4. Connectivity Options (OBJ. 3.1)
In this lesson, we’re going to talk about connectivity options for your mobile devices and wearables. Specifically, we’re going to discuss NFC, RFID, infrared, Bluetooth, USB peripherals, and tethering. The first connectivity option we need to discuss is NFC or near field communication. Now, NFC devices use a radio frequency that sends an electromagnetic charge containing the transaction data over a short distance, usually just a few inches. Now, many mobile devices have features like tap to transfer, where if two NFC enabled smartphones touch up against each other, they can automatically transfer information. Now, NFC is also heavily used in mobile payments.
In the old days, we would actually pull out our credit card or debit card or even cash to pay for our morning coffee. But these days, we simply pull out our smartphones or our smartwatches and hold them up to an NFC reader. Whether you’re using Apple Pay, Samsung Pay, or Google Pay, a mobile device user can pull out their phone and tap it on a sensor to have their credit card or bank account automatically debited for their purchase price. This technology is usually going to be paired with a mobile wallet which contains digital versions of our different debit or credit cards. Now, each of these are going to be stored inside of Apple Pay, Samsung Pay, or Google Pay to conduct the transaction on our behalf. In addition to making payments with mobile devices, many businesses now use mobile devices as part of their point of sale or POS systems.
These systems act like a register, but they can be used anywhere. For example, if you’ve gone into an Apple store recently, you’ve noticed that they don’t have a standard register for checkout. Instead, their associates walk around with iPhones and a card reader and they take your payment from anywhere within the store. Now, these devices are really convenient for businesses that are often in different locations, like food trucks or people who sell items at a convention or fair. But they can also be vulnerable to attack or theft. For example, the card readers could be tampered with and uses a method of exploitation against the organization. For this reason, we should only use card readers that we have received from a trusted source in our supply chain.
Now, due to NFC’s very short distances, many people assume that it is a safe technology to use. But it does in fact have some vulnerabilities. For example, some high gain antennas can actually pick up the radio frequency signals emitted by NFC devices from several feet away, instead of just the two to four inches that are advertised as it was initially designed. Now, this means an attacker could eavesdrop on the communication from further away and go unnoticed. Another common attack is where an attacker attempts to skim information from an NFC device in a crowded area. By using an RF skimmer, this device will simply collect all the NFC signals that it can inside of an area. So if a person is hanging out near the checkout area, they may be skimming the NFC transactions using a skimmer and a high gain antenna, and you’d never even know it. Our second connectivity option that we need to discuss is RFID.
Now, RFID or Radio Frequency Identification is a form of radio frequency transmission that’s been modified for use in authentication systems. In an RFID system, two components called the tags and readers are going to be used. This is heavily used in inventory tracking systems and authentication systems. In inventory tracking systems, an RFID tag is placed on an object like a shipping container or a pallet, and then readers are used to identify that container or pallet as it goes throughout and is put in a warehouse, loaded on a truck, or moves along its designated logistical route. Another commonplace to find RFID technology is in an enterprise authentication system such as the employee’s identification badges.
Now, an RFID tag can be embedded into that employee’s identification badge and used as a possession factor in authentication. Now, because it uses radio frequency, though, there is a danger that that signal could be captured by an attacker and then retransmitted. For this reason, if you’re going to use RFID as an authentication system, you should always do it as part of a two factor authentication system and include a second authentication factor like a pin or a password. The third connectivity option we’re going to discuss is an older technology, and it’s known as Infrared. Now, it’s still used in some organizations and it’s known as Infrared Data or IRDA. IRDA is going to allow two devices to communicate using line of sight communication in the infrared spectrum.
Now, Infrared was actually quite popular about 20 years ago for connecting wireless mice and keyboards before Bluetooth started taking over. Now, Infrared does require a line of sight connection. This makes it a bit more secure than using Bluetooth, but it has a very low data rate. Some current uses of infrared include light fidelity, which is a moniker that uses LEDs instead of infrared to transmit data in this spectrum. The fourth connectivity option we have is actually Bluetooth, which replaced infrared for a lot of things. Bluetooth has become a common method of connecting between desktops, laptops, and mobile devices with all sorts of different peripherals like mice and keyboards and headphones.
