Security+: Mobile Security Concepts and Technology (SY0-401) [DECOMMISSIONED ARTICLE]
NOTE: This article reflects an older version of the Security+ Exam – please see the current Security+ Certification page for the most up-to-date information.
Unfortunately, tablets and smartphones (and several other mobile devices) can be vulnerable to a variety of cyberattacks. An attacker can compromise the mobile device through either the user’s private or corporate network. Once an attack is carried out, the attacker can gain access to the mobile device and steal personal or corporate secrets saved in the form of emails, text messages, contacts, and potentially sensitive documents and notes. As cyberattacks are growing by leaps and bounds, employees should steer clear of saving sensitive information on mobile devices. If saving data on mobile devices is necessary, users should comply with corporate security and BYOD policy that help in preventing potential damage.
The Security+ exam includes various mobile security concepts and technologies that students must understand to pass the exam.
What Do I Need to Know about Mobile Device Security?
Device security encompasses the range of security features that every mobile device contains. However, device security features are useless unless they are enabled and configured properly. The underlying device security features are important for the Security+ exam.
Full device encryption: Most smartphones, including tablets, portable computers, and other mobile devices offer device encryption security mechanisms. Device encryption ensures the protection of data by converting it into an unreadable form. Android 5.0 or higher offers two types of encryption, “Encrypt phone” and “Encrypt SD card storage.” However, it’s not a complete solution because there are still sophisticated ways to steal information. These ways include using an Android debug bridge (ADB), boot loaders, and recovery techniques.
Remote wiping/sanitation: This is a security feature that allows a device owner or network administrator to send a command to a device (usually a stolen device) to delete data. Several programs, such as Google Apps and Microsoft Exchange Server 2010, are used for remote wiping/sanitation purposes.
Lockout: Lockout occurs when a user fails to provide his/her credentials after several attempts. The lockout remains active for a specific period or until the administrator remove the lockout flag. Moreover, the lockout is configured with screen locks.
Screen locks: A screen lock is a security feature designed to prevent unauthorized persons from accessing the mobile device. Each time a user wakes up the screen or turns on the device, he/she will be asked to unlock the device with a password, PIN, pattern, fingerprints, or face/eyeball recognition.
GPS: A Global Positioning System (GPS) is a satellite-based navigation system using 24 satellites that were put into orbit by U.S Department of Defense (USDOD). Various mobile devices include GPS chips and application. If a mobile device is stolen, the GPS can be used to track down a device.
Application control: Application control is another security feature on mobile devices aims at not only preventing users from installing applications through untrusted sources but also blocking unnecessary updates or applications from being installed automatically.
Storage segmentation: Storage segmentation offers a special feature whereby the user can artificially categorize different types of data on a mobile device’s storage media. By default, a device uses storage segmentation to divide the device’s preinstalled apps and operating system from the user data and user-installed apps.
Asset tracking: Asset tracking is a mobile device management system in which security management creates an accurate and complete list of all devices being used within the organization. Asset tracking can help in finding stolen or missing devices.
Inventory control: Most mobile devices offer a camera feature that can be used, in addition to taking photos and videos, to scan barcodes of physical goods for the purpose of tracking. These devices use near-field Communication (NFC) or radio-frequency Identification (RFC) features to interact with electronically tagged physical objects.
Mobile device management (MDM): This is a security mechanism designed to manage a wide range of mobile devices that workers use to access company resources and equipment. MDM can manage both bring your own device (BYOD) and company-owned devices. The purpose of MDM is to enable remote management, improve security, support troubleshooting, and provide monitoring of resources.
Device access control: It makes sure that only authorized entities have access to a mobile device. To achieve this goal, the device should be locked with a strong password so that only a person having the code or password can unlock the device.
Removable storage: Most mobile devices support removable media, such as microSD cards and external USBs. When a device is connected to the internet, the sensitive information on the removable media can be vulnerable to various types of attacks. Using an updated antivirus or firewall is the great idea to steer clear of unwanted damage.
Disabling unused features: Apart from enabling the security features, the employees must remove unwanted apps and disable unnecessary features that aren’t required for personal use or essential business tasks.
What Do I Need to Know about Application Security?
Managing application security of mobile devices is necessary to protect data and information. Some best practices for application security include:
Key management: Key management is essential in cryptography systems. Inappropriate key management can lead to the failure of the cryptosystems. When creating a key, the best random number should be selected through reliable random-number-generating mechanisms.
