CNT4524: Mobile Security Chapter 1-
Select Detective Controls
- Audit the system security - Logging Events
Select three authentication mechanisms available on mobile devices.
- Biometric or thumb print readers - Passwords - PINs
Select the focused questions a company should ask when conducting a security assessment of mobile devices.
- Can it be managed centrally? - Does the device support company Policies and Standards? - Does technology fit organization's definition? - Does it incur extraordinary costs? - Does it have built-in security controls?
Select two mobile security models and corresponding definitions discussed in Chapter 5.
- Data Centric Model which focuses on protecting the data. - Device Centric Model which focuses on protecting the device.
What are some of the common tests that Network Access Control can perform? (Select all that apply)
- Determine if the device has prior authorization to connect to the network - Check for up-to-date antimalware signature files - Check for up-to-date OS patches - Determine if the device has active antimalware and firewall services installed and operating
Select the 4 main types of controls used in the Data Centric Model.
- Encryption - Blocking certain file types - Information Rights Management - Data-Centric Access Control
Select controls that can be used to reduce the risk of Brute Force Attacks.
- Enforcing complex passwords - Lock out the user after a set number of bad logon attempts - Wipe the device after a set number of bad logon attempts
Select the principles that the author mentioned in the "Follow the Bits" paragraphs.
- Good or bad actors manipulate files the same way. - One of the main points of "Follow the Bits" is to emphasize the risks that occur when the data is moved between systems and devices. - A data file is the fundamental unit of information. - The most basic level of data is 0's and 1's, which are known in computer parlance as bits.
Ease of mobility: -------- How easily can an authorized person move the data from one place to another? Ease of mobility: -------- How easily can an unauthorized person take the data and move it to another place?
- Intentional - Unintentional
Select the two categories the author used to demonstrate their positive and negative/accidental use of mobile devices.
- Intentional Mobility - Unintentional Mobility
Select all that apply to physical protection methods.
- Maintain possession of the data at all times - Keep Data Hidden - Split up data across different devices - Lock data in a container - Leverage special courier
Select the reasons why portable storage devices are used.
- Portable storage devices are inexpensive - Portable storage devices have large capacities - Portable storage devices are physically much smaller and are convenient for data transport
Select 5 capabilities of Information Rights Management.
- Prevent the copy-and-paste operations of information within a document - Prevent the copying of documents - Prevent the unauthorized forwarding of a document - Track the use and distribution of information - Prevent unauthorized access to a document
Select 4 categories that controls fit into: Absent controls; Preventive controls; Deterrent controls; Enablement Controls; Directive and administrative controls; Detective controls
- Preventive Control - Deterrent Control - Directive and Administrative controls - Detective controls
Select two advantages of Data Centric Security Model.
- Protects the data while it travels across different networks. - Does not require a specific model of devices.
In the device centric model, the device should be able to store and transport confidential data and support which of the following controls.
- Selective feature restrictions - Logging and auditing capabilities - Access Control - Data-Flow Restrictions - Device Management
Select 5 common preventative controls: Trusted platform modules; Device-specific controls; Auditing and Monitoring; Encryption; Content filtering and data loss prevention; Policies and procedures; Desktop virtualization
- Trusted Platform Modules - Device-specific controls - Encryption - Content filtering and data loss prevention - Desktop Virtualization
Select the three reasons when to use encryption.
- When data moves - When it's mandated by an authoritative body. - When existing access controls aren't sufficient to protect the data
Asymmetric encryption provides the following security features:
- integrity - authenticity - nonrepudiation - confidentiality
Select each device that is classified as a mobile device.
1- Cell phones and smartphones 2- USB drives, memory cards, and CD-ROM drives 3- Digital cameras
Select 5 common mobile data scenarios.
1- Copying a company's address book to a smart phone. 2- Copying a presentation file to universal serial bus (USB) flash drive. 3- Posting company information onto a webpage or social media site. 4- Taking pictures of coworkers and posting them to an online photo site. 5- Synchronizing your calendar, e-mail, and contacts to a smartphone or personal digital assistant (PDA).
Match the Encryption Purpose with the benefits: 1- Full-disk encryption 2- File/directory-based encryption 3- Virtual-disk and volume encryption 4- Hardware-encrypted drives
1- Protects the entire system; Reduces threat of information loss; Attackers can't get any information from system for data or analysis; Reduces cost of lost system to hardware value. 2- Apply encryption only to sensitive files or directories and leave the rest of drive unaffected; Flexibility with the type and amount of files that get encrypted. 3- Virtual disk and volume may be portable to other systems; Good for mobile devices that support file-based operations. 4- Generally runs faster because cryptographic processing is performed in dedicated hardware; Can provide good tamper resistance against attack.