When these devices are connected to the system, a personal area network connection is going to be created over the two 4 GHz frequency band, and this allows wireless connectivity between the peripheral and the device. Now, Bluetooth is very convenient, but it does introduce some vulnerabilities. The first is known as bluejacking. bluejacking occurs when unsolicited messages are sent to a Bluetooth enabled device. To prevent this, devices should not be put into Discoverable Mode unless we’re actively connecting to a new peripheral. When we finish that configuration, we should turn Discoverability Mode back off. Blue Snarfing is another vulnerability, and Blue snarfing occurs when somebody makes an unauthorized access to a device through the Bluetooth connection.
In this case, the attacker tries to take data off of a device using that Bluetooth connection. If we’re in a high security environment, it is better to disable Bluetooth altogether and simply use cabled, mice, keyboards and headsets to eliminate this vulnerability. Now, a more modern threat to Bluetooth is known as Blueborn. Blueborn is an attack that allows an attacker to gain complete control over device without even being connected to the target device. This is due to a vulnerability in the Bluetooth protocol itself and has been shown to work in Windows, Android and Apple devices. Our fifth option for connectivity is USB devices and peripherals things like thumb drives, external hard drives, headphones chargers and battery packs.
All of these devices have the ability to be connected through USB or the Lightning port on the bottom of your mobile device. And they all have been known to provide a method for malware to be introduced into our network. Now, many of these rogue peripherals will look and act just like you would expect the normal device to look, but they also perform malicious actions in the background. For example, look at the OMG cable. It’s designed to look just like a regular Lightning cable that you would use to charge your iPhone. But if you connect this cable to your iPhone, it can conduct keystroke, injection, payloads, conduct keystroke, logging against your device, and much more.
For this reason, you should always train your users to never use a public charging station or someone else’s cables because those are untrusted and they could contain malicious payloads. Our 6th connectivity option that we needed to discuss is known as tethering. Now, tethering is the ability to share the cellular data Internet connection from a smartphone to multiple other devices, usually by creating a WiFi hotspot, a Bluetooth connection between a phone and a laptop, or a direct USB connection between two devices. Most commonly, this is done from your smartphone to your tablet or laptop. Now, when you’re doing this, most smartphones will now allow tethering to one or more devices, especially if you’re using it as a WiFi hotspot.
This technology has some amazing utility for the business traveler, but it also does have some risks. For example, if we create a WiFi hotspot through our phone, we need to ensure that we’re enabling WPA Three or at a minimum WPA Two with encryption and a strong password. Otherwise other people could see that open hotspot and pair with it. If they pair with our smartphone, they can then use that to conduct malicious actions that would then be traced back to us. Also, you need to be wary of connecting to other people’s hotspots. These devices could be set up as a form of Onpath or man in the middle attack, where the provider of the free WiFi is actually capturing all of the traffic that’s being sent over it, such as the login and password information for work related banking or other social media websites.
To best protect yourself, always connect to the trusted wireless network that you know like your home office or personal hotspot network. Another vulnerability you need to be aware of is allowing your users to tether their corporate devices to a smartphone and this is a way that some people will use to be able to try to circumvent your data loss prevention or web content filtering policies. If you don’t have hostbased protection installed on your corporate laptops, then you need to disallow the ability for them to connect to hotspots or wireless networks to prevent this type of circumvention of your networkbased controls to be used.
5. Security Configurations (OBJ. 3.1)
In this lesson, we’re going to discuss the different security configurations that you can use in your mobile devices. This includes device configuration profiles, full device encryption, VPNs, location services, and geofencing. And geotagging. First, we have device configuration protocols. Now, device configuration protocols are used to implement different settings and restrictions for your mobile devices from your centralized mobile device management systems, and then those are going to be deployed to your mobile devices across your organization.
Most device configuration protocols are written as XML files, but this does depend on your mobile device management suite. These XML files contain all the configuration details for a specific user or device, depending on your MDM. These device configuration protocols are then going to be installed on a device either manually or through an automated deployment using your MDM after the device has been enrolled into the mobile device management suite. Profiles are most commonly used for security, but they also provide a vulnerability that can be exploited by an attacker because profiles can be pushed to a device by email, text message or as a download from a rogue web page. In these cases, an attacker will try to trick a user into accidentally installing the profile in order to gain access to enterprise data or the enterprise network by using that mobile device as a zombie or pivot point.
