Securing Mobile Device & Protecting Data
Data at Rest
Any data stored on media (hard drives, mobile phones, USB flash drives, external drives and backups). The best way to protect data at rest >> encrypt it
Data in Use
Any data that resides in temporary memory. Applications retrieve stored data, process it, and may either save it back to storage or send it over the network. The application is responsible for protecting data in use. Confidentiality is primarily protected through encryption and strong access controls.
5.2.1.1 File-Level Encryption
Many OSes support file- and folder-level encryption.
Linux -> GNU Privacy Guard (gpg), a command-line tool used to encrypt and decrypt files with a password
Microsoft -> Encrypting File System (EFS)
Benefits of file-level encryption:
• You can encrypt individual files without encrypting the entire disk
Issues of file-level encryption:
• Encryption can be lost if an authorized user copies encrypted files to another disk that doesn't support encryption
• The solution to this is whole-device/full disk encryption
What is MDM?
Mobile Device Management - includes technologies to manage mobile devices such as smartphones and tablets
• MDM tools help ensure systems are up to date with current patches and have up-to-date antivirus installed
• These tools often block devices that are not up to date
Goal: to ensure these devices have security methods in place similar to those of desktop computers
RFID
Radio-frequency identification (RFID) methods - often used for inventory controls
5.2.2.1.2 Storage Root Key
The TPM creates the storage root key when a user adds the TPM owner password and activates the TPM. The TPM uses this key to create and protect other encryption keys used within applications.
TPM
Trusted Platform Module - a hardware chip on the computer's motherboard that stores cryptographic keys used for encryption; included on many newer laptops
• Has a unique Rivest, Shamir, Adleman (RSA) key burned into the chip -> used for asymmetric encryption
• Once enabled -> provides full disk encryption capabilities -> keeps hard drives locked (or sealed) until the system completes a system verification and authentication process
• When a user activates the TPM -> the TPM creates a Storage Root Key and stores other cryptographic keys
How does BitLocker use TPM?
• BitLocker uses the TPM to detect tampering with any critical OS files or processes as part of a platform verification process
• The drive remains locked until the platform verification and user authentication processes are complete
TPMs use 3 categories of encryption keys:
• Endorsement key
• Storage root key
• Application key
How does data exfiltration happen?
• Attackers take control of systems and transfer data outside an organization using malware
• Malicious insiders can also transfer data
3 most common data categories
• Data at rest
• Data in transit
• Data in use
TPM vs HSM
• HSMs are removable or external devices
• TPMs are chips embedded into the motherboard
• Both provide secure encryption capabilities by storing and using RSA keys
What can a DLP do to protect data?
• Scan the text of all emails and the contents of attached files
• Scan for PII
• Scan the content of other traffic, such as FTP and HTTP
Data exfiltration:
• The unauthorized transfer of data outside an organization
• A significant concern with data leakage
UTM
• Unified Threat Management
• A UTM is a device that combines a switch, router and firewall into one device
network-based DLP system
A network-based DLP system can examine and analyze network traffic.
• Can detect if confidential data or PII is included in email and reduce the risk of internal users emailing sensitive data outside the organization
AUP
Acceptable Use Policy
o Issues about BYOD should be addressed in the Acceptable Use Policy
o It describes users' responsibilities when using an organization's IT resources
5.2.1.3 Encrypting Database Content
Another form of software-based encryption. It is more common to encrypt the sensitive data held within a database instead of encrypting the entire database:
-> protects sensitive data
-> uses less processing power
It is also possible to encrypt the entire database.
6.1.2 Endpoint Protection
Another method of preventing data loss is restricting the use of hardware at the computer (endpoint). Blocking portable devices such as:
• USB flash drives
• External hard drives
• MP3 players
>> can prevent users from copying or printing sensitive data
A DLP solution is more selective: it can prevent a user from copying or printing files with specific content. Ex: the DLP solution can prevent users from copying, printing or scanning any classified documents marked with a label of "Confidential."
DLP
Data Loss Prevention (DLP) techniques examine and inspect data looking for unauthorized data transmission. DLP systems can be:
• Network-based -> to inspect data in motion
• Storage-based -> to inspect data at rest
• Endpoint-based -> to inspect data in use
Mobile device security includes:
Device encryption -> to protect the data
Screen locks -> to help prevent unauthorized access
Remote wipe capabilities -> to delete all data on a lost device
6.1.1 Data in Motion
Different types of content filters are used in unified threat management (UTM) devices (such as web security gateways).
• UTM devices -> monitor incoming data streams looking for malicious code
• A network-based DLP -> monitors outgoing data looking for sensitive data
5.2.1.2 Full Disk Encryption
Full disk encryption programs encrypt an entire disk. E.g., TrueCrypt
HSM
Hardware Security Module - a security device you can add to a system to manage, generate and securely store cryptographic keys
• High-performance HSMs - external devices connected to a network using TCP/IP
• Smaller HSMs - come as expansion cards you install within a server, or as devices you plug into computer ports
HSM - a removable or external device that can generate, store and manage RSA keys used in asymmetric encryption. Many server-based applications use an HSM to protect keys.
MDM tools include:
Patch management
Antivirus management
Application control
o Can restrict what applications can run on mobile devices
o Often uses application whitelists to control the applications
Primary methods of protecting the confidentiality of data
Primary methods of protecting the confidentiality of data (including data at rest and data in transit) are encryption and strong access controls.
Software-Based Encryption
Software-based encryption - can encrypt individual files and folders, entire disks, removable media, mobile devices, and databases.
5.2.2 Hardware-Based Encryption
Software-based encryption has several drawbacks ->
• It takes extra processing power and time
• It isn't useful when a large quantity of data, such as an entire disk, needs to be encrypted
Examples of hardware-based encryption devices:
• Trusted Platform Module
• Hardware security module
What is the security concern for: storage segmentation?
Some mobile devices can segment data storage
5.2.2.1.1 Endorsement key
The manufacturer embeds an endorsement key into the TPM. This key stays with the TPM throughout its lifetime.
5.2.2.1.3 Application Keys
These keys are derived from the storage root key. Applications use them to encrypt disks.
Example: Microsoft BitLocker uses an application key to encrypt entire disks.
If a system includes a TPM, you can use an application within the OS to enable it. E.g., many Microsoft systems include BitLocker, which you can enable on systems that include a TPM.
What is the security concern for: removable storage?
o USB thumb drives and other removable storage devices are a source of data leakage and malware distribution -> security policies often restrict the use of USB thumb drives and other portable devices (e.g., iPods)
o Using strong encryption on devices -> can be effective at protecting the confidentiality of the data
Off-boarding
The procedures that remove devices from the network
On-boarding
The procedures that allow users to connect their devices to the network