
1) Cellular
2) Wi-Fi
3) Infrared
4) USB Connections
What is “Cellular”?
- coverage area for a cellular telephony network is divided into cells
Hexagon-shaped cells measure 10 square miles
Transmitters are connected through a mobile telecommunications switching office (MTSO) that controls all of the transmitters in the cellular network
What is “Wi-Fi”?
A wireless local area network (WLAN) designed to replace or supplement a wired local area network (LAN)
What is “Infrared”?
- uses light instead of radio frequency (RF) as the communication media
Due to slow speed & other limitations, infrared capabilities are rarely found today
Next to visible light on the light spectrum &, although invisible, has many of the same characteristics of visible light
At one time, infrared data ports were installed on laptop computers, printers, cameras, watches, & other devices so data could be exchanged using infrared light
What are “USB Connections”?
These include standard-size connectors, mini-connectors, & micro connectors
Universal Serial Bus (USB) – used for data transfer
What is “Bring your own device (BYOD)”?
Allows users to use their own personal mobile devices for business purposes
What is “Corporate owned, personally enabled (COPE)”?
Employees choose from a selection of company approved devices
What is “Choose your own device (CYOD)”?
Employees choose from a limited selection of approved devices, but the employee pays the upfront cost of the device while the business owns the contract
What is “Virtual desktop infrastructure”?
Storing sensitive applications & data on a remote server that is accessed through a smartphone
What is “Corporate owned”?
A mobile device that is purchased & owned by the enterprise
What are some Enterprise Deployment Models (5)?
1) Bring your own device (BYOD)
2) Corporate owned, personally enabled (COPE)
3) Choose your own device (CYOD)
4) Virtual desktop infrastructure (VDI)
5) Corporate owned
What are benefits of BYOD, COPE, & CYOD models for the enterprise (6)?
1) Management flexibility
2) Less oversight
3) Cost savings
4) Increased employee performance
5) Simplified IT infrastructure
6) Reduced internal service
What do user benefits include (3)?
1) Choice of device
2) Choice of carrier
3) Convenience
What are security risks associated w/ using mobile devices (3)?
1) Mobile device vulnerabilities
2) Connection vulnerabilities
3) Accessing untrusted content
What are some Mobile Device Vulnerabilities?
1) Physical security
2) Limited updates
3) Location tracking
4) Unauthorized recording
What are the 2 dominant OSs for mobile devices?
1) Apple
2) Google
What is a Physical Security mobile device vulnerability?
Mobile devices are frequently lost or stolen
What is a Limited Updates mobile device vulnerability?
Security patches & updates for mobile OSs are distributed through firmware over-the-air (OTA) updates
What is a Location Tracking mobile device vulnerability?
Mobile devices w/ GPS capabilities typically support geolocation
What is an Unauthorized Recording mobile vulnerability?
By infecting a device w/ malware, a threat actor can spy on an unsuspecting victim & record conversations or videos
What are some Connection Vulnerabilities (4)?
1) Tethering
2) USB On-the-Go (OTG)
3) Malicious USB cable
4) Hotspots
Description/Vulnerability of Tethering as a Connection Vulnerability.
Description:
A mobile device w/ an active Internet connection can be used to share that connection w/ other mobile devices through Bluetooth or Wi-Fi
Vulnerability:
An unsecured mobile device may infect other tethered mobile devices or the corporate network
Description/Vulnerability of USB On-the-Go (OTG) as a Connection Vulnerability.
Description:
An OTG mobile device w/ a USB connection can function as either a host (to which other devices may be connected such as a USB flash drive)
Vulnerability:
Connecting a malicious flash drive infected w/ malware to a mobile device could result in an infection, just as using a device as a peripheral while connected to an infected computer could allow malware to be sent to the device
Description/Vulnerability of Malicious USB Cable as a Connection Vulnerability.
Description:
A USB cable could be embedded w/ a Wi-Fi controller that can receive commands from a nearby device to send malicious commands to the connected mobile device
Vulnerability:
The device will recognize the cable as a Human Interface Device (similar to a mouse or keyboard), giving the attacker enough permissions to exploit the system
Description/Vulnerability of Hotspots as a Connection Vulnerability.
Description:
A hotspot is a location where users can access the Internet w/ a wireless signal
Vulnerability:
Because public hotspots are beyond the control of the organization, attackers can eavesdrop on the data transmissions & view sensitive information
How do users circumvent the built-in installation on their smartphone?
Jailbreaking - Apple
Rooting - Android
What are the 3 types of text messaging?
1) SMS - text message up to 160 characters
2) MMS - text message w/ pictures, video, audio
3) RCS - can convert a texting app into a live chat platform
What are configurations that should be considered when setting up a mobile device for use?
1) Strong Authentication
2) Managing Encryption
3) Segmenting Storage
4) Enabling Loss or Theft Services
What are 5 ways to use Strong Authentication?
1) A passcode
2) A PIN
3) A fingerprint
4) A pattern connecting dots to unlock the device
5) A screen lock
What are some Android Smart Lock Configuration Options?
1) On-body detection
2) Trusted Places
3) Trusted Devices
4) Trusted Face
5) Trusted Voice
What does it mean to “Segment Storage”?
Separates business data from personal data on mobile devices
Users can apply containerization to separate storage into business & personal “containers”
What are 5 Security Features for Locating Lost or Stolen Mobile Devices?
1) Alarm
2) Last known location
3) Locate
4) Remote lockout
5) Thief picture
What are 4 Mobile Management Tools?
