Module 5 - Endpoint Security: Mobile, Embedded, and Specialized Device Security

features that mobile device management tools provide

- Apply or modify default device settings. - Approve or quarantine new mobile devices. - Configure email, calendar, contacts, and Wi-Fi profile settings. - Detect and restrict jailbroken and rooted devices. - Distribute and manage public and corporate apps. - Enforce encryption settings, antivirus updates, and patch management. - Enforce geofencing, which is using the device's GPS to define geographical boundaries where an app can be used. - Securely share and update documents and corporate policies - Selectively erase corporate data while leaving personal data intact. - Send SMS text messages to selected users or groups of users (called push notification services).

Malicious USB cable

A USB cable embedded with a Wi-Fi controller that can receive commands from a nearby device to send malicious commands to the connected mobile device. - The device will recognize the cable as a Human Interface Device (similar to a mouse or keyboard), giving the attacker enough permissions to exploit the system.

malicious flash drive (Connection Vulnerabilities)

A USB flash drive infected with malware.

smart meters (specialized system)

Digital meters that measure the amount of utilities consumed. - are replacing analog meters - Meter readings are transmitted daily, hourly, or even by the minute to the utility company. - Battery replacement every 20 years. - Can alert utility in the event of tampering or theft. - Transmits "last gasp" notification of a problem to utility company.

sideloading (Accessing Untrusted Content)

Downloading unofficial apps.

Compute (Security Constraints for Embedded Systems and Specialized Devices)

Due to their size, small devices typically possess low processing capabilities, which restricts complex and comprehensive security measures.

QR (quick response) code (Accessing Untrusted Content)

a matrix or two-dimensional barcode consisting of black modules (square dots) arranged in a square grid on a white background - can store website URLs, plain text, phone numbers, email addresses, or virtually any alphanumeric data up to 4,296 characters, which can be read by an imaging device such as a mobile device's camera - An attacker can create an advertisement listing a reputable website, such as a bank, but include a QR code that contains a malicious URL. - the code directs the web browser on the mobile device to the attacker's imposter website or to a site that immediately downloads malware.

Which enterprise deployment model of mobile devices stores sensitive applications and data on a remote server that you can access through a smartphone? a. VDI b. CYOD c. BYOD d. COPE

a. VDI (virtual desktop infrastructure)

wearables

class of mobile technology consists of devices that can be worn by the user instead of carried - devices can provide even greater flexibility and mobility. - most popular technology is a smart watch - another type is a fitness tracker: provide continuous heart rate monitoring, GPS tracking, oxygen consumption, repetition counting (for weight training), and sleep monitoring. - Many fitness trackers and smart watches use two colors of LED lights on the underside of the device to read vital signs on the human body and then measure the light absorption with photodiodes. - They use green LED lights when the wearer is exercising because blood absorbs green light, so the heart rate can be determined by measuring the changes in green light absorption (photoplethysmography, or PPG) - Red LED lights are used when the wearer is not exercising. Human blood reflects red light, so about every 10 minutes, the red LEDs flash to measure the resting heart rate. - Green LEDs are more accurate but use more battery - red LEDs are less accurate but save battery life

web based computer (type of portable computer)

contains a limited version of an OS and a web browser with an integrated media player. - are designed to be used while connected to the Internet. - No traditional software applications can be installed, and no user files are stored locally on the device. - Instead, the device accesses online web apps and saves user files on the Internet - most common OSs for web-based computers are the Google Chrome OS and Microsoft Windows 10 in S Mode

primary reason for tablet popularity

tablet computers have an operating system (OS) that allows them to run third-party apps. - The most popular OSs for tablets are Apple iOS and iPadOS, Google Android, and Microsoft Windows.

One of the greatest risks of a mobile device

the loss or theft of the device - Unprotected devices can be used to access corporate networks or view sensitive data stored on them.

(T/F) With the exception of corporate-owned devices, each of the other enterprise deployment models (BYOD, COPE, and CYOD) permit the owner of a mobile device to use it for both business and personal needs.

true

(T/F) integrated circuits (ICs) on standard computers as well as a Raspberry Pi and Arduino cannot be user programmed

true - FPGA ICs CAN be user programmed, however

containerization (segmenting mobile device storage)

Separating storage into separate business and personal "containers."

