CompTIA® Security+ Exam Notes : Given A scenario,Steps To Deploy Mobile Devices Securely

2. Technologies and Tools

2.5 Given a scenario, deploy mobile devices securely

Some security controls frequently used for mobile devices are given below:

Screen lock: Uses a password to lock the device. This prevents a thief from using a stolen device. Screen lock helps in preventing the un-authorized user from seeing the contents. However, an attacker may ultimately gain access to the data.

Proximity lock: Automatically locks your mobile device or smart-phone when you are away from the phone. It uses a proximity sensor that you may personally carry such as a blue tooth device.

Strong password: Any time a password is used to protect a mobile device (or any device or system), it should be strong. This means they are at least eight characters and include multiple character types, such as upper case, lower case, numbers, and symbols.

Data encryption: Encryption protects the confidentiality of data and smart-phone security includes device encryption to protect the data against loss of confidentiality. It's possible to selectively encrypt some data on a system, an entire drive, or an entire device.

Remote wipe: Remote wipe capabilities are useful if the phone is lost. The owner can send a remote wipe signal to the phone to delete all the data on the phone. Remote wipe executed from another machine over a network This also deletes any cached data, such as cached online banking passwords, and provides a complete sanitation of the device, ensuring that all valuable data is removed.

Screen lock may prevent the thief from accessing the device for some time, but susceptible to brute force method. The thief may also resort to other methods to open the screen lock. By using remote wipe, it is possible to completely erase the data. However, note that the portable device may not be accessible after remote wipe. Further, it may not show up using geo-tagging as all applications are erased.

Voice encryption: It's possible to use voice encryption with some phones to help prevent the interception of conversations

Biometric: A biometric authentication depends on the physical characteristic of a human being. It is not something that can be remembered. Usually, bio authentication is very secure, though not widely used due to cost constraints.

Global positioning system (GPS): tracking. A GPS pinpoints the location of the phone. Many phones include GPS applications that you can run on another computer. If you lose your phone, GPS can help you find it. If the data is sensitive, you use remote wipe feature to erase the data on the mobile. This is useful to know before you send a remote wipe signal. GPS tracking helps locate the lost device, but does not protect the data.

Cable locks: The number of laptops stolen during lunches at conferences is astronomical. Many people don't seem to know how common thefts are and often leave their laptops unprotected. Cable locks can secure a mobile computer. They often look about the same as a cable lock used to secure bicycles.

Locked cabinet : Small devices can be secured within a locked cabinet or safe. When they aren't in use, a locked cabinet helps prevent their theft. Locking of cabinets that hold switches and routers is a good way to maintain security of equipment, as well as the network. It is possible that a hacker use an unused port on a switch to connect SPAN (mirror another port) and have access to confidential information.

Mantrap: A mantrap is a small room with an entry door on one wall and an exit door on the opposite wall. One door of a mantrap cannot be unlocked and opened until the opposite door has been closed and locked. Mantraps are most often used in physical security to separate non-secure areas from secure areas and prevent unauthorized access. They can also be found in high tech manufacturing to provide entry and exit chambers for server rooms or data centers.

Proximity reader: are typically activated with a proximity card, which can be shared between people. A sophisticated mantrap can be activated with a proximity card that also requires a PIN unique to the card and the user. This provides multi-factor authentication (something you have and something you know). However, the primary purpose of a mantrap is to prevent tailgating, not authentication.

Server room

Bring Your Own Device (BYOD): BYOD policy is not relevant in this context because the company has already provided laptops to it's employees. This is a common issue in the modern workplace, and it can pose substantial security risks.

COPE: In Company-Owned and - Provided Equipment (COPE), the company owns mobile devices. Using COPE, the company has complete control of the devices, and thus it can ensure a higher level of security. With this approach, the company creates a list of approved devices that meet the company's minimum security standards. Employees then can select from among this list of pre-approved devices.

Geo-tagging: Geo-tagging is the process of tagging the geo information to the file being generated. Sometimes, it may become a threat to the employee or the organization because an attacker would be able to know where the owner of the file is residing. An example of geo-tagging is when you append the place information to a picture uploaded to a social media site. Geo tagging is used to identify the location of a mobile device, such as a smart phone over a network.


Mobile device management ensures that up to date patches or bug fixes are applied to the mobile device.

Full device encryption is another method in preventing an un-authorized user from accessing the data.

