Chapter 21

Implementing Secure Mobile Solutions

This chapter covers the following topics related to Objective 3.5 (Given a scenario, implement secure mobile solutions) of the CompTIA Security+ SY0-601 certification exam:

  • Connection methods and receivers

    • Cellular

    • WiFi

    • Bluetooth

    • NFC

    • Infrared

    • USB

    • Point-to-point

    • Point-to-multipoint

    • Global Positioning System (GPS)

    • RFID

  • Mobile device management (MDM)

    • Application management

    • Content management

    • Remote wipe

    • Geofencing

    • Geolocation

    • Screen locks

    • Push notifications

    • Passwords and PINs

    • Biometrics

    • Context-aware authentication

    • Containerization

    • Storage segmentation

    • Full device encryption

  • Mobile devices

    • MicroSD hardware security module (HSM)

    • MDM/Unified Endpoint Management (UEM)

    • Mobile application management (MAM)

    • SEAndroid

  • Enforcement and monitoring of:

    • Third-party application stores

    • Rooting/jailbreaking

    • Sideloading

    • Custom firmware

    • Carrier unlocking

    • Firmware over-the-air (OTA) updates

    • Camera use

    • SMS/Multimedia Messaging Service (MMS)/Rich communication services (RCS)

    • External media

    • USB On-The-Go (USB OTG)

    • Recording microphone

    • GPS tagging

    • WiFi direct/ad hoc

    • Tethering

    • Hotspot

    • Payment methods

  • Deployment models

    • Bring your own device (BYOD)

    • Corporate-owned personally enabled (COPE)

    • Choose your own device (CYOD)

    • Corporate-owned

    • Virtual desktop infrastructure (VDI)

This chapter starts by exploring connection methods and receivers. It then covers mobile device management (MDM) and the features and functions of this type of control. From there, the chapter moves into a discussion of security mechanisms in mobile devices such as HSM, UEM, MAM, and SEAndroid. This chapter also covers the enforcement of a number of mobile device security concerns, such as jailbreaking or rooting a device as well as sideloading and external media use, to name a few. The chapter concludes with an overview of mobile device deployment models.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz enables you to assess whether you should read this entire chapter thoroughly or jump to the “Chapter Review Activities” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 21-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Review Questions.”

Table 21-1 “Do I Know This Already?” Section-to-Question Mapping

Foundation Topics Section                              Questions
Connection Methods and Receivers                       1, 2, 6
Mobile Device Management                               4, 5
Mobile Device Management Enforcement and Monitoring    3
Mobile Devices                                         7
Deployment Models                                      8

Caution

The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. Which of the following has benefits for contactless payments?

  1. NFC

  2. USB

  3. LTE

  4. None of these answers are correct.

2. Which of the following is utilized to alert when users enter or exit an organization’s physical borders?

  1. Point-to-point deployment

  2. Geofencing

  3. Infrared

  4. All of these answers are correct.

3. Which is a way to reduce the impact of mobile device theft?

  1. Full device encryption

  2. Application management

  3. Context-aware authentication

  4. None of these answers are correct.

4. Which MDM feature allows software updates to be pushed to devices remotely?

  1. GPS

  2. OTG

  3. WAP

  4. OTA

5. Which of the following terms means loading third-party apps from a location outside the official application store for that device?

  1. Carrier unlocking

  2. SIM card cloning

  3. Jailbreaking

  4. Sideloading

6. Which of the following terms means sending unsolicited messages to Bluetooth-enabled devices?

  1. Bluesnarfing

  2. Bluejacking

  3. Bluehacking

  4. None of these answers are correct.

7. Which of the following is one of the best ways to ensure that data is secured and that applications work properly without interference from potential attackers?

  1. Application whitelisting

  2. Encryption

  3. Application management

  4. None of these answers are correct.

8. Which of the following describes a policy in which the company supplies employees with phones?

  1. BYOD

  2. COPE

  3. VDI

  4. None of these answers are correct.

Foundation Topics

Connection Methods and Receivers

Here we cover the various connection methods and receivers that are included with most modern mobile devices today. We also cover some of the security concerns with these technologies and finish with an overview of secure implementation best practices.

Bluetooth, radio frequency identification (RFID), and near-field communication (NFC) are not wireless networking technologies in the general sense the way Wi-Fi is. But anything that has two or more wireless devices that communicate with each other could technically be considered a wireless network.

Like any wireless technology, Bluetooth is vulnerable to attack. Bluejacking and bluesnarfing are two types of vulnerabilities to Bluetooth-enabled devices. Bluetooth is also vulnerable to conflicts with other wireless technologies. For example, some WLAN (or Wi-Fi) standards use the 2.4-GHz frequency range, as does Bluetooth, and even though Bluetooth uses frequency hopping, conflicts can occur between 802.11g or 802.11b networks and Bluetooth personal area networks (PANs). To avoid this, you should use Bluetooth version 1.2 devices or greater, which employ adaptive frequency hopping, improving resistance to radio interference. Also, you should consider placing Bluetooth access points (if they are used) and WLAN access points in different areas of the building. Some companies have policies governing Bluetooth usage; in some cases, it is not allowed if 802.11 standards are in place, and in some cases, a company may enforce rules that say Bluetooth can be used only outside the building. In other cases, a company may put its 802.11 devices on specific channels or use WLAN standards that use the 5-GHz range.

Bluetooth-equipped devices can use near-field communication (NFC), which allows two mobile devices (or a mobile device and a stationary computer) to be automatically paired and transmit data. NFC is not limited to Bluetooth, but Bluetooth is probably the most common technology used to transmit data wirelessly over short distances. Of course, even though the distance is short, attackers can still eavesdrop on it. In addition, NFC is a data transmission protocol, but not necessarily secure. Data can be destroyed by use of a jammer, and users are also at risk of replay attacks. As of this writing, NFC does not offer preventive security in this respect, but users can prevent these attacks by using only applications that offer SSL/TLS or other secure channels during an NFC session.

Anytime a cell phone or smartphone connects, it uses some type of wireless service. Whether it’s 5G, 4G, 3G, GSM, Wi-Fi, infrared, RFID, or Bluetooth, security implications exist. To minimize risks, the best solution is to turn off the particular service when not in use, use airplane mode, or simply turn off the mobile device altogether if it is not being used.

Bluetooth is especially vulnerable to virus attacks, as well as bluejacking and bluesnarfing. Bluejacking is the sending of unsolicited messages to Bluetooth-enabled devices such as mobile phones. You can stop bluejacking by setting the affected Bluetooth device to undiscoverable or by turning off Bluetooth altogether.

Bluesnarfing is the unauthorized access of information from a wireless device through a Bluetooth connection. Generally, bluesnarfing is the theft of data (calendar information, phonebook contacts, and so on). Ways of discouraging bluesnarfing include using a pairing key that is not easy to guess; for example, you should stay away from 0000 or similar default Bluetooth pairing keys! Otherwise, you should set Bluetooth devices to undiscoverable (only after setting up legitimate Bluetooth devices, of course) or turn off Bluetooth altogether.

Wi-Fi has many vulnerabilities as well. Not only should mobile devices connect in a secure, encrypted fashion, but also you, as security administrator, need to keep a sharp eye on the current Common Vulnerabilities and Exposures (CVEs) and the available updates and patches for those vulnerabilities. For example, there was a flaw in the programming of a well-known Wi-Fi System on Chip (SoC). The firmware had a vulnerability that could result in buffer overflows, which could then be exploited by attackers—connecting remotely via Wi-Fi—ultimately enabling the execution of their own code. Sometimes SoCs are not properly vetted for vulnerabilities, so you must be ready to patch at a moment’s notice. This approach applies not only to smartphones and other typical mobile devices but also to just about all devices in the Internet of Things (IoT) that have built-in Wi-Fi connections.

RFID and NFC

Radio frequency identification (RFID) has many uses, but it all boils down to identifying and tracking tags that are attached to objects. In the security world, that generally means authentication.

As with any wireless technology, RFID is susceptible to attack. For example, some RFID tags can be affected by skimming, on-path attacks (formerly known as man-in-the-middle, or MITM, attacks), sniffing, eavesdropping/replaying, spoofing, and jamming (DoS). From an authentication standpoint, attackers are using these attacks to try to find out the passcode. An RFID tag can also be reverse engineered if attackers get possession of it. Finally, power levels can be analyzed to find out passwords. On some RFID tags, correct passcodes emit a different level of power than incorrect passcodes. To prevent these attacks, you (or your security admin team) should consider newer generation RFID devices, encryption, chip coatings, filtering of data, and multifactor authentication methods. Encryption is one of the best methods. Included in this prevention method are rolling codes, which are generated with a pseudorandom number generator (PRNG), and challenge-response authentication (CRA), where the user (or user’s device) must present the valid response to the challenge.
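The challenge-response authentication (CRA) the paragraph above recommends can be shown end to end in a few lines. The following is an added example, not code from the book or from any RFID vendor: it assumes an HMAC-SHA256 keyed response over a random 16-byte challenge, a constructed shared key, and in-memory reader and credential objects. It models both sides of the exchange and then shows why a recorded response is worthless against a later challenge, which is the replay protection the text credits CRA with.

```python
import hashlib
import hmac
import secrets

# Shared secret provisioned into both the reader and the credential.
# Constructed sample value; a real deployment would provision per-credential keys.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


class Reader:
    """Reader side: issues a fresh random challenge per attempt and verifies the answer."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._outstanding = None  # challenge currently awaiting an answer, if any

    def issue_challenge(self) -> bytes:
        # A new 16-byte nonce every time, so a recorded answer is useless later.
        self._outstanding = secrets.token_bytes(16)
        return self._outstanding

    def verify(self, response: bytes) -> bool:
        if self._outstanding is None:
            return False
        expected = hmac.new(self._key, self._outstanding, hashlib.sha256).digest()
        self._outstanding = None  # single use, whether the answer is right or wrong
        # compare_digest does not leak how many bytes matched through timing.
        return hmac.compare_digest(expected, response)


class Credential:
    """Tag side: proves knowledge of the key without ever transmitting it."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


def exchange(reader: Reader, credential: Credential) -> bool:
    """One complete reader <-> credential round trip."""
    challenge = reader.issue_challenge()
    return reader.verify(credential.respond(challenge))


def replay_outcome(reader: Reader, credential: Credential) -> tuple:
    """Returns (genuine_ok, replay_ok): the genuine session succeeds; the same recorded
    answer presented against a later challenge fails because the nonce has changed."""
    challenge = reader.issue_challenge()
    recorded = credential.respond(challenge)
    genuine_ok = reader.verify(recorded)
    reader.issue_challenge()           # later session: a new nonce is in play
    replay_ok = reader.verify(recorded)
    return genuine_ok, replay_ok


if __name__ == "__main__":
    reader = Reader(SHARED_KEY)
    print("genuine:", exchange(reader, Credential(SHARED_KEY)))
    print("wrong key:", exchange(reader, Credential(b"\x00" * 16)))
    print("(genuine, replay):", replay_outcome(reader, Credential(SHARED_KEY)))
```

The design point is that the secret never crosses the air interface; only a one-time answer does. A rolling-code scheme, which the text also mentions, replaces the reader-supplied nonce with a counter both sides advance from a PRNG seed, and is not shown here.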

RFID ranges vary depending on the EM band used—from 10 cm up to 200 meters. Many authentication readers can be as much as 1 meter away, which is enough to facilitate skimming of information by attackers. One way to avoid skimming is to use newer RFID proximity readers and keys—ones that use lower frequencies—from reputable companies. Another way is to utilize the set of protocols called near-field communication. NFC generally requires that communicating devices be within 4 cm of each other, which makes skimming of information difficult. If an employee uses a smartphone to enter a building instead of an RFID device, NFC should be implemented. NFC has obvious benefits for contactless payment systems or any other non-contact-oriented communications between devices. However, for optimal security, you should use contact-oriented readers and cards.

More Wireless Connection Methods and Receivers

Let’s not forget about cellular connections. Many companies don’t allow cellular access, meaning 2G, 3G, 4G, 5G LTE, and so on. These connections are often denied within company premises, and instead the company relies on Wi-Fi methods—for example, Wi-Fi calling. This is common in choose-your-own-device (CYOD) and corporate-owned, personally enabled (COPE) environments. But if cellular is necessary in a bring-your-own-device (BYOD) environment, security can be increased by using newer devices, updating the devices’ operating systems, updating the preferred roaming list (PRL), updating identification technologies (such as IMEI and IMSI), and using a VPN for data connections over cellular. You should use these methods for employees who must be on the road as well. And if there are foreseeable instances where cellular is not available for mobile employees, you should be sure that they understand the risks of open Wi-Fi networks and that they should avoid them as much as possible.

When it comes down to it, the use of a Global Positioning System (GPS) in general should be examined carefully, weighing the benefits against the possible vulnerabilities. This includes GPS derivatives such as GPS tagging, geofencing, and geolocation. Many executives and other employees use their mobile devices at work, which brings up many security concerns besides GPS. Collectively, they are known as BYOD concerns and are described in the following sections.

For the purposes of privacy, it is best to disable GPS whenever possible. Also, you should consider disabling other GPS and geolocation-related technologies. For example, in geotagging, geographical identification information, such as latitude and longitude coordinates, is added to photographs, websites, SMS messages, and more. It is common in social media and can be a great tool, but it can also be an easy way for attackers to zero in on high-profile executives and other employees of an organization. In these cases, you should consider a geofence—a virtual fence defining the boundaries of an actual geographical area. Geofencing is an excellent way to be alerted to users entering and exiting an organization’s physical premises and can provide security for wireless networks by defining the physical borders and allowing or disallowing access based on the physical location of users, or more accurately, the users’ computers or mobile devices!
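Geofencing as described above boils down to a distance check plus a per-device state machine that fires only on transitions. The following is an added example, not code from the book or from any MDM product: it assumes a circular fence (centre plus radius), the haversine formula for distance, position fixes of the form (device, latitude, longitude, reported accuracy), and a constructed accuracy threshold below which fixes are ignored so that a poor fix cannot raise a false enter or exit alert.

```python
import math

EARTH_RADIUS_M = 6_371_000.0
MAX_ACCURACY_M = 50.0   # fixes with a worse reported accuracy are ignored (assumed policy)


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two latitude/longitude points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


class Geofence:
    """Circular fence: a centre point and a radius in metres."""

    def __init__(self, name: str, lat: float, lon: float, radius_m: float) -> None:
        self.name, self.lat, self.lon, self.radius_m = name, lat, lon, radius_m

    def contains(self, lat: float, lon: float) -> bool:
        return haversine_m(self.lat, self.lon, lat, lon) <= self.radius_m


class GeofenceMonitor:
    """Keeps each device's last inside/outside state and reports ENTER/EXIT transitions."""

    def __init__(self, fence: Geofence) -> None:
        self.fence = fence
        self._inside = {}  # device_id -> bool

    def update(self, device_id: str, lat: float, lon: float, accuracy_m: float):
        # A poor fix must not flip state: ignore it rather than raise a false alert.
        if accuracy_m > MAX_ACCURACY_M:
            return None
        now_inside = self.fence.contains(lat, lon)
        was_inside = self._inside.get(device_id)
        self._inside[device_id] = now_inside
        if was_inside is None:
            # First fix for this device: report ENTER if it is already on the premises.
            return "ENTER" if now_inside else None
        if now_inside and not was_inside:
            return "ENTER"
        if was_inside and not now_inside:
            return "EXIT"
        return None


# Constructed sample: a 200 m fence around a head-office location, and a sequence of
# (device, lat, lon, reported accuracy) fixes as an MDM agent might deliver them.
HQ_FENCE = Geofence("HQ campus", 40.7128, -74.0060, 200.0)
SAMPLE_FIXES = [
    ("dev-A", 40.7128, -74.0060, 10.0),   # at the centre -> ENTER
    ("dev-A", 40.7135, -74.0055, 15.0),   # ~90 m away, still inside -> no event
    ("dev-A", 40.7200, -74.0060, 12.0),   # ~800 m north -> EXIT
    ("dev-B", 40.7500, -73.9900, 10.0),   # first fix, far away -> no event
    ("dev-B", 40.7130, -74.0062, 500.0),  # inside, but 500 m accuracy -> ignored
    ("dev-B", 40.7130, -74.0062, 8.0),    # same spot, good fix -> ENTER
]


def run_sample(fixes=SAMPLE_FIXES, fence=HQ_FENCE) -> list:
    """Feed the fixes through the monitor and return the alerts that would be raised."""
    monitor = GeofenceMonitor(fence)
    events = []
    for device_id, lat, lon, accuracy_m in fixes:
        event = monitor.update(device_id, lat, lon, accuracy_m)
        if event:
            events.append((device_id, event))
    return events


if __name__ == "__main__":
    for device_id, event in run_sample():
        print(f"{device_id}: {event} {HQ_FENCE.name}")
```

Only three alerts come out of the six fixes: dev-A entering and then leaving, and dev-B entering on its first trustworthy fix. Alerting on transitions rather than on every fix is what keeps a geofence usable as a security signal rather than a stream of noise.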

Some organizations rely on satellite communications (SATCOM): sometimes for long-distance communications and sometimes for communicating between buildings in a campus in a point-to-point or point-to-multipoint deployment. Either way, it is important to understand that SATCOM devices can be at risk if their firmware is not updated. Exploits could include the installation of malicious firmware and the execution of arbitrary code. Updating may require physical access to the parabolic antenna using a laptop or terminal device. But remember, the easier it is to access these antennas, the more likely they can be hacked by malicious individuals. Of course, in some cases these antennas can be hacked remotely as well. Secure planning is necessary when it comes to physical access, firewalling (if possible), and especially updating.

A wireless connection method that is often overlooked when it comes to security is infrared. It is employed in many technologies that we use every day, including mobile phones. Consequently, it is often not secured properly. Of course, many wireless receivers can be added to a device by simply plugging in a USB adapter. This capability is also often overlooked.

Remember this: wireless technologies are always evolving. But anything is hackable, given time and ingenuity. When it comes to over-the-air (OTA) technology, you should be ever vigilant: know the latest exploits and prepare a worthy defense.

Secure Implementation Best Practices

When it comes to the best practices of secure implementation of communication methods and receivers, they are all similar. Therefore, the same controls can apply in most situations. Some of the biggest security issues with mobile device connection methods and receivers are vulnerabilities in the actual firmware and/or the software that runs on the device to interface with these technologies. These vulnerabilities can be used to interrupt or capture the communications between devices. The way to address this type of concern is to always verify that you are using the latest software version available for the device or radio. When it comes to mobile devices, typically these types of software updates are packaged into a larger update for the device that includes other fixes and features. However, sometimes a vulnerability is so severe that it requires a hotfix or patch to quickly address the vulnerability. Either way, keeping your device up to date is a solid approach to this concern.

There is software on your device that interacts with the hardware radio. That access can be controlled through the operating system permissions. By limiting access to the use of these communication mechanisms, you are essentially reducing the attack surface. Doing so helps mitigate the impact of software vulnerabilities as they come up. Lastly, if you are not using a specific connection method, you can simply turn it off. This again reduces your attack surface. Of course, turning off a connection is not always possible, so it is always a decision you need to make based on the environment you are in. For instance, if you’re at a large security conference such as DEFCON, turning off all unnecessary connection methods is a very good idea. If you are just sitting around your house, however, there is obviously less of a concern that someone might be acting in a malicious way to attack your device. We hope these best practices give you an idea of how to reduce the risk when implementing mobile solutions.

Mobile Device Management

The key to having a successful BYOD implementation is to implement storage segmentation—a clear separation of organizational and personal information, applications, and other content. It must be unmistakable where the data ownership line occurs. For networks with a lot of users, you should consider third-party offerings from companies that make use of mobile device management (MDM) platforms. These centralized software solutions can control, configure, update, and secure remote mobile devices such as Android, iOS, BlackBerry, and so on, all from one administrative console. The MDM software can be run from a server within the organization or administered within the cloud. It makes your job as a mobile IT security administrator at least manageable. From a central location, you can carry out the tasks of application management, content management, and patch management. You can also set up more secure levels of mobile device access control.

Access control is the methodology used to allow access to computer systems. For larger organizations, MDM software makes it easy for you to view inventory control, such as how many devices are active for each of the mobile operating systems used. It also makes it simpler to track assets, such as the devices themselves, and the types of data each contains.

In addition, MDM software makes it less complicated to disable unused features on multiple devices at once, thereby increasing the efficiency of the devices, reducing their footprint, and ultimately making them more secure. For instance, an employee who happens to have both a smartphone and a tablet capable of making cellular calls doesn’t necessarily need the latter. As administrator, you could disable the tablet’s cellular capability, which would increase battery efficiency as well as security for that device.

User acceptance of BYOD is mixed in its reactions. Some employees like the idea of using their own device (which they might not have been allowed to use at work previously) and not having to train on a separate work computer. However, some employees believe that BYOD is just a way to move computing costs from the company to the user, and the level of trust is low. This brings up a variety of legal concerns, such as the right to privacy. Companies that offer BYOD MDM solutions counter this perception by drawing a clear line in the sand, defining exactly what employers can see (for example, corporate email) and what they can’t see (such as personal texts). In general, these companies try to protect the privacy of individuals. Many organizations write clear privacy policies that define, if necessary, selective wipes of secure corporate data while protecting personal data.

Part of the debate over BYOD includes some additional concerns; for example, additional legal concerns exist about employee misconduct and fraud. Anything found that could possibly implicate an employee in wrongdoing would have to be found in the organizational portion of the data. From a forensics point of view, however, and because the device can’t be split in two, if any potential wrongdoing is investigated, the device would need to be confiscated for analysis.

Most employees (of all age groups) are also concerned with how on-board devices (such as on-board cameras) can be used against them with or without their knowledge. Companies that offer BYOD solutions tend to refer to the camera (and photos/video taken) as part of the personal area of the device. However, those same companies include GPS location as something they can see, but this can be linked to a corporate login, with GPS tracking users only when they are logged in. Onboarding and offboarding in general are other concerns. Essentially, onboarding means that you, as security administrator, take control of the device temporarily to configure it, update it, and perhaps monitor it, and offboarding means that you relinquish control of the device when finished with it. This control brings up some questions for employees: When does it happen? How long does it last? How will my device be affected? Are there any architectural/infrastructural concerns? For example, will the BYOD solution change the core files of my device? Will an update done by a person when at home render the device inactive the next day at work? That’s just the tip of the iceberg when it comes to questions and concerns about BYOD. The best course of action is for an organization to set firm policies about all of these topics.

Policies that need to be instituted include an acceptable use policy, data ownership policy, and support ownership policy. In essence, these policies define what users are allowed to do with the device (during work hours), who owns what data and how that data is separated, and under what scenarios the organization takes care of technical support for the device as opposed to the users.

To help secure the mobile devices in a BYOD enterprise environment, some third-party providers offer an embedded certificate authority for managing devices and user identity, sophisticated posture monitoring and automated policy workflow so that noncompliant devices do not get enterprise access, and certificate-based security to secure email and reduce the chance of data loss.

Unfortunately, smartphones and tablets (and other mobile devices) can be the victims of attack as well. Attackers might choose to abuse your service or use devices as part of a larger-scale attack and possibly to gain access to account information. Though mobile devices can be considered computers, there are some other factors to consider specifically for mobile devices.

Users of mobile devices should be careful about giving their phone number to others and should avoid listing their phone number on any websites, especially when purchasing products. You should train your users not to follow any links sent by email or by text messages if they are unsolicited. (If there is any doubt in a user’s mind, then it is best to ignore the communication.) Explain the issues with much of the downloadable software, such as games and ringtones, to your users. Also, use a locking code/password/gesture that’s hard to guess; this locks the mobile device after a specific amount of time has elapsed. In addition, use complex passwords when necessary—for example, if required by company policy.

In general, mobile operating system software must be updated just like desktop computer software. Keeping these devices up to date reduces the chance that they will be affected by viruses and other malware. You can encrypt data in several ways; some organizations even have policies that specify how data will be encrypted. More good general tips are available at the following National Cyber Awareness System (NCAS) and U.S. Computer Emergency Readiness Team (US-CERT) website links:

www.us-cert.gov/ncas

https://us-cert.cisa.gov/ncas/tips (Go to the Mobile Devices section.)

MDM Security Feature Concerns: Application and Content Management

Let’s speak more about the applications’ security on mobile devices. We’ve already mentioned that applications should (usually) be updated to the latest version and discussed the importance of proper user interaction, but let’s delve a bit deeper and talk about ways to encrypt data that is transferred through applications.

Encryption is one of the best ways to ensure that data is secured and that applications work properly without interference from potential attackers. In particular, you should consider whole device encryption, which encrypts the internal memory and any removable (SD) cards. Sometimes you might forget about one or the other. Then there is data in transit—data that is on the move between a client and a server. Most applications for mobile devices communicate with a server of some sort; for example, when a person uses a web browser, an email client, a contacts database, or actual “apps” that work independently of a browser but operate in a similar manner, meaning that they ultimately connect to a server. Weather apps, games, social media apps, and so on all fall into this category.

Let’s consider the web browser, for instance. A mobile device connects to websites in a similar manner to a desktop computer. Basic websites use a Hypertext Transfer Protocol (HTTP) connection. But websites that require any type of personally identifiable information (PII) use HTTP Secure (HTTPS). This can then utilize one of several types of encryption, such as Transport Layer Security (TLS).

Whatever the security protocol, the important point here is that the server you are connected to makes use of a database that stores encryption keys. The key (or a portion thereof) is sent to the client device and is agreed upon (handshaking occurs) so that the transfer of data, especially private information, is encrypted and protected. Often, HTTPS pages are used to aid in the process of authentication—the confirmation of a person’s (or computer’s) identity, typically with the help of a username/password combination. Examples include when you log in to your account with a bank or with a shopping portal.

One of the important roles for the server is key management—the creation, storage, usage, and retirement of encryption keys. Proper key management (and the regular updating of keys) is your primary concern as security administrator. Generally, an organization purchases a master key algorithm from a third-party company such as VeriSign. That company informs the organization if a key has become compromised and needs to be revoked. These third parties might also take part in credential management (the managing of usernames, passwords, PINs, and other passcodes, usually stored within a secure database) to make things a bit easier for you. Whether this is the case depends on the size of the organization and its budget. Key management gets quite in depth, as you can imagine. For now, realize that a mobile device is an easy target. Therefore, applications (especially third-party apps) should be scrutinized to make sure they are using a solid encryption plan when personal information is transferred back and forth.

Authentication to servers and other networks (and all their applications) can get even more complicated when the concept of transitive trust is implemented. Effectively, a transitive trust occurs when two networks (or more) have a relationship such that users logging in to one network get access to data on the other. In days gone by, these types of trusts were created automatically between different sections of networks; however, it was quickly realized that this type of transitivity was insecure, allowing users (and potential attackers) access to other networks that they shouldn’t have had access to in the first place. There’s a larger looming threat here as well. The transitive trust is based on the transitive property in mathematics, which states that if A is equal to B, and B is equal to C, then A is automatically equal to C. Put into computer terms: If the New York network trusts the California network, and the California network trusts the Hong Kong network, then the New York network automatically trusts the Hong Kong network. You can imagine the security concerns here, as well as the domino effect that could occur. So, organizations usually prefer the nontransitive trust, where users need to be authenticated to each network separately, and therefore are limited to the applications (and data) they have access to on a per-network basis.
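The domino effect described above is just a reachability question over the trust relationships, and it is worth computing rather than imagining. The following is an added example, not from the book: it takes the text's New York, California, and Hong Kong chain, extends it one more hop with a constructed Singapore network, and computes which networks' users end up with access under nontransitive versus transitive semantics. The trust table is constructed; "A trusts B" here means A admits users who authenticated to B.

```python
from collections import deque

# Constructed sample mirroring the text: each key lists the networks it directly trusts,
# i.e. whose authenticated users it admits to its own data.
DIRECT_TRUSTS = {
    "NewYork": {"California"},
    "California": {"HongKong"},
    "HongKong": {"Singapore"},
    "Singapore": set(),
}


def admitted_networks(trusts: dict, target: str, transitive: bool) -> set:
    """Networks whose users gain access to `target`'s data under the given semantics.

    Nontransitive: only the networks `target` trusts directly.
    Transitive: trust chains, so anyone trusted by a trusted network is admitted too
    (breadth-first walk; `seen` also guards against trust cycles).
    """
    direct = set(trusts.get(target, ()))
    if not transitive:
        return direct
    seen = set(direct)
    queue = deque(direct)
    while queue:
        network = queue.popleft()
        for downstream in trusts.get(network, ()):
            if downstream not in seen and downstream != target:
                seen.add(downstream)
                queue.append(downstream)
    return seen


def transitive_exposure(trusts: dict, target: str) -> set:
    """The extra networks admitted only because trust is allowed to chain."""
    return admitted_networks(trusts, target, True) - admitted_networks(trusts, target, False)


if __name__ == "__main__":
    for mode in (False, True):
        label = "transitive" if mode else "nontransitive"
        print(f"{label}: {sorted(admitted_networks(DIRECT_TRUSTS, 'NewYork', mode))}")
    print("added by transitivity:", sorted(transitive_exposure(DIRECT_TRUSTS, "NewYork")))
```

With the chain in place, New York deliberately admits one network but transitively admits three. The `transitive_exposure` difference is the set an administrator never explicitly approved, which is why the text recommends nontransitive trusts with separate authentication per network.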

To further restrict users and increase application security, allow lists (application whitelisting) are often used. This means that you, as administrator, create a list of approved applications and that users can work with only those applications, and no others. This is often done within a computer policy and can be made more manageable by utilizing a mobile device management system (which we describe elsewhere in this chapter). Users often need access to several apps: phone, email, contacts, and web browser. These applications would make up the allow list, and if a user tried to use other apps, that user would be denied, or at the very least, would be prompted for additional user credentials. If a user needed access to another app, such as the camera, you would weigh the security concerns (GPS, links to social media, and so on) and decide whether to add the app to the whitelist. Whitelisting can also be helpful when dealing with apps that utilize OAuth—a common mechanism used by social media companies to permit users to share account information with third-party applications and websites. Contrast the concept of using allow lists with block lists/deny lists—the denial of individual applications—a common method used when working with email, and by antivirus and hardware-based intrusion detection systems (HIDS) programs.
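The allow-list, step-up, and deny-list behaviours described above can be written as one small policy evaluator. The following is an added example, not code from the book or from any MDM platform: it assumes apps are identified by a bundle/package identifier plus the fingerprint of their signing certificate (all constructed values), that the allow list pins both, and that a `mode` switch selects allow-list enforcement (default deny) or deny-list enforcement (default allow) so the two approaches can be compared on the same inventory. Pinning the signer goes one step beyond the text: it is what stops a look-alike app that reuses a trusted name from being approved.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP = "step-up"   # permitted only after additional credentials


@dataclass(frozen=True)
class InstalledApp:
    app_id: str   # bundle / package identifier reported by the device
    signer: str   # fingerprint of the signing certificate (constructed values below)


# Constructed policy. The allow list pins the expected signer as well as the identifier,
# so an app that reuses a trusted name but carries a different signature is rejected.
ALLOW_LIST = {
    "com.example.phone":    "sha256:1111",
    "com.example.mail":     "sha256:2222",
    "com.example.contacts": "sha256:3333",
    "com.example.browser":  "sha256:4444",
    "com.example.camera":   "sha256:5555",
}
STEP_UP_APPS = {"com.example.camera"}        # allowed, but only with extra credentials
DENY_LIST = {"com.example.free-vpn-proxy"}   # explicitly blocked everywhere


def evaluate(app: InstalledApp, mode: str) -> Decision:
    """mode='allow' enforces the allow list (default deny);
    mode='deny' enforces only the deny list (default allow)."""
    if mode not in ("allow", "deny"):
        raise ValueError(f"unknown mode {mode!r}")
    if app.app_id in DENY_LIST:
        return Decision.DENY
    if mode == "deny":
        return Decision.ALLOW            # anything not explicitly blocked runs
    expected_signer = ALLOW_LIST.get(app.app_id)
    if expected_signer is None or expected_signer != app.signer:
        return Decision.DENY             # unknown app, or known name with the wrong signer
    if app.app_id in STEP_UP_APPS:
        return Decision.STEP_UP
    return Decision.ALLOW


# Constructed sample inventory as an MDM agent might report it.
SAMPLE_APPS = [
    InstalledApp("com.example.phone", "sha256:1111"),
    InstalledApp("com.example.camera", "sha256:5555"),
    InstalledApp("com.example.phone", "sha256:9999"),        # trusted name, wrong signer
    InstalledApp("com.example.flashlight", "sha256:7777"),   # not on any list
    InstalledApp("com.example.free-vpn-proxy", "sha256:8888"),
]


def evaluate_all(apps=SAMPLE_APPS, mode: str = "allow") -> dict:
    """Map each (app id, signer) pair to its decision value under the chosen mode."""
    return {(a.app_id, a.signer): evaluate(a, mode).value for a in apps}


if __name__ == "__main__":
    for mode in ("allow", "deny"):
        print(f"--- {mode}-list mode ---")
        for (app_id, signer), decision in evaluate_all(SAMPLE_APPS, mode).items():
            print(f"{app_id:32} {signer:12} -> {decision}")
```

Run both modes and the contrast the text draws is visible in the output: under the allow list, the unknown flashlight app and the mis-signed "phone" app are both denied, while under the deny list both run because nobody thought to block them. That is the general argument for allow lists on managed devices.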

MDM Security Feature Concerns: Remote Wipe, Geofencing, Geolocation, Screen Locks, Passwords and PINs, Full Device Encryption

More than 100 mobile devices end up missing (often stolen) every minute. Yes—every minute! You can imagine the variety of reasons why these thefts occur. The worst attack that can be perpetrated on a smartphone or tablet is theft. The theft of a mobile device means the possible loss of important data and personal information. There are a few ways to protect against this loss of data and to recover from the theft of a mobile device if it does happen.

First, mobile devices in an organization should utilize data encryption. The stronger the encryption, the more difficult it is for a thief to decode and use the data on the device. If at all possible, you should use full device encryption. Most modern mobile device operating systems such as Apple iOS and Android have this capability built in. So there really is no reason not to have it enabled on devices. The actual conversations on phones can also be encrypted. Voice encryption can protect the confidentiality of spoken conversations and can be implemented with a special microSD chip (preferably) or with software.

Mobile devices should also be set up for GPS tracking so that they can be tracked if they are lost or stolen. The quicker a device can be located, the less risk of data loss, especially if it is encrypted. However, GPS tracking can also be a security vulnerability for the device and possibly the user if an attacker knows how to track the phone.

The beauty of mobile devices is their inherent portability, along with the ability to track SIM cards. If you are an administrator for mobile devices, you should consider remote lockout programs. If a device is lost or stolen, you can lock the device, denying a would-be attacker access. In addition, the device can be configured to use the “three strikes and you’re out” rule, meaning that if a user tries to authenticate to the device and is unsuccessful after three attempts, that user is locked out.

Of course, we all know that password authentication is not the strongest authentication method. Utilizing multifactor authentication is a way to enhance the strength of your authentication security—for instance, utilizing biometrics as one of the authentication factors alongside password/PIN authentication. Most modern mobile devices and even tablets have some sort of biometrics capability, such as fingerprint or face recognition. Taking it to the next level, if the data is extremely sensitive, you might want to consider a remote wipe program. If the mobile device is reported as lost or stolen, these programs can remove all data from the phone in a bit-by-bit process, making it difficult (if not impossible) to recover. This process is known as sanitizing the phone remotely. Of course, a solid backup strategy should be in place before a data sanitizing or remote wipe solution is implemented.

Screen locks, complex passwords, and taking care when connecting to wireless networks are also important. Though a screen lock won’t deter knowledgeable attackers, it will usually deter the average person who, for example, finds a stray phone sitting in a coffee shop, mall, or other public location. User training should be implemented when users first receive their devices. Though many organizations don’t take the time for training, it is a great way to show users how to secure their device, while checking whether their encryption, GPS tracking, and other features are working properly. They can also be trained on how to inform your organization and local law enforcement in the case that a device is lost or stolen, effectively reducing the risk of data loss by allowing you to find the device faster or mitigate the problem in other ways.

Another important function of an MDM solution is providing context-aware authentication by limiting or preventing access to organization resources based on the device profile and security posture (for example, a device that is rooted should not be able to access certain resources).

Note

In the case of theft, the two best ways to protect against the loss of confidential or sensitive information are encryption and a remote wipe program.

Table 21-2 summarizes some of the mobile security concerns that are addressed with implementing mobile device management. With a mixture of user adherence to corporate policies, the workplace respecting the user’s right to privacy, and a strong security plan, BYOD can be a success.

Table 21-2 Mobile Device Security Concerns and Countermeasures

Mobile Device Security Topic: Countermeasures

Malware:

  • Update device to latest version (or point release for the current version).

  • Use security suites and AV software. Enable them if preloaded on the device and update regularly.

  • Train users to carefully screen email and selectively access websites.

  • Be careful of social networks and third-party apps.

Botnets and DDoS:

  • Download apps from a legitimate source. If BYOD is in place, use company-approved apps.

  • Refrain from rooting or jailbreaking the device.

  • Have data backed up in case the device becomes part of a botnet and has to be wiped.

SIM cloning:

  • Use V2 and newer cards with strong encryption algorithms.

Wireless attacks:

  • Use a strong password for the wireless network.

  • Turn off unnecessary wireless features such as mobile hotspots and tethering.

  • Disable Bluetooth if not in use for long periods of time (also to conserve the battery).

  • Set the device to undiscoverable.

Theft:

  • Utilize data and voice encryption (especially in BYOD implementations).

  • Implement lockout, remote locator, and remote wipe programs.

  • Limit the amount of confidential information stored on the device.

  • Use screen locks and complex passwords.

Application security:

  • Use encryption from reputable providers.

  • Use antimalware endpoint protection platforms.

  • Utilize nontransitive trusts between networks and apps.

  • Allow list (whitelist) applications.

  • Disable geotagging.

BYOD concerns:

  • Implement storage segmentation.

  • Utilize an MDM solution.

  • Create and implement clear policies that the organization and users must adhere to.

  • Consider CYOD or COPE as opposed to the traditional BYOD method.

Mobile Device Management Enforcement and Monitoring

Mobile device management controls the deployment, operations, and monitoring of mobile devices used to access organization resources. MDM is used to enforce an organization’s security policy on mobile devices. Let’s look at some of the features and controls that are part of a typical MDM solution and why they are implemented:

  • Disabling user access to third-party application stores. It is very important to control the access to application stores that are not approved by your company policy. Different application stores perform different levels of application security validation before they allow the application to be available on their store. Some of them do not perform any security validation. Therefore, the applications that are posted on these stores have a higher risk of containing malicious software.

  • Restricting user or application access to mobile device hardware, such as digital cameras, network interfaces, GPS, and services or native applications such as the built-in web browser or email client.

  • Rooting/jailbreaking/sideloading. Insecure user configurations such as rooting and jailbreaking can be blocked from MDM, as can sideloading—the art of loading third-party apps from a location outside the official application store for that device. Note that sideloading can occur in several ways:

    • By direct Internet connection (usually disabled by default)

    • By connecting to a second mobile device via USB OTG (USB On-The-Go) or Bluetooth

    • By copying apps directly from a microSD card or via tethering to a PC or Mac

    Application control becomes easier as well. Applications can be installed, uninstalled, updated, and secured from that central location. Even devices’ removable storage (often USB-based) can be manipulated—as long as the removable storage is currently connected to these devices.

  • Monitoring, alerting, and reporting on policy violation (for example, if a user is trying to root the mobile device). It is important to keep an eye on policy violations that might occur on a mobile device because they could lead to a compromise of the device and/or sensitive data.

  • Encrypting data communication between the device and the organization as well as full device encryption of data stored on the device or in removable storage. Mobile devices often connect to nontrusted networks. This means that anyone on that network can view the data traversing the network. That is why encryption of the data communication from the device to the organization is essential. Encryption is typically set using a VPN. There are also new hybrid-like approaches such as Secure Access Service Edge (SASE) solutions. Also, because of the “mobile” aspect of these devices, there is more of a concern that such devices might be lost or stolen. If they are lost or stolen, the risk of data leakage is greatly reduced if these devices have full encryption implemented. Gleaning data from a device with full encryption and strong authentication will be very difficult.

  • Providing the ability to remotely wipe the device in case the device is lost or stolen and in case of device reuse. Devices are lost or stolen every day. Most of us have had this happen to us at some point. If a device containing corporate data is lost, the organization must have the capability to remotely wipe the device to prevent access to that data.

  • Enforcing strong password and PIN code authentication for accessing the device and/or organization resources. This includes password strength policies, clipping level, and so on. Enforcing authentication is usually one of the first things that is required on a device when it first connects to a corporate network and registers with the MDM. Without it, a lost device would be open to anyone who acquired it and so would the data stored on it.

  • Remotely locking the device and screen and remotely resetting the password. Devices are lost or stolen every day. Most of us have had this happen to us at some point. If a device containing sensitive data is lost, the organization must have the capability to remotely lock the device to prevent access to that data.

  • Enabling the enforcement of data loss prevention (DLP) on mobile devices. Mobile devices on a corporate network have the same capabilities as laptops. This means that corporate data can be easily moved to and from mobile devices. This is why it is critical to implement a policy that will enforce controls for data loss prevention.

  • Performing application management by restricting the types of applications that can be installed; for example, via allow listing (whitelisting) or block list/deny listing (blacklisting) and which resources the applications can use. Due to the large threat that untrusted applications could pose to the organization, application management is usually handled within a mobile application management (MAM) framework.

  • Disabling the ability for users to install custom firmware, and detecting custom firmware that is already present. A jailbreak and/or root access is normally necessary to install custom firmware on a device. For this reason, it is important to validate that the device has not been tampered with in this way before allowing it on the network. With Android devices, you can also disable ADB access, for example.

  • Disabling mobile device camera use. This is necessary in some highly secure environments such as government buildings. For this reason, it is important for an MDM solution to have the capability to disable camera use. There are, of course, other reasons to disable the use of a camera. This is only one sample use case.

  • Pushing firmware over-the-air (OTA) updates to managed devices. Keeping a device updated is critical in maintaining the secure posture of any device. Mobile devices typically require additional control over which updates are installed and when they are installed. For instance, if a critical vulnerability that affects a specific mobile device is released, the rollout of the fixed software needs to happen very quickly. Remember, these devices are typically connected directly to the Internet all the time, so they are at a higher risk for exploitation.

  • Enabling/disabling Short Message Service (SMS)/Multimedia Messaging Service (MMS)/Rich Communication Services (RCS). Of course, SMS and MMS are typically used in text messaging applications. Sometimes organizations need to disable the use of these applications permanently or temporarily to reduce the risk of data leakage as well as threats from SMS-type phishing attacks, which are sometimes called smishing attacks.

  • Disabling the use of external media. The capability to disable use of external media can be useful for protecting users against possible malware that is spread via external media. It can also be used as a mitigation for data loss.

  • Disabling USB On-The-Go (USB OTG), which is used for attaching external devices to your mobile device via the USB connection. These can be USB flash drives, adapters, keyboards, mice, and so on. Anything you physically connect to the USB port on a mobile device can possibly be malicious. For this reason, it is recommended that you disable this capability using an MDM solution.

  • Deactivating the recording microphone. This feature of MDM is primarily useful when in highly secure environments.

  • Controlling carrier unlocking and SIM cloning. SIM cloning (also known as phone cloning) allows two phones to utilize the same service and allows attackers to gain access to all phone data. V1 SIM cards had a weak algorithm that made SIM cloning possible (with some expertise). However, V2 cards and higher are much more difficult (if not impossible) to clone due to a stronger algorithm on the chip. Users and administrators should be aware of the version of SIM card being used and update it (or the entire smartphone) if necessary. There are techniques available to unlock a smartphone from its carrier. Users should be advised against this, and you should create and implement policies that make unlocking the SIM card difficult, if not impossible. Unlocking the phone—making it SIM-free—effectively takes it off the grid and makes it difficult to track and manage. When the SIM is wiped, the international mobile subscriber identity (IMSI) is lost, and afterward the user cannot be recognized. However, you can attempt to block list/deny list (blacklist) the smartphone through its provider using the international mobile equipment identity (IMEI), electronic serial number (ESN), or mobile equipment identifier (MEID). The ID used varies depending on the type and age of smartphone. Regardless, as a security administrator, you should avoid relying on that tactic altogether because by then the damage has already been done; so, protection of the SIM becomes vital.

  • Disabling GPS tagging. Most mobile devices contain a GPS. This feature is obviously useful for many reasons, such as use of maps and location services. However, it can also create a risk that users are leaking their location in files such as pictures taken on the device. When these pictures are posted on the Internet, the metadata would still have this GPS location information. For this reason, it is necessary for MDM to have the capability to disable the GPS hardware on the device.

  • Enabling/disabling Wi-Fi direct/ad hoc network access. Wi-Fi direct is a method for devices to communicate directly with each other without the use of an access point. Wi-Fi ad hoc is a network of mobile devices that communicate directly with each other without any network infrastructure. Either can be a bad thing if implemented incorrectly. For instance, if a mobile device is configured to automatically join ad hoc networks, it might just be allowing communication from an untrusted device. These types of communication should be disabled on a corporate managed device to reduce the risk of compromise from untrusted devices.

  • Enabling/disabling payment methods such as Apple Pay or Google Pay, which can be a requirement for some policies. If a device is corporate owned and used only for work purposes, you would want to have a way to control these methods.

  • Enabling/disabling tethering, a method for allowing another device, such as a laptop, to connect to the Internet through your phone. In general, tethering is accomplished via USB cable. It can be useful for people who are on the road and need to access the Internet from another device. However, it can also allow data transfer between a connected device and the mobile device. This capability opens up the device to yet another attack surface. Consequently, it is important that an MDM solution have the capacity to enable or disable the tethering capability of the mobile device.

  • Enabling/disabling a hotspot, which allows access to the Internet through the mobile device. This feature is similar to tethering. However, with a hotspot, instead of using a physical connection like USB, the other device connects wirelessly. Typically, this is done via Wi-Fi but can also be done using Bluetooth connectivity. When you enable this feature, you are essentially turning your mobile device into a Wi-Fi access point. If not properly secured, this hotspot can be used by anyone within range. This capability, of course, opens up an attack surface, but it also runs the risk of high data usage. For this reason, many organizations disable the hotspot feature using an MDM solution.

Mobile device management capabilities could be offered by the mobile vendor or provided by a third-party management tool that offers multivendor support. The second option is currently the most used due to the increased adoption of BYOD and heterogeneous types of devices used within an organization.

One of the characteristics of an MDM solution is the use of over-the-air device management. OTA historically refers to the deployment and configuration performed via a messaging service, such as Short Message Service (SMS), Multimedia Messaging Service (MMS), Rich Communication Services (RCS), or Wireless Application Protocol (WAP). Nowadays it’s used to indicate remote configuration and deployment of mobile devices, including the following benefits/needs:

  • Higher level of control

  • Intellectual property retention

  • Regulatory compliance (for example, if it is not possible to store data in the cloud)

Mobile Devices

A mobile application management (MAM) framework can be used to address the types of applications that can be installed (for example, by using allow lists or block/deny lists and which resources the applications can use). Due to the large threat that untrusted applications may pose to an organization, application management is usually handled within the MAM framework.

The messaging app is a particularly devious gateway for attackers. SMS, MMS, and RCS are vulnerable to malware, and unwary users of mobile devices are especially susceptible to Trojans and phishing via SMS texts. One way to prevent these types of attacks is to install mobile antimalware in the form of one mobile security suite or another. This endpoint protection platform needs to be updated and is best controlled from an MDM solution. Another way is to block messaging apps altogether or to use company-approved messaging apps. This option depends on what type of mobile environment you allow. It works for some mobile environments where the IT department has more control over devices, but probably not for BYOD.

If your organization uses a mobile payment method, it is important to understand that the applications that control these payment methods and the devices they run on can have several vulnerabilities. They include weak passwords (for the mobile device and for the payment app), user error, and phishing. Not only that, the technology itself is inherently insecure given the mobility of the devices. Users should be educated about not using their mobile devices for payment while making a public Wi-Fi connection. They should also be taught how to properly and discreetly use payment apps. And, of course, they should be instructed on how to avoid loss or theft of mobile devices and what to do if loss or theft occurs. As the security administrator, you should consider using an external reader for payment transactions on mobile devices and teaching users to keep the reader separate from mobile devices when not in use.

Geotagging (also written as geo-tagging) is another application concern. Photos, videos, websites, messages, and much more can be geotagged. Geotagging is the adding of data to the content in question, helping users to gather location-specific information. For example, if a user wanted to take a picture of a favorite store at the mall and help friends find it, that user could geotag the picture. However, doing so requires that the smartphone (or other mobile device) have GPS installed and running. This then means that the user’s smartphone can be physically located and tracked. Depending on the applications running, being tracked could pose a security threat. In a corporate environment, the security administrator often chooses to disable geotagging features.

There are several privacy implications when it comes to geotagging. One of the most dangerous is the fact that many users don’t even know that they are geotagging their media when they do so; some of the applications are that transparent. For people in the company such as executives (who might carry a wealth of confidential information), this is the type of feature that should be disabled. If a potential attacker can track an executive, then the attacker can find out where the executive lives, determine when the executive is in the office, and determine the location of clients, all of which can help the attacker commit corporate espionage. When it comes down to it, the use of GPS in general should be examined carefully, weighing the benefits against the possible vulnerabilities. This includes GPS derivatives such as GPS tagging, geofencing, and geolocation.
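The leak described above lives in the photo's EXIF metadata, so it can be checked for and removed before a picture leaves the device or the organization. The following is an added example, not code from the book: using only the Python standard library, it walks a JPEG's marker segments, reads the GPS sub-IFD (the GPSInfo pointer, tag 0x8825, and the latitude/longitude tags) and strips the Exif APP1 segment. The sample JPEG is a constructed skeleton with a GPS tag and no image data.

```python
"""Detect and strip GPS geotags (EXIF GPSInfo) from a JPEG using only the standard library."""
import struct

# EXIF/TIFF tag numbers used below (from the EXIF specification).
TAG_GPS_IFD = 0x8825                      # pointer from IFD0 to the GPS sub-IFD
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x0001, 0x0002, 0x0003, 0x0004


def build_sample_jpeg(lat_dms=(37, 46, 30), lon_dms=(122, 25, 6)) -> bytes:
    """Constructed test input: SOI + Exif APP1 carrying a GPS IFD + EOI, no image data."""
    ifd0_off = 8                                   # IFD0 follows the 8-byte TIFF header
    gps_off = ifd0_off + 2 + 12 + 4                # IFD0 holds one entry (GPSInfo pointer)
    data_off = gps_off + 2 + 4 * 12 + 4            # GPS IFD holds four entries

    def rationals(dms):                            # RATIONAL = uint32 numerator/denominator pairs
        return b"".join(struct.pack("<II", v, 1) for v in dms)

    gps_ifd = (struct.pack("<H", 4)
               + struct.pack("<HHI4s", TAG_LAT_REF, 2, 2, b"N\0\0\0")   # ASCII "N", stored inline
               + struct.pack("<HHII", TAG_LAT, 5, 3, data_off)          # three RATIONALs at data_off
               + struct.pack("<HHI4s", TAG_LON_REF, 2, 2, b"W\0\0\0")
               + struct.pack("<HHII", TAG_LON, 5, 3, data_off + 24)
               + struct.pack("<I", 0))                                  # no further IFD
    tiff = (b"II" + struct.pack("<HI", 42, ifd0_off)                    # little-endian TIFF header
            + struct.pack("<H", 1) + struct.pack("<HHII", TAG_GPS_IFD, 4, 1, gps_off)
            + struct.pack("<I", 0) + gps_ifd + rationals(lat_dms) + rationals(lon_dms))
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def segments(jpeg: bytes):
    """Yield (marker, start, end) per JPEG segment; SOS/EOI take the rest of the file."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):                 # SOS (entropy-coded data follows) or EOI
            yield marker, pos, len(jpeg)
            return
        if pos + 4 > len(jpeg):                    # truncated length field
            break
        length = struct.unpack_from(">H", jpeg, pos + 2)[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _exif_tiff(jpeg, marker, start, end):
    """Return the TIFF payload if this segment is an Exif APP1, else None."""
    if marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\0\0":
        return jpeg[start + 10:end]
    return None


def read_gps_ifd(tiff: bytes):
    """Parse the Exif TIFF structure; return {tag: value} for the GPS IFD, or None if absent."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None:
        return None
    u16 = lambda off: struct.unpack_from(order + "H", tiff, off)[0]
    u32 = lambda off: struct.unpack_from(order + "I", tiff, off)[0]

    def entries(ifd_off):                          # (tag, type, count, position of value/offset)
        for i in range(u16(ifd_off)):
            e = ifd_off + 2 + 12 * i
            yield u16(e), u16(e + 2), u32(e + 4), e + 8

    gps_off = next((u32(v) for tag, _, _, v in entries(u32(4)) if tag == TAG_GPS_IFD), None)
    if gps_off is None:
        return None
    gps = {}
    for tag, typ, count, vpos in entries(gps_off):
        if typ == 2:                               # ASCII: inline when it fits in 4 bytes
            src = vpos if count <= 4 else u32(vpos)
            gps[tag] = tiff[src:src + count].rstrip(b"\0").decode("ascii", "replace")
        elif typ == 5:                             # RATIONAL: count (num, den) uint32 pairs at offset
            off = u32(vpos)
            gps[tag] = [u32(off + 8 * i) / (u32(off + 8 * i + 4) or 1) for i in range(count)]
    return gps


def to_decimal(dms, ref, negative_ref):
    """Degrees/minutes/seconds plus hemisphere reference to signed decimal degrees."""
    d, m, s = (list(dms) + [0, 0, 0])[:3]
    value = d + m / 60 + s / 3600
    return -value if ref == negative_ref else value


def find_geotag(jpeg: bytes):
    """Return (latitude, longitude) in decimal degrees if the JPEG is geotagged, else None."""
    for marker, start, end in segments(jpeg):
        tiff = _exif_tiff(jpeg, marker, start, end)
        gps = read_gps_ifd(tiff) if tiff is not None else None
        if gps and TAG_LAT in gps and TAG_LON in gps:
            return (to_decimal(gps[TAG_LAT], gps.get(TAG_LAT_REF, "N"), "S"),
                    to_decimal(gps[TAG_LON], gps.get(TAG_LON_REF, "E"), "W"))
    return None


def strip_exif(jpeg: bytes) -> bytes:
    """Return a copy with every Exif APP1 segment removed; image data is left untouched."""
    out = bytearray(jpeg[:2])
    for marker, start, end in segments(jpeg):
        if _exif_tiff(jpeg, marker, start, end) is None:
            out += jpeg[start:end]
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("geotag before strip:", find_geotag(sample))
    print("geotag after strip: ", find_geotag(strip_exif(sample)))
```

Stripping the whole APP1 segment also removes camera make, model and timestamps, which is normally what a DLP or MDM policy wants before media is shared outside the organization.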

To be a good security administrator, you must be proactive. Preventing the threats discussed in this chapter requires updating systems and applications, and possibly redesigning networks and systems from the ground up. It also means using firewalls, host-based intrusion detection systems (HIDSs), and data loss prevention (DLP) systems. It requires in-depth configuration of applications, filtering, and secure policies. And, of course, this all signifies a need for user training.

Software is not the only place to increase security. Hardware can be physically protected, and firmware such as the BIOS should be secured as well. As mentioned, the most important thing to a company (technologically speaking) is its data. So, securing all types of storage devices, especially removable storage, is paramount. This can be done in a physical manner and in a logical manner by utilizing MicroSD hardware security modules (HSMs) and encryption, respectively.

Hardware security modules are physical devices that act as secure cryptoprocessors. This means that they are used for encryption during secure login/authentication processes, during digital signings of data, and for payment security systems. The beauty of a hardware-based encryption device such as an HSM (or a TPM) is that it is faster than software encryption.

HSMs can be found in various adapter card forms such as MicroSD HSM, as well as devices that plug into a computer via USB, and as network-attached devices. They are generally tamper-resistant, giving a high level of physical security. They can also be used in high-availability clustered environments because they work independently of other computer systems and are used solely to calculate the data required for encryption keys. However, many of these devices require some kind of management software to be installed on the computer they are connected to. Some manufacturers offer this software as part of the purchase, but others do not, forcing the purchaser to build the management software themselves. Due to this lack of management software and the cost involved in general, HSMs have seen slower deployment with some organizations. This concept also holds true for hardware-based drive encryption solutions.

Often, HSMs are involved in the generation, storage, and archiving of encrypted key pairs such as the ones used in Secure Sockets Layer (SSL) sessions online, public key cryptography, and public key infrastructures (PKIs).

MDM/Unified Endpoint Management

As we discussed earlier in this chapter, MDM enables you to manage end-user mobile devices by controlling the deployment, operations, and monitoring of mobile devices used to access organization resources. It is used to enforce an organization’s security policy on mobile devices. Unified endpoint management (UEM) includes this as well as the capabilities of a mobile application management (MAM) system, mobile content management (MCM), mobile threat management (MTM), containerization, as well as identity and access management (IAM) capabilities.

SEAndroid

Security-Enhanced Linux (SELinux) is a security enhancement for Linux based on mandatory access control (MAC). SEAndroid is a modification of SELinux made by Google to enable the use of SELinux on the Android platform. SEAndroid provides much more robust security for the Android mobile platform by working in a deny-by-default, least-privilege manner. This approach is, of course, great for security, but it also makes things more difficult for application developers. This is why in many cases there is an option to enable or disable SEAndroid. It is implemented in different ways by each mobile device manufacturer. For instance, on a Samsung Android device, SEAndroid utilizes a policy file to control which users and/or apps can access specific files and resources on the device. This, of course, is not something that end users should be responsible for maintaining; otherwise, they would likely end up with nonfunctioning devices. SEAndroid can operate in three different modes:

  • Disabled mode means that SEAndroid is completely disabled on the device.

  • Permissive mode runs in a manner such that the policies are in place and monitoring, but not enforcing or blocking anything.

  • Enforcing mode means that SEAndroid is, in fact, blocking access to files and resources based on the policies applied.

Deployment Models

Around 2011, organizations began to allow employees to bring their own mobile devices into work and connect them to the organization’s network (for work purposes only, of course). This bring-your-own-device concept has since grown into a more popular method of computing for many organizations. It is enticing from a budgeting standpoint but can be very difficult on you, as security administrator, and possibly on the users as well.

A computer is a computer. It doesn’t matter if it’s a PC from 1986 or a mobile device from this year. All computers need to be secured using the same principles and policies; however, historically mobile devices have tended to fall through the cracks. So, companies have really started gearing up the security for these devices. In most organizations, it is not feasible to stop people from bringing their smartphones into work. Some organizations have decided to embrace this practice and benefit from it with a bring-your-own-device (BYOD) policy to be used for work purposes in addition to personal. Companies may implement similar strategies, such as choose-your-own-device (CYOD), where employees select a device from a company-approved list, or corporate-owned, personally enabled (COPE), where a company supplies employees with a phone that can also be used for personal activities.

Although these policies create a whole slew of new security considerations, some organizations are implementing BYOD and CYOD successfully by creating a well-defined demarcation point between the users’ data and the organization’s. When a company institutes this concept, along with an MDM solution and strong policies for theft, wireless attacks, and application security, mobile devices can survive and thrive in the enterprise or small office, yet remain safe and accessible for personal use.

Note

Some organizations utilize a virtual desktop infrastructure (VDI) to address the BYOD challenges. This way, users can use their own hardware or corporate-owned hardware but connect to a VDI environment to access all the applications and data needed to do their work.

Secure Implementation of BYOD, CYOD, and COPE

When it comes to implementation of BYOD, CYOD, and COPE, they are all similar. For simplicity in this section, we refer to these collectively as BYOD unless CYOD or COPE needs to be addressed specifically.

First, your BYOD implementation should be driven by your policies. You should at least have a mobile device and acceptable use policy when it comes to connecting to your corporate network. The specifics of this policy should be ironed out before you begin your implementation. One of the primary concerns that should be addressed in the policy is what kind of devices you will allow on your network. Identifying these devices helps determine which is the best solution for implementing BYOD in your organization. Another determination you need to make is what kind of access you are planning to offer users of the BYOD system. For instance, if you are in a corporate environment, you may or may not allow BYOD-registered devices to access corporate data. You might decide to only allow them to access the Internet on a segmented network. If you are only allowing access to the Internet and the traffic is utilizing a segmented network that cannot interact with corporate data, your risk is much lower and you will not need to do as much validation of the device when connecting to the network. However, if the device is going to be connecting to your corporate network where it will have access to corporate data and mission-critical applications, you will want to implement your BYOD system in a much stricter manner. For example, a device connecting to a corporate network should be required to go through a multifactor authentication process. You should then evaluate the device’s security posture to determine if it meets the minimum requirements set in your policies for mobile devices. This includes minimum operating system level, up-to-date and clean antivirus/antimalware software state, validation that the device is not jailbroken, and so on.
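The posture evaluation described above, and the context-aware authentication discussed earlier in the chapter (a rooted device should not reach certain resources), comes down to a policy decision over the attributes an MDM agent reports. The following is an added example, not code from the book or from any MDM product: it turns a constructed device report into one of three access tiers (full corporate access, the segmented Internet-only network, or deny) and lists the findings. The minimum OS versions, the 7-day antimalware definition age and the SEAndroid "Enforcing" requirement are assumed policy values.

```python
"""Context-aware access decision from an MDM device posture report (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Illustrative policy values, not taken from the book.
MIN_OS_VERSION = {"Android": "12", "iOS": "16"}
MAX_AV_DEFINITION_AGE_DAYS = 7


@dataclass
class DevicePosture:
    os_name: str                        # "Android" or "iOS"
    os_version: str                     # as reported by the MDM agent, e.g. "13.0.1"
    rooted: bool                        # rooted (Android) or jailbroken (iOS)
    full_device_encryption: bool
    screen_lock_enabled: bool
    av_clean: bool                      # last antimalware scan found nothing
    av_definitions_date: Optional[date]
    unknown_sources_allowed: bool       # sideloading permitted
    selinux_mode: Optional[str] = None  # Android only: "Enforcing", "Permissive" or "Disabled"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "13.0.1" into (13, 0, 1); a non-numeric suffix such as "16.4b1" is ignored."""
    parts = []
    for piece in version.split("."):
        lead = ""
        for ch in piece:
            if not ch.isdigit():
                break
            lead += ch
        parts.append(int(lead or 0))
    return tuple(parts)


def version_at_least(actual: str, minimum: str) -> bool:
    """Compare dotted versions numerically, padding the shorter one with zeros."""
    a, m = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(m))
    return a + (0,) * (width - len(a)) >= m + (0,) * (width - len(m))


def evaluate_posture(p: DevicePosture, today: date) -> Tuple[str, List[str]]:
    """Return (decision, findings) where decision is:
       "full"          - meets policy, may reach corporate data and applications
       "internet_only" - quarantined on the segmented network until remediated
       "deny"          - not admitted at all
    Hard failures deny; soft failures only quarantine."""
    hard, soft = [], []
    if p.rooted:
        hard.append("device is rooted/jailbroken")
    if not p.full_device_encryption:
        hard.append("full device encryption is off")
    if not p.screen_lock_enabled:
        hard.append("no screen lock configured")
    if not p.av_clean:
        hard.append("antimalware reports an active detection")
    if p.os_name == "Android" and p.selinux_mode != "Enforcing":
        hard.append(f"SEAndroid is {p.selinux_mode or 'unknown'}, not Enforcing")

    minimum = MIN_OS_VERSION.get(p.os_name)
    if minimum is None:
        hard.append(f"unsupported platform {p.os_name!r}")
    elif not version_at_least(p.os_version, minimum):
        soft.append(f"{p.os_name} {p.os_version} is below the minimum {minimum}")
    if (p.av_definitions_date is None
            or (today - p.av_definitions_date).days > MAX_AV_DEFINITION_AGE_DAYS):
        soft.append("antimalware definitions are missing or stale")
    if p.unknown_sources_allowed:
        soft.append("installation from unknown sources (sideloading) is enabled")

    if hard:
        return "deny", hard + soft
    if soft:
        return "internet_only", soft
    return "full", []


if __name__ == "__main__":
    # Constructed reports, as an MDM agent might deliver them at network registration.
    today = date(2024, 1, 15)
    reports = [
        DevicePosture("Android", "13.0.1", False, True, True, True, date(2024, 1, 12), False, "Enforcing"),
        DevicePosture("iOS", "17.2", True, True, True, True, date(2024, 1, 14), False),
        DevicePosture("Android", "11", False, True, True, True, date(2023, 12, 1), False, "Enforcing"),
    ]
    for report in reports:
        decision, findings = evaluate_posture(report, today)
        print(f"{report.os_name} {report.os_version}: {decision} {findings}")
```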

Of course, when you are securely implementing a BYOD program, your primary goal should be to keep corporate and personal data safe. In some cases, this can and should require the devices connecting to meet some stringent requirements. However, for a BYOD program to be successful, the experience should be as easy as possible for the end user as well as for you, as administrator. This is where picking the right tools to implement comes in. A number of software vendors offer BYOD solutions. It is best for you to evaluate these solutions against your policies and requirements to determine which one is best for your organization. One example is the Cisco Identity Services Engine (ISE). Figure 21-1 shows the dashboard for ISE.

A screenshot shows the dashboard for Cisco Identity Services Engine.

FIGURE 21-1 Cisco Identity Services Engine Dashboard View

Most BYOD platforms include a capability for implementing policy, monitoring, and onboarding devices, just to name a few. Figure 21-2 shows the BYOD work center in Cisco ISE. As you can see, it is essentially a step-by-step guide or wizard for getting started with implementing BYOD in your organization.

A screenshot shows the BYOD work center in Cisco ISE.

FIGURE 21-2 Cisco Identity Services Engine BYOD Work Center

Chapter Review Activities

Use the features in this section to study and review the topics in this chapter.

Review Key Topics

Review the most important topics in the chapter, noted with the Key Topic icon in the outer margin of the page. Table 21-3 lists a reference of these key topics and the page number on which each is found.

Table 21-3 Key Topics for Chapter 21

Key Topic Element | Description | Page Number

Section | Connection Methods and Receivers | 570

Paragraph | Mobile device management | 574

Table 21-2 | Mobile Device Security Concerns and Countermeasures | 580

List | Features and controls that are part of a typical MDM solution | 581

Section | Mobile Devices | 585

Section | SEAndroid | 588

Section | Deployment Models | 588

Define Key Terms

Define the following key terms from this chapter, and check your answers in the glossary:

near field communication (NFC)

radio-frequency identification (RFID)

Global Positioning System (GPS)

mobile device management (MDM)

allow lists

block lists/deny lists

sideloading

firmware over-the-air (OTA) updates

mobile application management (MAM)

MicroSD hardware security modules (HSMs)

unified endpoint management (UEM)

SEAndroid

bring your own device (BYOD)

choose your own device (CYOD)

corporate-owned, personally enabled (COPE)

virtual desktop infrastructure (VDI)

Review Questions

Answer the following review questions. Check your answers with the answer key in Appendix A.

1. What solution do some organizations use to address BYOD challenges, where users connect to an environment to access all the applications and data needed to do their work?

2. What is a security enhancement based on mandatory access control (MAC)?

3. What is the adding of data to content that would help gather location-specific information?

4. What is the denial of individual applications called?

5. What is the sending of unsolicited messages to Bluetooth-enabled devices such as mobile phones?

6. What mobile phone feature allows a phone to connect an external device such as a USB flash drive?

7. What is the unauthorized access of information from a wireless device through a Bluetooth connection?

8. What is the art of loading third-party apps from a location outside the official application store for that device?