Virtual desktop infrastructure (VDI) (Enterprise Deployment Models)

Stores sensitive applications and data on a remote server accessed through a smartphone. - Users can customize the display of data as if the data were residing on their own mobile device. - Enterprise can centrally protect and manage apps and data on server instead of distributing to smartphones.

Industrial control systems (ICSs) (specialized system)

Systems that control locally or at remote locations by collecting, monitoring, and processing real-time data to control machines. - machines can directly control devices such as valves, pumps, and motors without human intervention - are managed by a larger supervisory control and data acquisition (SCADA) system.

jailbreaking (Apple)/rooting (android) (Accessing Untrusted Content)

- Circumventing the installed built-in limitations on Apple iOS devices. - Circumventing the installed built-in limitations on Android devices. - done to download from an unofficial third-party app store (called sideloading) or even write their own custom firmware to run on their device. - Because the apps have not been vetted, they may contain security vulnerabilities or malicious code. - Jailbreaking and rooting give access to the underlying OS and file system of the mobile device with full permissions

Mobile device additional features

- GPS - Microphone and/or digital camera - Wireless cellular connection for voice communications - Wireless personal area network interfaces such as Bluetooth or near field communications (NFC) - Removable storage media - Support for using the device itself as removable storage for another computing device

benefits of the BYOD, COPE, and CYOD models include the following for the enterprise:

- Management flexibility (BYOD and CYOD): ease the management burden by eliminating the need to select a wireless data carrier and manage plans for employees. - less oversight of employee usage - cost savings: employees are responsible for their own mobile device purchases and wireless data plans (BYOD) or receive a small monthly stipend (CYOD), the company can save money. - increased employee performance/productivity - simplified IT structure: By using the existing cellular telephony network, companies do not have to support a remote data network for employees. - reduced internal service: BYOD, COPE, and CYOD reduce the strain on IT help desks because users will be primarily contacting their wireless data carrier for support.

Security Features for Locating Lost or Stolen Mobile Devices

- alarm: The device can generate an alarm even if it is on mute. - last known location: If the battery is charged to less than a specific percentage, the device's last known location can be indicated on an online map. - locate: The current location of the device can be pinpointed on a map through the device's GPS. - remote lockout: The mobile device can be remotely locked and a custom message sent that is displayed on the login screen. - thief picture: Thieves who enter an incorrect passcode three times will have their picture taken through the device's on-board camera and emailed to the owner.

unmanned aerial vehicle (UAV) (specialized system)

- also known as a drone - an aircraft without a human pilot on board to control its flight. - can be controlled by a remote human operator, usually on the ground, or autonomously by preprogramming the onboard computers - were originally used in military applications, today they have expanded into commercial, scientific, agricultural, and recreational uses. - commonly used for policing and surveillance, product deliveries, aerial photography, infrastructure inspections, and even drone racing.

Mobile Device Connectivity Methods

- cellular - Wi-Fi - Infrared - USB - Bluetooth - NFC

benefits of the BYOD, COPE, and CYOD models include the following for the employee:

- choice of device - choice of carrier - convenience

file based encryption (android devices)

- considered more secure than full disk encryption - encrypts each file with a different key so that files can be unlocked independently without decrypting an entire partition at once. -device can decrypt and use files needed to boot the system and process critical notifications while not decrypting personal apps and data.

advantages of segmenting storage on mobile devices

- helps companies avoid data ownership privacy issues and legal concerns regarding a user's personal data stored on the device. - allows companies to delete only business data when necessary without touching personal data.

strong authentication (Device Configuration)

- requiring a strong passcode - restricting unauthorized users with a screen lock. - Another option is to use a personal identification number (PIN). - Unlike a password that can be comprised of letters, numbers, and characters, a PIN is made up of numbers only. - Although the length of the PIN can usually range from four to 16 numbers, many users choose to set a short four-digit PIN (limited security) - A third option is to use a fingerprint, face scan, or voice recognition to unlock the mobile device (biometrics) - A final option is to draw or swipe a specific pattern connecting dots to unlock the device (swipe patterns) - can be detected by threat actors who watch a user draw the pattern or observe any lingering "smear" on the screen. - screen lock - context aware authentication

