3.5 Secure Mobile Solutions Flashcards
• One-to-one connection
– Conversation between two devices
• Connections between buildings
– Point-to-point network links
• Wi-Fi repeaters
– Extend the length of an existing network
Point-to-point
• One of the most popular communication methods
– 802.11 wireless
• Does not imply full connectivity between nodes
Point-to-multipoint
• Mobile devices
– “Cell” phones
• Separate land into “cells”
– An antenna covers a cell with certain frequencies
• Security concerns
– Traffic monitoring
– Location tracking
– Worldwide access to a mobile device
Cellular networks
• Local network access
– Local security problems
• Same security concerns as other Wi-Fi devices
• Data capture
– Encrypt your data!
• On-path attack
– Modify and/or monitor data
• Denial of service
– Frequency interference
Wi-Fi
• High speed communication over short distances
– PAN (Personal Area Network)
• Connects our mobile devices
– Smartphones, tethering, headsets and headphones, health monitors, automobile and phone integration, smartwatches, external speakers
Bluetooth
• It’s everywhere
– Access badges
– Inventory/Assembly line tracking
– Pet/Animal identification
– Anything that needs to be tracked
• Radar technology
– Radio energy transmitted to the tag
– RF powers the tag, ID is transmitted back
– Bidirectional communication
– Some tag formats can be active/powered
RFID (Radio-frequency identification)
• Two-way wireless communication
– Builds on RFID
• Payment systems
– Google Wallet, Apple Pay
• Bootstrap for other wireless
– NFC helps with Bluetooth pairing
• Access token, identity “card”
– Short range with encryption support
Near field communication (NFC)
• Remote capture
– It’s a wireless network
– 10 meters for active devices
• Frequency jamming
– Denial of service
• Relay / Replay attack
– Man in the middle
• Loss of NFC device control
– Stolen/lost phone
NFC security concerns
• Included on many smartphones, tablets, and smartwatches
– Not really used much for printing
• Control your entertainment center
– Almost exclusively IR
• File transfers are possible
• Other phones can be used to control your IR devices
IR (Infrared)
• Physical connectivity to your mobile device
– USB to your computer
– USB, Lightning, or proprietary on your phone
• Physical access is always a concern
– May be easier to gain access than over a remote connection
• A locked device is relatively secure
– Always auto-lock
• Mobile phones can also exfiltrate
– Phone can appear to be a USB storage device
USB (Universal Serial Bus)
• Created by the U.S. Department of Defense
– Over 30 satellites currently in orbit
• Precise navigation
– Need to see at least 4 satellites
• Determines location based on timing differences
– Longitude, latitude, altitude
• Mobile device location services and geotracking
– Maps, directions
– Determine physical location based on GPS, WiFi, and cellular towers
Global Positioning System (GPS)
• Manage company-owned and user-owned mobile devices
– BYOD - Bring Your Own Device
• Centralized management of the mobile devices
– Specialized functionality
• Set policies on apps, data, camera, etc.
– Control the remote device
– The entire device or a “partition”
• Manage access control
– Force screen locks and PINs on these single user devices
Mobile Device Management (MDM)
• Managing mobile apps is a challenge
– Mobile devices install apps constantly
• Not all applications are secure
– And some are malicious
– Android malware is a rapidly growing security concern
• Manage application use through allow lists
– Only approved applications can be installed
– Managed through the MDM
• A management challenge
– New applications must be checked and added
Application management
• Mobile Content Management (MCM)
– Secure access to data, protect data from outsiders
• File sharing and viewing
– On-site content (Microsoft Sharepoint, file servers)
– Cloud-based storage (Box, Office 365)
• Data sent from the mobile device
– DLP (Data Loss Prevention) prevents copy/paste of sensitive data
– Ensure data is encrypted on the mobile device
• Managed from the mobile device manager (MDM)
Content management
• Remove all data from your mobile device
– Even if you have no idea where it is
– Often managed from the MDM
• Connect and wipe from the web
– Nuke it from anywhere
• Need to plan for this
– Configure your mobile device now
• Always have a backup
– Your data can be removed at any time
– As you are walking out the door
Remote wipe
• Precise tracking details
– Tracks within feet
• Can be used for good (or bad)
– Find your phone, find you
• Most phones provide an option to disable
– Limits functionality of the phones
• May be managed by the MDM
Geolocation
• Some MDMs allow for geofencing
– Restrict or allow features when the device is in a particular area
• Cameras
– Might only work when outside the office
• Authentication
– Only allow logins when the device is located in a particular area
Geofencing
• All mobile devices can be locked
– Keep people out of your data
• Simple passcode or strong passcode
– Numbers vs. Alphanumeric
• Fail too many times?
– Erase the phone
• Define a lockout policy
– Create aggressive lockout timers
– Completely lock the phone
Screen lock
• Information appears on the mobile device screen
– The notification is “pushed” to your device
• No user intervention
– Receive notifications from one app when using a completely different app
• Control of displayed notifications can be managed from the MDM
– Or notifications can be pushed from the MDM
Push notification services
• The universal help desk call
– I need to reset my password
• Mobile devices use multiple authentication methods
– Password/passphrase, PINs, patterns
• Recovery process can be initiated from the MDM
– Password reset option is provided on the mobile device
– “What is the name of your favorite car maiden cat’s color?”
• MDM also has full control
– Completely remove all security controls
– Not the default or best practice
Passwords and PINs
• You are the authentication factor
– Fingerprint, face
• May not be the most secure authentication factor
– Useful in some environments
– Completely forbidden in others
• Availability is managed through the MDM
– Organization determines the security of the device
• Can be managed per-app
– Some apps require additional biometric authentication
Biometrics
• Who needs 2FA?
– The attackers can get around anything
• Authentication can be contextual
– If it walks like a duck…
• Combine multiple contexts
– Where you normally login (IP address)
– Where you normally frequent (GPS information)
– Other devices that may be paired (Bluetooth, etc.)
• And others
– An emerging technology
– Another way to keep data safe
Context-aware authentication
• Difficult to separate personal from business
– Especially when the device is BYOD
– Owned by the employee
• Separate enterprise mobile apps and data
– Create a virtual “container” for company data
– A contained area - limit data sharing
– Storage segmentation keeps data separate
• Easy to manage offboarding
– Only the company information is deleted
– Personal data is retained
– Keep your pictures, video, music, email, etc.
Containerization
• Scramble all of the data on the mobile device
– Even if you lose it, the contents are safe
• Devices handle this in different ways
– Strongest/stronger/strong?
• Encryption isn’t trivial
– Uses a lot of CPU cycles
– Complex integration between hardware and software
• Don’t lose or forget your password!
– There’s no recovery
– Often backed up on the MDM
Full device encryption