CompTIA CASP+ CAS-004 – Enterprise Mobility (Domain 3) Part 3
February 15, 2023

7. Deployment Options (OBJ. 3.1)

In this lesson, we’re going to discuss the different mobile device deployment options that you can use in your organization. A mobile device deployment model describes the way employees are provided with mobile devices and applications to use as part of their job functions. This can be one of the largest decisions an organization needs to make in the world of mobile devices, and there are four common models in use today: corporate-owned, business only (COBO); corporate-owned, personally enabled (COPE); choose your own device (CYOD); and bring your own device (BYOD). Corporate-owned, business only (COBO) devices are purchased by the company for use by employees for work-related purposes only.

All ownership, including the purchase, security, and maintenance of that device, is handled by the organization. This deployment model is considered the most secure, but it is also the most restrictive for employees and the most expensive for employers. The second model is corporate-owned, personally enabled (COPE). COPE devices are a more relaxed version of corporate-owned, business only: the organization still procures and manages the device, but it makes provisions to allow the employee to use it for personal purposes, too. This method can cause privacy concerns for your employees, though, because the organization owns the device the employee is putting all of their personal data onto, and the company may choose to inspect that device at any time.

Also, the employee is subject to the acceptable use policies of the organization when using this device, because it is still the corporation’s asset and part of its network, not the employee’s. The third option is choose your own device (CYOD). CYOD allows the employee to select a device from an approved list of vendors or models. This method is similar to corporate-owned, personally enabled, but the employee gets to choose the device they want from a list of supported devices. This gives the employee some choice in their smartphone while limiting the number of different device types the organization has to support. It also mitigates some of the major vulnerabilities, because the organization can select two or three devices and build a pretested, approved configuration of a particular operating system or device for all employees to use.

For example, at my last organization, we supported three models of iPhones and one model of Android that our employees could choose from, and then we would go out and buy that device and give it to the employee. The fourth option is known as bring your own device (BYOD). This refers to a deployment model where employees are allowed to bring their own laptops, tablets, and smartphones into work and connect those devices to the corporate network. This transfers the financial cost of the device to the employee, but it introduces many security issues and legal concerns for your organization, because these devices are not owned or maintained by your organization and yet organizational data will still find its way onto them.

When using BYOD for mobile devices, many organizations require the employee to purchase a compatible device. For example, a company might support only iPhones or only Android devices. In the BYOD model, the employee agrees to allow the company to install corporate applications, and in many organizations even to install an MDM agent or other oversight and auditing software on the device. Most employees like the BYOD model because they own and choose their own devices, but it is the most difficult model for security professionals to secure, and it raises the same privacy concerns.

Personally, I prefer to use corporate owned, business only or corporate owned personally enabled deployments in my organizations and my networks. There is one other type of mobile deployment that you may come across in the real world, known as VMI, or virtual mobile infrastructure. VMI is similar to the VDI (virtual desktop infrastructure) used in large organizations, but with VMI we’re running a virtualized mobile operating system hosted in a server farm or cloud, accessed through a thin-client app or mobile web browser on the employee’s personal or company-owned device.

This is a newer mobile deployment method, and it is gaining popularity because it has some real benefits. Virtual mobile infrastructure provides a sandboxed environment for work-related activities, which gives the employee a more secure way to access corporate resources while still using a personally procured device. From an organizational security standpoint, it’s also attractive because your data never leaves your network: nothing but the rendered screen output reaches the employee’s device, and the data itself remains in the data center or cloud infrastructure that you host as part of VMI.

8. Reconnaissance Concerns (OBJ. 3.1)

In this lesson, we’re going to discuss the different reconnaissance concerns that you need to be aware of in terms of mobile devices and wearables. This includes the type of data and information that can be accessed through physical reconnaissance of your mobile devices, the implications of wearable devices for our privacy, and the ability of attackers to conduct wireless eavesdropping using our devices. First, let’s take a quick look at the types of information you can find on mobile devices. Mobile devices store data on the device itself, on removable memory cards, and in the cloud.

When you’re thinking about the privacy issues and the amount of reconnaissance that could arise from the loss or theft of a smartphone, just think about how much personal information is really stored on that device. Our smartphones hold a treasure trove of information, including subscriber and equipment identifiers (IMSI and IMEI), system and localization settings, phone books and contacts, calendar details, text and multimedia messages, call logs of outgoing, incoming, missed, and recent calls, emails, photos, music, videos, instant messaging data, web browsing history, documents, social media accounts, banking information, geolocation data, biometric and health data, and much more.

Most of this data is stored on the device itself and is also backed up to a cloud service provider like Google Drive or Apple’s iCloud. Organizations therefore need to ensure that devices are configured to encrypt data at rest (full-disk or file-based encryption), so that a thief who steals the device cannot simply read its storage. Additionally, all cloud backups need to be encrypted in transit and at rest using at least 128-bit AES. If a device is lost or stolen, it is critical that the user immediately report the loss to the organization. Most organizations use a mobile device management (MDM) suite, and these have the ability to locate the stolen device or to remotely wipe it and remove any data before a thief can access it.

