Exam Cram Chapter 8
Onboard Camera/Video
* A comprehensive BYOD policy should clearly state restrictions on the usage of cameras, video, audio, or other applications and services.
Transitive Trust/Authentication
* Application transitive trusts and authentication can be used to improve availability of service access but can present security issues. When applications interact with each other, restricting one application may create an environment for data to still leave the mobile device through the other application. An application with only local permissions may send sensitive data through third-party applications to external destinations.
Host Availability/Elasticity
* Elasticity is most often found in cloud environments, where resources can be purchased for a short period of time based on demand and then deleted when no longer needed.
Device Access Control
* Firewall policies should be created specifically for handheld device traffic, limiting access only to the types of data required via the device.
- Next Generation Firewalls (NGFW) and intrusion-prevention systems (IPS) have the capability to enforce policies blocking certain mobile devices and high-risk applications at the network level.
GPS
* GPS tracking features can be used on company-issued devices as a deterrent to prevent the unauthorized personal use of vehicles and the taking of unauthorized, unscheduled breaks. If a mobile device is lost, you can also use GPS tracking to find the location of the device.
Patch and Antivirus Management
* In a BYOD environment, the organization sets minimum security requirements as a condition for allowing personal devices access to network resources.
Forensics
* In a BYOD environment, legal requirements take precedence. In the event of an investigation, the employee may be temporarily unable to use the personal device during the investigation period.
- The organization needs to address this scenario when creating a BYOD policy.
Key Management
* Key management is intended to provide a single point of management for keys and to enable users to manage the life cycle of keys and to store them securely, while also making key distribution easier.
Mobile Device Management (MDM)
* MAM focuses on application management. MDM solutions provide a more comprehensive level of device management. This allows the management of devices from applications and application data all the way down to device firmware and configuration settings.
ExamAlert
* Make sure that you can identify the difference between a host-based and a network-based firewall.
Remote Wiping
* Remote wipe enables the handheld's data to be remotely deleted if the device is lost or stolen. All the major smartphone platforms have this capability. The most common ways to remote wipe are using applications installed on the handset, through an IT management console, or a cloud-based service.
User Acceptance
* The employee should sign a written consent agreeing to all terms and conditions of the BYOD policy so the organization can easily refute any claim of policy unawareness.
Authentication
* Using static passwords for authentication has a few security flaws, because passwords can be guessed, forgotten, or written down.
Virtualization
* Virtualization improves enterprise desktop management and control with faster deployment of desktops and fewer support calls because of application conflicts.
White listing
* White listing applications tends to make an environment more closed by only allowing approved applications to be installed.
- Application white listing is the preferred method of restricting applications because the approved applications can be allowed to run using numerous methods of trust.
Snapshots
- A snapshot preserves the entire state and data of the virtual machine at the time it is taken.
* Snapshots may capture sensitive data present on the system at the time the snapshot was taken and can present a situation where personal information is inadvertently put at risk.
Antivirus
- Antivirus software scans for malicious code in email and downloaded files.
- Scanning identifies virus code based on a unique string of characters known as a signature.
- If a machine does become infected, the first step is to remove it from the network so that it cannot damage other machines.
* Heuristic scanning looks for instructions or commands that are not typically found in application programs. The issue with these methods is that they are susceptible to false positives and cannot identify new viruses until the database is updated.
Asset Tracking and Inventory Control
- Asset tracking provides effective management of assets in the field so that the device location is known at all times.
- Asset tracking is important to quickly identify a device when it is stolen.
- Inventory control helps the organization keep a firm handle on how many devices are on hand, how many are issued, and to monitor that devices are returned upon employment termination.
BYOD
- Bring your own device focuses on reducing corporate cost and increasing productivity by allowing employees, partners, and guests to connect to the corporate network.
* Formulating a BYOD program requires a security model that provides differential levels of access by device, user, application, and location.
Group Policies
- Collections of configuration settings applied to a system based on computer or user group membership, which may influence the level, type, and extent of access provided.
Geotagging
- Geotagging location services are based on positions and coordinates provided by a GPS.
* The security risks associated with geotagging include unwanted advertising, spying, stalking, and theft. Some social networking sites and services show the location of the logged-on user.
Host-Based Intrusion Detection (HIDS)
- HIDS monitor communication on a host-by-host basis and try to filter malicious data by means of a locally installed agent. HIDS can do log analysis, event correlation, integrity checking, policy enforcement, rootkit detection, and alerting.
- These types of IDS are good at detecting unauthorized file modifications and user activity.
Cable locks
- Laptops should never be left in an area that is open where anyone can have easy access to them.
- Security cables with combination locks can provide such security.
- The cable is used to attach the computer to an immovable object.
Full Device Encryption
- Mobile voice encryption can allow executives and employees alike to discuss sensitive information without having to travel to secure company locations.
- Third-party software applications can provide secure VoIP communication for iPhone, Android, and BlackBerry devices using 256-bit AES encryption to encrypt calls between users. For added security, 1024-bit RSA encryption can be used during the symmetric key exchange.
- You cannot create a secure connection between a device that has the software installed and one that does not. This includes hardware solutions as well.
- For embedded encryption, KoolSpan's TrustChip is one solution.
Support Ownership
- Most BYOD policies establish what type of devices are permitted to access the network and state that employees are responsible for voice and data plan billing and maintenance of their devices.