Mobile device core features

- small form factor - mobile OS - Wireless data network interface for accessing the Internet, such as Wi-Fi or cellular telephony - Stores or other means of acquiring applications (apps) - Local nonremovable data storage - Data synchronization capabilities with a separate computer or remote servers

types of mobile devices:

- tablets - smartphones - wearables - portable computers

cellular (cellular telephony) (Mobile Device Connectivity Method)

A communications network in which the coverage area is divided into hexagon-shaped cells. - in a typical city, the hexagon-shaped cells measure 10 square miles (26 square kilometers). - At the center of each cell is a transmitter that mobile devices in the cell use to send and receive signals. - The transmitters are connected through a mobile telecommunications switching office (MTSO) that controls all of the transmitters in the cellular network and serves as the link between the cellular network and the wired telephone world.

arduino (types of embedded devices)

A controller for other devices. - similar to raspberry pi - Unlike the Raspberry Pi, which can function as a complete computer, it is designed as a controller for other devices - it has an eight-bit microcontroller instead of a 64-bit microprocessor on the Raspberry Pi, a limited amount of RAM, and no operating system - it can only run programs compiled for the platform, most of which must be written in the C++ programming language - is generally considered a better solution than a raspberry pi - It has only a single USB port, a power input, and a set of input/output pins for connections but consumes little power.

multifunctional printer (MFP) (specialized systems)

A device that combines the functions of a printer, copier, scanner, and fax machine. - are essentially special-purpose computers with a CPU; a hard drive that stores all received print jobs, faxes, and scanned images; a LAN or wireless LAN connection; a telephone connection for faxes; and a USB port to allow users to print documents stored on that device - Smart MFDs even have an OS that allows additional applications to be installed that extend the abilities of the MFD.

external media access

A device with a USB connection that can function as a host (to which other devices may be connected such as a USB flash drive) for access to media.

unified endpoint management (UEM)

A group or class of software tools has a single management interface for mobile devices as well as computer devices. - All the capabilities in MDM, MAM, and MCM can be supported by this - provides capabilities for managing and securing mobile devices, applications, and content.

field-programmable gate array (FPGA)

A hardware integrated circuit (IC) that can be programmed by the user to carry out one or more logical operations - is an IC that consists of internal hardware blocks with user-programmable interconnects to customize operations for a specific application - are used in aerospace and defense, medical electronics, digital television, consumer electronics, industrial motor control, scientific instruments, cybersecurity systems, and wireless communications.

Hotspots (Connection Vulnerabilities)

A location where users can access the Internet with a wireless signal. - Because public hotspots are beyond the control of the organization, attackers can eavesdrop on the data transmissions and view sensitive information.

raspberry Pi (types of embedded devices)

A low-cost credit-card-sized computer motherboard. - The motherboard has hardware ports that can connect to a range of peripherals - can perform almost any task that a standard computer device can, such as browsing the Internet, playing high-definition video, creating spreadsheets, and playing games. - can also be used to control a specialized device.

Corporate owned (Enterprise Deployment Models)

A mobile device that is purchased and owned by the enterprise. - Employees use the phone only for company-related business. - Enterprise is responsible for all aspects of the device.

personal identification number (PIN)

A passcode made up of numbers only.

Universal Serial Bus (USB) connectors (Mobile Device Connectivity Method)

A port on mobile devices used for data transfer. - different types and sizes exist for different devices and data transfer speeds - include standard-size connectors, mini connectors, and micro connectors, all of which are available as either type A (flat) or type B (square)

Global Positioning System (GPS)

A satellite based navigation system that provides information to a GPS receiver anywhere on (or near) the earth where there is an unobstructed line of sight to four or more GPS satellites.

screen lock

A security setting that prevents a mobile device from being accessed until the user enters the correct passcode permitting access. - should be configured so that whenever the device is turned on or is inactive for a period, the user must enter the passcode.

system on a chip (SoC)

A single microprocessor chip on which all the necessary hardware components are contained. - even smaller component than raspberry pi and arduino - combines all the required electronic circuits of the various computer components on a single integrated circuit (IC) chip - The Raspberry Pi and Arduino are tiny motherboards that contain ICs, one of which is an SoC - often use a real-time operating system (RTOS), an OS specifically designed for an SoC in an embedded or specialized system.