Credential Management: Credential management is a technique for storing credentials in a central location. There are millions of websites today and each has particular login requirements. Therefore, it can be a burden to use unique name and password for each website. To deal with this issue, credential management provides a solution to store countless credential sets securely, often by using auto-login options for websites and apps.
Authentication: Authentication is a security mechanism used to prevent unauthorized access to a mobile device. Authentication techniques involve swipe or pattern access, PINs, passwords, face/eyeball recognition, fingerprints, or a proximity device, such as RFID or NFC mechanisms.
Geo-tagging: Geo-tagging is a process of adding geographical information, typically in the form of longitude and latitude coordinates, to images, videos, mobile device transmissions, and websites. Most mobile devices with GPS features can support geo-tagging. Would-be attackers use geotagging for nefarious purposes, such as to view photos from social networking sites and determine accurately where and when a photo was captured.
Application whitelisting: This is another important security feature on mobile devices that prohibits the execution of unauthorized applications or scripts, such as viruses and malware. A user can place all the legitimate applications on the whitelist so the device could grant their execution. However, attackers can circumvent the whitelisting solution by taking advantage of kernel-level vulnerabilities and an application’s configuration issues.
Transitive trust/authentication: Transitive access, trust, or authentication allows one entity to accept a user on behalf of another identity without requiring additional authentication. It isn’t a good idea and could create vulnerabilities. Instead of bypassing the authentication, the user should have to pass through all possible security steps that authentication offers in order to make it more reliable and strong.
What BYOD Concerns Do I Need to Know?
Bring-your-own-device (BYOD) is the security policy that defines the rules about the usage of employees’ personally-owned devices (smartphones, tablets, laptops) in the work environment. Though BYOD can improve employees’ job satisfaction and morale, it also increases security risks. These risks may include:
Data ownership: While carrying out business tasks, the BYOD may have to store essential corporate data and information. Under such circumstances, the company owns the data on BYOD, rather than the individual who owns that device. Additionally, if the device is lost, the company has the right to perform remote wiping/sanitation to delete corporate secrets (if it may have). Regular backups can prevent data loss and therefore should be a part of BYOD policy.
Support ownership: BYOD policy should explicitly defines that if user’s mobile device undergoes a fault, failure, or damage, who will be responsible (either individual or company or both) for the device’s technical support, repair, or replacement.
Patch management: The important rule that BYOD policy should explain about patch management is whether the employee or the company or both are responsible for installing the latest updates.
Antivirus management: The BYOD policy should determine whether an antivirus, anti-spyware, or anti-malware should be installed on a mobile device. Also, it should dictate which apps/products are recommended and which are not recommended.
Forensics: The employees must be aware of the fact that his/her mobile device can be presented for forensic purposes in the event of criminal activity or security violations.
Privacy: Privacy and monitoring of a personal mobile device should be a part of BYOD policy. In addition to company data, the mobile device may contain employee’s personal images, videos, or documents. On the basis of personal data, the employee cannot deny the monitoring and inspection of the mobile device if the company requires.
On-boarding/off-boarding: BYOD on-boarding is used to carve out the separate section on a mobile device’s storage media for business data. Conversely, BYOD off-boarding refers to the process of deleting all the business data on a mobile device in case of employee’s termination or retirement.
Adherence to corporate policies: In addition to BYOD policy, employees must comply with the organization’s overall security policies.
Architecture/infrastructure considerations: When personal devices connect to a corporate network, an overload on the network devices and servers may occur. Therefore, the organizations should consider network architecture/infrastructure when implementing BYOD policy.
Legal concerns: BYOD may lead to security risk and vulnerabilities. Hence, companies should hire attorneys to evaluate the legal concerns of these potential security problems.
Acceptable use policy (AUP): An AUP defines how IT systems can be used within the company. The BYOD policy determines how personal devices can access or communicate with companies’ IT infrastructure.
On-board camera/video: Most mobile devices contain on-board cameras. However, various organizations don’t allow cameras in the working environment. Hence, the BYOD policy should define whether the company allows on-board cameras or not.
InfoSec Security+ Boot Camp
The InfoSec Institute offers a Security+ Boot Camp that teaches you information theory and reinforces that theory with hands-on exercises that help you learn by doing.
InfoSec also offers thousands of articles on all manner of security topics.