Similarly, digital certificates can also be delivered and distributed to a device like a rogue profile can. So you should always be careful when accepting and trusting new digital certificates that are presented over an email, text message, or rogue web page. Second, you should consider implementing full device encryption on all of your mobile devices. Every mobile device has an internal solid state storage device that contains the operating system, application files and data files. In addition to this, many Android devices also have an additional memory card slot for additional or expansion storage. To protect the data stored on these devices, you need to implement full disk encryption to provide data at rest protection. While many organizations may not bother to use full disk encryption on their desktops, it is extremely important to use it on your laptops and mobile devices.
Many data breaches have come as a result of an employee’s laptop, tablet or smartphone being stolen from their home or car, and that data was easily read from the storage device because full disk encryption was not being utilized. Now, iPhones and iPads use a 256 bit unique ID for each device, and you can combine that with the user’s password in order to encrypt the storage device for full device encryption on Apple devices. Android Devices prior to Marshmallow, which was version 60, one use full disk encryption using 128 bit AES key protected with a password. But starting with Android version seven, file based encryption was also introduced to allow for the independent encrypting and decrypting of files. As of Android version nine, metadata encryption was also supported and this allows Android to provide full device filebased and metadata encryption to provide you with additional protections and data at rest.
To aid in all of this encryption, a lot of these devices have an embedded micro SD hardware security module, also known as an HSM, which stores the different cryptographic keys securely inside that mobile device, similar to the way a TPM module does in a laptop or desktop. The third security configuration you should implement is the use of virtual private networks, or VPNs. Just like traditional desktops and laptops, mobile devices must rely on a VPN to access our organization’s network resources when they’re not connected directly to the organization’s network. Mobile devices have a few options that they can use to create this VPN. Most mobile operating systems natively support VPNs through their settings. To configure these VPNs.
They’re going to rely normally on a username and password to create a more secure VPN solution. Though some mobile device management solutions will also provide a third party VPN client that can support digital certificates. And other forms of authentication such as a fingerprint to be able to establish a secure VPN connection through the Mobile Device Management Gateway server. When implementing a VPN, our organization needs to decide which type of encryption is going to be utilized, such as secure socket layer tunnels, transport layer security tunnels, or some other form of encryption. Remember, when you’re configuring a device to use a VPN, be sure you follow both your organization’s traditional VPN security policies and any mobile specific policies you may have.
Now, as I said, mobile devices have extensive support for virtual private networks, and you can actually do this at three different layers the operating system layer, the application layer, and the web based layer. At the operating system level, a VPN provides an Oasan protection capability that will capture all the device traffic and forward it through an encrypted tunnel to your VPN’s endpoint. If you’re using an application level VPN, this will focus on providing a VPN on a per app basis. These Applevel VPNs can then be configured to protect the traffic generated by a single application. Instead of tunneling all the device’s network traffic through that VPN, a web based VPN solution works within the web browser on a mobile device to protect traffic by masking or changing the device’s true location to bypass geo restrictions or firewall restrictions.
Now, web based VPNs do not provide as much protection as an OS level VPN, but they may be useful depending on your business case and your needs. Our fourth security configuration we need to think about is Location Services. Now, the Location Services setting refers to how a mobile device is allowed to use your cellular, WiFi, GPS and Bluetooth to determine your physical location. For example, if you want to determine a user’s device and where it is precisely, you can triangulate that device using GPS with a highly accurate result, or you can actually triangulate the device using the cellular modem and multiple cellular towers to get a rough or coarse position if GPS is not working.
Now, different applications on your device will ask for permission to access your course or precise location, and you can configure their ability to read and access that information in your profile or your MDM policies. Now, the fifth security configuration we need to discuss is also related to location services, and it’s known as geolocation, which is used by geofencing and geotagging. Now, geolocation uses a device’s ability to detect its location in order to determine if access to a particular resource should be granted. This can be accomplished by using the device’s public IP address, the GPS coordinates of the device’s current location, or even the location based on the triangulation of its position to the cellular towers in its local area that it’s using for data access. As I said, geolocation is closely related to location services.