third party app store

A site from which unofficial apps can be downloaded.

supervisory control and data acquisition (SCADA) system (specialized system)

A system that controls multiple industrial control systems (ICS). - help to maintain efficiency and provide information on issues to help reduce downtime. - often found in military installations, oil pipeline control systems, manufacturing environments, and even nuclear power plants.

mobile content management (MCM)

A system that is tuned to provide content management to mobile devices used by employees in an enterprise. - content management includes Tools used to support the creation and subsequent editing and modification of digital content by multiple employees. - can include tracking editing history, version control (recording changes and "rolling back" to a previous version if necessary), indexing, and searching.

voice over IP (VoIP) (specialized system)

A technology that uses a data-based IP network to add digital voice clients and new voice applications onto the IP network. - the convergence of voice and data traffic over a single Internet Protocol (IP) network - Using IP, various services such as voice, video, and data can be combined (multiplexed) and transported under a universal format.

remote wipe

A technology used to erase sensitive data stored on the mobile device. - used if a lost or stolen device cannot be located - ensures that even if a thief accesses the device, no sensitive data will be compromised.

Wi-Fi (Mobile Device Connectivity Method)

A wireless local area network (WLAN), commonly called Wi-Fi, is designed to replace or supplement a wired local area network (LAN) - Devices such as tablets, laptop computers, and smartphones within range of a centrally located connection device can send and receive data at varying transmission speeds.

GPS tagging (Geo tagging)

Adding geographical identification data to media such as digital photos taken on a mobile device

Bring your own device (BYOD) (Enterprise Deployment Models)

Allows users to use their own personal mobile devices for business purposes - Employees have full responsibility for choosing and supporting the device. - This model is popular with smaller companies or those with a temporary staff.

USB On-the-Go (OTG) (Connection Vulnerabilities)

An OTG mobile device with a USB connection can function as either a host (to which other devices may be connected such as a USB flash drive) for external media access or as a peripheral (such as a mass storage device) to another host. - Connecting a malicious flash drive infected with malware to a mobile device could result in an infection, just as using a device as a peripheral while connected to an infected computer could allow malware to be sent to the device.

real-time operating system (RTOS)

An operating system that is specifically designed for an SoC in an embedded system. - is tuned to accommodate high volumes of data that must be immediately processed for critical decision making

Internet of Things (IoT) (specialized system)

Connecting any device to the Internet for the purpose of sending and receiving data to be acted upon. - a global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies - often refers to devices that heretofore were not considered as computing devices connected to a data network. - include wearable technology and multifunctional devices as well as many everyday home automation items such as thermostats, coffee makers, tire sensors, slow cookers, keyless entry systems, washing machines, electric toothbrushes, headphones, and light bulbs

firmware over-the-air (OTA) updates

Mobile operating system patches and updates that are distributed as an over-the-air (OTA) update.

embedded system

Computer hardware and software contained within a larger system that is designed for a specific function. - Computing capabilities can be integrated into appliances and other devices - growing trend is to add the capabilities to devices that have never had computing power before

smartphones

Earlier models of cellular telephones were called feature phones because they included a limited number of features, such as a camera, an MP3 music player, and ability to send and receive text messages. - has all the tools of a feature phone plus an OS that allows it to run apps and access the Internet. - Because it has an OS, offers a broader range of functionality. - Users can install apps to perform tasks for productivity, social networking, music, and so forth, much like a standard computer. - are essentially handheld personal computers.

Choose your own device (CYOD) (Enterprise Deployment Models)

Employees choose from a limited selection of approved devices but pay the upfront cost of the device while the business owns the contract. - Employees are offered a suite of choices that the company has approved for security, reliability, and durability. - Company often provides a stipend to pay monthly fees to wireless carrier.

Corporate owned, personally enabled (COPE) (Enterprise Deployment Models)

Employees choose from a selection of company-approved devices. - Employees are supplied the device chosen and paid for by the company, but they can also use it for personal activities. - Company decides the level of choice and freedom for employees.

Cryptography (Security Constraints for Embedded Systems and Specialized Devices)

Encryption and decryption are resource-intensive tasks that require significant processing and storage capacities that these devices lack.

heating, ventilation, and air conditioning (HVAC) (specialized systems)

Environmental systems that provide and regulate heating and cooling.

