3.5 Given a scenario, implement secure mobile solutions.


MDM/Unified Endpoint Management (UEM) - Mobile devices

Mobile device management (MDM) - The process and supporting technologies for tracking, controlling, and securing the organization's mobile infrastructure. MDM sets device policies for authentication, feature use (camera and microphone), and connectivity. MDM can also allow device resets and remote wipes.

Mobile Device Management (MDM)
• Manage company-owned and user-owned mobile devices
  - BYOD - Bring Your Own Device
• Centralized management of the mobile devices
  - Specialized functionality
• Set policies on apps, data, camera, etc.
  - Control the remote device
  - The entire device or a "partition"
• Manage access control
  - Force screen locks and PINs on these single user devices

Unified Endpoint Management (UEM) - Enterprise software for controlling device settings, apps, and corporate data storage on all types of fixed, mobile, and IoT computing devices. The core functionality of endpoint management suites extends the concept of network access control (NAC) solutions. The management software logs the use of a device on the network and determines whether to allow it to connect or not, based on administrator-set parameters. When the device is enrolled with the management software, it can be configured with policies to allow or restrict use of apps, corporate data, and built-in functions, such as a video camera or microphone.

Unified Endpoint Management (UEM)
• Manage mobile and non-mobile devices
  - An evolution of the Mobile Device Manager (MDM)
• End users use different types of devices
  - Their use has blended together
• Applications can be used across different platforms
  - Work on a laptop and a smartphone
• All of these devices can be used from anywhere
  - Users don't stay in one place

Infrared / RFID - Connection methods and receivers

Infrared signaling has been used for PAN in the past (IrDA), but the use of infrared in modern smartphones and wearable technology focuses on two other uses:
• IR blaster - this allows the device to interact with an IR receiver and operate a device such as a TV or HVAC monitor as though it were the remote control handset.
• IR sensor - these are used as proximity sensors (to detect when a smartphone is being held to the ear, for instance) and to measure health information (such as heart rate and blood oxygen levels).

IR (Infrared)
• Included on many smartphones, tablets, and smartwatches
  - Not really used much for printing
• Control your entertainment center
  - Almost exclusively IR
• File transfers are possible
• Other phones can be used to control your IR devices

Radio Frequency ID (RFID) is a means of encoding information into passive tags, which can be easily attached to devices, structures, clothing, or almost anything else. A passive tag can have a range from a few centimeters to a few meters. When a reader is within range of the tag, it produces an electromagnetic wave that powers up the tag and allows the reader to collect information from it or to change the values encoded in the tag. There are also battery-powered active tags that can be read at much greater distances (hundreds of meters). One type of RFID attack is skimming, which is where an attacker uses a fraudulent RFID reader to read the signals from a contactless bank card. Any reader can access any data stored on any RFID tag, so sensitive information must be protected using cryptography. It is also possible (in theory) to design RFID tags to inject malicious code to try to exploit a vulnerability in a reader.

MicroSD hardware (HSM) - Mobile devices

A MicroSD HSM is a small form factor hardware security module designed to store cryptographic keys securely. This allows the cryptographic material to be used with different devices, such as a laptop and smartphone.

MicroSD HSM (hardware security module)
• Shrink the PCI Express Hardware Security Module
  - Now in a microSD card form
• Provides security services
  - Encryption, key generation, digital signatures, authentication
• Secure storage
  - Protect private keys
  - Cryptocurrency storage

Virtual Desktop Infrastructure (VDI) - Deployment models

A desktop operating system running within a virtual machine (VM) running on a server. Virtualization can provide an additional deployment model. Virtual desktop infrastructure (VDI) means provisioning an OS desktop to interchangeable hardware. The hardware only has to be capable of running a VDI client viewer, or have browser support for a clientless HTML5 solution. The instance is provided "as new" for each session and can be accessed remotely. The same technology can be accessed via a mobile device such as a smartphone or tablet. This removes some of the security concerns about BYOD as the corporate apps and data are segmented from the other apps on the device.

• Virtual Desktop Infrastructure / Virtual Mobile Infrastructure
  - The apps are separated from the mobile device
  - The data is separated from the mobile device
• Data is stored securely, centralized
• Physical device loss
  - Risk is minimized
• Centralized app development
  - Write for a single VMI platform
• Applications are managed centrally
  - No need to update all mobile devices

point-to-multipoint - Connection methods and receivers

A point-to-point topology is one where two nodes have a dedicated connection to one another. In a point-to-multipoint topology, a central node mediates links between remote nodes.

Point-to-multipoint - A communications arrangement in which one transmitter issues signals to multiple receivers. The receivers may be undefined, as in a broadcast transmission, or defined, as in a nonbroadcast transmission.

Point-to-multipoint (P2M) microwave uses smaller sectoral antennas, each covering a separate quadrant. Where P2P is between two sites, P2M links multiple sites or subscriber nodes to a single hub. This can be more cost-efficient in high density urban areas and requires less radio spectrum. Each subscriber node is distinguished by multiplexing. Because of the higher risk of signal interception compared to P2P, it is crucial that links be protected by over-the-air encryption.

Third-party application stores - Enforcement and monitoring of:

A trusted app source is one that is managed by a service provider. The service provider authenticates and authorizes valid developers, issuing them with a certificate to use to sign their apps and warrant them as trusted. It may also analyze code submitted to ensure that it does not pose a security or privacy risk to its customers (or remove apps that are discovered to pose such a risk). It may apply other policies that developers must meet, such as not allowing apps with adult content or apps that duplicate the function of core OS apps. The mobile OS defaults to restricting app installations to the linked store (App Store for iOS and Play for Android). Most consumers are happy with this model but it does not work so well for enterprises. It might not be appropriate to deliver a custom corporate app via a public store, where anyone could download it. Apple operates enterprise developer and distribution programs to solve this problem, allowing private app distribution via Apple Business Manager (developer.apple.com/business/distribute). Google's Play store has a private channel option, called Managed Google Play. Both these options allow an EMM/UEM suite to push apps from the private channel to the device.

Third-party app stores
• Centralized app clearinghouses
  - Apple App Store
  - Google Play
• Not all applications are secure
  - Vulnerabilities, data leakage
• Not all applications are appropriate for business use
  - Games, instant messaging, etc.
• MDM can allow or deny app store use.

Containerization (MDM)

A type of virtualization applied by a host operating system to provision an isolated execution environment for an application. Containerization allows the employer to manage and maintain the portion of the device that interfaces with the corporate network. An enterprise workspace with a defined selection of apps and a separate container is created. This container isolates corporate apps from the rest of the device. There may be a requirement for additional authentication to access the workspace. Containerization also assists content management and data loss prevention (DLP) systems. A content management system tags corporate or confidential data and prevents it from being shared or copied to unauthorized external media or channels, such as non-corporate email systems or cloud storage services.

• Difficult to separate personal from business
  - Especially when the device is BYOD
  - Owned by the employee
• Separate enterprise mobile apps and data
  - Create a virtual "container" for company data
  - A contained area - limit data sharing
  - Storage segmentation keeps data separate
• Easy to manage offboarding
  - Only the company information is deleted
  - Personal data is retained
  - Keep your pictures, video, music, email, etc.

Full Device Encryption

A way to assure data at rest is secure even in the event of loss or theft is to use full device encryption. In iOS, there are various levels of encryption.
1. All user data on the device is always encrypted, but the key is stored on the device. This is primarily used as a means of wiping the device. The OS just needs to delete the key to make the data inaccessible rather than wiping each storage location.
2. Email data and any apps using the "Data Protection" option are subject to a second round of encryption using a key derived from and protected by the user's credential. This provides security for data in the event that the device is stolen. Not all user data is encrypted using the "Data Protection" option; contacts, SMS messages, and pictures are not, for example.

Full device encryption
• Scramble all of the data on the mobile device
  - Even if you lose it, the contents are safe
• Devices handle this in different ways
  - Strongest/stronger/strong?
• Encryption isn't trivial
  - Uses a lot of CPU cycles
  - Complex integration between hardware and software
• Don't lose or forget your password!
  - There's no recovery
  - Often backed up on the MDM

context-aware authentication - MDM

An authentication method using multiple elements to authenticate a user and a mobile device. It can include identity, geolocation, the device type, and more. An access control scheme that verifies an object's identity based on various environmental factors, like time, location, and behavior. For example, smartphones now allow users to disable screen locks when the device detects that it is in a trusted location, such as the home. Conversely, an enterprise may seek more stringent access controls to prevent misuse of a device. For example, even if the device has been unlocked, accessing a corporate workspace might require the user to authenticate again. It might also check whether the network connection can be trusted (that it is not an open Wi-Fi hotspot, for instance).

• Who needs 2FA?
  - The attackers can get around anything
• Authentication can be contextual
  - If it walks like a duck...
• Combine multiple contexts
  - Where you normally log in (IP address)
  - Where you normally frequent (GPS information)
  - Other devices that may be paired (Bluetooth, etc.)
• And others
  - An emerging technology
  - Another way to keep data safe

Recording microphone - Enforcement and monitoring of

• Audio recordings
  - There are microphones on every mobile device
• Useful for meetings and note taking
  - A standard for college classes
• A legal liability
  - Every state has different laws
  - Every situation is different
• Disable or geo-fence
  - Manage from the MDM

Biometrics - MDM

Biometric authentication mechanisms allow users to access an account through a physiological feature (fingerprint or iris pattern, for instance) or behavioral pattern.

• You are the authentication factor
  - Fingerprint, face
• May not be the most secure authentication factor
  - Useful in some environments
  - Completely forbidden in others
• Availability is managed through the MDM
  - Organization determines the security of the device
• Can be managed per-app
  - Some apps require additional biometric authentication

Bluetooth - Connection methods and receivers

Bluetooth is one of the most popular technologies for implementing PANs. While native Bluetooth has fairly low data rates, it can be used to pair with another device and then use a Wi-Fi link for data transfer. This sort of connectivity is implemented by iOS's AirDrop feature. Bluetooth devices have a few known security issues:
• Device discovery - a device can be put into discoverable mode, meaning that it will connect to any other Bluetooth devices nearby. Unfortunately, even a device in non-discoverable mode is quite easy to detect.
• Authentication and authorization - devices authenticate ("pair") using a simple passkey configured on both devices. This should always be changed to some secure phrase and never left as the default. Also, check the device's pairing list regularly to confirm that the devices listed are valid.
• Malware - there are proof-of-concept Bluetooth worms and application exploits, most notably the BlueBorne exploit (armis.com/blueborne), which can compromise any active and unpatched system regardless of whether discovery is enabled and without requiring any user intervention. There are also vulnerabilities in the authentication schemes of many devices. Keep devices updated with the latest firmware.

Bluejacking - sending an unsolicited message or picture message using a Bluetooth connection.
Bluesnarfing - using an exploit in Bluetooth to steal information from someone else's phone. The exploit (now patched) allows attackers to circumvent the authentication mechanism. Even without an exploit, a short (4 digit) PIN code is vulnerable to brute force password guessing.
A peripheral device with malicious firmware can be used to launch highly effective attacks. This type of risk has a low likelihood, as the resources required to craft such malicious peripherals are demanding.

Bluetooth
• High speed communication over short distances
  - PAN (Personal Area Network)
• Connects our mobile devices
  - Smartphones, tethering, headsets and headphones, health monitors, automobile and phone integration, smartwatches, external speakers

Camera use - Enforcement and monitoring of:

• Cameras are controversial
  - They're not always a good thing
  - Corporate espionage, inappropriate use
• Almost impossible to control on the device
  - No good way to ensure the camera won't be used
• Camera use can be controlled by the MDM
  - Always disabled
  - Enabled except for certain locations (geo-fencing)

Cellular - Connection methods and receivers

Cellular networks are microwave radio networks provisioned for multiple subscribers. Microwave radio is also used as a backhaul link from a cell tower to the service provider's network. These links are important to 5G, where many relays are required and provisioning fiber optic cabled backhaul can be difficult. Private microwave links are also used between sites. A microwave link can be provisioned in two modes:
• Point-to-point (P2P) microwave uses high gain antennas to link two sites. High gain means that the antenna is highly directional. Each antenna is pointed directly at the other. In terms of security, this makes it difficult to eavesdrop on the signal, as an intercepting antenna would have to be positioned within the direct path. The satellite modems or routers are also normally paired to one another and can use over-the-air encryption to further mitigate against snooping attacks.
• Point-to-multipoint (P2M) microwave uses smaller sectoral antennas, each covering a separate quadrant. Where P2P is between two sites, P2M links multiple sites or subscriber nodes to a single hub. This can be more cost-efficient in high density urban areas and requires less radio spectrum. Each subscriber node is distinguished by multiplexing. Because of the higher risk of signal interception compared to P2P, it is crucial that links be protected by over-the-air encryption.

Wireless controllers
• Centralized management of wireless access points
  - Manage system configuration and performance
• Securing wireless controllers
  - Control access to management console
  - Use strong encryption with HTTPS
  - Automatic logout after no activity
• Securing access points
  - Use strong passwords
  - Update to the latest firmware

Point-to-point
• One-to-one connection
  - Conversation between two devices
• Connections between buildings
  - Point-to-point network links
• Wi-Fi repeaters
  - Extend the length of an existing network

Point-to-multipoint
• One of the most popular communication methods
  - 802.11 wireless
• Does not imply full connectivity between nodes

Cellular networks
• Mobile devices
  - "Cell" phones
• Separate land into "cells"
  - Antenna covers a cell with certain frequencies
• Security concerns
  - Traffic monitoring
  - Location tracking
  - Worldwide access to a mobile device

Mobile Content Management - Mobile Device Management

Containerization - A type of virtualization applied by a host operating system to provision an isolated execution environment for an application. Containerization allows the employer to manage and maintain the portion of the device that interfaces with the corporate network. An enterprise workspace with a defined selection of apps and a separate container is created. This container isolates corporate apps from the rest of the device. There may be a requirement for additional authentication to access the workspace. Containerization also assists content management and data loss prevention (DLP) systems. A content management system tags corporate or confidential data and prevents it from being shared or copied to unauthorized external media or channels, such as non-corporate email systems or cloud storage services.

Content management
• Mobile Content Management (MCM)
  - Secure access to data, protect data from outsiders
• File sharing and viewing
  - On-site content (Microsoft Sharepoint, file servers)
  - Cloud-based storage (Box, Office 365)
• Data sent from the mobile device
  - DLP (Data Loss Prevention) prevents copy/paste of sensitive data
  - Ensure data is encrypted on the mobile device
• Managed from the mobile device manager (MDM)

CYOD (Choose Your Own Device) - Deployment models

Enterprise mobile device provisioning model where employees are offered a selection of corporate devices for work and, optionally, private use. Enables employees to choose from a list of company-approved choices. Much the same as COPE, but the employee is given a choice of device from a list.

COBO - Deployment models

Enterprise mobile device provisioning model where the device is the property of the organization and personal use is prohibited. The device is the property of the company and may only be used for company business.

• The company owns the device
  - And controls the content on the device
• The device is not for personal use
  - You'll need to buy your own device for home
• Very specific security requirements
  - Not able to mix business with home use

Firmware over-the-air (OTA) updates - Enforcement and monitoring of:

Firmware OTA updates - A firmware update delivered on a cellular data connection.

• The operating system of a mobile device is constantly changing
  - Similar to a desktop computer
• Updates are provided over the air (OTA)
  - No cable required
• Security patches or entire operating system updates
  - Significant changes without connecting the device
• This may not be a good thing
  - The MDM can manage what OTA updates are allowed

There are various ways of exploiting vulnerabilities in the way these updates work. A well-resourced attacker can create an "evil base station" using a Stingray/International Mobile Subscriber Identity (IMSI) catcher. This will allow the attacker to identify the location of cell devices operating in the area. In some circumstances it might be possible to launch a man-in-the-middle attack and abuse the firmware update process to compromise the phone.

Geolocation - MDM

Geolocation is the use of network attributes to identify (or estimate) the physical position of a device. The device uses location services to determine its current position. Location services can make use of two systems:
1. Global Positioning System (GPS) - a means of determining the device's latitude and longitude based on information received from satellites via a GPS sensor.
2. Indoor Positioning System (IPS) - works out a device's location by triangulating its proximity to other radio sources, such as cell towers, Wi-Fi access points, and Bluetooth/RFID beacons.

Indoor Positioning System (IPS) - A means of deriving a device's location when indoors, by triangulating its proximity to radio sources such as Bluetooth beacons or WAPs.

• Precise tracking details
  - Tracks within feet
• Can be used for good (or bad)
  - Find your phone, find you
• Most phones provide an option to disable
  - Limits functionality of the phones
• May be managed by the MDM

Global Positioning System (GPS) - Connection methods and receivers

Means of determining a receiver's position on the Earth based on information received from GPS satellites. The receiver must have line-of-sight to the GPS satellites. A global positioning system (GPS) sensor triangulates the device position using signals from orbital GPS satellites. As this triangulation process can be slow, most smartphones use Assisted GPS (A-GPS) to obtain coordinates from the nearest cell tower and adjust for the device's position relative to the tower. A-GPS uses cellular data. GPS satellites are operated by the US Government. GPS signals can be jammed or even spoofed using specialist radio equipment. This might be used to defeat geofencing mechanisms, for instance.

GPS
• Created by the U.S. Department of Defense
  - Over 30 satellites currently in orbit
• Precise navigation
  - Need to see at least 4 satellites
• Determines location based on timing differences
  - Longitude, latitude, altitude
• Mobile device location services and geotracking
  - Maps, directions
  - Determine physical location based on GPS, WiFi, and cellular towers

Push notifications - MDM

Mechanism to send text messages to a browser or mobile device. Push notifications are store services (such as Apple Push Notification Service and Google Cloud to Device Messaging) that an app or website can use to display an alert on a mobile device. Users can choose to disable notifications for an app, but otherwise the app developer can target notifications to some or all users with that app installed. Developers need to take care to properly secure the account and services used to send push notifications. There have been examples in the past of these accounts being hacked and used to send fake communications.

• Information appears on the mobile device screen
  - The notification is "pushed" to your device
• No user intervention
  - Receive notifications from one app when using a completely different app
• Control of displayed notifications can be managed from the MDM
  - Or notifications can be pushed from the MDM

custom firmware - Enforcement and monitoring of:

Mobile device firmware other than the firmware provided with the device. People sometimes use custom firmware to root Android devices. Rooting—this term is associated with Android devices. Some vendors provide authorized mechanisms for users to access the root account on their device. For some devices it is necessary to exploit a vulnerability or use custom firmware. Custom firmware is essentially a new Android OS image applied to the device. This can also be referred to as a custom ROM, after the term for the read only memory chips that used to hold firmware.

Rooting/Jailbreaking - Enforcement and monitoring of:

Modify (a smartphone or other electronic device) to remove restrictions imposed by the manufacturer or operator, e.g. to allow the installation of unauthorized software.

Rooting - this term is associated with Android devices. Some vendors provide authorized mechanisms for users to access the root account on their device. For some devices it is necessary to exploit a vulnerability or use custom firmware. Custom firmware is essentially a new Android OS image applied to the device. This can also be referred to as a custom ROM, after the term for the read only memory chips that used to hold firmware.

Jailbreaking - iOS is more restrictive than Android so the term "jailbreaking" became popular for exploits that enabled the user to obtain root privileges, sideload apps, change or add carriers, and customize the interface. iOS jailbreaking is accomplished by booting the device with a patched kernel. For most exploits, this can only be done when the device is attached to a computer when it boots (tethered jailbreak).

If the user has root permissions, then essentially any management agent software running on the device is compromised. If the user has applied a custom firmware image, they could have removed the protections that enforce segmentation. The device can no longer be assumed to run a trusted OS. EMM/UEM has routines to detect a rooted or jailbroken device or custom firmware with no valid developer code signature and prevent access to an enterprise app, network, or workspace. Containerization and enterprise workspaces can use cryptography to protect the workspace in a way that is much harder to compromise than a local agent, even from a rooted/jailbroken device.

Rooting/jailbreaking
• Mobile devices are purpose-built systems
  - You don't need access to the operating system
• Gaining access
  - Android - Rooting / Apple iOS - Jailbreaking
• Install custom firmware
  - Replaces the existing operating system
• Uncontrolled access
  - Circumvent security features, sideload apps without using an app store
  - The MDM becomes relatively useless

point-to-point - Connection methods and receivers

Point-to-point (P2P) microwave uses high gain antennas to link two sites. High gain means that the antenna is highly directional. Each antenna is pointed directly at the other. In terms of security, this makes it difficult to eavesdrop on the signal, as an intercepting antenna would have to be positioned within the direct path. The satellite modems or routers are also normally paired to one another and can use over-the-air encryption to further mitigate against snooping attacks.

A point-to-point topology is one where two nodes have a dedicated connection to one another. In a point-to-multipoint topology, a central node mediates links between remote nodes.

Point-to-point
• One-to-one connection
  - Conversation between two devices
• Connections between buildings
  - Point-to-point network links
• Wi-Fi repeaters
  - Extend the length of an existing network

Screen Locks (Device Security) - MDM

Prevents someone from easily accessing the device and the data it contains. Access control can be implemented by configuring a screen lock that can only be bypassed using the correct password, PIN, or swipe pattern. Many devices now support biometric authentication, usually as a fingerprint reader but sometimes using facial or voice recognition.

• All mobile devices can be locked
  - Keep people out of your data
• Simple passcode or strong passcode
  - Numbers vs. alphanumeric
• Fail too many times?
  - Erase the phone
• Define a lockout policy
  - Create aggressive lockout timers
  - Completely lock the phone

Remote wipe - Mobile Device Management

Remote wipe - Software that allows deletion of data and settings on a mobile device to be initiated from a remote server. The remote wipe could be triggered by several incorrect passcode attempts or by enterprise management software.

• Remove all data from your mobile device
  - Even if you have no idea where it is
  - Often managed from the MDM
• Connect and wipe from the web
  - Nuke it from anywhere
• Need to plan for this
  - Configure your mobile device now
• Always have a backup
  - Your data can be removed at any time
  - As you are walking out the door

SMS/MMS/RCS - Enforcement and monitoring of

SMS - A system for sending text messages between cell phones. Multimedia Message Service (MMS) allows transmission of text messages and binary files. Vulnerabilities in SMS and the SS7 signaling protocol that underpins it have cast doubt on the security of 2-step verification mechanisms.

RCS - Rich Communication Services - is designed as a platform-independent advanced messaging app, with a similar feature set to proprietary apps like WhatsApp and iMessage. These features include support for video calling, larger binary attachments, group messaging/calling, and read receipts. RCS is supported by carriers via Universal Profile for Advanced Messaging. The main drawbacks of RCS are that carrier support is patchy (messages fall back to SMS if RCS is not supported) and there is no end-to-end encryption, at the time of writing. Vulnerabilities in processing attachments and rich formatting have resulted in DoS attacks against certain handsets in the past, so it is important to keep devices patched against known threats.

Short Message Service / Multimedia Messaging Service
• Text messages, video, audio
• Control of data can be a concern
  - Outbound data leaks, financial disclosures
  - Inbound notifications, phishing attempts
• MDM can enable or disable SMS/MMS
  - Or only allow during certain timeframes or locations

GPS tagging - Enforcement and monitoring of

Sometimes known as geotagging. If your smartphone, video camera, or digital camera has GPS, it can add GPS information to the video or photo giving its location (longitude/latitude co-ordinates). Useful for making digital holiday photo albums, as the user knows where the image was taken.

• Your phone knows where you are
  - Location Services, GPS
• Adds your location to document metadata
  - Longitude, latitude
  - Photos, videos, etc.
• Every document may contain geotagged information
  - You can track a user quite easily
• This may cause security concerns
  - Take picture, upload to social media

Geofencing refers to accepting or rejecting access requests based on location.

External media - Enforcement and monitoring of

• Store data onto external or removable drives
  - SD flash memory or USB/lightning drives
• Transfer data from flash
  - Connect to a computer to retrieve
• This is very easy to do
  - Limit data written to removable drives
  - Or prevent the use of them from the MDM

Password and PINs - MDM

Strong passwords should always be set on mobile devices, as simple 4-digit PIN codes can easily be brute-forced. Swipe patterns are vulnerable to poor user choice.

• The universal help desk call
  - I need to reset my password
• Mobile devices use multiple authentication methods
  - Password/passphrase, PINs, patterns
• Recovery process can be initiated from the MDM
  - Password reset option is provided on the mobile device
  - "What is the name of your favorite car maiden cat's color?"
• MDM also has full control
  - Completely remove all security controls
  - Not the default or best practice

Storage segmentation (MDM)

The container can also enforce storage segmentation. With storage segmentation the container is associated with a directory on the persistent storage device that is not readable or writable by apps that are not in the container. Conversely, apps cannot write to areas outside the container, such as external media or using copy and paste to a non-container app. App network access might be restricted to a VPN tunneled through the organization's security system.

Geofencing - MDM

The practice of creating a virtual boundary based on real-world geography. Geofencing can be a useful tool for controlling the use of camera or video functions or for applying context-aware authentication. An organization may use geofencing to create a perimeter around its office property and then limit the functionality of any device that leaves that boundary. An unlocked smartphone could be locked and forced to reauthenticate when entering the premises, and the camera and microphone could be disabled. The device's position is obtained from location services, so the policy is only as good as the fix it is given: a stale or low-accuracy fix (or one from a device with mock locations enabled) should not be trusted to grant privileges.
• Some MDMs allow for geofencing - Restrict or allow features when the device is in a particular area
• Cameras - Might only work when outside the office
• Authentication - Only allow logins when the device is located in a particular area
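The following is an added example (not from the study set or any MDM product) of the evaluation an MDM agent performs against a fix from location services: the fence is a circle around the office, the distance is computed with the haversine formula, and a fix that is too old or too imprecise is treated as "position unknown" rather than as inside. The office coordinates, thresholds and feature table are constructed for the example.

```python
"""Added example, not from the page: a geofence evaluator of the kind an MDM
agent runs against the fix it gets from location services. The office
position, thresholds and feature policy below are constructed."""
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0
MAX_FIX_AGE_S = 300        # older fixes are treated as "position unknown" (assumption)
MAX_ACCURACY_M = 100       # worse accuracy than this is treated as unknown (assumption)


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


@dataclass(frozen=True)
class Geofence:
    name: str
    lat: float
    lon: float
    radius_m: float

    def contains(self, lat, lon, accuracy_m=0.0):
        """Inside only if the whole accuracy circle lies within the fence, so a
        fix that merely overlaps the perimeter does not count as inside."""
        return haversine_m(self.lat, self.lon, lat, lon) + accuracy_m <= self.radius_m


@dataclass(frozen=True)
class LocationFix:
    lat: float
    lon: float
    accuracy_m: float   # radius of the confidence circle reported by the OS
    age_s: float        # seconds since the fix was taken


def evaluate(fence, fix):
    """Feature policy to push for this fix. Inside the office: camera and
    microphone off, location-gated corporate login allowed. Outside: the
    reverse. Unknown position: restrictions stay on and the login is refused."""
    if fix.age_s > MAX_FIX_AGE_S or fix.accuracy_m > MAX_ACCURACY_M:
        return {"zone": "unknown", "camera": False, "microphone": False, "login": False}
    if fence.contains(fix.lat, fix.lon, fix.accuracy_m):
        return {"zone": "inside", "camera": False, "microphone": False, "login": True}
    return {"zone": "outside", "camera": True, "microphone": True, "login": False}


# Constructed office perimeter: 150 m around a made-up head-office position.
OFFICE = Geofence("HQ", 51.5007, -0.1246, 150.0)

if __name__ == "__main__":
    for fix in (LocationFix(51.5010, -0.1240, 20, 10),    # ~53 m away, good fix
                LocationFix(51.5100, -0.1246, 20, 10),    # ~1 km away
                LocationFix(51.5010, -0.1240, 20, 900),   # same spot, 15-minute-old fix
                LocationFix(51.5010, -0.1240, 140, 10)):  # same spot, 140 m uncertainty
        print(fix, "->", evaluate(OFFICE, fix))
```

The asymmetry in evaluate is deliberate: an unknown position keeps the camera restriction in place but does not unlock the location-gated login, so a spoofed or degraded fix can only take privileges away, never grant them.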

carrier unlocking - Enforcement and monitoring of:

The process of unlocking a mobile phone from a specific cellular provider. Carrier unlocking - for either iOS or Android - means removing the restrictions that lock a device to a single carrier. An MDM can report the device's carrier and SIM details in its inventory, so an unexpected carrier change on a corporate device is visible to the administrator.

Payment methods - Enforcement and monitoring of

There are three major mobile wallet apps: Apple Pay, Google Pay (formerly Android Pay), and Samsung Pay. All of them pay over NFC, so the NFC attack surface (eavesdropping from a distance, skimming in crowds, jamming the transfer) applies to them; the details are on the NFC card below. The wallet's protection is that it never transmits the real card number, only a one-time token, and that it requires the device's primary authentication (PIN, fingerprint or face) before a payment is released.
• Send small amounts of data wirelessly over a limited area (NFC) - Built into your phone - Payment systems, transportation, in-person information exchange
• A few different standards - Apple Pay, Android Pay, Samsung Pay
• Bypassing primary authentication would allow payment - Use proper security - or disable completely

USB - Connection methods and receivers

USB (Universal Serial Bus)
• Physical connectivity to your mobile device - USB to your computer - USB, Lightning, or a proprietary connector on your phone
• Physical access is always a concern - May be easier to gain access than over a remote connection
• A locked device is relatively secure - Always auto-lock
• Mobile phones can also exfiltrate - A phone can present itself to the computer as a USB storage device

USB On-The-Go (USB OTG)- Enforcement and monitoring of

A USB specification allowing a mobile device to act as a host when a device such as an external drive or keyboard is attached. OTG allows a port to function either as a host or as a device: a port on a smartphone might operate as a device when connected to a PC, but as a host when connected to a keyboard or external hard drive. An extra pin on the connector (the ID pin) signals which mode the port is in. Media connected to the smartphone could host malware; the malware might not be able to affect the smartphone itself but could be spread between host computers or networks via the device. It is also possible for a charging plug to act as a Trojan and try to install apps or copy data (referred to as juice-jacking), though modern versions of both iOS and Android require the user to authorize a data connection before the device will accept it.
• Connect devices directly together - No computer required, only a cable
• The mobile device can be both a host and a device - Read from an external device, then act as a storage device itself - No need for a third-party storage device
• A supplement to the USB 2.0 standard - Commonly seen on Android devices
• Extremely convenient - From a security perspective, it's too convenient

Sideloading - Enforcement and monitoring of:

Sideloading is installing an app on a mobile device without using an app store. Unlike iOS, Android allows selection of different stores and installation of untrusted apps from any third party if the user enables this option. With unknown sources enabled, an untrusted app can be downloaded from a website as an .apk file and installed directly. Because a sideloaded .apk skips the store's review and can reuse the package name of a legitimate app, a management suite is typically used to prevent the use of third-party stores, block sideloading, and block unapproved app sources.

Full Device Encryption (MDM)

Full device encryption encrypts all data at rest on the device's storage, so a lost or stolen device cannot simply be read by connecting it to a computer. It is a very secure option for all of the information on the mobile device, but enforcing it and verifying that it is turned on across the fleet might require third-party management software (an MDM).

WiFi Direct/Ad hoc - Enforcement and monitoring of

Wi-Fi Direct allows one-to-one connections between stations, though in this case one of the devices actually functions as a soft access point. Wi-Fi Direct depends on Wi-Fi Protected Setup (WPS) for pairing, and WPS has well-known weaknesses (its 8-digit PIN is effectively brute-forced in two halves). Android supports operating as a Wi-Fi Direct AP, but iOS uses a proprietary multipeer connectivity framework; an iOS device can still connect to another device running a Wi-Fi Direct soft AP. In short, Wi-Fi Direct is a Wi-Fi standard enabling devices to connect with each other without requiring a wireless access point.
Ad hoc Wi-Fi is a type of wireless network where connected devices communicate directly with each other instead of over an established medium; the network is not made permanently available. Although 802.11 defines an ad hoc (IBSS) mode, mobile operating systems generally do not expose it, so there is no established, standards-based support for ad hoc networking on phones.
• We're so used to access points - SSID configurations
• The wireless standard includes an ad hoc mode - Connect wireless devices directly - Without an access point
• Wi-Fi Direct simplifies the process - Easily connect many devices together - Common to see in home devices
• Simplicity can aid vulnerabilities - Invisible access to important devices
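To make the WPS weakness concrete, here is an added example (not from the study set) that implements the WPS PIN checksum and simulates the online brute force: the eighth digit is derived from the first seven, and the access point answers the first and second halves of the PIN in separate handshake messages (after M4 and M6), so the worst case is 10^4 + 10^3 guesses, not 10^8. The secret PIN and the oracles standing in for the AP are constructed.

```python
"""Added example, not from the page: why the WPS PIN that Wi-Fi Direct
depends on is weak. Digit 8 is a checksum of digits 1-7, and the AP confirms
each half of the PIN separately, so an online brute force needs at most
10^4 + 10^3 guesses instead of 10^8. The secret PIN below is constructed."""


def wps_checksum(first7):
    """Checksum digit as defined by Wi-Fi Simple Configuration:
    weight 3 on digits 1,3,5,7 and weight 1 on digits 2,4,6."""
    acc = 0
    for i, ch in enumerate(first7):
        acc += 3 * int(ch) if i % 2 == 0 else int(ch)
    return (10 - acc % 10) % 10


def is_valid_wps_pin(pin):
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


def worst_case_online_guesses():
    """Guesses needed when each half is confirmed independently."""
    return 10 ** 4 + 10 ** 3   # digits 1-4, then digits 5-7 (digit 8 is derived)


def recover_pin(first_half_oracle, full_pin_oracle):
    """Recover a PIN against two yes/no oracles. first_half_oracle(d1..d4)
    stands in for the AP's reaction after M4, full_pin_oracle(pin) for its
    reaction after M6. Returns (pin, guesses_used)."""
    guesses = 0
    for a in range(10_000):
        head = f"{a:04d}"
        guesses += 1
        if first_half_oracle(head):
            break
    else:
        return None, guesses
    for b in range(1_000):
        tail = f"{b:03d}"
        pin = head + tail + str(wps_checksum(head + tail))   # never guess digit 8
        guesses += 1
        if full_pin_oracle(pin):
            return pin, guesses
    return None, guesses


def demo(secret="12345670"):
    """Simulated AP holding a constructed secret PIN."""
    if not is_valid_wps_pin(secret):
        raise ValueError("secret must be a checksum-valid WPS PIN")
    pin, used = recover_pin(lambda h: secret.startswith(h), lambda p: p == secret)
    return pin, used


if __name__ == "__main__":
    print(demo())   # ('12345670', 1803)
```

Real access points add rate limiting or lock WPS after repeated failures, which slows the search but does not change the arithmetic; the practical mitigation is to disable WPS PIN mode wherever Wi-Fi Direct is not needed.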

NFC (Near Field Communication (NFC)-Connection methods and receivers

A protocol, based on RFID, that defines how a network uses close-range radio signals to communicate between two devices or objects equipped with NFC technology: a standard for peer-to-peer (two-way) radio communications over very short (around 4 inch / 10 cm) distances, facilitating contactless payment and similar technologies. An NFC transaction is sometimes known as a bump. NFC itself does not provide encryption, so eavesdropping and man-in-the-middle attacks are possible if the attacker can find some way of intercepting the communication and the software services are not encrypting the data. The widest application of NFC is to make payments via contactless point-of-sale (PoS) machines. To configure a payment service, the user enters their credit card information into a mobile wallet app on the device. The wallet app does not transmit the original credit card information, but a one-time token that is interpreted by the card merchant and linked back to the relevant customer account. There are three major mobile wallet apps: Apple Pay, Google Pay (formerly Android Pay), and Samsung Pay.
Vulnerabilities: Certain antenna configurations may be able to pick up the RF signals emitted by NFC from several feet away, giving an attacker the ability to eavesdrop from a more comfortable distance. An attacker with a reader may also be able to skim information from an NFC device in a crowded area, such as a busy train. An attacker may also be able to corrupt data as it is being transferred through a method similar to a DoS attack - by flooding the area with an excess of RF signals to interrupt the transfer. Skimming a credit or bank card will give the attacker the long card number and expiry date. Completing fraudulent transactions directly via NFC is much more difficult, as the attacker would have to use a valid merchant account, and fraudulent transactions related to that account would be detected very quickly.
• Two-way wireless communication - Builds on RFID
• Payment systems - Google Wallet, Apple Pay
• Bootstrap for other wireless - NFC helps with Bluetooth pairing
• Access token, identity "card" - Short range; confidentiality comes from the application layer (for example payment tokens), not from NFC itself
NFC security concerns
• Remote capture - It's a wireless network - Up to 10 meters for active devices
• Frequency jamming - Denial of service
• Relay / Replay attack - Man in the middle
• Loss of NFC device control - Stolen/lost phone
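The token-instead-of-card-number idea from this card and the Payment methods card above, as an added example that is not part of the study set and is not EMV or any real wallet's protocol: the phone holds only a device token and a device key, every tap carries a fresh counter and an HMAC cryptogram, and the issuer-side token service rejects a replayed, altered or re-routed tap. The PAN, key and merchant identifiers are constructed.

```python
"""Added example, not from the page: a simplified model of how a mobile wallet
pays over NFC without ever sending the card number. Not EMV; it keeps the
shape of the idea (device token + per-tap cryptogram + counter) so that the
replay and tampering checks are visible. PAN, key and merchants are constructed."""
import hashlib
import hmac


def _cryptogram(key, dpan, counter, merchant_id, amount_cents):
    msg = f"{dpan}|{counter}|{merchant_id}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Wallet:
    """Device side. Holds only the device token (DPAN) and a device key, never
    the real PAN, and refuses to pay while the phone is locked."""
    def __init__(self, dpan, device_key):
        self.dpan, self.key, self.counter, self.unlocked = dpan, device_key, 0, False

    def authenticate(self):
        self.unlocked = True            # stands in for PIN / fingerprint / face

    def tap(self, merchant_id, amount_cents):
        if not self.unlocked:
            return None                 # primary authentication gates every payment
        self.counter += 1
        return {"dpan": self.dpan, "ctr": self.counter, "merchant": merchant_id,
                "amount": amount_cents,
                "mac": _cryptogram(self.key, self.dpan, self.counter, merchant_id, amount_cents)}


class TokenService:
    """Issuer side. Maps a DPAN back to the real account and validates taps."""
    def __init__(self):
        self.vault = {}

    def provision(self, pan, device_key):
        # Token numbering scheme is an assumption; it only needs to differ from the PAN.
        dpan = "9" + hashlib.sha256(pan.encode() + device_key).hexdigest()[:15]
        self.vault[dpan] = {"pan": pan, "key": device_key, "last_ctr": 0}
        return dpan

    def authorize(self, tap, presenting_merchant):
        rec = self.vault.get(tap["dpan"])
        if rec is None:
            return "declined: unknown token"
        if tap["merchant"] != presenting_merchant:
            return "declined: cryptogram bound to another merchant"
        expected = _cryptogram(rec["key"], tap["dpan"], tap["ctr"], tap["merchant"], tap["amount"])
        if not hmac.compare_digest(expected, tap["mac"]):
            return "declined: bad cryptogram"      # amount or merchant altered in transit
        if tap["ctr"] <= rec["last_ctr"]:
            return "declined: replay"              # a captured tap presented again
        rec["last_ctr"] = tap["ctr"]
        return "approved"


def demo():
    """One legitimate tap, then what an eavesdropper could do with the capture."""
    pan, key = "4111111111111111", b"constructed-32-byte-device-key!!"   # constructed
    issuer = TokenService()
    dpan = issuer.provision(pan, key)
    wallet = Wallet(dpan, key)
    locked_attempt = wallet.tap("MERCH-001", 499)           # phone still locked
    wallet.authenticate()
    tap = wallet.tap("MERCH-001", 499)
    return {
        "locked": locked_attempt,                                             # None
        "pan_on_air": pan in repr(tap),                                       # False
        "first": issuer.authorize(tap, "MERCH-001"),                          # approved
        "replay": issuer.authorize(tap, "MERCH-001"),                         # declined: replay
        "tampered": issuer.authorize(dict(tap, amount=49900), "MERCH-001"),   # bad cryptogram
        "other_merchant": issuer.authorize(tap, "MERCH-002"),                 # bound elsewhere
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

What an attacker with a good antenna skims here is a token and a single-use cryptogram, not the long card number; the remaining exposure is the relay case, where a live session is forwarded to a distant terminal, which is why the wallet insists on the user's primary authentication before it answers at all.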

Corporate-owned personally enabled (COPE) - Deployment models

The device is chosen and supplied by the company and remains its property. The employee may use it to access personal email and social media accounts and for personal web browsing (subject to whatever acceptable use policies are in force).
• Corporate owned, personally enabled - Company buys the device - Used as both a corporate device and a personal device
• Organization keeps full control of the device - Similar to company-owned laptops and desktops
• Information is protected using corporate policies - Information can be deleted at any time
• CYOD - Choose Your Own Device - Similar to COPE, but with the user's choice of device

Hotspot - Enforcement and monitoring of

Hotspot - Using the cellular data plan of a mobile device to provide Internet access to a laptop or PC. A smartphone can share its Internet connection with another device; where the connection is shared over Wi-Fi with multiple other devices, the smartphone is described as a hotspot.
Tethering - Where the connection is shared by connecting the smartphone to a PC over a USB cable, or with a single PC via Bluetooth, it is referred to as tethering (though the term "Wi-Fi tethering" is also widely used to mean a hotspot). This functionality would typically be disabled by policy when the device is connected to an enterprise network, since it can be used to circumvent security mechanisms such as data loss prevention or a web content filtering policy.
• Turn your phone into a Wi-Fi hotspot - Your own personal wireless router - Extend the cellular data network to all of your devices
• Dependent on phone type and provider - May require additional charges and data costs
• May provide inadvertent access to an internal network - Ensure proper security / passcode

Mobile Device Management (MDM)

Software that remotely controls smartphones and tablets to ensure data security: the process and supporting technologies for tracking, controlling, and securing the organization's mobile infrastructure.

Mobile application management (MAM) - Mobile devices

Sets policies for the apps that can process corporate data and prevents data transfer to personal apps. This type of solution configures an enterprise-managed container or workspace. It is the enterprise management function that enables control over apps and storage for mobile devices and other endpoints.
Application management
• Managing mobile apps is a challenge - Mobile devices install apps constantly
• Not all applications are secure - And some are malicious - Android malware is a rapidly growing security concern
• Manage application use through allow lists - Only approved applications can be installed - Managed through the MDM
• A management challenge - New applications must be checked and added
Mobile Application Management (MAM)
• Provision, update, and remove apps - Keep everyone running at the correct version
• Create an enterprise app catalog - Users can choose and install the apps they need
• Monitor application use - Apps used on a device, devices with unauthorized apps
• Remotely wipe application data - Securely manage remote data
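The allow-list check from this card and the sideloading detection from the Sideloading card above, as one added example (not from the study set and not any MDM vendor's code): a device's app inventory is compared against an allow list keyed on package name plus signing-certificate digest, anything installed outside the trusted installers is flagged as sideloaded, and the findings are mapped to a compliance action. Package names, version codes, installer names and signer digests are constructed placeholders rather than real certificate fingerprints.

```python
"""Added example, not from the page and not any MDM vendor's code: checking a
device's app inventory against a MAM allow list. All package names, version
codes, installers and signer digests below are constructed placeholders."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Installers the policy trusts: the public store and the corporate app catalog (assumption).
TRUSTED_INSTALLERS = {"com.android.vending", "com.example.mdm.agent"}


@dataclass(frozen=True)
class InstalledApp:
    package: str
    version_code: int
    signer_sha256: str            # digest of the APK signing certificate
    installer: Optional[str]      # package that installed it; None = adb/sideloaded


@dataclass(frozen=True)
class AllowRule:
    signer_sha256: str            # the publisher that was approved, not just the name
    min_version_code: int


def evaluate_inventory(inventory: List[InstalledApp],
                       allow_list: Dict[str, AllowRule]) -> List[Tuple[str, str]]:
    """Return (package, finding) pairs. A package name alone is not identity:
    a repackaged app on a third-party store can reuse the name, so the signer
    is compared before the version is."""
    findings = []
    for app in inventory:
        rule = allow_list.get(app.package)
        if rule is None:
            findings.append((app.package, "not-on-allow-list"))
        elif app.signer_sha256 != rule.signer_sha256:
            findings.append((app.package, "signer-mismatch"))
        elif app.version_code < rule.min_version_code:
            findings.append((app.package, "outdated"))
        if app.installer not in TRUSTED_INSTALLERS:
            findings.append((app.package, "sideloaded"))
    return findings


def compliance_action(findings):
    """Map findings to the MDM response: cut off corporate data for anything
    that looks tampered or unapproved, only nag for stale versions."""
    kinds = {kind for _pkg, kind in findings}
    if kinds & {"signer-mismatch", "sideloaded", "not-on-allow-list"}:
        return "quarantine: revoke corporate container until remediated"
    if "outdated" in kinds:
        return "warn: update required"
    return "compliant"


ALLOW_LIST = {   # constructed corporate allow list
    "com.example.mail": AllowRule("sig-mail-v1", 200),
    "com.example.vpn": AllowRule("sig-vpn-v1", 42),
    "com.example.expenses": AllowRule("sig-expenses-v1", 5),
}

INVENTORY = [    # constructed device report
    InstalledApp("com.example.mail", 210, "sig-mail-v1", "com.example.mdm.agent"),
    InstalledApp("com.example.vpn", 40, "sig-vpn-v1", "com.android.vending"),
    InstalledApp("com.badco.flashlight", 3, "sig-badco", "com.android.vending"),
    InstalledApp("com.example.expenses", 9, "sig-unknown", None),
]

if __name__ == "__main__":
    results = evaluate_inventory(INVENTORY, ALLOW_LIST)
    for item in results:
        print(item)
    print(compliance_action(results))
```

The expenses app in the constructed inventory is the case the allow list exists for: right package name, approved version, but a different signer and no store installer, which is what a repackaged .apk from a website looks like from the MDM's side.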

BYOD (bring your own device) - Deployment models

The mobile device is owned by the employee. The device will have to meet whatever profile is required by the company (in terms of OS version and functionality), and the employee will have to agree to the installation of corporate apps and to some level of oversight and auditing. This model is usually the most popular with employees but poses the most difficulties for security and network managers. BYOD is an arrangement in some companies' IT departments where employees are permitted to use their own phones or other mobile devices instead of company-issued ones; the term is also used by some wireless carriers for buying an unsubsidized device to get cheaper wireless rates.
• Bring Your Own Device / Bring Your Own Technology
• Employee owns the device - Needs to meet the company's requirements
• Difficult to secure - It's both a home device and a work device - How is data protected? - What happens to the data when a device is sold or traded in?

SEAndroid

Uses mandatory access control (MAC) policies to run apps in sandboxes. When the app is installed, access is granted (or not) to specific shared features, such as contact details, SMS texting, and email.
• Security Enhancements for Android - SELinux (Security-Enhanced Linux) in the Android OS - Supports access control security policies
• A project from the US National Security Agency (NSA) - Based on the NSA's SELinux
• Addresses a broad scope of system security - Kernel, userspace, and policy configuration
• Included from Android version 4.3 (July 2013) - Permissive (logging only) in 4.3, enforcing for key system domains in 4.4, fully enforcing from 5.0 - Protect privileged Android system daemons - Prevent malicious activity
• Change from Discretionary Access Control (DAC) to Mandatory Access Control (MAC) - Move from user-assigned control to object labels and minimum user access - Isolates and sandboxes Android apps
• Centralized policy configuration - Manage Android deployments

