CompTIA® Security+ Exam Notes: Given a Scenario, Steps to Deploy Mobile Devices Securely

2. Technologies and Tools

2.5 Given a scenario, deploy mobile devices securely

Some security controls frequently used for mobile devices are given below:

Screen lock: Uses a password to lock the device. This prevents a thief from using a stolen device and helps prevent an unauthorized user from seeing its contents. However, an attacker may ultimately gain access to the data.

Proximity lock: Automatically locks your mobile device or smartphone when you are away from it. It uses a proximity sensor that you carry with you, such as a Bluetooth device.

Strong password: Any time a password is used to protect a mobile device (or any device or system), it should be strong. This means it is at least eight characters long and includes multiple character types, such as uppercase letters, lowercase letters, numbers, and symbols.

Data encryption: Encryption protects the confidentiality of data, and smartphone security includes device encryption to protect the data against loss of confidentiality. It's possible to selectively encrypt some data on a system, an entire drive, or an entire device.

Remote wipe: Remote wipe capabilities are useful if the phone is lost. The owner can send a remote wipe signal to the phone to delete all the data on it. Remote wipe is executed from another machine over a network. It also deletes any cached data, such as cached online banking passwords, and provides a complete sanitization of the device, ensuring that all valuable data is removed.

A screen lock may keep a thief out of the device for some time, but it is susceptible to brute-force attacks, and the thief may also resort to other methods to open the screen lock. By using remote wipe, it is possible to completely erase the data. However, note that the portable device may not be accessible after a remote wipe. Further, it may not show up using geo-tagging, as all applications are erased.

Voice encryption: It's possible to use voice encryption with some phones to help prevent the interception of conversations.

Biometric: Biometric authentication depends on a physical characteristic of a human being. It is not something that can be remembered. Usually, biometric authentication is very secure, though not widely used due to cost constraints.

Global positioning system (GPS) tracking: GPS pinpoints the location of the phone. Many phones include GPS applications that you can run on another computer. If you lose your phone, GPS can help you find it. If the data is sensitive, you can use the remote wipe feature to erase the data on the device. The location is useful to know before you send a remote wipe signal. GPS tracking helps locate the lost device, but does not protect the data.

Cable locks: The number of laptops stolen during lunches at conferences is astronomical. Many people don't seem to know how common thefts are and often leave their laptops unprotected. Cable locks can secure a mobile computer. They often look about the same as a cable lock used to secure bicycles.

Locked cabinet: Small devices can be secured within a locked cabinet or safe. When they aren't in use, a locked cabinet helps prevent their theft. Locking cabinets that hold switches and routers is a good way to maintain the security of the equipment, as well as the network. It is possible for a hacker to use an unused port on a switch to connect to SPAN (a mirror of another port) and gain access to confidential information.

Mantrap: A mantrap is a small room with an entry door on one wall and an exit door on the opposite wall. One door of a mantrap cannot be unlocked and opened until the opposite door has been closed and locked. Mantraps are most often used in physical security to separate non-secure areas from secure areas and prevent unauthorized access. They can also be found in high tech manufacturing to provide entry and exit chambers for server rooms or data centers.

Proximity reader: Proximity readers are typically activated with a proximity card, which can be shared between people. A sophisticated mantrap can be activated with a proximity card that also requires a PIN unique to the card and the user. This provides multi-factor authentication (something you have and something you know). However, the primary purpose of a mantrap is to prevent tailgating, not authentication.

Server room

Bring Your Own Device (BYOD): BYOD policy is not relevant in this context because the company has already provided laptops to its employees. This is a common issue in the modern workplace, and it can pose substantial security risks.

COPE: In Company-Owned and -Provided Equipment (COPE), the company owns the mobile devices. Using COPE, the company has complete control of the devices, and thus it can ensure a higher level of security. With this approach, the company creates a list of approved devices that meet the company's minimum security standards. Employees can then select from this list of pre-approved devices.

Geo-tagging: Geo-tagging is the process of attaching geographic information to a file as it is generated. Sometimes it may become a threat to the employee or the organization, because an attacker would be able to learn where the owner of the file resides. An example of geo-tagging is when you append the place information to a picture uploaded to a social media site. Geo-tagging is used to identify the location of a mobile device, such as a smartphone, over a network.

Mobile device management ensures that up-to-date patches or bug fixes are applied to the mobile device.

Full device encryption is another method of preventing an unauthorized user from accessing the data.

Geofencing: Geofencing relies on GPS tracking, but it goes a step further. With geofencing, the device will only function if it is within certain geographical locations. So, if a mobile device is stolen, that device will not work when taken outside the company perimeter.
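The geofencing decision described above, as an added example that is not part of the original notes: a GPS fix is allowed only when its whole uncertainty circle lies inside a permitted fence. The fence names, coordinates, radii, and the 100 m accuracy limit are constructed values.

```python
import math

EARTH_RADIUS_M = 6_371_000  # mean Earth radius in metres

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

# Constructed fences: (name, centre latitude, centre longitude, radius in metres)
FENCES = [
    ("hq-campus", 40.0000, -75.0000, 300.0),
    ("branch", 40.1000, -75.2000, 150.0),
]

def evaluate_fix(lat, lon, accuracy_m, fences=FENCES, max_accuracy_m=100.0):
    """Return 'allow', 'lock' or 'unknown' for one GPS fix.

    A fix with no accuracy figure, or one worse than max_accuracy_m, is
    'unknown' so the caller can re-sample or fail closed. Otherwise the
    device is allowed only if distance + accuracy fits inside some fence,
    which keeps an imprecise fix near the boundary from being accepted.
    """
    if accuracy_m is None or accuracy_m > max_accuracy_m:
        return "unknown"
    for _name, fence_lat, fence_lon, radius_m in fences:
        if haversine_m(lat, lon, fence_lat, fence_lon) + accuracy_m <= radius_m:
            return "allow"
    return "lock"
```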

DLL hijacking: DLL hijacking takes advantage of the load order of legitimate DLLs by placing a spoofed version in a higher load position than the real DLL.
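An audit for the load-order condition described above, as an added example that is not part of the original notes: given the directories in the order they are searched and the set of trusted directories, it flags any DLL name that is found in an untrusted directory before its trusted copy. The search order is supplied by the caller, and the directory layout in `demo` is constructed.

```python
import os
import tempfile

def find_shadowed_dlls(search_order, trusted_dirs):
    """Return (dll, shadowing_dir, trusted_dir) for each DLL whose first hit
    in search_order is untrusted while a trusted copy exists later."""
    trusted = {os.path.normcase(os.path.abspath(d)) for d in trusted_dirs}
    first_hit, findings = {}, []
    for directory in search_order:
        key = os.path.normcase(os.path.abspath(directory))
        try:
            names = sorted(os.listdir(directory))
        except OSError:
            continue  # missing or unreadable directory: nothing to compare
        for name in names:
            dll = name.lower()  # DLL names are matched case-insensitively
            if not dll.endswith(".dll"):
                continue
            if dll not in first_hit:
                first_hit[dll] = (directory, key in trusted)
            elif key in trusted and not first_hit[dll][1]:
                findings.append((dll, first_hit[dll][0], directory))
    return findings

def demo(app_first=True):
    """Constructed layout: an application folder and a stand-in system folder."""
    with tempfile.TemporaryDirectory() as root:
        app, system = os.path.join(root, "app"), os.path.join(root, "system")
        layout = {app: ["helper.dll", "version.dll"], system: ["version.dll", "kernel.dll"]}
        for directory, files in layout.items():
            os.makedirs(directory)
            for name in files:
                open(os.path.join(directory, name), "wb").close()
        order = [app, system] if app_first else [system, app]
        hits = find_shadowed_dlls(order, trusted_dirs=[system])
        return [(n, os.path.basename(a), os.path.basename(b)) for n, a, b in hits]
```

A finding is a triage lead rather than proof of compromise, since applications sometimes ship their own copy of a DLL; follow up by checking the file's signature and origin.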

Sideloading: It works in a similar fashion to DLL hijacking. DLL sideloading makes use of the WinSxS directory (C:\Windows\WinSxS). This directory holds multiple versions of DLL files for application compatibility reasons. An application using this directory to retrieve a DLL will need to have a manifest. The manifest lists the DLL file that the program needs to load at runtime and is used by the DLL loader to determine which version should be used. A malicious DLL with a spoofed name could be placed in this location because of the lack of verification performed on files in this folder. As a result, a vulnerability similar to the one that allows DLL hijacking exists in the side-by-side feature.

USB OTG (USB On The Go): USB OTG introduces the concept of a device performing both master and slave roles. Whenever two USB devices are connected and one of them is a USB OTG device, they establish a communication link. For instance, a mobile phone may read from removable media as the host device, but present itself as a USB Mass Storage Device when connected to a host computer. This means that any portable device carried into your network could be used to exfiltrate files and data from your network by presenting itself as a storage device or a Wi-Fi hotspot to the attacker.