Geofencing: Geofencing relies on GPS tracking, but it goes a step further. With geofencing, the device will only function if it is within certain geographical locations. So, if a mobile device is stolen, that device will not work when taken outside the company perimeter.

DLL hijacking: DLL highjacking takes advantage of the load order of legitimate DLLs by placing a spoofed version in a higher load position than the real DLL

Sideloading: It works in a similar fashion as DLL hijacking. DLL side loading makes use of the WinSxS directory (C:\Windows\WinSxS). This directory holds multiple versions of DLL files for application compatibility reasons. An application using this directory to retrieve a DLL will need to have a manifest. The manifest lists the DLL file that the program needs to load at runtime execution and is used by the DLL loader to determine which version should be used. A malicious DLL with a spoofed name could be placed in this location due to the lack of verifications that are performed on files in this folder. As a result, a vulnerability similar to the one that allows DLL hijacking exists in the side-by-side feature.

USB OTG (USB On The Go): USB OTG introduces the concept of a device performing both master and slave roles, Whenever two USB devices are connected and one of them is a USB OTG device, they establish a communication link. For instance, a mobile phone may read from removable media as the host device, but present itself as a USB Mass Storage Device when connected to a host computer. This means that any portable device carried into your network could be used to exfiltrate files and data from your network by presenting itself as a storage device or a Wi-Fi hotspot to the attacker.

Mobile Devices

MDM/Unified Endpoint Management (UEM): MDM software is an application that runs on a mobile device and, when activated, can manage aspects of the device, including connectivity and functions. The purpose of an MDM application is to turn the device into one where the functionality is limited in accordance with the enterprise policy.

Unified endpoint management (UEM): Unified endpoint management refers to securely managing all the endpoints in an organization using a comprehensive solution. IT asset footprints are growing rapidly and managing these assets such as laptops, desktops, tablets, and smart phones has become critical. Endpoint management becomes even harder with heterogeneous devices, or with devices that travel outside of the organization's network. The best way to ensure your devices are being managed properly is by employing an endpoint management software, such as UEM solution.

Mobile Application Management (MAM): Mobile Application Management (MAM) or mobile app management, refers to the management of the complete lifecycle of every app used in an enterprise, including installing, updating and deleting apps on both corporate and personally owned devices in the organization. Enterprise mobile application management also includes managing mobile app licenses, permissions, configurations, and defining organizational app policies that includes restrictions pertaining to the apps and data stored on the apps.

Mobile device management (MDM): MDM is a type of security software used by an IT department to monitor, manage and secure employees' mobile devices that are deployed across multiple mobile service providers and across multiple mobile operating systems being used in the organization.

Containerization: In mobile device management, "containerization" is used to isolate the mobile application from the mobile operating system or other applications installed on the same device.

Mobile Content Management: A mobile content management strategy enables employees to securely access mission-critical enterprise data and collaborate with other employees across any network or mobile device without being slowed down or restricted from data they need access to for their work function.

Push notification services: A push notification is a message that pops up on a mobile device. App publishers can send them at any time; users don't have to be in the app or using their devices to receive them. They can do a lot of things; for example, they can show the latest sports scores, get a user to take an action, such as downloading a coupon, or let a user know about an event, such as a flash sale. Push notifications provide convenience and value to app users. For example, users can receive:

Sports scores and news right on their lock screen

Utility messages like traffic, weather and ski snow reports

Flight check in, change, and connection information

Deployment models

VDE: A virtual desktop environment ( VDE) stores everything related to the user (wallpaper,folders,windows and so on) remotely and client software locally simulates the user's desktop environment and capabilities while running them on the host.

VDI: Virtual desktop infrastructure (VDI) is the process of running a user desktop inside a virtual machine that lives on a server in the data center. It enables fully personalized desktops for each user yet maintains centralized management and security.

There are two main types of desktops you can deploy in a virtual desktop infrastructure (VDI):

1. persistent and
2. non-persistent.

With persistent VDI (one-to-one desktop), each user gets his or her own desktop The user's settings are saved and appear each time at login. persistent VDI is basically the same setup you had with your physical desktops, making it easier for many admins to manage.

Nonpersistent desktops are many-to-one, meaning that they are shared among end users. When users access a nonpersistent desktop, none of their settings or data is saved once they log out. At the end of a session, the desktop reverts back to its original state and the user receives a fresh image the next time he logs in.

Previous   Contents   Next

Security+ Cram Notes Contents
certexams ad

simulationexams ad