CompTIA Security+ SY0-401

Certification Training

Summarizing Mobile Security Concepts and Technologies Tutorial

1 Summarizing Mobile Security Concepts and Technologies

It has become common for a growing number of people to use smartphones for a variety of purposes such as e-mailing, texting, and exchanging confidential business documents. However, it has also become common for these mobile users to be exposed to several types of threats. Security threats, such as someone stealing a smartphone that holds confidential data, call for security controls and techniques that ensure mobile security. Smartphones transfer a variety of data such as audio, video, and photos through secured and non-secured connections such as mobile Internet, Bluetooth, and Wi-Fi. Therefore, the organizational IT security policy should enforce IT security controls on all the mobile devices used for business purposes.

After completing this lesson, you will be able to:

• Describe the concepts and techniques used for mobile device security,
• Describe the concepts and techniques used for mobile application security, and
• Identify the BYOD concerns.

2 Techniques and Controls for Device Security

In this topic, you will learn about the different techniques and controls to implement for device security. Generally, mobile devices come with a few security features, although some may have no security options at all. On devices where security features are available, you need to enable and configure them to make the devices as secure as possible while keeping the required functionality intact. Device security, thus, refers to the range of security features or options available for a mobile device. Consider the security options before buying a new mobile device. We shall now look at the different security features or options available for mobile devices.

Full-Disk Encryption (FDE) works at the hardware level and encrypts the full drive. If the disk, or the device that holds the disk with FDE, is lost or stolen, the risk of data loss is minimized. This is because the adversary cannot access the data without the proper authentication key. The authenticated user can read and write to the drive easily, as no extra step is required to encrypt or decrypt data. Encryption and decryption happen on the fly, as data is written to or read from the drive. For security purposes, a backup of the encryption key should be kept for retrieving data, which is useful when the authorized user forgets the password or leaves the organization suddenly and unexpectedly. However, full device encryption has two disadvantages. First, the data can be easily compromised if the device is unlocked while in the adversary’s hands. Second, FDE can slow down the device a bit if the virtual memory is running low.

Data on mobile devices can be deleted remotely by sending a remote wipe command over the mobile 2G/3G connection or Wi-Fi. Remote wiping can be used when the mobile device is lost or stolen, to prevent the data on the device from being accessible to an unauthorized user. For remote wiping to work, the mobile device needs an established connection to the Internet. If the thief prevents the device from finding such a connection, remote wiping will not work.

Lockout of a mobile device happens when a wrong password or PIN is used to unlock the device more than the predefined number of times. You should enable the screen lock functionality for lockout to work. When the mobile device is locked out, it can be unlocked either by a predefined super password or PIN, or after a predefined interval of time. You can configure the device to wipe drive data on lockout. Above all, you should implement the lockout functionality according to the security requirements of the mobile device.

Screen lock makes the screen of the mobile device lock after a short predefined interval of time. This prevents an unauthorized user from accessing the mobile device. For unlocking, the device may offer one or more of several options, such as submitting the correct password, providing the correct PIN, drawing a pattern, and using biometrics such as a fingerprint scan, eye scan, or face recognition. However, some mobile devices have a poor implementation of screen lock, where the security feature can be bypassed using an emergency calling feature, Bluetooth, Wi-Fi, or USB.

Most smartphones come with a Global Positioning System, or GPS, chip. This chip helps in locating the smartphone remotely, which is helpful when the smartphone is lost or stolen. It works only when the device can connect to the Internet. GPS also helps in monitoring the movement of both the device and the person carrying it. This can help law enforcement personnel locate the person who has stolen the device. In the same way, an adversary can obtain the movements of both the smartphone and the user to get access to mobile data. This is because GPS data is stored in the smartphone and is accessible using a removable medium or USB connection, in case the adversary manages to get access to the device.

Application control refers to the security control or device management solution an organization applies to its devices, such as smartphones. It is used to force a few applications to be installed, or to enforce some features or settings of some applications, on the smartphones of business employees. You can implement a whitelist of the only applications that may be installed and/or a blacklist of applications that cannot be installed or used.
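The lockout behaviour described in this topic (attempt threshold, timed release, super PIN, optional wipe) can be modelled as a small state machine. This is an added example, not code from the original tutorial or from any vendor; the class names, the sample PINs, and the choice to restart the timer on a wrong guess during lockout are assumptions of the example.

```python
import hmac
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    max_attempts: int = 5           # wrong tries tolerated before lockout
    lockout_seconds: int = 300      # predefined interval after which the lock clears
    wipe_on_lockout: bool = False   # erase data as soon as lockout triggers


class DeviceLock:
    """Model of a handset's unlock logic (illustrative names, constructed PINs)."""

    def __init__(self, pin, super_pin, policy, clock):
        # A real device keeps only a verifier in hardware-backed storage.
        self.pin = pin.encode()
        self.super_pin = super_pin.encode()
        self.policy = policy
        self.clock = clock            # callable returning the current time in seconds
        self.failed = 0
        self.locked_until = None
        self.wiped = False

    def locked_out(self):
        if self.locked_until is not None and self.clock() >= self.locked_until:
            self.locked_until, self.failed = None, 0   # interval has elapsed
        return self.locked_until is not None

    def unlock(self, candidate):
        guess = candidate.encode()
        if self.wiped:
            return "wiped"
        if self.locked_out():
            # During lockout only the super PIN is accepted, never the user PIN.
            if hmac.compare_digest(guess, self.super_pin):
                self.locked_until, self.failed = None, 0
                return "unlocked"
            # Assumption of this example: a wrong guess restarts the interval,
            # so the lockout window cannot be used to guess the super PIN.
            self.locked_until = self.clock() + self.policy.lockout_seconds
            return "locked_out"
        if hmac.compare_digest(guess, self.pin):   # constant-time comparison
            self.failed = 0
            return "unlocked"
        self.failed += 1
        if self.failed > self.policy.max_attempts:  # "more than" the limit
            if self.policy.wipe_on_lockout:
                self.wiped = True
                return "wiped"
            self.locked_until = self.clock() + self.policy.lockout_seconds
            return "locked_out"
        return "denied"
```

The clock is injected so that the timed release can be exercised without waiting.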

3 Storage Segmentation

Storage segmentation is a way to split the storage area on a mobile device so that each segment can have different security controls, such as encryption and access control. Access control here means not only the level of access a user has to the storage segment but also the level of access the holding device and its components have to that specific segment. This is useful when a single smartphone, for example, is used for both business and personal purposes. Here, the organizational policy can manage and secure only the business data while excluding the personal data of the user, thus keeping the user’s privacy intact.

Asset tracking is done to verify whether the asset, for example, the smartphone, is in the possession of the authorized user. This kind of tracking is useful for maintaining the organizational inventory. Asset tracking can be implemented simply by writing a serial number on the asset, having a bar code, assigning a Radio Frequency Identification, or RFID, tag, or activating GPS on the device.

In a way, inventory control can be referred to as hardware asset tracking. However, it can also refer to using a device for tracking inventory in a storage unit such as a warehouse. Because a majority of mobile devices come with a camera, an installed tracking app can easily track physical goods by taking photos or scanning bar codes. Devices with RFID or Near Field Communication (NFC) capabilities can even interact with the goods or their electronically tagged containers.

Mobile Device Management, or MDM, helps an organization manage and secure mobile devices. It aims to improve security, provide timely monitoring, enable remote management, and support troubleshooting. Mobile device management can be done over the Internet. You can use MDM to remove apps, enforce settings, and manage mobile data through Wi-Fi or a carrier network. You can consider MDM for managing personally owned as well as company-owned devices in case the organization allows a Bring-Your-Own-Device, or BYOD, environment.

Device access control refers to who in the organization has access to mobile devices such as smartphones. Usually, having a strong password for unlocking the device falls short of security, as the device is accessible through a USB cable or Bluetooth. This means that access to the device is not completely blocked despite the device being locked. However, you can ensure “no access at all” by implementing both a strong password and storage encryption. This is one example of how you can smartly implement device access control. Another example is to implement an MDM solution to enforce a screen lock and prevent a user from disabling it. In short, you need to consider any means capable of minimizing unauthorized access to the employees’ mobile devices.

If a mobile device issued by an organization has removable storage like an SD card, it should be disabled or encrypted. By disabling the removable storage slot, you can ensure that the user cannot copy data to removable storage, which could otherwise result in compromised data or a confidentiality breach. By encrypting data on the removable storage, the risk of compromising confidentiality is reduced.

As a rule of thumb, the wider the range of installed apps and enabled features, the higher the risk of data exploitation or device harm. Therefore, it is wise to disable or remove unwanted apps and disable unused features. These apps and features are not essential for performing business tasks. Implementing common security practices, such as device hardening, decreases the attack surface of mobile devices.

4 Techniques and Controls to Implement for Application Security on Mobile Devices

In this topic, you will learn about the different techniques and controls to implement for application security on mobile devices.

Apart from securing the mobile devices, you should also secure the applications and functions used on these devices. One way to do so, when you have implemented cryptography for encrypting mobile communications, is key management. Improper key management, rather than the algorithm encrypting the data, is often the cause of a cryptosystem failure. Selecting a strong key depends on the availability of quality random numbers, yet many mobile devices implement poor random-number-generating procedures. Still, a significant number of mobile devices rely on more powerful random number generators, or RNGs, over a wireless connection. Having a strong key alone, however, is not enough to ensure security. Once such keys are generated, it is essential to store them safely so that their exposure is minimized. The best option for storing such keys safely is removable hardware or a Trusted Platform Module (TPM). However, TPMs are hardly available on mobile devices.

Encryption is usually considered a powerful and useful protection technique. It aims to prevent unauthorized access to data, whether in transit or in storage. Nowadays, many mobile gadgets come with some kind of encryption mechanism for storing data. You only need to enable that encryption option to secure the stored data. Further, a few mobile devices extend native support for encrypting communication. However, a significant number of devices are capable of running add-ons for encrypting sessions, video conferences, and voice calls.

Credential management refers to the technique of managing the storage of credentials centrally. It can be troublesome to manage a unique set of credentials for each of the various Internet sites and services in use. To simplify this process, a credential management solution acts as a means of storing a variety of credential sets systematically and securely, probably at a central location. Most often, these solutions use a master credential set for unlocking the dataset or credentials when needed. A few of them even offer auto-login options for sites and apps.

When it comes to mobile devices, authentication is quite simple, especially for tablets and smartphones. Many of them come with swipe or pattern access, but that certainly does not amount to strong authentication. Therefore, it is advisable to also use a PIN or password, activate face or eye recognition, or use a proximity device such as an RFID or NFC ring. Using one or more of these means of authentication makes it tougher for an intruder to bypass it. It is also wise to combine device encryption and authentication to prevent access to stored data through a USB cable.

Mobile devices with GPS allow the geographical location, in terms of latitude and longitude, to be inserted along with the date and time on photos taken by the device camera. This is called geotagging, and it can be used for not only legal but also illicit purposes, such as finding out the times at which the user usually performs routine activities. Geotagging enables an intruder to track photos uploaded to a social networking site and find out precisely when and where a specific photo was captured. In this way, a potential cyber stalker can gain access to more information.

Transitive access, authentication, or trust refers to a possible way, or side door, of working around the conventional means of access control. The concept is that user A can use application B, and application B can use application C. Application C is allowed to access process D. However, if application B becomes inaccessible before application C does its job, application C may return access to process D to user A, although the user does not have direct access to process D. This is beneficial when quick access is essential and harmful if the user is an intruder. A few access control mechanisms do not actually help in preventing this issue. Therefore, it is extremely important to validate all users before allowing them access to the processes and objects of an application, instead of depending on an earlier verification.
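For the geotagging paragraph above: the location and capture time travel inside the photo file as an Exif block, so they can be detected and removed before a photo is shared. This is an added example, not part of the original tutorial; it uses only the Python standard library, the function names are the example's own, and the sample file is constructed inline.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"
APP1, SOS, EOI = 0xE1, 0xDA, 0xD9
GPS_IFD_TAG = 0x8825  # IFD0 entry that points at the GPS sub-directory


def segment(marker, payload):
    """Encode one header segment: marker, 2-byte length, payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def split_jpeg(data):
    """Return (segments, tail). tail starts at SOS/EOI (compressed image data)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos, segments = 2, []
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"corrupt segment header at offset {pos}")
        marker = data[pos + 1]
        if marker in (SOS, EOI):
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("segment length out of bounds")
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
    return segments, data[pos:]


def gps_ifd_offset(payload):
    """Offset of the GPS IFD inside an Exif APP1 payload, or None."""
    tiff = payload[len(EXIF_HEADER):]
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if not payload.startswith(EXIF_HEADER) or endian is None or len(tiff) < 8:
        return None
    magic, ifd0 = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42 or ifd0 + 2 > len(tiff):
        return None
    (count,) = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])
    for i in range(count):
        entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
        if len(entry) < 12:
            return None
        tag, _type, _count, value = struct.unpack(endian + "HHII", entry)
        if tag == GPS_IFD_TAG:
            return value
    return None


def has_geotag(jpeg):
    """True if any Exif segment in the file references a GPS IFD."""
    return any(m == APP1 and gps_ifd_offset(p) is not None
               for m, p in split_jpeg(jpeg)[0])


def strip_exif(jpeg):
    """Drop every Exif APP1 segment (GPS position and capture time included)."""
    segments, tail = split_jpeg(jpeg)
    kept = [segment(m, p) for m, p in segments
            if not (m == APP1 and p.startswith(EXIF_HEADER))]
    return b"\xff\xd8" + b"".join(kept) + tail


def build_sample():
    """Constructed input: JPEG framing around Exif with DateTime and a GPS IFD.
    It is not a viewable picture."""
    date = b"2015:06:01 08:30:00\x00"
    ifd0 = (struct.pack("<H", 2)
            + struct.pack("<HHII", 0x0132, 2, len(date), 38)  # DateTime at 38
            + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 58)     # GPS IFD at 58
            + struct.pack("<I", 0))
    gps = struct.pack("<HHHI4sI", 1, 1, 2, 2, b"N", 0)        # GPSLatitudeRef = N
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + date + gps
    return (b"\xff\xd8" + segment(0xE0, b"JFIF\x00" + bytes(9))
            + segment(APP1, EXIF_HEADER + tiff) + b"\xff\xda\x00\x02\x12\x34\xff\xd9")
```

Only Exif is handled here; XMP metadata, which can carry the same fields, is out of scope for this example.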
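The A, B, C, D chain from the transitive access paragraph, written out as an added example that is not part of the original tutorial. It contrasts a check that trusts the previous hop with one that validates the originating user at every hop, and goes one step beyond the text by listing every such side door in a policy. The policy tables and the second user `user_e` are constructed for the example.

```python
# Constructed policy for the chain in the text: user A -> app B -> app C -> process D.
CALLERS = {            # who may invoke each component directly
    "app_b": {"user_a", "user_e"},
    "app_c": {"app_b"},
    "process_d": {"app_c"},
}
AUTHORISED = {         # which end users each component may serve
    "app_b": {"user_a", "user_e"},
    "app_c": {"user_a", "user_e"},
    "process_d": {"user_e"},   # user_a has no direct right to process D
}
CHAIN = ["app_b", "app_c", "process_d"]


def hop_only(user, caller, resource):
    """Weak check: trusts whatever the previous hop verified."""
    return caller in CALLERS.get(resource, set())


def revalidate(user, caller, resource):
    """Strong check: the originating user is validated again at every hop."""
    return (hop_only(user, caller, resource)
            and user in AUTHORISED.get(resource, set()))


def run_chain(user, chain, check):
    """Walk the call chain on behalf of `user`; return (hops served, outcome)."""
    caller, served = user, []
    for resource in chain:
        if not check(user, caller, resource):
            return served, "denied at " + resource
        served.append(resource)
        caller = resource      # the next hop sees this component as its caller
    return served, "granted"


def reachable(principal, callers):
    """Every component `principal` can reach by chaining permitted calls."""
    seen, stack = set(), [principal]
    while stack:
        current = stack.pop()
        for resource, allowed in callers.items():
            if current in allowed and resource not in seen:
                seen.add(resource)
                stack.append(resource)
    return seen


def side_doors(users, callers, authorised):
    """(user, resource) pairs reachable through a chain but never granted."""
    return sorted((user, resource)
                  for user in users
                  for resource in reachable(user, callers)
                  if user not in authorised.get(resource, set()))
```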

5 Bring Your Own Device or BYOD

In this topic, you will learn about Bring Your Own Device, or BYOD, concerns.

BYOD refers to a policy allowing an organization’s employees to use their personal mobile devices at work by connecting to the business network or Internet to use business resources. While this policy can help boost job satisfaction and employee morale, it can introduce a security risk as well. Users should comprehend the benefits, consequences, and restrictions of using their personal devices at work. In most cases, signing off on the BYOD policy after reading it and taking part in a training program are enough for reasonable awareness.

If there are no restrictions, the policy simply allows any device to access the company’s network. As not all mobile devices come with strong security features, such a policy does not stop noncompliant devices from joining the company’s production network. Therefore, it is essential for a BYOD policy to permit only specific devices, which can help reduce the chances of a security breach. Such a mandate may require the company to buy devices for those who cannot buy a compliant one. This is one BYOD concern to address. There are many more concerns, which we will now look at.

When a personal device is used in a corporate environment, it is likely to hold both personal and business data. Therefore, it becomes essential to define ownership of data clearly. However, doing so is complicated. For example, if a device is lost, you may want a remote wipe to delete all information. However, the employee will not like this, as it will remove personal information as well. This wipe would be a hasty measure, especially if there are chances of recovering the device. Keeping such complexities in mind, you need to define clear policies about ownership. One way to do so is to implement an MDM solution offering not only data segmentation but also business data refinement without affecting personal data. Further, the BYOD policy should address backups, preferably with separate mobile device backup solutions for each type of data. This will reduce the chance of data loss in case of a remote wipe or device failure.

Support ownership is another critical concern for ensuring a smooth and safe BYOD environment. It is concerned with delegating the responsibility for repairing, replacing, and giving technical support to the device in case it experiences a fault, failure, or damage. Keeping this in mind, the BYOD policy should define the kind of support to be provided by the organization, the user, and the user’s service provider.

The BYOD policy should also address the means of patch management for personal devices. It should clearly state whether or not the user is responsible for installing available and new updates, and whether or not the organization needs to test the updates before installation. Ideally, it should also mention whether the updates are to be handled via Wi-Fi or a service provider.

There should be an anti-virus management clause in the BYOD policy. It should clearly cover the anti-malware, anti-virus, and anti-spyware programs to be installed on personal mobile devices. It should also indicate the applications or products advisable for use, along with their corresponding settings.

Employees should know that their devices might be taken away from them for investigations or as forensic evidence in the event of criminal activity. Further, a few processes of collecting evidence can be destructive, while a few legal investigations demand confiscation of personal devices. These details must be specified in the BYOD policy.

Privacy will be lost to a certain extent when a user uses a personal device for business tasks. This is because the employees have to agree to the tracking and monitoring of their personal mobile devices, even during non-business hours and when not in the office. This should be clearly stated in the BYOD policy.

The BYOD policy should disclose the on-boarding and off-boarding procedures for personal mobile devices. On-boarding should include everything about installing applications related to productivity, management, and security, along with implementing efficient and safe configuration settings. Similarly, off-boarding should include an official wipe of the business data and removal of any business-related applications. The policy should also address factory reset and a full device wipe to deal with critical situations.

It should be clearly stated in the BYOD policy that using a personal mobile device for office-related work does not allow a worker to stop adhering to corporate policies. Whether on business property or not, the employee should treat the BYOD equipment as office property and comply with all restrictions, even during off hours.

For many employees, as corporate network users, the limitations, MDM tracking, and restrictions mentioned in the BYOD policy can be much more burdensome than they imagine. Therefore, it is essential to explain the complete details of a BYOD policy before permitting the employees to use their personal devices in the office environment. Not only that, but you must also gain their consent and acceptance, usually via their signature, before their devices are in use.

When implementing BYOD, it is vital for your organization to assess its network and security design, infrastructure, and architecture. Allowing employees to use their own personal devices calls for planning for delegating IP addresses, managing data priority, isolating communications, increasing the monitoring load of the Intrusion Detection System, or IDS, or Intrusion Prevention System, or IPS, and increasing bandwidth consumption. Because most mobile devices operate wirelessly, you will need a more robust wireless setup, which can smartly deal with Wi-Fi congestion and interference. When designing BYOD, you should consider the extra infrastructure investment it may demand.

The attorneys hired by the organization need to assess the legal concerns related to BYOD. Allowing the use of personal devices for business tasks indicates increased liability as well as increased risk of data seepage. While the employees are happy to use their devices, the organization might not be happy because this is not a very cost-effective or worthwhile venture.

Using personal mobile devices in the office always adds to the risk of information leakage, work distraction, and access to inappropriate content. The employees are supposed to be aware of the primary goal of achieving productivity while at work. Therefore, the BYOD policy should be in accordance with the organization’s standard policy for acceptable use or should include usage rules for a specific mobile device version.

It is common for mobile devices to have a camera, whose usage terms must be specified in the BYOD policy. If you disallow any type of camera for security purposes, the employees should know that they need to use BYOD equipment without a camera. In case you allow cameras, the policy should clearly disclose when to use the camera and when not to use it. The same should also be explained to the employees.

7 Summary

Let us summarize the topics covered in this lesson.

• Device security encompasses a range of effective security options or features available for a mobile device.
• The device security options or features include full device encryption, lockout, remote wiping, GPS, screen locks, storage segmentation, inventory control, mobile device management, and hardening.
• You must secure the applications and functions being used on a mobile gadget by implementing key and credential management, encryption, authentication, and application whitelisting.
• Bring your own device, or BYOD, is a policy permitting employees to use their own personal mobile devices for business tasks.
• A BYOD policy should address several concerns such as data and support ownership, patch and anti-virus management, privacy, forensics, on-boarding/off-boarding, user acceptance, adherence to corporate policies, and on-board cameras/video usage.

With this we conclude this lesson, “Summarizing Mobile Security Concepts and Technologies.” In the next lesson, we will look at “Given a Scenario, Select the Appropriate Solution to Establish Host Security.”