Inability to patch (Security Constraints for Embedded Systems and Specialized Devices)

Few, if any, devices have been designed with the capacity for being updated to address exposed security vulnerabilities.

custom firmware (Accessing Untrusted Content)

Firmware that is written by users to run on their own mobile devices.

Location Tracking (Mobile Device Vulnerabilities)

Global Positioning System (GPS) is a satellite-based navigation system that provides information to a GPS receiver anywhere on (or near) the Earth with an unobstructed line of sight to four or more GPS satellites. - Mobile devices with GPS capabilities typically support geolocation, or identifying the geographical location of the device. - When finding a person carrying a mobile device, geolocation also identifies the location of a close friend or displays the address of the nearest coffee shop. - However, mobile devices using geolocation are at increased risk of targeted physical attacks. An attacker can determine where users with mobile devices are currently located and use that information to follow them and steal the mobile devices or inflict physical harm - related risk is GPS tagging (also called geo-tagging), which is adding geographical identification data to media such as digital photos taken on a mobile device

infrared (Mobile Device Connectivity Method)

Light that is next to visible light on the light spectrum and was once used for data communications. - although invisible, has many of the same characteristics of visible light. - At one time, infrared data ports were installed on laptop computers, printers, cameras, watches, and other devices so that data could be exchanged using infrared light. - due to its slow speed and other limitations, infrared capabilities in mobile devices are rarely found today.

constraints

Limitations that make security a challenge for embedded systems and specialized devices.

note about mobile device management (MDM) and mobile application management (MAM)

MDM provides a high degree of control over the device but a lower level of control on the apps, whereas MAM gives a higher level of control over apps but less control over the device.

Implied trust (Security Constraints for Embedded Systems and Specialized Devices)

Many devices are designed without any security features but operate on an "implied trust" basis that assumes all other devices or users can be trusted.

rich communication services (RCS) (Accessing Untrusted Content)

Mobile device communication which can convert a texting app into a live chat platform and supports pictures, videos, location, stickers, and emojis. - specially crafted messages can introduce malware onto the device

Cost (Security Constraints for Embedded Systems and Specialized Devices)

Most developers are concerned primarily with making products as inexpensive as possible, which means leaving out all security protections.

Range (Security Constraints for Embedded Systems and Specialized Devices)

Not all devices have long-range capabilities to access remote security updates.

limited updates (Mobile Device Vulnerabilities)

Security patches and updates for these two mobile OSs are distributed through firmware over-the-air (OTA) updates. - Though they are called "firmware" OTA updates, they include modifying the device's firmware and updating the OS software. - Apple commits to providing OTA updates for at least four years after the OS is released. Users can set iOS updates to occur automatically or manually - However, OTA updates for Android OSs vary considerably. Mobile hardware devices developed and sold by Google receive Android OTA updates for three years after the device is first released. Other OEMs are required to provide OTAs for at least two years. - Due to the high cost of some mobile devices, users are keeping their devices for longer periods of time. This can result in people using mobile devices that no longer receive OTA security updates and thus have become vulnerable.

push notification services

Sending SMS text messages to selected users or groups of users.

storage segmentation (segmenting mobile device storage)

Separating business data from personal data on a mobile device.

multimedia messaging service (MMS) (Accessing Untrusted Content)

Text messages in which pictures, video, or audio can be included. - specially crafted messages can introduce malware onto the device

short message service (SMS) (Accessing Untrusted Content)

Text messages of a maximum of 160 characters. - Threat actors can send SMS messages containing links to untrusted content

full disk encryption

The encryption of all user data on a mobile device. - Although user data on a mobile device—local data-at-rest—is encrypted so that unauthorized users cannot access it, mobile device data can still be accessed through remote data-at-rest.

physical security (Mobile Device Vulnerabilities)

The greatest asset of a mobile device—its portability—is also one of its greatest vulnerabilities. - Mobile devices are frequently lost or stolen. - mobile devices are often used outside of the enterprise's normal protected physical perimeter - even a strong physical perimeter does not always provide protection from theft - Unless properly protected, any data on a stolen or lost device could be retrieved by a thief. - Of greater concern may be that the device itself can serve as an entry point into corporate data

geolocation

The process of identifying the geographical location of a device. - Mobile devices with GPS capabilities typically support this

Authentication (Security Constraints for Embedded Systems and Specialized Devices)

To keep costs at a minimum, most devices lack authentication features.

power (Security Constraints for Embedded Systems and Specialized Devices)

To prolong battery life, devices and systems are optimized to draw very low levels of power and thus lack the ability to perform strong security measures.