1) Mobile Device Management (MDM)
2) Mobile Application Management (MAM)
3) Mobile Content Management (MCM)
4) Unified Endpoint Management (UEM)
What is Mobile Device Management?
Tools allow a device to be managed remotely by an organization
- Typically involves a server, which sends out management commands to the mobile devices, & a client component, which runs on the mobile device to receive & implement the management commands
What is Mobile Application Management?
Covers application management, which comprises the tools & services responsible for distributing & controlling access to apps
- The apps can be internally developed or commercially available
What is Mobile Content Management?
Supports the creation & subsequent editing & modification of digital content by multiple employees
- Tuned to provide content management to hundreds or even thousands of mobile devices used by employees in an enterprise
What are the 4 things Mobile Content Management (MCM) can include?
1) Tracking editing history
2) Version control
3) Indexing
4) Searching
What is Unified Endpoint Management (UEM)?
A group or class of software tools w/ a single management interface for mobile devices as well as computer devices
- It provides capabilities for managing & securing mobile devices, applications, & content
What are the 5 Categories of Embedded & Specialized Devices?
1) Hardware & software
2) Specialized systems
3) Industrial systems
4) Other devices
5) IoT devices
What is the Raspberry Pi?
A low-cost, credit-card-sized computer motherboard
- Can perform almost any task that a standard computer can & can be used to control a specialized device
What is the Arduino?
A controller for other devices
- Has 8-bit microcontroller, limited amount of RAM, no OS
What is a Field-Programmable Gate Array (FPGA)?
A hardware “chip” that can be programmed by the user to carry out one or more logical operations
What is a System on a Chip (SoC)?
Combines all the required electronic circuits of the various computer components on a single chip
- An OS specifically designed for an SoC is an embedded or specialized system
What is an Embedded System?
Computer hardware & software contained within a larger system that is designed for a specific function
- Receive a large amount of data very quickly
What are 4 kinds of Specialized Systems & what do they use?
1) Utilities
2) Medical systems
3) Aircraft
4) Vehicles
Smart meter.
What are 4 actions of Meters (Analog vs Smart)?
1) Meter readings
2) Servicing
3) Tamper protection
4) Emergency communication
Analog vs Smart Meters of Meter Reading.
Analog:
Employee must visit the dwelling each month to read the meter
Smart:
Meter readings are transmitted daily, hourly, or even by the minute to the utility company
Analog vs Smart Meters of Servicing.
Analog:
Annual servicing is required in order to maintain accuracy
Smart:
Battery replacement every 20 years
Analog vs Smart Meters of Tamper Protection.
Analog:
Data must be analyzed over long periods to identify anomalies
Smart:
Can alert utility in the event of tampering or theft
Analog vs Smart Meters of Emergency Communication.
Analog:
None available
Smart:
Transmits “last gasp” notification of a problem to utility company
What are Industrial Control Systems?
Systems that control locally or at remote locations by collecting, monitoring, & processing real-time data to control machines
What are Industrial Control Systems managed by?
And what do they help do?
1) Managed by supervisory control & data acquisition (SCADA) systems
2) Help to maintain efficiency & provide information on issues to help reduce downtime
What is a Supervisory Control & Data Acquisition (SCADA) System?
A system that controls multiple industrial control systems (ICS)
What are drones used for?
1) Policing & surveillance
2) Product deliveries
3) Aerial photography
4) Infrastructure inspections
5) Drone racing
What are examples of “Other Specialized Systems”?
1) HVAC
2) Multifunctional printer (MFP)
3) Unmanned aerial vehicle (UAV) aka drone
4) Voice over IP (VoIP)
What is the Internet of Things (IoT)?
Connecting any device to the Internet for the purpose of sending & receiving data to be acted upon
What is an example of IoT where it’s related to the body?
Body area networks (BAN) - network system of IoT devices in close proximity to a person’s body that cooperate for the benefit of the user
Managed body sensor network (MBSN) - when readings are transmitted via computer or smartphone to a third-party physician who can make decisions regarding any medications to prescribe or lifestyle changes to recommend
Autonomous body sensor network (ABSN) - introduces actuators in addition to the sensors so that immediate effects can be made on the human body
What are 10 Security Constraints for Embedded Systems & Specialized Devices?
1) Power
2) Compute
3) Network
4) Cryptography
5) Inability to patch
6) Authentication
7) Range
8) Cost
9) Implied trust
10) Weak defaults
How is Power a Security Constraint?
To prolong battery life, devices & systems are optimized to draw very low levels of power & thus lack the ability to perform strong security measures
How is Compute a Security Constraint?
Due to their size, small devices typically possess low processing capabilities, which restricts complex & comprehensive security measures
How is Network a Security Constraint?
To simplify connecting a device to a network, many device designers support network protocols that lack advanced security features
How is Cryptography a Security Constraint?
Encryption & decryption are resource-intensive tasks that require significant processing & storage capacities that these devices lack
How is Inability to Patch a Security Constraint?
Few, if any, devices have been designed w/ the capacity for being updated to address exposed security vulnerabilities
How is Authentication a Security Constraint?
To keep costs at a minimum, most devices lack authentication features
How is Range a Security Constraint?
Not all devices have long-range capabilities to access remote security updates
How is Cost a Security Constraint?
Most developers are concerned primarily w/ making products as inexpensive as possible, which means leaving out all security protections
How is Implied Trust a Security Constraint?
Many devices are designed w/o any security features but operate on an “implied trust” basis that assumes all other devices or users can be trusted