Onboarding/offboarding (BYOD)
- Onboarding is a term describing the process of registering an asset and provisioning the asset so it can be used to access the corporate network.
- Offboarding is the opposite process.
- When an employee is terminated, retires, or quits, it might be difficult to segregate and retrieve organization data and applications.
- The BYOD policy should address how data and corporate-owned applications will be retrieved during the offboarding process. In some instances, the organization may opt for a total device wipe.
Application Control
- One of the biggest security risks is applications that share data across environments, such as Dropbox, Box, Google Drive, OneDrive, and iCloud.
* In a corporate environment, applications can be managed through provisioning and controlling access to available mobile applications. This is called mobile application management (MAM).
OS Hardening
- Operating system hardening includes configuring log files and auditing, changing default administrator account names and default passwords, and the institution of account lockout and password policies to guarantee strong passwords that can resist brute-force attacks.
- File-level security and access control mechanisms serve to isolate access attempts within the operating system environment.
Lockout
- Passcodes are a first line of defense and should be required on all devices that access corporate resources.
Storage Segmentation
- Storage segmentation separates personal and business content on the device. The segmented storage is encrypted with Advanced Encryption Standard (AES) 192-bit encryption. This solution also encrypts any data that is in transit between the device and servers behind the organization's firewall.
* Storage segmentation allows protection of business content from security risks introduced by personal usage.
Privacy
- The BYOD policy should clearly disclose how the organization will access an employee's personal data, and in instances where the organization offers device data backup, it should state whether personal data will be stored on backup media or otherwise.
Application White Listing
- The general concept behind application white listing is that instead of attempting to block malicious files and activity as black listing does, application white listing permits only known good apps.
* When security is a concern, white listing applications is a better option because it allows the organization to maintain strict control over the apps employees are approved to use.
Anti-spam
- The main component of anti-spam software is heuristic filtering. Heuristic filtering has a predefined rule set that compares incoming email information against the rule set. The software reads the contents of each message and compares the words in that message against the words in typical spam messages.
Host Software Baselining
- The measure of normal activity is known as a baseline. Without a baseline, it is harder to see what is wrong because you do not know what is normal.
- Baselines must be updated on a regular basis, and certainly when the computer has changed or new technology has been deployed.
- Baselining should be done for both host and application processes so that you can tell whether it is a hardware or software issue.
Application Security
- The primary attack points on mobile devices are data storage, key stores, the application file system, application databases, caches, and configuration files.
- Recommendations for application security include restricting which applications may be installed through white listing, digitally signing applications to ensure that only applications from trusted entities are installed on the device, and distributing the organization's applications from a dedicated mobile application store.
Device Security
- The risks associated with mobile devices are physical risk, including theft or loss; unauthorized access risk; operating system or application risk; network risk; and mobile device data storage risk.
- To mitigate these risks, many of the same protections that apply to computers apply to mobile devices. Safeguards include screen locks, encryption, remote wipes, GPS tracking, and proper access control.
Patch Compatibility
- This feature is important when an OS patch or update causes an incompatibility issue with a currently installed application or configuration.
- Snapshots can be taken and stored so that administrators can easily roll back the VM when a patch causes a compatibility issue.
Disabling Unused Features
- Unused features on the mobile device should be disabled.
* If Bluetooth is necessary for an organization's mobile devices, it should be set to nondiscoverable.
Data ownership
- When formulating a BYOD policy, the organization should clearly state who owns the data stored on the device, specifically addressing what data belongs to the organization.
- The policy should include language stipulating that the organization will remote wipe data if the employee violates the BYOD policy, terminates employment, or purchases a new device.
Sandboxing
- The purpose of sandboxing is to provide a safe execution environment for untrusted programs.
* Web applications are launched in a sandbox, meaning they run in their own browser windows without the ability to read or write files from sensitive areas.
- Another common use for sandboxing is malware analysis.
Security challenges in an elastic model include
Enforcing proper configuration, enforcing change management, and adequate administrative separation between virtual customer environments.
Principle of least privilege
Every user or service of a system should only operate with the minimal set of privileges required to fulfill their job duty or function.
Black Listing
Black listing applications consists of listing all applications the organization deems undesirable or banned and then preventing those applications from being installed.
Types of configuration settings you should be familiar with include the following:
Host Intrusion Prevention Systems (HIPS)
HIPS protect hosts against known and unknown malicious attacks from the network layer up through the application layer. HIPS technologies can be categorized by what they scan for, how they recognize an attack, and at what layer they attempt to detect the attack.
Configuration baselines
Many industries must meet specific criteria established as a baseline measure of security.
- An example of this is the healthcare industry, which has a lengthy set of requirements for information technology specified in the Health Insurance Portability and Accountability Act (HIPAA) security standards.
- Security baselines may also be established by industry representatives, such as the Payment Card Industry Data Security Standard (PCI DSS) requirements established by the credit card industry for businesses collecting and transacting credit information.
Security templates
Sets of configuration settings that reflect a particular role or standard established through industry standards or within an organization, assigned to fulfill a particular purpose.
- Examples include a "minimum-access" configuration template assigned to limited-access kiosk systems, whereas a "high-security" template could be assigned to systems requiring more stringent login and access control mechanisms.