CIS 3500 (rowdysites.msudenver.edu/~fustos/cis3500/pdf/chapter09.pdf)

Mobile Devices

Chapter #9: Technologies and Tools

Chapter Objectives

• Examine the connection methods used by mobile devices
• Study mobile device management concepts
• Understand mobile device policy and enforcement
• Identify deployment models based on a given scenario

Connection Methods

• Mobile devices require a non-wired means of connection
• On the enterprise side the connection is via the Internet
• On the mobile device side a wide range of options exist for connectivity
• Where and how the connection is made needs to be architected

Cellular

• Cellular connections use mobile telephony circuits
• Fourth-generation (4G) or LTE; some 3G services still exist
• One of the strengths is robust nationwide networks
• The corresponding weakness is that gaps in cellular service still exist in remote areas

Wi-Fi

• Wi-Fi refers to the radio communication methods developed under the Wi-Fi Alliance
• These systems exist on the 2.4- and 5-GHz frequency ranges
• This communication methodology is ubiquitous across computing platforms and is relatively easy to implement and secure
• Securing Wi-Fi is a mainstream method of constructing networks today

SATCOM

• SATCOM (satellite communications) is the use of terrestrial transmitters and receivers and satellites in orbit to transfer the signals
• SATCOM can be one-way or two-way
• Satellites are expensive, and there are both cost and line-of-sight issues
• But in rural or remote areas SATCOM is one of the only options for communications

Bluetooth

• Bluetooth is a short-range, low-power wireless protocol that transmits in the 2.4-GHz band in personal area networks (PANs)
• Used by mobile phones, laptops, printers, and audio devices; even new cars use it as a mobile phone hands-free kit
• The current version is 4.0, with support for three modes: classic, high speed, and Low Energy
• Bluetooth uses pairing to establish a trust relationship
• The devices advertise capabilities and require a passkey; not all devices can do that (a keyboard does not have a screen, nor do speakers)

NFC

• Near Field Communication (NFC) is a set of wireless technologies bridging a distance of 10 cm (3.9 in) or less
• Used for moving data between phones and in mobile payment systems
• NFC is likely to become a high-use technology
• Currently, NFC relies to a great degree on its very short range for security, although apps that use it may have their own security mechanisms

ANT

• ANT is a multicast wireless sensor network technology that operates in the 2.4-GHz ISM band
• It has open access and a protocol stack to facilitate communication by establishing standard rules for co-existence, data representation, signaling, authentication, and error detection
• ANT is conceptually similar to Bluetooth Low Energy, but is oriented toward usage with sensors, such as heart rate monitors, fitness devices, and personal devices
• ANT uses a unique isosynchronous network technology that works well with multiple devices without interference

Infrared

• Infrared (IR) is a band of electromagnetic energy just beyond the red end of the visible color spectrum
• IR has been used in remote-control devices for years
• It started as a wireless method to connect to printers
• Now wireless keyboards, wireless mice, and mobile devices exchange data via IR
• It is slow compared to other wireless technologies
• IR cannot penetrate walls but instead bounces off them
• Because IR can be seen by all in range, any desired security must be on top of the base transmission mechanism

USB

• Universal Serial Bus (USB) has become the ubiquitous standard for connecting devices
• Mobile phones can transfer data and charge; laptops, desktops, even servers have USB ports
• USB automatically recognizes a device being plugged into the system and usually works without adding drivers
• This has spawned devices from music players to peripherals to storage devices: virtually anything that can consume or deliver data
• Connectors: USB mini, USB micro, and now USB Type-C

Mobile Device Management Concepts

• Mobile device management (MDM) concepts are essential
• Device locking with a strong password
• Encryption of data on the device
• Device locking automatically after a period of inactivity
• Remotely locking the device if it is lost or stolen
• Wiping the device automatically after a certain number of failed login attempts
• Remotely wiping the device if it is lost or stolen
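The MDM controls listed above are what an enrollment server checks against each device's reported configuration. The following is an added example, not code from the course slides or from any MDM product: it models a policy with the slides' controls (strong passcode, encryption, auto-lock, wipe after N failed attempts) and maps a device's state to the remote actions described (lock and wipe a lost device). The policy thresholds, field names and the three device records are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Added example (not from the course slides): an MDM-style compliance check.
# Thresholds, field names and the sample device records are assumptions.

@dataclass(frozen=True)
class MdmPolicy:
    min_passcode_length: int = 6       # "device locking with a strong password"
    require_encryption: bool = True    # "encryption of data on the device"
    max_autolock_minutes: int = 5      # "lock automatically after a period of inactivity"
    max_failed_unlocks: int = 10       # "wipe after a certain number of failed login attempts"

@dataclass(frozen=True)
class DeviceReport:
    device_id: str
    passcode_length: int               # 0 = no passcode configured
    encrypted: bool
    autolock_minutes: Optional[int]    # None = never locks automatically
    wipe_after_failed: Optional[int]   # None = failed-attempt wipe disabled
    reported_lost: bool = False

def check_compliance(device: DeviceReport, policy: MdmPolicy) -> list[str]:
    """Return the policy controls the device violates (empty list = compliant)."""
    violations = []
    if device.passcode_length < policy.min_passcode_length:
        violations.append("passcode_too_short")
    if policy.require_encryption and not device.encrypted:
        violations.append("storage_not_encrypted")
    if device.autolock_minutes is None or device.autolock_minutes > policy.max_autolock_minutes:
        violations.append("autolock_too_slow")
    if device.wipe_after_failed is None or device.wipe_after_failed > policy.max_failed_unlocks:
        violations.append("failed_attempt_wipe_disabled")
    return violations

def decide_actions(device: DeviceReport, policy: MdmPolicy) -> list[str]:
    """Map device state to the remote actions the slides describe.

    A lost or stolen device is locked first and then wiped; a non-compliant
    device still in its owner's hands is only cut off from corporate data.
    """
    if device.reported_lost:
        return ["remote_lock", "remote_wipe"]
    if check_compliance(device, policy):
        return ["block_corporate_access", "notify_owner"]
    return []

# Constructed inventory: one compliant phone, one weakly configured, one reported lost.
SAMPLE_DEVICES = [
    DeviceReport("phone-01", passcode_length=8, encrypted=True, autolock_minutes=2, wipe_after_failed=10),
    DeviceReport("phone-02", passcode_length=4, encrypted=False, autolock_minutes=None, wipe_after_failed=None),
    DeviceReport("phone-03", passcode_length=8, encrypted=True, autolock_minutes=2, wipe_after_failed=10,
                 reported_lost=True),
]

def compliance_report(devices=SAMPLE_DEVICES, policy=MdmPolicy()) -> dict[str, dict]:
    """Summarise violations and required actions per device."""
    return {d.device_id: {"violations": check_compliance(d, policy),
                          "actions": decide_actions(d, policy)}
            for d in devices}

if __name__ == "__main__":
    for dev_id, result in compliance_report().items():
        print(dev_id, result)
```

The order of actions matters in practice: locking a lost device is immediate and reversible, while a wipe destroys evidence and any personal data, so a real MDM workflow usually confirms the loss before issuing the wipe.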

Application Management

• Application store for finding and purchasing apps
• Making sure that offered apps are approved and don't create an overt security risk
• Many apps request access to various information
• These are all potential problems for data security
• Example: installing Facebook on an Android phone

Content Management

• Content management is the set of actions used to control content issues, including what content is available and to what apps, on mobile devices
• Most organizations have a data ownership policy
• Examining what content belongs on specific devices and then using mechanisms to enforce these rules
• MDM solutions exist to assist

Remote Wipe

• Remote wiping removes data stored on the device and resets the device to factory settings
• A complication is the use of BYOD devices that store both personal and enterprise data
• Software controls for separate data containers have been proposed but are not a mainstream option yet
• Remote wipe can only be managed via apps on the device
• For Apple and Android devices, the OS also has the ability to set the device up for remote locking and factory reset

Geofencing

• Geofencing is the use of GPS and/or RFID technology to create a virtual fence and detect when mobile devices cross it
• This enables devices to be recognized by others
• Geofencing is used in marketing to send messages to devices
• Geofencing has been used for remote worker management, to detect when workers have arrived at remote work sites
• Turning off geofencing is possible via the device
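Detecting that a device has crossed a virtual fence comes down to comparing each GPS fix against a centre point and radius. The following is an added example, not code from the course slides: it computes great-circle distance with the haversine formula and walks a track of fixes, emitting enter and exit events. It goes one step beyond the slide by adding a hysteresis band, because raw GPS fixes jitter by tens of metres and a fence without one fires spurious exit/enter pairs whenever a device sits near the boundary. The fence location, radius and the four-point track are constructed.

```python
import math
from dataclasses import dataclass

# Added example (not from the course slides): detecting when a device enters or
# leaves a circular geofence. Fence, radius and the GPS track are constructed.

EARTH_RADIUS_M = 6_371_000.0

@dataclass(frozen=True)
class Geofence:
    lat: float
    lon: float
    radius_m: float           # a device counts as "inside" once within this distance
    hysteresis_m: float = 0   # it must go this much further out before it counts as "outside"

def haversine_m(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in metres between two lat/lon points (decimal degrees)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def fence_events(fence: Geofence, track):
    """Walk (timestamp, lat, lon) fixes and return (timestamp, "enter"|"exit") crossings.

    While the device is inside, the exit threshold is radius_m + hysteresis_m, so a
    fix that wobbles just past the radius does not produce an exit event.
    """
    events = []
    inside = None  # unknown until the first fix is seen
    for ts, lat, lon in track:
        dist = haversine_m(fence.lat, fence.lon, lat, lon)
        if inside:
            now_inside = dist <= fence.radius_m + fence.hysteresis_m
        else:
            now_inside = dist <= fence.radius_m
        if inside is not None and now_inside != inside:
            events.append((ts, "enter" if now_inside else "exit"))
        inside = now_inside
    return events

# Constructed fence around a work site and a constructed track of one device.
SITE = Geofence(lat=39.7392, lon=-104.9903, radius_m=200, hysteresis_m=50)
TRACK = [
    ("08:00", 39.7492, -104.9903),  # ~1.1 km north of the centre: outside
    ("08:05", 39.7400, -104.9903),  # ~89 m: inside -> "enter"
    ("08:10", 39.7412, -104.9903),  # ~222 m: past the radius but within the hysteresis band
    ("08:15", 39.7425, -104.9903),  # ~367 m: outside -> "exit"
]

if __name__ == "__main__":
    for ts, event in fence_events(SITE, TRACK):
        print(ts, event)
```

With `hysteresis_m=0` the same track reports an exit at 08:10, which is the kind of false crossing that makes workers look as if they left a site they never left.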

Geolocation

• Most mobile devices are now capable of using GPS
• Many apps rely heavily on GPS location
• Such technology can be exploited to track the movement and location of the mobile device, which is referred to as geolocation
• This tracking can be used to assist in the recovery of lost devices

Screen Locks

• Most corporate policies require the use of screen locking
• This usually consists of entering a passcode or PIN to unlock the device
• It is highly recommended that screen locks be enforced for all mobile devices
• The quality of the passcode should be consistent with your corporate password policy
• If not, users tend to use easy-to-remember passcodes
• If the passcode is entered incorrectly a specified number of times, the device is automatically wiped (optional)

Push Notification Services

• Push notification services deliver information to mobile devices without a specific request from the device
• As push notifications enable the movement of information from external sources to the device, this has some security implications:
  • device location, and
  • potential interaction with the device
  • e.g. it is possible to push the device to emit a sound, even if the sound is muted on the device

Passwords and PINs

• Passwords and PINs are common security measures
• The rules for passwords apply to mobile devices as well
• A simple gesture-based swipe pattern on the screen can be discovered by looking at the oil pattern on the screen
• Finger painting with body grease :)
• Either cleaning or dirtying the whole screen is the obvious solution

Biometrics

• Biometrics are used across a wide range of mobile devices
• Recognition is less than perfect
• The newest biometric method, facial recognition, based on a camera image of the user's face while they are holding the phone, offers some promise, but raises similar concerns
• Because they can be bypassed, they should be considered convenience features, not security features
• Management policies should reflect this fact

Context-Aware Authentication

• Context-aware authentication is the use of contextual information:
  • who the user is
  • what resource they are requesting
  • what machine they are using
  • how they are connected, and so on
• This approach can be used to allow users to access network resources from inside the office but deny it if they are connecting via a public Wi-Fi network
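The office-versus-public-Wi-Fi rule above is one row of a larger decision table that weighs who, what, which machine and how. The following is an added example, not code from the course slides or from any identity product: a small first-match rule set over an access context that returns allow, step-up (require MFA) or deny with a reason. The users, groups, resources and network labels are constructed assumptions.

```python
from dataclasses import dataclass

# Added example (not from the course slides): a context-aware access decision.
# Users, groups, resources and network labels are constructed for illustration.

@dataclass(frozen=True)
class AccessContext:
    user: str
    resource: str
    device_managed: bool    # enrolled in MDM and currently compliant
    network: str            # "corp_lan", "corp_vpn", "cellular", "public_wifi"

USER_GROUPS = {"alice": {"finance"}, "bob": {"engineering"}}
RESOURCE_ACCESS = {"payroll": {"finance"}, "wiki": {"finance", "engineering"}}
TRUSTED_NETWORKS = {"corp_lan", "corp_vpn"}

def decide(ctx: AccessContext) -> tuple[str, str]:
    """Return (decision, reason); decision is "allow", "step_up" or "deny".

    Rules are evaluated in order and the first match wins: entitlement (who, what)
    is checked before the contextual signals (which machine, how connected), so a
    trusted network never grants access the user was not entitled to anyway.
    """
    groups = USER_GROUPS.get(ctx.user, set())
    allowed = RESOURCE_ACCESS.get(ctx.resource, set())
    if not groups & allowed:
        return "deny", "user not entitled to resource"
    if ctx.network == "public_wifi":
        return "deny", "public Wi-Fi is not trusted for corporate resources"
    if not ctx.device_managed:
        return "deny", "unmanaged device"
    if ctx.network in TRUSTED_NETWORKS:
        return "allow", f"managed device on {ctx.network}"
    return "step_up", f"managed device on untrusted network {ctx.network}: require MFA"

if __name__ == "__main__":
    for ctx in [
        AccessContext("alice", "payroll", True, "corp_lan"),
        AccessContext("alice", "payroll", True, "public_wifi"),
        AccessContext("bob", "wiki", True, "cellular"),
        AccessContext("bob", "payroll", True, "corp_lan"),
    ]:
        print(ctx.user, ctx.resource, ctx.network, "->", decide(ctx))
```

Returning a reason with every decision is deliberate: the reason string is what ends up in the authentication log, and it is what an analyst needs when a user reports being denied or when a compromised account is traced back through its access attempts.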

Containerization

• Containerization refers to dividing the device into a series of containers: one container holding work-related materials, the other personal
• Separate apps, data … virtually everything on the device
• This enables a much stronger use case for mixing business and personal matters on a single device
• Most MDM solutions offer the ability to encrypt the containers, especially the work-related container, providing another layer of protection for the data

Storage Segmentation

• On mobile devices, it can be very difficult to keep personal data separate from corporate data
• Storage segmentation is similar to containerization
• Some companies have developed capabilities to create separate virtual containers
• For devices that handle highly sensitive corporate data, this form of protection is highly recommended

Full Device Encryption

• You may need to consider full device encryption
• More and more, mobile devices are used when accessing and storing business-critical data or other sensitive information
• Protecting the information on mobile devices is becoming a business imperative
• This is an emerging technology, so you'll need to do some research to determine what product meets your needs

Enforcement and Monitoring

• Your organization's mobile device policies should be consistent with computer security policies
• Training programs should include instruction on mobile device security
• Disciplinary actions should be consistent
• Monitoring programs should be enhanced to include mobile devices

Third-Party App Stores

• App stores are considered by an enterprise to be third-party app stores
• Apple App Store for iOS devices and Google Play for Android devices
• The Apple App Store is built on a principle of exclusivity and stringent security requirements
• Google Play has fewer restrictions
• These apps can create security risks for an organization

Rooting/Jailbreaking

• Jailbreaking is a process by which the user escalates their privilege level, bypassing the operating system's controls and limitations
• Complete functionality plus additional capabilities, bypassing the OS-imposed user restrictions
• Running a device with enhanced privileges can result in errors that cause more damage
• Rooting a device is a process by which OS controls are bypassed

Sideloading

• Sideloading is the process of adding apps to a mobile device without using the authorized store
• Currently, it only works on Android devices
• Adding apps to the device without having them hosted on the requisite app store carries a greater risk of installing malicious software in the guise of a desired app

Custom Firmware

• Custom firmware is firmware for a device that has been altered from the original factory settings
• This firmware can bring added functionality, but it can also result in security holes
• Custom firmware should be used only on devices that do not have access to critical information

Carrier Unlocking

• Devices in the United States can come locked to a carrier
• In other parts of the world they are unlocked, relying upon a subscriber identity module (SIM) for connection and billing
• This is a byproduct of the business market decisions made early in the mobile phone market lifecycle
• If you put a SIM from another carrier into a carrier-locked device, the device will not work
• Carrier unlocking is the process of programming the device to sever itself from the carrier: inputting a special key sequence that unlocks the device

Firmware OTA Updates

• Firmware OTA (over the air) updates are a solution for updating firmware
• You can tap a menu option on a mobile device to connect to an app store and update the device firmware
• All major device manufacturers support this model, for it is the only real workable solution

Camera Use

• Many mobile devices include on-board cameras, and the photos/videos they take can divulge information
• This information can be associated with anything the camera can image: whiteboards, documents, even the location of the device when the photo/video was taken, via geo-tagging ("GPS tagging")
• Another challenge is the possibility that they will be used for illegal purposes, creating liability for the company

SMS/MMS

• Short Message Service (SMS) and Multimedia Messaging Service (MMS) are standard protocols to send messages, including multimedia, over a cellular network
• SMS is limited to text-only messages of fewer than 160 characters
• MMS is a more recent development
• Because of the content, it is important to at least address these communication channels in relevant policies

External Media

• External media refers to any item or device that can store data
• Flash drives, hard drives, music players, smartphones, even smart watches are a pathway for data exfiltration
• They can also deliver malware into the enterprise
• These devices can carry data into and out of the enterprise
• The key is to develop a policy that determines where these devices can exist and where they should be banned

USB OTG

• Universal Serial Bus is a common method of connecting mobile devices to computers
• Connecting mobile devices to each other required changes
• USB OTG (USB On-The-Go) is an extension of USB
• It allows those devices to switch back and forth between the roles of host and device
• It is relatively new; most mobile devices made since 2015 are USB OTG compatible

Recording Microphone

• Recording microphones can be used to record conversations, collecting sensitive data without the parties under observation even being aware of the activity
• The key is to determine the policy of where recording microphones can be used and the rules for their use
• Under Federal law, it's illegal to record telephone conversations unless you live in a state that permits one-party consent, which means that a person can record their own phone conversation without the other party's consent or knowledge. Colorado is a one-party consent state.

GPS Tagging

• Photos taken on mobile devices or with cameras that have GPS capabilities can have location information embedded in the digital photo
• This is called GPS tagging or geo-tagging
• Posting photos with geo-tags embedded in them has its uses, but it can also unexpectedly publish information that users may not want to share
• It is recommended that it be disabled unless you have a specific reason for having the location information added
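The location in a geo-tagged photo lives in the Exif APP1 segment of the JPEG, in a GPS sub-IFD holding the latitude and longitude as degree/minute/second rationals. The following is an added example, not code from the course slides, illustrating both this slide and the earlier Camera Use slide: it builds a constructed JPEG stub that carries such a tag, walks the TIFF/IFD structure to recover the coordinates, and strips the whole Exif segment so the photo can be shared without them. The coordinates and the byte layout of the stub are constructed; the tag numbers (0x8825 GPS IFD pointer, 0x0001 to 0x0004 for the latitude/longitude references and values) are the standard Exif ones.

```python
import struct

# Added example (not from the course slides): find the GPS coordinates embedded in a
# JPEG's Exif block and strip that block before sharing. The JPEG is a constructed
# stub (headers only, no image data) so the example runs offline.

GPS_IFD_POINTER = 0x8825   # Exif tag in IFD0 that points at the GPS sub-IFD

def build_sample_jpeg() -> bytes:
    """Constructed JPEG: SOI, one APP1/Exif segment carrying a GPS sub-IFD, EOI."""
    ifd0_off = 8                            # IFD0 follows the 8-byte TIFF header
    gps_off = ifd0_off + 2 + 12 * 1 + 4     # one entry in IFD0 -> GPS IFD at offset 26
    data_off = gps_off + 2 + 12 * 4 + 4     # four entries in GPS IFD -> rationals at 80
    lat = [(39, 1), (45, 1), (0, 1)]        # 39 deg 45' 0" N (constructed)
    lon = [(105, 1), (0, 1), (0, 1)]        # 105 deg 0' 0" W (constructed)
    tiff = b"II" + struct.pack("<HI", 0x2A, ifd0_off)                 # little-endian TIFF header
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_POINTER, 4, 1, gps_off)
    tiff += struct.pack("<I", 0)                                        # no IFD after IFD0
    tiff += struct.pack("<H", 4)
    tiff += struct.pack("<HHI4s", 0x0001, 2, 2, b"N\x00\x00\x00")      # GPSLatitudeRef, ASCII inline
    tiff += struct.pack("<HHII", 0x0002, 5, 3, data_off)              # GPSLatitude, 3 RATIONALs
    tiff += struct.pack("<HHI4s", 0x0003, 2, 2, b"W\x00\x00\x00")      # GPSLongitudeRef
    tiff += struct.pack("<HHII", 0x0004, 5, 3, data_off + 24)         # GPSLongitude
    tiff += struct.pack("<I", 0)                                        # end of GPS IFD chain
    tiff += b"".join(struct.pack("<II", n, d) for n, d in lat + lon)
    payload = b"Exif\x00\x00" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"

def find_exif_segment(jpeg: bytes):
    """Return (start, end, tiff_bytes) of the APP1 Exif segment, or None if absent."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI or start of scan: no more metadata segments
            break
        seg_end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return pos, seg_end, jpeg[pos + 10:seg_end]
        pos = seg_end
    return None

def _read_ifd(tiff: bytes, bo: str, off: int) -> dict:
    """Parse one IFD into {tag: (type, count, raw 4-byte value-or-offset)}."""
    count = struct.unpack(bo + "H", tiff[off:off + 2])[0]
    entries = {}
    for i in range(count):
        e = off + 2 + 12 * i
        tag, typ, cnt = struct.unpack(bo + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, cnt, tiff[e + 8:e + 12])
    return entries

def gps_coordinates(jpeg: bytes):
    """Return (lat, lon) in decimal degrees if a GPS sub-IFD is present, else None."""
    seg = find_exif_segment(jpeg)
    if seg is None:
        return None
    tiff = seg[2]
    bo = "<" if tiff[:2] == b"II" else ">"   # byte order declared by the TIFF header
    ifd0 = _read_ifd(tiff, bo, struct.unpack(bo + "I", tiff[4:8])[0])
    if GPS_IFD_POINTER not in ifd0:
        return None
    gps = _read_ifd(tiff, bo, struct.unpack(bo + "I", ifd0[GPS_IFD_POINTER][2])[0])

    def dms(tag):  # three RATIONALs (deg, min, sec) stored at the entry's offset
        _, cnt, raw = gps[tag]
        off = struct.unpack(bo + "I", raw)[0]
        parts = [struct.unpack(bo + "II", tiff[off + 8 * i:off + 8 * i + 8]) for i in range(cnt)]
        d, m, s = (n / den for n, den in parts)
        return d + m / 60 + s / 3600

    lat, lon = dms(0x0002), dms(0x0004)
    if gps[0x0001][2][:1] == b"S":
        lat = -lat
    if gps[0x0003][2][:1] == b"W":
        lon = -lon
    return lat, lon

def strip_exif(jpeg: bytes) -> bytes:
    """Drop the whole APP1 Exif segment; the image data is untouched."""
    seg = find_exif_segment(jpeg)
    if seg is None:
        return jpeg
    return jpeg[:seg[0]] + jpeg[seg[1]:]

if __name__ == "__main__":
    photo = build_sample_jpeg()
    print("embedded location:", gps_coordinates(photo))
    print("after stripping:", gps_coordinates(strip_exif(photo)))
```

Removing the entire APP1 segment rather than editing out just the GPS IFD is the safer choice for a sharing pipeline: it also drops the camera serial number, timestamps and thumbnail, and it cannot leave a dangling offset behind. A real photo may also carry XMP (APP1 with a different signature) or a second Exif copy, so a production tool should check every segment before SOS, not stop at the first hit.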

Wi-Fi Direct/Ad Hoc

• Wi-Fi Direct: two Wi-Fi devices connect to each other via a single-hop connection; they can be connected with all of the bells and whistles of modern wireless networking
• Wi-Fi ad hoc: multiple devices can communicate with each other, with each device capable of communicating with all other devices

Tethering

• Tethering is the connection of a device to a mobile device that has a means of accessing a network, for the purpose of sharing the network access
• Connecting a mobile phone to a laptop so that the laptop can use the phone to connect to the Internet is tethering
• When you tether a device, you create additional external network connections

Payment Methods

• Twenty years ago, payment methods were cash, check, or charge
• New intermediaries: smart devices with Near Field Communication (NFC) linked to credit cards
• The actual payment is still a credit/debit card charge; the payment pathway is through the digital device
• Utilizing the security features of the device (NFC, biometrics/PIN) has some advantages, as it allows additional specific security measures, such as biometric-based approval for the transaction

Deployment Models

• Consider how …
  • how security will be enforced
  • how all the policies will be enforced
  • what devices will be supported
• You can choose from a variety of device deployment models:
  • employee-owned model (BYOD)
  • strict corporate-owned model
  • several hybrid models in between

BYOD

• The bring your own device (BYOD) model:
  • minimizes device cost for the organization
  • users tend to prefer to have a single device
  • users have less of a learning curve on devices they already know how to use or have an interest in learning
• This model is popular in small firms and in organizations that employ a lot of temporary workers
• The disadvantage is that employees will not be eager to limit their use based on corporate policies, so corporate control will be limited

CYOD

• The choose your own device (CYOD) deployment model is similar to BYOD in concept in that it gives users a choice in the type of device
• In most cases, the organization constrains this choice to a list of acceptable devices that can be supported
• Because the device is owned by the organization, it has greater flexibility in imposing restrictions on device use in terms of apps, data, updates, and so forth

COPE

• In the corporate owned, personally enabled (COPE) deployment model, employees are supplied a mobile device that is chosen and paid for by the organization
• But they are given permission to use it for personal activities
• The organization can decide how much choice and freedom employees get
• This allows the organization to control security functionality while dealing with employee dissatisfaction

Corporate-Owned

• In the corporate-owned, business only (COBO) deployment model, the company supplies employees with a mobile device that is restricted to company-only use
• The disadvantage of this model is that employees have to carry two devices, one personal and one for work, and then separate functions between the devices based on purpose of use
• The advantage is that the corporation has complete control over its devices and can apply any security controls without interference from other device functionality

VDI

• A virtual desktop infrastructure (VDI) solution can bring control to the mobile environment associated with non-corporate-owned equipment
• The enterprise can set up virtual desktop machines that are fully security compliant and contain all the necessary applications
• Employees access it via either a virtual connection or a remote desktop connection
• This can solve most if not all of the security and application functionality issues associated with mobile devices: the data!

Stay Alert!

There is no 100 percent secure system, and there is nothing that is foolproof!