In this chapter, we are going to look at different mobile devices and their characteristics, and applications that run on those devices. In the Security+ exam, you need to know all of these aspects thoroughly, as this chapter is heavily tested. Let's first of all look at deploying mobile devices securely, followed by their management and security.
We will cover the following exam objectives in this chapter:
Explain the impact associated with types of vulnerabilities: Pointer dereference—race conditions
Given a scenario, deploy mobile devices securely: Connection methods—cellular—Wi-Fi—SATCOM—Bluetooth—NFC—ANT—infrared—USB. Mobile device management concepts—application management—content management—remote wipe—Geofencing—Geolocation—screen locks—push notification services—passwords and pins—biometrics—context-aware authentication. Containerization—storage segmentation—full device encryption. Enforcement and monitoring for: third-party app stores—rooting/jailbreaking—sideloading—custom firmware—carrier unlocking—firmware OTA updates—camera use—SMS/MMS—external media—USB OTG—recording microphone—GPS tagging—Wi-Fi direct/ad hoc—tethering—payment methods. Deployment models—BYOD—COPE—CYOD—corporate-owned—VDI
Explain the security implications of embedded systems: SCADA/ICS—smart devices/IoT—wearable technology—home automation—HVAC—SoC—RTOS—printers/MFDs—camera systems. Special purpose—medical devices—vehicles—aircraft/UAV
Summarize secure application development and deployment concepts: Development life cycle models—waterfall versus agile. Secure DevOps—security automation—continuous integration—baselining—immutable systems—infrastructure as code. Version control and change management. Provisioning and deprovisioning. Secure coding techniques—proper error handling—proper input validation—normalization—stored procedures—code signing—Encryption—obfuscation/camouflage—code reuse/dead code—Server-side vs. client-side—execution and validation—memory management—use of third-party libraries and SDKs—Data exposure. Code quality and testing—static code analyzers—dynamic analysis (for example, fuzzing)—stress testing—Sandboxing—model verification. Compiled versus runtime code
Mobile devices are now used in our everyday lives and they pose problems for security teams as they are very portable and extremely easy to steal. In this module, we will look at some of the problems that you may face as a security professional. First, let's look at the different deployment models.
Mobile Device Management (MDM) sets policies on the use of these tools to protect the network. For example, they may prevent the camera being used on mobile devices and could also prevent a smartphone from being able to send/receive texts.
Bring Your Own Device (BYOD) is where an employee is encouraged to bring in their own device so that they can use it for work. Although it may save the employer money, it also has its pitfalls. BYOD needs two policies to be effective:
Acceptable Use Policy (AUP): An AUP outlines what the employee can do with the device during the working day; for example, they will not be allowed to play games or browse their personal email. If the employee does not accept this, then BYOD fails at the first hurdle and they cannot bring their device to work.
Onboarding policy: The onboarding policy would ensure that the device coming into the company's network is fully patched and secure before being attached to the network.
Offboarding policy: The offboarding policy covers such things as handing back the company's data as this could pose a problem. If the device owner does not agree, you may have to take them to court to get your data back. Some companies use storage segmentation, where they may insert a storage card where the business data would reside. During the offboarding, the employee would simply be asked to hand back the card.
Example 1: A new employee has brought their mobile device into the company and within 30 minutes one of the file servers has caught a virus. The security team tracks the source of the virus to the mobile device. How could this have been avoided? It's simple—the onboarding policy has not been carried out properly; if it had been, the virus would have been removed before connecting the device.
Example 2: John, a member of the sales team, who has been using his tablet for BYOD, has just won the National Lottery and decided to leave the company. During the offboarding phase, he was asked to reset his tablet to its factory settings to ensure that the data was deleted. John has refused to do this as he has personal data and music files on the tablet. The company has called the local police and accused him of stealing their data. John informed the police officer that this is his personal device with his own data, and he produced a copy of the sales receipt for the device. The police officer was powerless and could do nothing further. The company would have to take John to court and prove that the data was theirs. John is now traveling the world, leaving the company with a further headache: they cannot take John to court because they don't know which country he is in. If they had used storage segmentation and asked John for the storage card on exit, this scenario would never have occurred.
Exam tip:
BYOD relies on an acceptable use policy and onboarding/offboarding policies being adopted.
Choose Your Own Device (CYOD) avoids problems of ownership because the company has a variety of tablets, phones, and laptops. When a new employee comes along, they merely choose one of these devices from a list. When they leave the company and offboard, the devices are taken from them as they belong to the company. The acceptable use policy would state that the devices can only store company data as they are corporate-owned devices.
Corporate-Owned Personally-Enabled (COPE) is where the company purchases the device, such as a tablet, phone, or laptop, and allows the employee to use it for personal use. It is a much better solution for the company than BYOD. Because the devices are corporate-owned, the IT team can also limit which applications run on them.
The COPE model can also help IT work within legal and regulatory parameters. Some European countries prohibit companies from wiping data on personal devices; if an employee loses a device, a remote wipe cannot be done. However, with COPE, the IT team has every right to wipe it remotely as it is corporate-owned and they remain compliant.
A Virtual Desktop Infrastructure (VDI) is where an employee's desktop is based in the cloud or a virtual platform, and this can be accessed by using a mobile device, such as a tablet or laptop.
There are various different connection methods for mobile devices:
Cellular: This is where tablets and phones use 3G, 4G, or 5G to connect to their provider without needing any other devices. Cellular connections are encrypted to prevent anyone seeing who is logging on or stealing your data. The problem that cellular faces is that if there are no masts nearby and the device shows no service, it will not work.
Wi-Fi: Connecting to a wireless access point is a common method of gaining access to the internet. The connection needs to be encrypted to prevent man-in-the-middle attacks. Some wireless providers have hotspots in major cities and airports so that their customers can connect.
If you live in an area where the cellular data shows no service, you could enable Wi-Fi calling on a modern smartphone to reach your carrier's network. But beware: this is only a method of connecting to your carrier's network, and they still charge you as normal for the calls.
If you are connecting to a Wi-Fi hotspot in a hotel, you must be careful as most are insecure.
Companies often have a guest wireless network that visitors can use, or their employees can use at lunchtime.
Exam tip:
Near field communication is used for contactless payment within 4 cm of the card.
Bluetooth: You may see someone walking down the street with a piece of gray plastic on one of their ears and they seem to be talking to themselves, but they are using their phone with a Bluetooth connection. Most Bluetooth devices have a range of about 10 meters. The devices are paired using a code to connect.
Example: Ian is driving and has his phone set to hands-free. As he is driving, he receives a phone call from a friend and has him on loudspeaker; this is an example of using Bluetooth.
Near Field Communication (NFC): NFC is normally used to make a wireless payment, where the card must be within 4 cm of the card reader. You should store your NFC-enabled card inside an aluminum pouch or wallet to prevent someone standing very close to you and skimming your card.
Infrared: An infrared device is purely line-of-sight and has a maximum range of about 1 meter. This can be used to print from your laptop to an infrared printer. Infrared connections are not encrypted but you could see an attacker as they need to be within 1 meter.
USB: Some mobile devices can be tethered to a USB dongle to gain access to the internet. A USB flash drive can be used to transfer data between devices, as it is self-installing. Security teams therefore tend to use group policy or Data Loss Prevention (DLP) to prevent data being stolen via removable devices.
Secure Satellite Communications (SATCOM): The secure satellite communications (SATCOM) equipment used by the US military is currently undergoing impressive capacity and performance advances. At the same time, it faces increasing security threats on several fronts. Military operations demand robust and flexible network-centric communication solutions for reliable information flow between frontline troops, support personnel, and commanders, both for operational control and situational awareness:
Figure 1: SATCOM
ANT: ANT is a proprietary, open access, multicast wireless sensor network, very similar to Bluetooth low energy. It can provide secure access to wireless sensors.
MDM is software that allows security administrators to control, secure, and enforce policies on smartphones, tablets, and other endpoint devices. Let us look at the different aspects of MDM.
Push notification services can be used to inform the device owner that an email or a text has arrived. For example, if someone sends you a message to your LinkedIn account, a push notification can tell you that you have a new message.
Mobile devices are very small and very easy to steal, therefore we need to look at how we can prevent someone from accessing the data even if the device has been lost or stolen. We will first look at screen locks and passwords, followed by biometrics, and then context-aware authentication:
Screen locks: Screen locks activate once the mobile device has not been accessed for a period of time. Then, after it is locked, the user gets a number of attempts to insert the PIN before the device is disabled.
Passwords and PINs: Some mobile devices, such as smartphones, are very easy to steal and can be concealed by putting them in a pocket. It is crucial that strong passwords and PINs with six or more characters are used. This makes guessing them more difficult, and repeated failed attempts can lead to the device being disabled.
Example: An iPhone gives you six attempts to log in, and after that it will disable the login for 1 minute. If you then fail on the seventh attempt, it locks you out for a further 2 minutes. If you continue to input the wrong PIN, you get locked out for 60 minutes on your ninth attempt.
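The escalating lockout described in the example above, as added illustration code (not from the book or from Apple): failures 1 to 5 are free, the sixth failure locks the device for 1 minute, the seventh for 2 minutes and the ninth for 60 minutes. The book gives no value for the eighth failure, so the example assumes the most recent listed delay is reused, and it rejects even a correct PIN while the lock is active.

```python
import hmac
from dataclasses import dataclass

# Lockout schedule from the chapter's iPhone example (consecutive failures -> minutes).
# The 8th failure is not listed in the chapter; lockout_for() reuses the most
# recent listed delay for it, which is an assumption of this example.
LOCKOUT_MINUTES = {6: 1, 7: 2, 9: 60}


def lockout_for(failure_count: int) -> int:
    """Minutes to lock the device after this many consecutive failures (0 = none)."""
    delay = 0
    for threshold in sorted(LOCKOUT_MINUTES):
        if failure_count >= threshold:
            delay = LOCKOUT_MINUTES[threshold]
    return delay


@dataclass
class PinLock:
    pin: str
    failures: int = 0
    locked_until: float = 0.0  # seconds; attempts before this time are refused

    def attempt(self, candidate: str, now: float) -> str:
        """Process one PIN entry at time `now` (seconds) and report the outcome."""
        if now < self.locked_until:
            return "locked"  # refused outright, even if the PIN would be correct
        if hmac.compare_digest(candidate, self.pin):  # constant-time comparison
            self.failures = 0
            return "unlocked"
        self.failures += 1
        minutes = lockout_for(self.failures)
        if minutes:
            self.locked_until = now + minutes * 60
            return f"locked for {minutes} min"
        return "wrong pin"


if __name__ == "__main__":
    lock = PinLock("123456")  # constructed sample PIN
    t = 0.0
    for _ in range(9):
        print(t, lock.attempt("000000", t))
        t = max(t + 1, lock.locked_until + 1)
    print(t, lock.attempt("123456", t))
```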
Exam tip:
Mobile devices need screen locks and strong passwords to protect them.
Biometrics: Mobile devices can use biometrics, such as fingerprint or facial recognition. Apple uses Touch ID and Microsoft uses Windows Hello.
Context-aware authentication: Context-aware security requires knowledge of who the user is, what the user is requesting, how the user is connected, when the user is requesting information, and where the user is located. The goal is to prevent unauthorized end users or insecure computing devices from being able to access corporate data.
Example: Mary, a financial director based in London, is using context-aware authentication. For the authentication to be successful, the user must be Mary, the time has to be between 9 am-5 pm, Monday to Friday, and she needs to be in London. If any of these criteria is not met, then authentication fails.
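One way to encode the policy in Mary's example as a context-aware check, written for this chapter as an added example (not the book's own code). The user, working hours, weekdays and location come from the example; the device-compliance flag reflects the "insecure computing devices" point above, and the user name, dates and city strings are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class AccessRequest:
    user: str
    when: datetime          # local time at which the request is made
    location: str           # city reported by the device or by IP geolocation
    device_compliant: bool  # MDM reports the device as patched and not rooted


@dataclass(frozen=True)
class ContextPolicy:
    user: str
    allowed_location: str
    start: time
    end: time
    weekdays: frozenset  # Monday = 0 ... Sunday = 6

    def evaluate(self, req: AccessRequest) -> tuple:
        """Return (allowed, reasons). Every context attribute must match; the
        reasons list explains a denial so it can be logged for the SOC."""
        reasons = []
        if req.user != self.user:
            reasons.append("user mismatch")
        if req.when.weekday() not in self.weekdays:
            reasons.append("outside working days")
        if not (self.start <= req.when.time() <= self.end):
            reasons.append("outside working hours")
        if req.location != self.allowed_location:
            reasons.append("outside allowed location")
        if not req.device_compliant:
            reasons.append("device not compliant")
        return (not reasons, reasons)


# Mary's policy from the chapter: 9 am to 5 pm, Monday to Friday, in London.
MARY_POLICY = ContextPolicy(
    user="mary",
    allowed_location="London",
    start=time(9, 0),
    end=time(17, 0),
    weekdays=frozenset(range(0, 5)),
)


def check(user, when, location, compliant=True):
    """Convenience wrapper used by the tests and the demo below."""
    return MARY_POLICY.evaluate(AccessRequest(user, when, location, compliant))


if __name__ == "__main__":
    # Constructed sample requests: a weekday in London, then a Saturday.
    print(check("mary", datetime(2024, 3, 5, 10, 30), "London"))
    print(check("mary", datetime(2024, 3, 9, 10, 30), "London"))
```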
Corporate devices need to be controlled so that employees cannot simply connect to an app store and download every application that they wish. For example, allowing games on corporate devices would have an adverse impact on productivity and security. We are now going to look at the downloads, applications, and content managers, and their characteristics, followed by remote wipe:
Download manager: The download manager controls the number of connections and the speed of downloading onto a mobile device.
Application management: Application management uses whitelists to control which applications are allowed to be installed onto the mobile device.
Content management: Content management stores business data in a secure area of the device in an encrypted format to protect it against attacks.
Remote wipe: When a mobile device has been lost or stolen, it can be remote-wiped; the device will revert to its factory settings and the data will no longer be available.
Exam tip:
Geo-tracking will tell you the location of a stolen device.
Mobile devices are very easy to lose or steal, so we must have some way of finding those devices; we are going to look at the differences between geofencing, geolocation, and using cable locks:
Geofencing: Geofencing uses the Global Positioning System (GPS) or RFID to define geographical boundaries; once the device is taken past the defined boundaries, the security team will be alerted.
Geolocation: Geolocation uses GPS to give the actual location of a mobile device. This is used when you lose your iPad and then use your iPhone to determine its location. This can be very useful if you lose or drop a device.
Cable locks: Cable locks on laptops and tablets prevent them being stolen.
Exam tip:
Geofencing prevents mobile devices from being taken off the company's premises.
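The geofencing check described above, as an added example that is not part of the book: a circular boundary is defined around a site, each GPS fix is compared against it with the haversine great-circle distance, and the security team is alerted only when the device crosses the boundary (exit or return), not on every fix. The office coordinates, radius and GPS fixes are constructed sample values.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two GPS fixes (degrees)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


@dataclass(frozen=True)
class Geofence:
    name: str
    lat: float
    lon: float
    radius_m: float

    def distance_m(self, lat, lon):
        return haversine_m(self.lat, self.lon, lat, lon)

    def contains(self, lat, lon):
        return self.distance_m(lat, lon) <= self.radius_m


def geofence_alerts(fence, fixes):
    """Return one alert per boundary crossing.
    fixes: iterable of (timestamp, lat, lon) in time order. An alert is raised
    only when the inside/outside state changes, so a device that stays outside
    does not flood the security team with repeated alerts."""
    alerts = []
    inside = None
    for ts, lat, lon in fixes:
        now_inside = fence.contains(lat, lon)
        if inside is not None and now_inside != inside:
            event = "RETURN" if now_inside else "EXIT"
            alerts.append((ts, event, round(fence.distance_m(lat, lon))))
        inside = now_inside
    return alerts


# Constructed sample: a 200 m fence around a head office and four GPS fixes.
OFFICE = Geofence("head-office", 51.5074, -0.1278, 200.0)
SAMPLE_FIXES = [
    ("09:00", 51.5075, -0.1279),  # inside, a few metres from the centre
    ("09:10", 51.5078, -0.1270),  # still inside (roughly 70 m away)
    ("09:20", 51.5200, -0.1278),  # about 1.4 km north: EXIT alert
    ("09:30", 51.5074, -0.1278),  # back at the office: RETURN alert
]

if __name__ == "__main__":
    for alert in geofence_alerts(OFFICE, SAMPLE_FIXES):
        print(alert)
```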
To protect the data that is stored on a device, we should implement Full Device Encryption (FDE), as this protects data stored on mobile devices as data at rest. The device requires a Trusted Platform Module (TPM) chip to store the encryption keys:
Example: A salesperson has just received a new company laptop where the operating system had been hardened. The device used BitLocker encryption, where the whole device is encrypted to protect the data stored on the hard drive. In the Security+ exam, this is known as FDE.
Containerization offers organizations the ability to deploy and manage corporate content securely in an encrypted space on the device. All corporate resources, such as proprietary applications, corporate emails, calendars, and contacts, reside within this managed space. We could also place an application inside a virtual machine to segregate it from the laptop.
Storage segmentation is where an external storage device is connected to a laptop or phone, for example a USB flash drive or a Secure Digital (SD) card. This keeps the data on the segmented storage separate from any application or data already on the device.
Example: You are using your own smartphone as a BYOD but your company has asked you to separate the business data that they give you from your personal data, for example, pictures of family and friends that you already have stored on the phone. The easiest way to do this is to install an SD card on the phone where you will store the company data. This makes offboarding your data pretty easy—all you would have to do is eject the SD card and surrender it to the company.
There are many different tools and features that roll out with mobile devices. As a security professional, you need to know the security threats that they pose. Some of the features that a security professional should be well-versed in are mentioned here:
Network access control: Network access control ensures that mobile devices that connect to your network are fully patched and compliant before obtaining access to the internal network.
Firmware over-the-Air (OTA) updates: Firmware is software that is installed on a small, read-only memory chip on a hardware device and is used to control the hardware running on the device. Firmware OTA updates are pushed out periodically by the vendor, ensuring that the mobile device is secure. For example, when the mobile device vendor sends a notification that there is a software update, this will include a firmware update.
Custom firmware—Android rooting: Custom firmware downloads are used so that you can root your mobile device. This means you are going to give yourself a higher level of permissions on that device. The main benefit is the ability to remove any unwanted apps and games that your carrier or phone maker installs, as rooting can grant you a full uninstallation. Deleting apps that you will never use can also free up some additional storage capacity. However, be aware that your downloads from an unknown vendor may pose security risks.
Exam tip:
Rooting and jailbreaking remove the vendor restrictions on a mobile device to allow unsupported software to be installed.
Carrier unlocking: Carrier unlocking is where a mobile device is no longer tied to the original carrier. This will allow you to use your device with any provider.
Jailbreaking: Jailbreaking is similar to rooting, only this time the operating system is Apple's iOS – this allows you to run unauthorized software on Apple devices and remove device restrictions placed on the device. You can still access the Apple App Store even though jailbreaking has been carried out.
Third-party app stores: There is a danger of downloading apps from third-party app stores as there is no guarantee of the quality of the app being installed. This could pose a security risk, as later you could find that it had embedded monitoring software.
Sideloading: Sideloading is having an application package in an .apk format and then installing it on a mobile device. This is useful for developers who want to trial third-party apps, but also allows unauthorized software to be run on a mobile device.
USB On-The-Go (USB OTG): USB OTG allows USB devices, such as tablets and smartphones, to act as a host, allowing other USB devices, such as USB flash drives, digital cameras, mice, and keyboards, to be attached to them. Apple does not allow USB OTG. Attaching USB devices can pose security problems as it makes it easy to steal information.
Camera use: Smartphones and tablets roll out with very good quality cameras and video recorders whose media can be circulated on social media within seconds. This poses a security risk to companies, as trade secrets could be stolen very easily. Research and development departments ban the use of personal smartphones in the workplace. MDM policies may disable the cameras on company-owned smartphones.
Recording microphones: Smartphones and tablets can record conversations with their built-in microphones. They could be used to take notes, but they could also be used to tape conversations or record the proceedings of a confidential meeting.
SMS/MMS: Short Message Service (SMS) is known as text messaging, and has become a common method of communication. These messages can be sent between two people in a room without other people in the room knowing about their communication; these text messages could be used to launch an attack. The Multimedia Messaging Service (MMS) is a standard way to send messages that include multimedia content.
GPS tagging: When you take a photograph, GPS tagging inputs the location where the photograph was taken. Most modern smartphones do this by default.
Payment methods: Smartphones allow credit card details to be stored locally so that the phone can be used to make contactless payments. If this is a BYOD, it needs to be carefully monitored as someone could leave the company with a company credit card and continue to use it. MDM may prevent the payment function by disabling this tool in the mobile device management policies.
Wi-Fi direct/ad hoc: The Wi-Fi direct wireless network allows two Wi-Fi devices to connect to each other without requiring a wireless access point. It is single-path, therefore it cannot be used for internet sharing. An ad hoc wireless network is where two wireless devices can connect with a wireless access point, but it is multipath and can share an internet connection with someone else.
Tethering: Tethering is where a GPS-enabled smartphone can be attached to a mobile device to provide internet access. Microsoft's Windows 10 is capable of tethering. The danger of this is if someone uses a laptop to connect to the company's network and then tethers to the internet; it could result in split tunneling. This is where a user has a secure session via VPN to the corporate LAN, and then opens up a web browser with an insecure session that could be compromised, giving the attacker a gateway through the secure session into your LAN. MDM must ensure that this does not happen. When tethering, to ensure security, we must only create one session at a time.