Network (Security Constraints for Embedded Systems and Specialized Devices)

To simplify connecting a device to a network, many device designers support network protocols that lack advanced security features.

mobile device management (MDM)

Tools that allow a mobile device to be managed remotely by an organization. - typically involves a server component, which sends out management commands to the mobile devices, and a client component, which runs on the mobile device to receive and implement the management commands. - administrator can then perform OTA updates or change the configuration on one device, groups of devices, or all devices. - focus on controlling the devices

mobile application management (MAM)

Tools that are used for distributing and controlling access to apps on mobile devices. - focus on managing the applications installed on the mobile device - The apps can be internally developed or commercially available apps.

Internet of Things (IoT) Cybersecurity Improvement Act of 2019

US government legislation aiming to address security vulnerabilities in IoT and embedded devices - Require the National Institute of Standards and Technology (NIST) to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices. - Direct the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations - Direct NIST to work with cybersecurity researchers and industry experts to publish guidance on coordinated vulnerability disclosure to ensure that vulnerabilities related to agency devices are addressed. - Require any Internet-connected devices purchased by the federal government to comply with those recommendations. - Require contractors and vendors providing IoT devices to the U.S. government to adopt coordinated vulnerability disclosure policies

carrier unlocking (Accessing Untrusted Content)

Uncoupling a phone from a specific wireless provider.

Weak defaults (Security Constraints for Embedded Systems and Specialized Devices)

User names (such as "root," "admin," and "support") and passwords ("admin," "888888," "default," "123456," "54321," and even "password") for accessing devices are often simple and well known.

context aware authentication

Using a contextual setting to validate a user. - can be configured so that the device automatically unlocks and stays unlocked (ignoring the inactivity setting) until a specific action occurs - example: in the Google Android OS, which has a feature called Smart Lock that can be configured depending on the context (trusted voice, trusted face, trusted places, trusted devices, etc)

tethering (Connection Vulnerabilities)

Using a mobile device with an active Internet connection to share that connection with other mobile devices through Bluetooth or Wi-Fi. - An unsecured mobile device may infect other tethered mobile devices or the corporate network.

geofencing

Using the mobile device's GPS to define geographical boundaries where an app can be used.

unauthorized recording (Mobile Device Vulnerabilities)

Video cameras ("webcams") and microphones on mobile devices have been a frequent target of attackers. - By infecting a device with malware, a threat actor can secretly spy on an unsuspecting victim and record conversations or videos

portable computers

devices that closely resemble standard desktop computers. - have similar hardware (keyboard, hard disk drive, and RAM, for example) and run the same OS (Windows, Apple macOS, or Linux) and applications (such as Microsoft Office and web browsers) as general-purpose desktop computers. - primary difference is that they are smaller, self-contained devices that can easily be transported from one location to another while running on battery power. - laptop is earliest version of this - notebook computer is a smaller version of a laptop and is considered a lightweight personal computer - subnotebook computer is even smaller than standard notebooks and use low-power processors and solid-state drives (SSDs) - 2 in 1 computer (also called a hybrid or convertible) can be used as either a subnotebook or a tablet. The devices have a touch screen and a physical keyboard

tablets

portable computing devices first introduced in 2010. - Designed for user convenience, tablets are thinner, lighter, easier to carry, and more intuitive to use than other types of computers - often classified by their screen size. The two most common categories of tablet screen sizes are 5-8.5 inches (12.7-21.5 cm) and 8.5-10 inches (12.7-25.4 cm) - have a sensor called an accelerometer that detects vibrations and movements. It can determine the orientation of the device so that the screen image is always displayed upright. - generally lack a built-in keyboard or mouse. - Instead, they rely on a touch screen that users manipulate with touch gestures to provide input - primary display devices with limited power but are still popular today