CompTIA CASP+ CAS-004 – Enterprise Mobility (Domain 3) Part 1
February 14, 2023

1. Enterprise Mobility

In this section of the course, we’re going to discuss enterprise mobility and the proper configurations, deployment methods, and security considerations involved with smartphones, tablets, and wearable devices that may connect to or communicate with our enterprise networks. In this section, we’re going to be focused on Domain 3, Security Engineering and Cryptography, and specifically Objective 3.1. Objective 3.1 states that, given a scenario, you must secure configurations for enterprise mobility. As we start out this section, we’re going to begin by covering enterprise mobility management, known as EMM, and how it’s going to be used to enable centralized management and control of the mobile devices in your organization.

Then we’ll talk about the latest version of WiFi security, known as WPA3 or WiFi Protected Access version 3. WPA3, which is part of the IEEE 802.11ax standard, is a much stronger protocol than any wireless network protocol that came before it, so we’re going to discuss the strengths and the new features that enable it to better protect our wireless communications when we use WiFi. Next, we’re going to focus on the different types of connectivity that we have for our mobile devices, including near field communication (NFC), Bluetooth, and tethering. After that, we’ll switch our focus towards security configurations that we can use to protect our mobile devices, things like device configuration protocols, full device encryption, VPN configurations, location services, geofencing, and geotagging.

Next, we’ll cover DNS protection options for your mobile devices, including custom DNS name servers and using DNS over HTTPS. Then we’re going to discuss the four different mobile deployment options that you have to choose from. These include Bring Your Own Device (BYOD), Corporate-Owned, Business-Only (COBO), Corporate-Owned, Personally-Enabled (COPE), and Choose Your Own Device (CYOD), as well as the benefits and vulnerabilities that are associated with each of these different deployment models. Next, we’ll discuss some mobile device reconnaissance concerns that you should be aware of, including the types of information that can be gathered using digital forensic techniques, the implications of using wearable devices, and the threat of wireless eavesdropping.

Finally, we’re going to cover the concepts surrounding mobile device hardware and software security, including things like jailbreaking, rooting, sideloading, unauthorized application store usage, containerization, concerns with the manufacturing of the hardware itself, and security concerns in terms of the bootloader that’s used in the mobile device. As you can see, we have a lot of information to cover in this section, so let’s get started with our coverage of enterprise mobility.

2. Enterprise Mobility Management (EMM) (OBJ. 3.1)

There is an increasing move towards mobile devices and wearables, and the big question becomes: how do we secure all of these devices that are connecting to various networks that we can’t control? This is especially true when those devices are allowed to connect back to our own enterprise networks later on, such as our employees’ smartphones that travel with them from home to work and home again each and every day. Well, the answer to this challenge is enterprise mobility management, also known as EMM. This is also going to be called mobile device management, or MDM, in some circles. Now, enterprise mobility management describes the suite of policies and technology tools that enable the centralized management and control of mobile devices in a corporate setting.

Put more simply, EMM and MDM consist of the processes involved in tracking, controlling, and securing our organization’s mobile devices and infrastructure. Now, technically, EMM and MDM are actually two different things, because MDM, or mobile device management, is a subset of the larger enterprise mobility management suite. But most people use these two terms interchangeably. If we want to be really precise with our wording, though, we should consider EMM to be the policies and tools that are involved in securing our enterprise mobility devices, whereas MDM is really focused on the technical controls that we’re going to use to ensure compliance with an organization’s security requirements. So EMM is both the policies and the tools, but MDM is really just the tools themselves.

Now, in the marketplace there are a lot of solutions available to perform this technical control of our devices and therefore bring mobile device management functionality into our organizations. These solutions offer centralized management and control so that our administrators can implement and enforce our security policies over a wide variety of different mobile devices. Most of these solutions have six main features. First, we have application control. Application control provides the capability to install, configure, and block or remove different apps from a given device. For example, your organization might want to block TikTok or Facebook from being installed on a smartphone that you provide to your users.

And you can do this with application control inside of your mobile device management toolset. Second, we have password and passcode functionality. Now, most MDMs provide you with the ability to enforce password policies for the entire device, or you can control password protection for specific applications. For example, one of my previous organizations required that all iPhones use a long and strong password of at least 16 characters that consisted of uppercase, lowercase, numbers, and special characters. Or, alternatively, you could enable the fingerprint reader or the facial scanning feature instead. Now, if you tried to enable a four- to six-digit numeric passcode, though, the MDM would block this and force you to use one of the stronger methods instead.

Now, in addition to this global password policy setting, the MDM can also enable stricter controls on a specific application so that it’s going to require a facial scan or a fingerprint scan before you can use that application, even if the phone itself only requires a password to unlock the device. The third feature of most MDMs is the ability to require multifactor authentication. Now, MFA, or multifactor authentication, requirements can be set so that a device must be authenticated with two or more authentication factors, such as using a password, a one-time use code that’s texted to the phone, or a biometric factor like a fingerprint or facial recognition scan.

With most MDMs, you can set multifactor authentication to become required if that device meets certain conditions. For example, it might no longer be located in the same state or country as your organization’s headquarters, and therefore it now needs two-factor authentication, or whatever other risk factors you may be trying to mitigate. The fourth feature that’s provided by most MDMs is token-based access. Now, token-based access requires that the enrolled device is provided a token or digital certificate in order for it to be able to gain access to your network resources by fulfilling the requirements of NAC, or network access control, solutions. NAC is a solution that does authentication and checks before somebody is allowed to connect to your network.

This can be done using digital certificates with something like the 802.1X protocol or other features inside of your NAC. The fifth feature that an MDM provides is the ability for organizations to conduct patch management through the use of a centralized patch repository. This centralized repository of tested and validated patches can then be used to ensure all of your corporate-enrolled devices are being patched and updated to a certain version level in a controlled and scheduled manner. For example, in one of my previous organizations, we would give all of our mobile device users only seven days to update their devices to a particular iOS version once it was out and had been tested and approved by us.

If the device wasn’t updated by the end of the seven-day period, though, we would then place it into a block group, and this would deny it access to our network by using our MDM and NAC solutions until that device was updated to the correct version. So, as you can see, we can use these mobile device management tools to manage our applications, our data, and other content that we want to have authorized for use on our devices, as well as push security controls across our entire device inventory instead of trying to apply the policies individually to each and every smartphone. Now, when it comes to patch management, for example, many MDM solutions will also provide you with the ability to push out operating system and application patches and updates, or to conduct authentication of devices, or enforce a security policy, or locate devices through GPS, or push out notifications to large groups of users or devices, or remotely lock or wipe lost devices.
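The controls described above (application control, passcode policy, conditional MFA, and the seven-day patch window enforced through NAC) can be modelled as a single compliance check. The following is example code added for this page, not any vendor’s MDM or NAC API; the Policy and Device structures, field names, and sample values are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Policy values from the lesson: a 7-day update window, 16-character passcodes
# drawn from four character classes, numeric PINs refused, TikTok and Facebook
# blocked. The data structures and field names are assumptions for this example.
PATCH_GRACE_DAYS = 7
MIN_PASSCODE_LEN = 16
HOME_COUNTRY = "US"

@dataclass
class Policy:
    approved_os: str        # OS version tested and approved by the organization
    approved_on: date       # day that version was released to users
    blocked_apps: set = field(default_factory=lambda: {"TikTok", "Facebook"})

@dataclass
class Device:
    name: str
    os_version: str
    unlock: str             # "pin", "passcode", "fingerprint" or "face"
    country: str
    apps: list = field(default_factory=list)

def passcode_meets_policy(candidate):
    """Checked when a user sets a device passcode: at least 16 characters with
    uppercase, lowercase, digit and special characters all present."""
    classes = (
        any(c.isupper() for c in candidate),
        any(c.islower() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    )
    return len(candidate) >= MIN_PASSCODE_LEN and all(classes)

def version_tuple(version):
    return tuple(int(part) for part in version.split("."))

def evaluate(device, policy, today):
    """Return (decision, findings). 'block' tells NAC to deny the device,
    'allow+mfa' admits it only after a second factor, 'allow' admits it."""
    findings, block, mfa = [], False, False
    # Patch management: out-of-date devices get a grace period, then are blocked.
    if version_tuple(device.os_version) < version_tuple(policy.approved_os):
        if today - policy.approved_on > timedelta(days=PATCH_GRACE_DAYS):
            findings.append("OS below approved version; grace period expired")
            block = True
        else:
            findings.append("OS below approved version; within grace period")
    # Password/passcode control: a short numeric PIN is never acceptable.
    if device.unlock == "pin":
        findings.append("numeric PIN not permitted; passcode or biometric required")
        block = True
    # Application control: any blocked app fails compliance.
    for app in device.apps:
        if app in policy.blocked_apps:
            findings.append(f"blocked app installed: {app}")
            block = True
    # Conditional MFA: device seen outside the organization's home country.
    if device.country != HOME_COUNTRY:
        findings.append("device outside home country; MFA required")
        mfa = True
    decision = "block" if block else ("allow+mfa" if mfa else "allow")
    return decision, findings
```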

Now, this last feature, remote wipe, is an important one too, because mobile devices are often lost or stolen, and we want to ensure that our sensitive information doesn’t fall into the wrong hands. To prevent this, a device can be subject to a remote wipe if it’s been reported lost or stolen by our employees. A remote wipe is going to be used to send a remote command from your MDM solution to a mobile device in order to delete the data and settings on that mobile device. This will revert the device back to its factory default settings and essentially sanitize the sensitive data from the device’s onboard storage. Now, note here that a device must have a connection to the Internet or the cellular network in order to receive that remote wipe command from the mobile device management tool.

So if a thief puts your smartphone in a Faraday bag or turns on airplane mode, they can prevent the remote wipe from being initiated by your mobile device management suite. Now, to overcome this limitation of remote wipe, your devices can also be configured to wipe themselves if the incorrect password or passphrase is entered too many times, or if the device tries to connect to the network and no longer meets the minimum baseline requirements. Another important concept here that we need to discuss in terms of smartphones is that device certificates can be used on them.

Now, device certificates can come in two different types. We can have a trust certificate and a user specific certificate. Now, a trust certificate is a digital certificate that’s going to be used to globally identify a trusted device within an organization. In its simplest form, this relies on a single certificate that’s going to be installed on all the trusted devices within the organization. Then, when a device tries to connect to the network, that trust certificate is going to be checked, and if it’s found to be in place, the device is considered trusted and is able to connect to the network. Now, the vulnerability here though, is that if the trust certificate is copied by an attacker, they can then pretend to be authorized as well. And if you need to revoke the certificate because a single device has gone missing, it’s going to actually revoke it for all devices because they all use the same certificate. For this reason, I prefer to rely on user specific certificates instead.

Now, a user-specific certificate is a digital certificate that’s assigned to a device to uniquely identify it on the network. To ensure the right certificate is installed on each device, you should implement a PKI-based solution with your MDM to issue and install those certificates onto each authorized device. This will also allow you to revoke individual certificates if you need to, instead of removing everybody’s trust certificate at once. All right, the final concept we need to discuss is firmware updates. Now, firmware updates are usually conducted over the air, and they’re going to be used to update the baseband of the radio modem inside of your device that’s used for cellular, WiFi, Bluetooth, NFC, and GPS connectivity.

Regardless of whether you have an Android or iOS device, your smartphone also has a second type of firmware installed on it, and this is going to be used to run a software-defined radio within your mobile device. This firmware is essentially the operating system for your modem, which has its own processor and memory, so it relies on a real-time operating system, known as an RTOS, to conduct the modulation and frequency shifts that are required to maintain radio connectivity with the different cellular towers. Over time, the cellular company may need to make changes to their frequency, modulation, or other parameters, and they may send out a firmware over-the-air update to add these new capabilities or performance improvements to your smartphone.

Now, while over-the-air updates are necessary for cellular devices to maintain the best connectivity, attackers have also found ways to exploit these updates for their own evil purposes. For example, if an attacker in a local area has set up a Stingray or IMSI catcher as an evil base station, they could trick a user’s smartphone into connecting to the attacker, like an on-path attack, and then send corrupted or malicious firmware to those handsets without the victim even being aware of it. To prevent this, smartphone manufacturers and cell phone providers are working to embed authentication and integrity mechanisms into the over-the-air update process. But until that is commonplace, this is a vulnerability you need to be aware of.

3. WPA3 (OBJ. 3.1)

In this lesson, we’re going to talk about WPA3, or WiFi Protected Access version 3, and its improvements over the older WEP, WPA, and WPA2 protocols. Now, WiFi Protected Access 3, or WPA3 as it’s normally referred to, is the latest and most secure version of wireless network encryption that’s currently available. It was introduced back in 2018, and WPA3 is part of the Wi-Fi 6 standard as its default encryption. Now, this is also part of the IEEE 802.11ax standard, which is also known as Wi-Fi 6. There are really four main benefits of using WPA3 over the previous wireless encryption protocols. First, WPA3 uses updated cryptographic protocols. Now, WPA3 uses the Advanced Encryption Standard, or AES, but it does so with a 192-bit key inside your enterprise networks.

If you’re using a personal network, it’s going to use a 192-bit key or a 128-bit key, depending on how you’ve configured it. Now, this makes it stronger than the older WPA2 protocol, which used the AES cipher with a 128-bit key for all of its networks. WPA3, like WPA2, can also be operated in either enterprise mode or personal mode. Also, instead of using AES with Counter Mode with Cipher Block Chaining Message Authentication Code Protocol, known simply as CCMP, WPA3 uses AES with GCMP, which is the Galois/Counter Mode Protocol. Now, GCMP is a high-performance mode of operation for symmetric encryption that provides authenticated encryption with associated data, also known as AEAD.

Now, we’re not going to dive too deep into the differences between CCMP and GCMP here, but just remember that WPA3 is faster and more secure than WPA2 because it uses GCMP instead of CCMP. Second, WPA3 has a feature known as Enhanced Open, and this enables encryption for the open authentication method. Now, with Enhanced Open, a WPA3 wireless network can provide Opportunistic Wireless Encryption, known as OWE, on your public and open networks. Now, even if a network is set to open and it doesn’t have a password to protect it, the data between the wireless client and the wireless access point can still be encrypted for privacy and to prevent eavesdropping attacks. This is really great if you run a public wireless network, like in a coffee shop, a hotel, or even a public library.

Third, WPA3 provides for protected management frames, which also helps prevent eavesdropping on the wireless traffic being sent. The protected management frames are going to be used for both unicast and multicast management frames, and this protects against key recovery attacks that include deauthentication and disassociation frames as part of their attack tactics. Now, fourth and most notably, WPA3 includes SAE, which is the Simultaneous Authentication of Equals. Now, SAE replaces the older four-way handshake authentication and association mechanism that was first introduced with the WPA protocol. This older handshake was based on the Diffie-Hellman key agreement, and this was used to exchange a pre-shared key between the client and the access point, but it was vulnerable to interception, cracking, and replay attacks.

Now, with WPA3, those simply aren’t possible because we removed that key exchange. Instead, we use the Simultaneous Authentication of Equals. This is a secure password-based authentication and password-authenticated key agreement method that relies on forward secrecy. Now, you may be wondering, what is forward secrecy? Well, forward secrecy, also known as perfect forward secrecy, is a feature of a key agreement protocol like SAE that provides assurance that the session keys will not be compromised even if the long-term secrets used in the session key exchange have been compromised. Now, this is a really big deal, because even if somebody gets the long-term password that you have for your network, they still can’t go in and authenticate as you, because the forward secrecy that SAE provides is going to prevent that.

To make this happen, forward secrecy uses a five-step process. The first step only happens once, and this is where your wireless access point and your wireless client are going to use a public key system to generate a pair of long-term keys. This is the long-term key that, even if it’s compromised, won’t compromise the rest of the system. Now, the second step is for the access point and the client to exchange a one-time use session key. In SAE, we use Dragonfly as our secure handshake algorithm. Dragonfly is a lot like Diffie-Hellman, but it uses an elliptic curve key agreement instead. So what am I talking about with this one-time use session key? Well, let’s say you and I want to connect to each other and send some data back and forth securely.

To do this, we need to create an encrypted tunnel, and in order to do that, we have to have a shared secret that we can encrypt that tunnel with. Now, here in step two, the access point is going to create this one-time ephemeral session key by choosing some large random number. Then it’s going to send that as part of the Dragonfly handshake to conduct this key exchange. And then we can send that long-term key from step one over to the client and do our authentication. Since we both now have the same key, we can use that to secure our tunnel. Next, we move into step three, and this is where the access point starts sending the client messages and encrypts them individually using that session key that we created. So we’ve created this key in step two and we perform that key exchange.

And now every time one of us sends a message, we’re going to encrypt it using that key. After that, we move into the fourth step, and in this step, the client is going to decrypt that message using that one time use session key. This means that when the other person gets the message, they can decrypt it because they also know what that key is. And finally, we move into our fifth step, which is where we go back and repeat steps two, three and four over and over again for every single message that’s being sent between us. This way we can do this one time use session key over and over and over again. And so if it gets compromised, it doesn’t really matter. This is how we maintain forward secrecy throughout the communication process. Notice here I said that we’re going to go back and do step two for each message.

This means we’re creating a new one time use session key each and every time. So we create a session key, we encrypt the message, I send it to you, you decrypt that message, and then we start all over again. And we keep doing this each time, getting a new one time use session key. So even if an attacker gets the session key we’re using right now, it really doesn’t matter because we’re quickly changing over to the next session key and it’s no longer going to be valid because we’re constantly using new keys the entire time.

This is the benefit of using WPA3, and that is how it maintains perfect forward secrecy. Now, since we’ve used Simultaneous Authentication of Equals, or SAE, inside WPA3 and Wi-Fi 6, an attacker will be unable to sniff our wireless traffic in an attempt to capture the handshake and obtain the hash value of that key, because we have these rapidly changing ephemeral session keys being used. Even if one is collected, it would take them way too long to conduct an offline brute force attack or a dictionary attack to recover the actual password, making WPA3 much safer for wireless communications than the older WPA2, WPA, or WEP encryption protocols that we used to use on our wireless networks and mobile devices.
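The five-step process above is easier to reason about in code. The following is a simplified model added for this page, not WPA3’s or any vendor’s implementation: the long-term secret is modelled as a shared password, the ephemeral exchange as finite-field Diffie-Hellman over a toy 127-bit prime (real SAE uses Dragonfly over elliptic curves), and the per-message cipher as a SHA-256 keystream standing in for GCMP. It contrasts a PSK-derived session key, which a captured handshake plus the password reproduces, with a fresh ephemeral key per message, which the same capture plus password does not.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters so the exchange runs offline: a 127-bit
# Mersenne prime and generator 3. These are an assumption for illustration,
# far too small to be secure; real SAE uses Dragonfly over elliptic curves.
P = 2**127 - 1
G = 3
NB = 16  # bytes needed to encode one group element

def keystream_xor(key, data):
    """Toy stream cipher (SHA-256 counter keystream) standing in for GCMP."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)

def psk_derived_key(psk, public_values):
    """Model of a pre-shared-key handshake: the session key is a function of
    the long-term secret and values sent in the clear, so capture + PSK = key."""
    return hmac.new(psk, public_values, hashlib.sha256).digest()

def psk_capture_attack(psk, msg):
    """Contrast case: nonces captured off the air plus the PSK decrypt traffic."""
    nonces = secrets.token_bytes(32) + secrets.token_bytes(32)
    ciphertext = keystream_xor(psk_derived_key(psk, nonces), msg)
    return keystream_xor(psk_derived_key(psk, nonces), ciphertext)  # attacker side

def ephemeral_exchange(psk):
    """Lesson steps 1-2: one-time DH values, confirmed under the long-term
    secret, give a session key that the public values alone cannot rebuild."""
    a = secrets.randbelow(P - 2) + 2            # AP's one-time private exponent
    b = secrets.randbelow(P - 2) + 2            # client's one-time private exponent
    A, B = pow(G, a, P), pow(G, b, P)           # the only values sent over the air
    shared = pow(B, a, P)
    assert shared == pow(A, b, P)               # both sides derive the same secret
    public = A.to_bytes(NB, "big") + B.to_bytes(NB, "big")
    confirm = hmac.new(psk, b"confirm" + public, hashlib.sha256).digest()
    key = hashlib.sha256(shared.to_bytes(NB, "big")).digest()
    return key, public + confirm

def conversation(psk, messages):
    """Lesson steps 2-5: a fresh session key for every message. Returns what an
    eavesdropper captures and the keys the peers actually used."""
    capture, keys = [], []
    for msg in messages:
        key, transcript = ephemeral_exchange(psk)
        capture.append((transcript, keystream_xor(key, msg)))
        keys.append(key)
    return capture, keys

def eavesdropper_attempt(psk, capture):
    """An attacker who recorded everything and later learned the PSK can verify
    the confirm tags, but the PSK-derived recipe gives a wrong key every time."""
    results = []
    for transcript, ciphertext in capture:
        public, confirm = transcript[:2 * NB], transcript[2 * NB:]
        expected = hmac.new(psk, b"confirm" + public, hashlib.sha256).digest()
        tag_ok = hmac.compare_digest(confirm, expected)
        guess = psk_derived_key(psk, public)    # best the PSK alone offers
        results.append((tag_ok, keystream_xor(guess, ciphertext)))
    return results
```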