Match each benefit to its corresponding control. 1- Network Access Control 2- Access Controls 3- Data Movement Restrictions 4- Encryption
1- Restricts network access to only authorized devices 2- Passwords and PINs can restrict who has access to the device. 3- Prevents sensitive data from moving to portable storage devices. 4- Can automatically encrypt all e-mail or certain classes of e-mail.
1- Symmetric Encryption 2- Asymmetric Encryption
1- Secret Key 2- Public key
Match the corresponding transports of portable storage devices. 1. Select the Intentional mobility for portable storage devices 2. Select the unintentional mobility for portable storage devices. 3. Select the intentional mobility for Tape Storage & Tapes 4. Select the intentional mobility for Dual-Use Device 5. Select the intentional mobility for multiple capable devices 6. Select the unintentional mobility of multiple capable devices
1- Store Music, Photos, and Backup Systems 2- Lost, stolen 3- Primarily used to back up data center servers. 4- A device that not only stores data files but has additional functionality through additional specialized software. 5- Improve personal productivity by providing many capabilities such as corporate and personal email, calendar and scheduling, contact information, applications and data files. 6- A lost or stolen device would potentially provide a wealth of data because each and every data type such as email, contacts, social circles and data files could be collected from the device.
Select the statements that best match the pros and cons for symmetric keys.
1- The main challenge with symmetric encryption is distributing the key securely to the recipients of the message. 2- Symmetric encryption provides the security feature: confidentiality 3- Symmetric encryption or system lacks in integrity protection
Select all of the unintentional mobility of instant messaging and text messaging
1- Traditionally has lacked strong authentication. 2- Spread of malware through attachments because it bypasses scanning
Select the best definition for a mobile device.
A device, typically electronic in nature, that can store large amounts of information and may be easily transported from place to place without undue effort or cost.
------ ------ is a logical security control and is the mechanisms used to control who can access specific information and the procedures for making that determination.
Access Control
Which of the following is NOT a type of control for portable computers?
Attachment Blocking
[____] is the process of proving one's identity.
Authentication
Controls are a form of [____] which are designed to lower overall risk for any particular process, system or technology.
Countermeasure
Select the best definition for Data at rest.
Data that has a fixed location (physically or virtually)
[____] is a security strategy that applies multiple layers of defense because there is an assumption that any single protection mechanism in the environment will fail at some point.
Defense in Depth
Providing education and awareness that influence the organization's culture to be security minded falls into which control category?
Deterrent
Applying administrative changes which ensure systems are managed in a secure manner falls under which security control category?
Directive
Security policies and standards which provide the basis for information security throughout the organization and provide personnel with the model that must be adhered to as they perform their work applies to which security control?
Directive
Reducing the threat of malware by eliminating automatic installation is a benefit of which control?
Disable autorun features
--------- is the process of scrambling information through the use of a mathematical algorithm in such a way that the data is not usable unless the user employs a specific key to unscramble or decrypt the data
Encryption
Select the most common security control used in the Data Security Model.
Encryption
A tamper-[____] container will show if the contents have been compromised.
Evident
According to Newton's law, once data is mobile it will automatically convert back to data at rest state and will not require force to stop data in motion.
False
All data requires mobile devices to exist.
False
All people think of mobility the same way.
False
Antimalware services are 100% effective and do not require continuous updates for newer types of malware.
False
Asymmetric encryption suffers from the key distribution problem.
False
Data in motion has a lot of physical controls to protect the data.
False
Data requires mobile devices to exist.
False
Device Centric security model provides data protection even when the data leaves the device.
False
Each organization assesses risk the same and each have strict mobile device security policies.
False
Mobile devices cannot exist without data.
False
Mobile devices have little risk of being compromised.
False
One benefit of banning portable storage devices in the enterprise is that users will find other means to mobilize data.
False
One of the basic axioms in all security is that the amount of time spent on security efforts (in time, effort, money, or people) should always exceed the value of information being protected. After all, the company's reputation is always at stake.
False
Unintended mobility should not be considered when analyzing the risk of using mobile devices because the loss of data is unintended.
False
[____] are ones who resist new technologies because they find them impractical, unimportant, dangerous, useless, or too expensive.
Laggards
A [____] device is a device that is mobile.
