CIS 3500: rowdysites.msudenver.edu/~fustos/cis3500/pdf/chapter09.pdf
CIS 3500 1
Mobile Devices
Chapter #9:
Technologies and Tools
Chapter Objectives
n Examine the connection methods used by mobile devices
n Study mobile device management concepts
n Understand mobile device policy and enforcement
n Identify deployment models based on a given scenario
Mobile Devices2
Connection Methods
n Mobile devices require a non-wired means of connection
n On the enterprise side it is via the Internet
n On the mobile device side a wide range of options exist for
connectivity
n Where and how devices connect needs to be architected, not left to whatever the device defaults to
Cellular
n Cellular connections use mobile telephony circuits
n Most service is fourth-generation (4G/LTE); some 3G services still exist
n One of the strengths is robust nationwide networks
n The corresponding weakness is that gaps in cellular service
still exist in remote areas
Wi-Fi
n Wi-Fi refers to the radio communication methods standardized
as IEEE 802.11 and certified by the Wi-Fi Alliance
n These systems operate in the 2.4- and 5-GHz frequency ranges
n This communication methodology is ubiquitous across
computing platforms and is relatively easy to implement
and to secure (with WPA2 or WPA3)
n Secured Wi-Fi is a mainstream method of constructing
networks today
SATCOM
n SATCOM (satellite communications) is the use of terrestrial
transmitters and receivers and satellites in orbit to transfer
the signals
n SATCOM can be one-way or two-way
n Satellite links are expensive, and they require line of sight to
the satellite
n But in rural or remote areas SATCOM is one of the
only options for communications
Bluetooth
n It is a short-range, low-power wireless protocol that transmits in the
2.4-GHz band in personal area networks (PANs)
n Used by mobile phones, laptops, printers, and audio devices – even new cars
as a mobile phone hands-free kit
n Version 4.0 introduced three modes: classic, high speed, and Low
Energy; later releases (5.x) build on the same modes
n Bluetooth uses pairing to establish a trust relationship between two devices
n The devices advertise their capabilities and, where both have a display or
keypad, pairing confirms or enters a passkey – devices that cannot (a keyboard
has no screen, a speaker has no keypad) fall back to "Just Works" pairing,
which gives no protection against a man-in-the-middle during pairing
NFC
n Near Field Communication (NFC) is a set of wireless
technologies bridging a distance of 10 cm (3.9 in) or less
n Moving data between phones and in mobile payment systems
n NFC is likely to become a high-use technology
n Currently, NFC relies to a great degree on its very
short range for security, although apps that use it may have
their own security mechanisms
ANT
n ANT is a multicast wireless sensor network technology that operates
in the 2.4-GHz ISM band
n It has open access and a protocol stack to facilitate communication by
establishing standard rules for co-existence, data representation,
signaling, authentication, and error detection
n ANT is conceptually similar to Bluetooth Low Energy, but is oriented
toward usage with sensors, such as heart rate monitors, fitness
devices, and personal devices
n ANT uses a unique isochronous network technology that works
well with multiple devices without interference
Infrared
n Infrared (IR) is a band of electromagnetic energy just beyond the red
end of the visible color spectrum
n IR has been used in remote-control devices for years
n Started as a wireless method to connect to printers
n Now used with wireless keyboards, wireless mice, and mobile devices
exchange data via IR
n It is slow compared to other wireless technologies
n IR cannot penetrate walls but bounces off them
n Because IR can be seen by anyone in range, any desired security must be
layered on top of the base transmission mechanism
USB
n Universal Serial Bus (USB) has become the ubiquitous
standard for connecting devices
n Mobile phones use it to transfer data and charge – laptops,
desktops, even servers have USB ports
n USB automatically recognizes a device when it is plugged into the
system and usually works without adding drivers; the host trusts
whatever device class the peripheral claims to be
n This has spawned devices from music players to peripherals to storage
devices—virtually anything that can consume or deliver data
n Connectors: USB mini, USB micro, and now USB Type-C
Mobile Device Management Concepts
n Mobile device management (MDM) is essential; the core controls are:
n Device locking with a strong password
n Encryption of data on the device
n Device locking automatically after a period of inactivity
n Remotely lock the device if it is lost or stolen
n Wipe the device automatically after a certain number of failed
login attempts
n Remotely wipe the device if it is lost or stolen
Application Management
n Application store for finding and purchasing apps
n Making sure that offered apps are approved and don’t
create an overt security risk
n Many apps request access to various kinds of information on the device
n Each such grant is a potential data security problem
n e.g. installing Facebook on an Android phone prompts for permissions
such as contacts, location, and camera
Content Management
n Content management is the set of actions used to control
content issues, including what content is available and to
what apps, on mobile devices
n Most organizations have a data ownership policy
n Examining what content belongs on specific devices and
then using mechanisms to enforce these rules
n MDM solutions exist to assist
Remote Wipe
n Remote wiping removes data stored on the device and resets the
device to factory settings
n BYOD devices store both personal and enterprise data, so a full wipe
also destroys the user's personal data
n A selective (enterprise) wipe that removes only the managed work
container is now a mainstream MDM option on both iOS and Android
n Remote wipe is triggered through an MDM agent or the platform's own
service, and only reaches a device that is powered on and connected
n For Apple and Android devices, the OS itself can be set up for
remote locking and factory reset (Find My, Find My Device)
Geofencing
n Geofencing is the use of GPS and/or RFID technology to
create a virtual fence and detect when mobile devices cross it
n This lets a system recognize when a device enters or leaves a
defined area and act on it (e.g. enable or disable features)
n Geofencing is used in marketing to send messages to
devices in an area
n Geofencing has been used to manage remote workers, confirming
when they have arrived at remote work sites
n Geofencing can be defeated by turning off location services on the
device, so it should not be the only control
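The following is an added example, not from the slides or the course, showing the detection half of geofencing in Python: a circular fence, the haversine distance from each GPS fix to its centre, and enter/exit events as a device crosses it. The fence centre, radius and the fixes are constructed sample data, and the treatment of a fix whose reported accuracy straddles the fence edge (keep the previous state rather than flap) is a design choice of this example, not something the slides prescribe.

```python
import math

EARTH_RADIUS_M = 6371000.0  # mean Earth radius; good enough for fences of a few hundred metres


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS-84 points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def classify_fix(fix, fence):
    """'inside', 'outside', or 'uncertain' when the fix's accuracy circle straddles the fence edge."""
    d = haversine_m(fix["lat"], fix["lon"], fence["lat"], fence["lon"])
    if d + fix["accuracy_m"] <= fence["radius_m"]:
        return "inside"
    if d - fix["accuracy_m"] > fence["radius_m"]:
        return "outside"
    return "uncertain"


def fence_events(fence, fixes):
    """Walk chronological fixes and emit (event, timestamp) each time the device crosses the fence.
    Uncertain fixes keep the previous state so a noisy fix at the boundary does not flap."""
    events = []
    state = None
    for fix in fixes:
        c = classify_fix(fix, fence)
        if c == "uncertain":
            continue
        if state is not None and c != state:
            events.append(("enter" if c == "inside" else "exit", fix["t"]))
        state = c
    return events


# Constructed sample data (assumption): a 200 m fence around a work site and four device fixes.
SITE = {"lat": 39.7447, "lon": -105.0008, "radius_m": 200.0}
FIXES = [
    {"t": "09:00", "lat": 39.7600, "lon": -105.0008, "accuracy_m": 15.0},  # ~1.7 km north, outside
    {"t": "09:01", "lat": 39.7450, "lon": -105.0010, "accuracy_m": 10.0},  # on site
    {"t": "09:02", "lat": 39.7465, "lon": -105.0008, "accuracy_m": 60.0},  # ~200 m out, too noisy to call
    {"t": "09:03", "lat": 39.7300, "lon": -105.0008, "accuracy_m": 15.0},  # ~1.6 km south, outside
]

if __name__ == "__main__":
    for ev, t in fence_events(SITE, FIXES):
        print(f"{t} {ev}")
```

An MDM would hang actions off the events (for example, disable the camera on enter and re-enable it on exit). Because the device reports its own fixes, the output is only as trustworthy as the device: a user with location services off, or a rooted device feeding mock locations, produces no events at all.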
Geolocation
n Most mobile devices are now capable of using GPS
n Many apps rely heavily on GPS location
n This technology can be used to track the movement and
location of the mobile device, which is referred to as
geolocation
n This tracking can be used to assist in the recovery of lost
devices
Screen Locks
n Most corporate policies require the use of screen locking
n This usually consists of entering a passcode or PIN to unlock the
device
n It is highly recommended that screen locks be enforced for all mobile
devices
n Quality of the passcode should be consistent with your corporate
password policy
n If not, users tend to use easy-to-remember passcodes
n If the passcode is entered incorrectly a specified number of times, the
device is automatically wiped (optional)
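The screen-lock rules above, together with the controls listed under Mobile Device Management Concepts (lock after inactivity, wipe after a number of failed attempts), are what an MDM actually pushes to a device. As an added example, not from the slides, the Python below serializes such a policy as an Apple configuration profile using the documented com.apple.mobiledevice.passwordpolicy keys, and pre-checks a candidate passcode against the same rules. The numeric values, the organization name and the payload identifiers are assumptions chosen for illustration.

```python
import plistlib
import uuid

# Policy values are assumptions for this example; align them with your own password policy.
POLICY = {
    "forcePIN": True,            # a passcode is required at all
    "minLength": 6,
    "requireAlphanumeric": False,
    "allowSimple": False,        # reject repeated or sequential passcodes such as 1111 or 1234
    "maxInactivity": 5,          # minutes of inactivity before the screen locks
    "maxGracePeriod": 0,         # minutes the device may be unlocked without the passcode after locking
    "maxFailedAttempts": 10,     # wipe the device after this many consecutive failures
}


def build_passcode_profile(policy=POLICY, org="Example Corp"):
    """Serialize the policy as an Apple configuration profile (.mobileconfig plist).
    Payload keys are the documented com.apple.mobiledevice.passwordpolicy keys;
    the identifiers and organization name are hypothetical."""
    payload = {
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.passcode",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode policy",
    }
    payload.update(policy)
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{org} mobile security",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def profile_policy(profile_bytes):
    """Parse a profile back and return its passcode payload (to verify what was generated)."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile["PayloadContent"]:
        if payload["PayloadType"] == "com.apple.mobiledevice.passwordpolicy":
            return payload
    return None


def is_simple(passcode):
    """True for passcodes the device also rejects when allowSimple is false:
    all-identical characters, or a run of consecutive digits in either direction."""
    if len(set(passcode)) == 1:
        return True
    if passcode.isdigit():
        steps = {int(b) - int(a) for a, b in zip(passcode, passcode[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def passcode_meets_policy(passcode, policy=POLICY):
    """Pre-check a candidate passcode against the same rules the profile pushes to the device."""
    if len(passcode) < policy["minLength"]:
        return False
    if policy["requireAlphanumeric"]:
        has_alpha = any(c.isalpha() for c in passcode)
        has_digit = any(c.isdigit() for c in passcode)
        if not (has_alpha and has_digit):
            return False
    if not policy["allowSimple"] and is_simple(passcode):
        return False
    return True


if __name__ == "__main__":
    print(build_passcode_profile().decode())
```

The profile is what the MDM signs and pushes; the device enforces it, including the wipe after `maxFailedAttempts`. Keep `maxGracePeriod` at 0 if the screen lock is meant to protect the encryption key, since any grace period leaves the device unlocked after the screen goes dark.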
Push Notification Services
n Push notification services deliver information to mobile
devices without a specific request from the device
n As push notifications enable the movement of information
from external sources to the device, they have some security
implications, including
n device location (the push service must know how to reach the device), and
n potential interaction with the device
n e.g. it is possible to push a command that makes the device emit a sound,
even if the sound is muted on the device
Passwords and PINs
n Passwords and PINs are common security measures
n The rules for passwords apply to mobile devices as well
n A simple gesture-based swipe pattern on the screen can be
discovered by looking at the oil pattern on the screen
n Finger painting with body grease, in effect
n Either cleaning or dirtying the whole screen is the obvious
solution
Biometrics
n Biometrics are used across a wide range of mobile devices
n Recognition is less than perfect: both false accepts and false rejects occur
n The newest biometric method, facial recognition, based on
a camera image of the user's face while they are holding
the phone, offers some promise but raises similar concerns
n Because they can be bypassed, they should be considered convenience
features, not security features
n Management policies should reflect this fact
Context-Aware Authentication
n Context-aware authentication is the use of contextual
information
n who the user is
n what resource they are requesting
n what machine they are using
n how they are connected, and so on
n This approach can be used to allow users to access network
resources from inside the office but deny (or require a second
factor for) the same request when they are connecting via a
public Wi-Fi network
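As an added example, not from the slides: a small Python policy engine over the contextual signals listed above (user, resource, device, network) that returns allow, step-up (require a second factor) or deny. The signal names, the rule set and the sample requests are all assumptions made for this example; a real deployment would feed it from the identity provider and the MDM's compliance report. The rooted-device rule anticipates the Rooting/Jailbreaking slide later in the chapter.

```python
from dataclasses import dataclass


@dataclass
class AccessContext:
    user: str
    resource: str         # what is being requested, e.g. "email" or "hr-payroll"
    device_managed: bool  # enrolled in MDM and reporting compliant
    device_rooted: bool   # MDM agent reports jailbreak/root indicators
    network: str          # "office", "vpn", "public-wifi", or "cellular"


# Assumption for this example: resources that must never be reached from an
# unmanaged device or over an untrusted network.
SENSITIVE = {"hr-payroll", "source-code"}


def decide(ctx):
    """Return (decision, reason); decision is 'allow', 'step-up' (require MFA) or 'deny'.
    Rules are evaluated most-restrictive first so a bad device posture wins over a good network."""
    if ctx.device_rooted:
        return "deny", "device integrity cannot be trusted"
    if ctx.resource in SENSITIVE and not ctx.device_managed:
        return "deny", "sensitive resource requires a managed device"
    if ctx.network in ("office", "vpn"):
        return "allow", f"trusted network ({ctx.network})"
    if ctx.network == "public-wifi":
        if ctx.resource in SENSITIVE:
            return "deny", "sensitive resource not permitted over public Wi-Fi"
        return "step-up", "untrusted network, require a second factor"
    return "step-up", f"unknown or cellular network ({ctx.network}), require a second factor"


# Constructed sample requests (assumption).
REQUESTS = [
    AccessContext("alice", "email", True, False, "office"),
    AccessContext("alice", "email", True, False, "public-wifi"),
    AccessContext("alice", "hr-payroll", True, False, "public-wifi"),
    AccessContext("bob", "hr-payroll", False, False, "vpn"),
    AccessContext("carol", "email", True, True, "office"),
]

if __name__ == "__main__":
    for r in REQUESTS:
        d, why = decide(r)
        print(f"{r.user:6} {r.resource:11} via {r.network:12} -> {d:8} ({why})")
```

The reason string matters as much as the decision: it is what ends up in the access log, and it is what a user sees when asked for a second factor, so make it specific enough to debug a policy without being specific enough to coach an attacker.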
Containerization
n Containerization refers to dividing the device into a series of
containers: one container holding work-related materials, the
other personal
n Separate apps, data … virtually everything on the device
n This enables a much stronger use case for mixing business and
personal matters on a single device
n Most MDM solutions offer the ability to encrypt the containers,
especially the work-related container, providing another layer of
protection for the data
Storage Segmentation
n On mobile devices, it can be very difficult to keep personal
data separate from corporate data
n Storage segmentation is similar to containerization
n Some companies have developed capabilities to create
separate virtual containers
n For devices that handle highly sensitive corporate data, this
form of protection is highly recommended
Full Device Encryption
n You may need to consider full device encryption
n More and more, mobile devices are used when accessing and
storing business-critical data or other sensitive information
n Protecting the information on mobile devices is becoming a
business imperative
n On current iOS and Android releases it is built in and on by default for
most devices, but it is only as strong as the screen-lock passcode that
protects the key, so verify that it is on and enforce it through MDM
Enforcement and Monitoring
n Your organization’s mobile device policies should be
consistent with computer security policies
n Training programs should include instruction on mobile
device security
n Disciplinary actions should be consistent
n Monitoring programs should be enhanced to include mobile
devices
Third-Party App Stores
n From the enterprise's point of view, even the platform vendors'
stores are third-party app stores
n Apple App Store for iOS devices and Google Play for
Android devices
n The Apple App Store is built on a principle of exclusivity
and stringent security requirements
n Google Play has fewer restrictions
n Apps from these stores can still create security risks for an organization
Rooting/Jailbreaking
n Jailbreaking (the iOS term) is a process by which the user escalates their
privilege level, bypassing the operating system's controls and
limitations
n The result is complete functionality plus additional capabilities, bypassing
the OS-imposed user restrictions
n Running a device with elevated privileges means that app errors or
malware can do far more damage, and an MDM agent can no longer
trust what the OS reports about the device
n Rooting (the Android term) is the equivalent process by which OS controls
are bypassed to obtain root access
Sideloading
n Sideloading is the process of adding apps to a mobile
device without using the authorized store
n It is primarily an Android capability, enabled by the user through the
"install unknown apps" setting; iOS only permits it through enterprise
or developer provisioning profiles
n Adding apps to the device without having them hosted
on the requisite app store carries a greater risk of installing
malicious software in the guise of a desired app
Custom Firmware
n Custom firmware is firmware for a device that has been
altered from the original factory settings
n This firmware can bring added functionality, but it can also
result in security holes
n Custom firmware should be used only on devices that do
not have access to critical information
Carrier Unlocking
n Devices in the United States can come locked to a carrier
n Other parts of the world they are unlocked, relying upon a subscriber
identity module (SIM) for connection and billing
n This is a byproduct of the business market decisions made early in the
mobile phone market lifecycle
n If you have a carrier-locked device and insert a SIM from another carrier,
the device will not connect
n Carrier unlocking is the process of programming the device to sever
itself from the carrier – typically by inputting a special key sequence
or unlock code that unlocks the device
Firmware OTA Updates
n Firmware OTA (over the air) updates deliver firmware and OS
updates to the device over its wireless connection
n You tap a menu option on a mobile device to check the manufacturer's
or carrier's update service and install the update; it comes from the
device vendor, not from the app store
n All major device manufacturers support this model, for it is
the only workable solution at scale; update images are signed, so the
device refuses an image that has been tampered with
Camera Use
n Many mobile devices include on-board cameras, and the
photos/videos they take can divulge information
n This information can be associated with anything the
camera can image—whiteboards, documents, even the
location of the device when the photo/video was taken via
geo-tagging ( “GPS Tagging” )
n Another challenge is the possibility that they will be used
for illegal purposes – create liability for the company
SMS/MMS
n Short Message Service (SMS) and Multimedia Messaging
Service (MMS) are standard protocols to send messages,
including multimedia, over a cellular network
n SMS is limited to text-only messages of up to 160 characters
(70 when the message uses a non-Latin alphabet)
n MMS is a more recent development that adds images, audio, and video
n SMS travels in the clear through the carrier network and the sender
number can be spoofed, so it is a common phishing (smishing) channel
and a weak second factor
n Because of the content, it is important to at least address
these communication channels in relevant policies
External Media
n External media refers to any item or device that can store
data
n Flash drives, hard drives, music players, smartphones, even
smart watches can carry data into and out of the enterprise
n They are a pathway for data exfiltration and can also deliver
malware into the enterprise
n The key is to develop a policy that determines where these
devices can exist and where they should be banned, and to enforce
it technically (e.g. endpoint controls on removable storage)
USB OTG
n Universal Serial Bus is a common method of connecting
mobile devices to computers
n Connecting mobile devices directly to each other required changes
to the standard
n USB OTG (USB On-The-Go) is an extension of USB
n It allows those devices to switch back and forth between
the roles of host and device
n It is relatively new; most mobile devices made since 2015
are USB OTG compatible
n Because an OTG-capable phone can act as a USB host, it can read an
attached flash drive, and is exposed to whatever that drive or
peripheral carries
Recording Microphone
n Recording microphones can be used to record
conversations, collecting sensitive data without the parties
under observation even being aware of the activity
n The key is to determine the policy of where recording
microphones can be used and the rules for their use
n Under U.S. federal law, recording a telephone conversation requires the
consent of at least one party, so a person may record their own phone
conversation without the other party's consent or knowledge; a number of
states require the consent of all parties, so check the law of every state
involved before recording. Colorado is a one-party consent state.
GPS Tagging
n Photos taken on mobile devices or with cameras that have GPS
capabilities can have location information embedded in the
digital photo
n This is called GPS tagging or geo-tagging
n Posting photos with geo-tags embedded in them has its use,
but it can also unexpectedly publish information that users
may not want to share
n It is recommended that it be disabled unless you have a
specific reason for having the location information added
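As an added example that is not part of the slides, the Python below shows what a "disable geo-tagging" control has to deal with after the fact: it walks the JPEG segment structure, reports whether the Exif block's IFD0 carries a GPS sub-IFD pointer (tag 0x8825), and strips the Exif APP1 segment without touching the image data. The JPEG it operates on is a constructed, minimal file built in the block (a real photo from a phone has the same segment layout); only the standard library is used.

```python
import struct

SOI, EOI, SOS, APP0, APP1 = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFE0, 0xFFE1
EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825  # Exif tag in IFD0 that points at the GPS sub-IFD


def iter_segments(data):
    """Yield (marker, start, end) for each length-prefixed JPEG segment up to SOS.
    SOS is yielded with end = len(data) so the scan data and EOI are copied verbatim."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("bad marker at offset %d" % pos)
        marker = struct.unpack(">H", data[pos:pos + 2])[0]
        if marker == SOS:
            yield marker, pos, len(data)
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes the 2 length bytes
        end = pos + 2 + length
        if end > len(data):
            raise ValueError("truncated segment")
        yield marker, pos, end
        pos = end
    raise ValueError("no SOS marker found")


def _is_exif(data, start):
    return data[start + 4:start + 10] == EXIF_HEADER


def exif_has_gps(data):
    """True if the Exif APP1 segment's IFD0 carries a GPS sub-IFD pointer."""
    for marker, start, end in iter_segments(data):
        if marker != APP1 or not _is_exif(data, start):
            continue
        tiff = data[start + 10:end]             # TIFF header follows "Exif\0\0"
        if tiff[:2] not in (b"II", b"MM"):
            continue
        e = "<" if tiff[:2] == b"II" else ">"   # byte order of the TIFF structure
        ifd0 = struct.unpack(e + "I", tiff[4:8])[0]
        count = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])[0]
        for i in range(count):                   # each IFD entry is 12 bytes: tag, type, count, value
            off = ifd0 + 2 + 12 * i
            if struct.unpack(e + "H", tiff[off:off + 2])[0] == GPS_IFD_TAG:
                return True
    return False


def strip_exif(data):
    """Return the JPEG with every Exif APP1 segment removed; image data is untouched."""
    out = bytearray(b"\xff\xd8")
    for marker, start, end in iter_segments(data):
        if marker == APP1 and _is_exif(data, start):
            continue
        out += data[start:end]
    return bytes(out)


def build_sample_jpeg(with_gps=True):
    """Constructed minimal JPEG (assumption): JFIF APP0, optional Exif APP1 whose IFD0 points
    at a GPS IFD, a one-component SOS header, two bytes of scan data, and EOI."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    gps_ifd_offset = 8 + 2 + 12 + 4  # TIFF header, IFD0 count, one entry, next-IFD pointer
    tiff = (b"MM\x00\x2a" + struct.pack(">I", 8)
            + struct.pack(">H", 1) + struct.pack(">HHII", GPS_IFD_TAG, 4, 1, gps_ifd_offset)
            + struct.pack(">I", 0)
            + struct.pack(">H", 1) + struct.pack(">HHI", 0x0001, 2, 2) + b"N\x00\x00\x00"  # GPSLatitudeRef
            + struct.pack(">I", 0))
    payload = EXIF_HEADER + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    sos = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34" + b"\xff\xd9"
    return b"\xff\xd8" + app0 + (app1 if with_gps else b"") + sos


if __name__ == "__main__":
    photo = build_sample_jpeg()
    print("has GPS tag:", exif_has_gps(photo))
    clean = strip_exif(photo)
    print("after strip:", exif_has_gps(clean), len(photo), "->", len(clean), "bytes")
```

Stripping the whole APP1 also removes orientation and the embedded thumbnail, which is usually what you want before publishing: the thumbnail can show the uncropped original. Location can also hide in an XMP APP1 (`http://ns.adobe.com/xap/1.0/`) or an IPTC APP13 block, which this example does not touch.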
Wi-Fi Direct/Ad Hoc
n Wi-Fi direct: two Wi-Fi devices connect to each other via a
single-hop connection – they can be connected with all of
the bells and whistles of modern wireless networking
n Wi-Fi ad hoc: multiple devices can communicate with each
other, with each device capable of communicating with all
other devices
Tethering
n Tethering is the connection of a device to a mobile device
that has a means of accessing a network for the purpose of
sharing the network access
n Connecting a mobile phone to a laptop so that the laptop
can use the phone to connect to the Internet is tethering
n When you tether a device, you create an additional external
network connection that bypasses the enterprise network and its controls
Payment Methods
n Twenty years ago, payment methods were cash, check, or
charge
n New intermediaries: smart devices with Near Field
Communication (NFC) linked to credit cards
n The actual payment is still a credit/debit card charge; the payment
pathway is through the digital device
n The device typically presents a tokenized card number rather than the
real card number to the terminal, so a captured token is of limited use
n Utilizing the security features of the device, NFC and
biometrics/PIN, has advantages, as it allows additional
specific security measures, such as biometric-based approval
for the transaction
Deployment Models
n Consider how …
n how security will be enforced
n how all the policies will be enforced
n what devices will be supported
n You can choose from a variety of device deployment models
n employee-owned model (BYOD)
n strict corporate-owned model
n several hybrid models in between
BYOD
n The bring your own device (BYOD) model has several advantages:
n minimizing device cost for the organization
n users tend to prefer to have a single device
n users have less of a learning curve on devices they already
know how to use or have an interest in learning
n This model is popular in small firms and in organizations that
employ a lot of temporary workers
n The disadvantage is that employees will not be eager to limit their
use based on corporate policies, so corporate control will be limited
CYOD
n The choose your own device (CYOD) deployment model is
similar to BYOD in concept in that it gives users a choice in
the type of device
n In most cases, the organization constrains this choice to a
list of acceptable devices that can be supported
n Because the device is owned by the organization, it has greater
flexibility in imposing restrictions on device use in terms of
apps, data, updates, and so forth
COPE
n In the corporate owned, personally enabled (COPE)
deployment model, employees are supplied a mobile device
that is chosen and paid for by the organization
n But they are given permission to use it for personal activities
n The organization can decide how much choice and freedom
employees get
n This allows the organization to control security functionality
while limiting the employee dissatisfaction that comes with a
business-only device
Corporate-Owned
n In the corporate-owned, business only (COBO) deployment model,
the company supplies employees with a mobile device that is
restricted to company-only use
n The disadvantage of this model is that employees have to carry
two devices: one personal and one for work, and then separate
functions between the devices based on purpose of use
n The advantage is that the corporation has complete control over
its devices and can apply any security controls without
interference from other device functionality
VDI
n A virtual desktop infrastructure (VDI) solution can bring control to
the mobile environment associated with non-corporate-owned
equipment
n The enterprise sets up virtual desktop machines that are fully
security compliant and contain all the necessary applications
n The employee accesses them via either a virtual connection or a remote
desktop connection
n This can solve most if not all of the security and application
functionality issues associated with mobile devices, because the data
stays in the data center and only screen images reach the device
Stay Alert!
There is no 100 percent secure system, and
there is nothing that is foolproof!