CompTIA Security+: Mobile Devices

Next up in the CompTIA Security+ series is mobile devices.  Since pretty much everyone has a mobile device nowadays, there’s nothing really mind-blowing in this chapter.  I’ll try to get through it quickly.  : )

This is a continuation of my blog post series on the CompTIA Security+ exam, where I share my studying and connect it to real-world events.

Connection Methods

Mobile devices are, of course, wireless, so they need a wireless method of communication.  Heads up that the exam questions cover some nitty-gritty details (like data rate speeds).  It also covers strengths and weaknesses of each type.

• Cellular:  mobile telephony circuits, commonly either 4G or LTE.  Good coverage within most cities and suburbs, but issues in more rural areas.
• Wifi:  ubitiquous, especially with local governments rolling out public wifi in some cities.  2.4GHz and 5GHz bands.  Pretty easy to implement and security.
• SATCOM:  short for “satellite communications.”  The use of terrestrial transmitters and receivers communicating through satellites in orbit.  Costly, and has line-of-sight issues but good in rural areas.
• Bluetooth:  originally developed by Ericsson in 1998, now a popular worldwide standard.  Short-range, roughly 30 feet.  2.4GHz band.  Bluetooth 4.0 has three modes:  classic, high-speed and Low Energy (BLE).  Bluetooth 3.0 and 4.0 both have a maximum data transfer rate of 24 Mbps.
• NFC:  near field communication, typically in use for mobile payments.  Very short-range… 10cm or less.
• ANT:  multicast wireless sensor network, oriented towards sensor usage.  Proprietary standard and similar to Bluetooth.  Good at managing communication within its crowded band (2.4GHz) without interference.
• Infrared:  also referred to as IR.  Frequently used in remote-control devices and wirelessly connecting to printers.  Can’t penetrate walls or solid objects, needs line-of-sight.
• USB:  universal serial bus is the standard for connecting devices with cables.  Both data and power… I’m sure that you’ve seen and used USB cables before.

Mobile Device Management Concepts

Device management refers to IT-type policies that help manage the use and security of mobile devices.

• Application Management:  there’s a lot of stuff in mobile app stores, and not all of it is good.  Managing the applications allowed on devices, and the permissions that they need fall under the category of application management.
• Content Management:  control of what content is available or allowed on phones.  Also covers what content is available to individual applications on a phone.
• Remote Wipe:  mobile devices are more susceptible to loss or theft than laptops.  Remote wiping allows you to clear data stored on the device and reset it to factory settings.  This prevents an attacker or thief from brute forcing access.
• Geofencing:  GPS and RFID technology can be used to make a virtual fence around given areas.  When the phone “knows” that it’s within that area, functionality can be enabled/disabled, alerts can be sent, and so on.
• Geolocation:  again, using GPS, a phone can be aware of its location and report that location to others.
• Screen Locks:  screen locking is when you’re required to enter a passcode or pin to use a device.  It keeps out attackers, and/or siblings.  The CompTIA book recommends a passcode policy that is consistent with overall corporate password policy.  It also recommends remote wipe after too many incorrect attempts.
• Push Notification Services:  services that deliver information to a phone without the phone requesting it.  Push notifications allow for the transfer of external information to the device, so there are some security implications.
• Passwords and Pins:  pretty self-explanatory.  Passcodes should be sufficiently complex.  Relying on swipe patterns isn’t a good plan–the oil residue on your phone will give you away.
• Biometrics:  use of fingerprints, faces, etc as phone authentication.  Should be considered convenience features, not security features.
• Context-Aware Authentication:  use of contextual information like who the user is, where the phone is, how they are connected, and so on.  This is used to determine what actions or resources to permit.
• Containerization:  division of the phone memory into a series of containers.  This can allow for separation between personal and work information.
• Storage Segmentation:  similar to containerization.  Logical separation of storage within the phone.
• Full Device Encryption:  since phones are more likely to be stolen or lost, encrypting the data on the device is a good idea.

Enforcement and Monitoring

• Third-Party App Stores:  another thing everyone should be pretty familiar with.  Apple’s App Store or iTunes, and Google Play.  Managing what apps a user can add is important for security.  Restrictions depend on corporate policy and whether the device is corporate owned or not.
• Rooting and Jailbreaking:  jailbreaking is where a user escalates their privilege level to bypass normal OS controls.  Typically refers to iOS devices.  Rooting is bypassing OS controls, typically refers to Android devices.  In both cases, there’s a potential for security features to be bypassed.
• Sideloading:  adding apps without using the authorized app store(s).  This means you don’t get vendor screening of the apps.
• Custom Firmware:  altering the firmware for the device from its original setting.  Again, can result in security holes.
• Carrier Unlocking:  most mobile devices are tied to a carrier.  Carrier unlocking is severing that connection.
• Firmware OTA Updates:  pretty much all mobile updates happen “over the air” nowadays.
• Camera Use:  most (all?) phones have cameras and can record photos and video.  This can have some security implications, especially if applications have access to the photos.  Photos may also be geotagged.
• SMS/MMS:  short message service and multimedia message service.  SMS can send 160 characters, text only.
• External Media:  any item or device that can store data.  We’re back to talking about data exfiltration and unwittingly delivering malware.
• USB OTG:  USB on the go is a USB technology that allows for direct connection between USB OTG-enabled devices.
• Recording Microphone:  again, virtually all phones can record audio.  This might result in the recording of sensitive conversations.
• GPS Tagging:  also called geotagging.  When a phone embeds the location of where a photo was taken into the photo metadata.
• Wi-Fi Direct/Ad Hoc:  wifi direct is when two wifi devices connect to each other via a single-hop connection.  One device acts as an access point for the other.  Wifi ad hoc is similar but you can have multiple devices communication with each other.
• Tethering:  using a mobile device to connect another device to a network for shared network access.
• Payment Methods:  using near field communication (NFC) to facilitate credit card transactions.

Deployment Models

• BYOD:  bring your own device.  Advantages include minimizing cost for the organization, and allowing employees to have one single device.  Disadvantages include limited corporate control.
• CYOD:  choose your own device.  Employees can choose what type of device they want from a provided list.  The advantage is that the organization can avoid insecure choices or having to support too many types of devices.  Might also be easier to impose restrictions.
• COPE:  corporate owned, personally enabled.  The organization provides devices to employees that they have chosen and paid for.  But, employees can still use the devices for personal activities.  The organization has more control over policies and enforcement.
• Corporate-Owned:  also known as corporate-owned, business-only.  The organization chooses and pays for a device and restricts it to company-only use.  This gives them complete control and likely makes the devices more secure, but employees have to carry multiple devices.

Aaaand we’re done.