Now, based on this location data, your app policy, your network policy, or your MDM policy can enable or disable certain functionality of the device or even prevent authentication entirely. This is done through geofencing, which is the creation of virtual boundaries based on geographical locations and coordinates. Geofencing can also be used to track a user’s location and keep them within a certain area. For example, there’s applications out there that a parent can install on their child’s smartphone that will send a text or alert if the child tries to leave a predefined boundary that was set by the parent. But parents aren’t the only ones using geofencing. Let’s pretend for a moment that you’re the CIO for a small company here in the United States and you don’t have any international employees.
You might enable geofencing as a way to prevent any users from outside the United States from logging into your systems. You could do this based on the location of the source of the IP address of that user or the GPS coordinates of the device the user is using when they’re trying to log into your systems. This is geofencing at work. Finally, a related topic is known as geotagging. Now, geotagging is the addition of location metadata to files or devices. Often this is used by our mobile device management systems and asset tracking systems to ensure the devices are located where we believe that they should be located. For example, let’s pretend you run a small chain of coffee shops and each point of sale system is really an iPad with a credit card reader attached to it. You could implement geotagging of all the transactions to be able to ensure they occurred from the proper location. Or you could geotag the device itself and only allow it to operate when it’s within the local area of its designated coffee shop.
6. DNS Protection (OBJ. 3.1)
In this lesson, we’re going to discuss DNS protection of our devices. Now, DNS protection can be accomplished using either custom DNS or DNS over Https, or both. As you probably already know, every time you try to access some service on the Internet, like a website, you’re performing a DNS lookup. For example, let’s say you want to reach my website. You’re going to go and type in www. diontraining. com. com, and then your computer would conduct a DNS lookup to identify my server’s IP address, and then you’ll connect to my web server using that IP address over port four four three. Now, the danger here is that if somebody was able to trick your computer to use a DNS server that they control instead, they could redirect you from going to my secure website to a website they control.
In fact, you see this happening all the time if you connect to WiFi on an airplane or in a hotel, when you open up your web browser and you enter Google. com or Facebook. com and you’re instantly redirected to their login page. This is usually done because they control the DNS server that you connected to on that WiFi network. And then if you look up one of those domains and they don’t want to direct you to that website until you become an authorized user of their WiFi. Normally, this is done by signing in or paying a fee to gain access to the wider Internet, and then they’ll start forwarding those DNS requests. This is actually a custom DNS at work, but to the advantage of the airline or the hotel instead of your own.
Now, by default, DNS is an unencrypted protocol, and so it provides a unique place to have reconnaissance where you can actually see what people are trying to connect to based on their DNS requests. Anybody can observe, track, and customize the requests and responses that are being sent if they run their own custom DNS service as well. In addition to that, there are custom DNS services like Cisco Umbrella, Clean Browsing, and Cloudflare DNS that you can use to protect your privacy and browsing activities, as well as to block dangerous sites by redirecting you to a safe alternative using DNS. Using a custom DNS as an organization, you can actually identify blocks of sites that you want to block completely, much like a proxy server would.
Now, our second method of DNS protection that you should consider is known as DNS over Https, also known as DOH. Now, DNS over Https was created to provide additional privacy by encrypting the DNS requests that a client is making by telling all of those DNS requests through a TLS tunnel using the Https protocol. For this to work, you need to have a DNS over Https provider, though, and then you’re going to make an initial request to them over port 53 for DNS, and then all your other lookups will be done using port four four three by tunneling your DNS request over the Https protocol to your DOH provider.
This provides a lot of privacy for the end user, but as an enterprise network security administrator, you do need to worry about this, because it allows a client device to bypass your corporate DNS restrictions because these requests don’t appear here as DNS requests, but instead they look like Https requests now. So like most things in cybersecurity, DNS over Https can be a good thing and increase your privacy. But it can also be used to bypass some of our corporate restrictions by hiring users if we’re not careful.