Mobile
It is important to consider the [____] by or data's user when evaluating the security and privacy of data.
managed
Data in [____] does not have a fixed location (physically or virtually).
motion
Data protections that focus on securing the communication path or securing the container should be applied to data in this state.
motion
A tamper-[____] container can prevent an attacker from getting the contents of the container without destroying either the container or the contents in the process.
proof
Data in this state is best protected focusing on the storage or location of the data
rest
Data management should be considered when protecting sensitive data and to minimize risk it is best not to put data on a mobile device if the data isn't required.
true
In order to protect data in motion, you need to encrypt data in motion whenever possible and limit the use of applications and devices that can't support data encryption.
true
Once data is copied to a smartphone the data is considered to be data at rest because at that point the data is not being transmitted.
true
One of the main differences between data in motion and data at rest is ownership. Data at rest you generally have ownership of where the data is stored but Data in motion you do not have control over the environment that data takes when transmitted.
true
When evaluating a security product to manage devices it is important to answer the following questions to keep the assessment within scope: What are you trying to protect? What are you most worried about?
True
Non-voluntary controls that keep users from performing activities or functions, which ensures policies and procedures are adhered to, fall in which control category?
Preventive
Select the best example of Data Flow Restriction discussed in the device centric model.
Restrict a technology such as Bluetooth or Flash Drives due to risk of data loss from the device.
A [____] profile is the quantitative analysis of the types of threats an organization, asset, project or individual faces.
Risk
[____] = (Threat x Vulnerability x Value) - Countermeasures.
Risk
Why don't security professionals recommend "security through obscurity" while securing information in systems?
Security professionals can't accept the risk of someone finding the data and possibly tampering with or stealing the data.
------- --------- can be a smartphone or mobile device that is used to carry the data and the data is considered data at rest.
data container
Select the best mobile security model.
There isn't a best model because it depends on the situation and business requirements.
A challenge of feature restrictions is that it can be difficult to enforce unless the devices are centrally managed and administered.
True
A company may choose not to use a specific mobile device if the device and supporting system cannot log security events.
True
According to the Information Systems Audit and Control Association (ISACA), "controls" are the policies, procedures, practices and organizational structures designed to provide reasonable assurance that the business objectives will be achieved and undesired events will be prevented or detected.
True
Asymmetric encryption uses two mathematically related keys, one key is private and the second key is public.
True
Attachment blocking can reduce the loss of sensitive information or intellectual property due to wayward attachments on unprotected systems.
True
Brute force attacks are attempts to guess a password by trying all possible combinations of characters in the password.
True
Companies that utilize VPN services should require the use of multi factor authentication.
True
Currently, there are no laws or regulations for financial institutions to store data that is transmitted to mobile devices.
True
Data Classification occurs when data is labeled based on the data sensitivity or need for security protection.
True
It is important to define what you are trying to protect to prevent spending more on security controls than the value of the information being protected.
True
It is important to select an encryption algorithm that has withstood the test of time and to select an encryption product after thorough evaluation to ensure if a vulnerability is discovered the vendor will respond quickly.
True
It takes an action or a force to make data mobile.
True
Key management is important to companies because it allows the security team to access the data on a compromised machine and/or helps the user recover the data if the user loses his/her keys.
True
Mobile data is data that is capable of being moved and doesn't remain stationary.
True
One way to implement access control is to require passwords or smart cards or token authentication
True
Organizations may define mobile data as information that is intentionally moved beyond an organization's borders (physically or logically) by means of mobile device.
True
Risk profiles of mobile data may change based on the characteristics of the device where it resides and at any given time.
True
Standard configurations can help ensure uniform application of security settings and configuration
True
The definition of mobile is: "Capable of moving or being moved : movable"
True
The further (logically) the data moves from its original source location, the less control the data owner can exert over its protection and security. This definition also is referred to as the Inverse Distance Principle.
True
The use of a cryptographic process is to transform information into a form that cannot be understood by unauthorized people.
True
There is often news about data loss from lost or stolen laptops but the news often forgets to ask questions as to why the data was on the laptop, where the data originated, who was the data intended for and who was sending the data.
True
Unintentional mobility of electronic mail could include breaking into the e-mail server, stealing a mobile device that has the mail client, and capturing the mail in transit.
True
When assessing the risk of losing data it is important to understand the possible paths data can take.
True
With all of the improvements in data security will there be cases when the data is too sensitive to be transmitted to mobile devices?
Yes
Protecting data at rest on mobile devices does not carry additional risk because mobile devices have the same defense in depth protections that are traditionally applied to PCs and Servers.
false