Preparation is truly the key to keeping the data on our mobile devices secure, and we should always configure encryption for the data stored on our devices ahead of time. Beyond mobile devices, many employees have also adopted wearable technology. Wearable technology is any type of smart device that is worn on or implanted in the body. These devices take many different shapes and forms, including smartwatches, cameras, fitness devices, glasses, headsets, and medical sensors. Smartwatches are watches that usually include a touchscreen interface and run an embedded mobile operating system such as Wear OS (Android) or watchOS.

These devices can perform functions like playing music, tracking fitness, translating languages, providing directions, and much more. Some of these devices require a smartphone in order to operate, but others have built-in cellular transceivers and operate independently. Cameras also used to be independent devices, but with the recent introduction of body cameras for military, police, and security officers, they are now placed in the wearable category, too. These devices are usually always-on, always-recording technology, and when they run out of storage they simply overwrite the oldest material in their memory.

Fitness devices, another type of wearable, are used to track a person’s physical fitness metrics. They can collect all sorts of data, like how fast a person walks, the number of steps they took that day, their heart rate, and much more. These devices are usually worn as a bracelet or watch, but some take the form of a small clip that can be placed in a shoe, clipped onto it, or tied into the shoelaces. Glasses are the next category of wearables. The idea is that a pair of smart glasses can be worn like a normal pair of sunglasses but can project a digital image onto the lenses, which intrigues a lot of people.

These devices can support different types of input as well, like eye movements, voice activation, and buttons on the side of the frames. Smart glasses could be used to provide information to a user while walking around a city, like directions, or to let them see their smartphone screen while the phone is still in their pocket. Another wearable is the headset. Headsets have been around for decades, and users rely on them to talk on their smartphones without holding the phone itself. They usually operate over Bluetooth and can send and receive audio, such as phone calls or music. The biggest recent evolution in this technology has been size: headsets continue to shrink while providing better quality and longer battery life. The final type of wearable we’re going to talk about goes inside your body instead of on it. These are medical sensors. Smart sensors are now being incorporated into medical devices like pacemakers, giving them network connectivity as well as the ability to track your metrics from within your body.

These devices can notify a doctor when they sense that your body is having an issue, instead of relying on somebody noticing that issue themselves. Wearable technology gives us some unique ways of interacting with technology in our daily lives, but it is not without its own risks and security concerns. Wearables are a big reconnaissance concern because they collect so much highly sensitive data, including biometric and health data. These devices can seem harmless, like using a GPS-enabled wearable while you’re running to track your distance. But even as far back as 2017, we saw secret military bases around the world being identified because a social network for physical fitness published an activity heat map built from the data of military members who were exercising at those bases and sharing their workouts with the world.

This becomes a reconnaissance concern, especially for the military, because those secret bases were now identifiable. Another concern is wireless eavesdropping, because these wearables often utilize unencrypted communications. Many of these devices are low powered and don’t have enough computing power to encrypt their communications even if the vendor wanted to, and some were designed with no security whatsoever because it wasn’t considered important to the function of the device. Therefore, these wearables can introduce vulnerabilities into our networks and our physical environment, because their communications could be captured and read in plain text using wireless eavesdropping techniques over cellular, Wi-Fi, or Bluetooth.

When you consider whether your organization should allow the use of wearables, you need to decide your risk appetite before accepting these devices into your network or your office environment. Many of these devices, especially ones with cameras, can be remotely turned on or off, and this could be a major issue if an attacker gained access to your network. They could turn on those cameras and use them to conduct their own reconnaissance of your facility as employees walk around. Or, if they were part of a group trying to break into your facility, they could remotely disable your security cameras before the break-in.

With the addition of smartwatches, smart glasses, and other wearables, it has become much easier for criminals to perform reconnaissance of our organization’s buildings. As people walk around the building every day, the cameras and microphones on their devices can record everything that is going on, and attackers can analyze that footage once it’s off the property. Again, depending on your risk appetite, you may wish to prohibit wearables inside your facility altogether, which is common in many military organizations. With the increased use of fitness trackers and medical sensors, we also need to concern ourselves with the health privacy of the data these things are collecting.

This is extremely important when dealing with medical sensors, because HIPAA rules could apply if the device was implanted or prescribed by a healthcare provider. Consumer fitness trackers generally don’t fall under HIPAA, but their data should still be protected. Finally, if our organization owns some of these wearables, we need to consider how we would conduct digital forensics on them if they were used as an infection vector into our networks. These devices often have unique cable connections and don’t use standard disk storage technologies, and most digital forensic suites aren’t set up to acquire data from them. Therefore, if wearables are going to become part of our organizational network, this is something that has to be planned for ahead of time.

9. Mobile Security (OBJ. 3.1)

In this lesson, we’re going to discuss a few key concepts to increase our mobile device security. This includes some things to avoid, like jailbreaking, rooting, sideloading, and unauthorized application stores, as well as some best practices to adopt, like containerization, application wrapping, trusted OEM suppliers, and bootloader security. First, let’s talk about jailbreaking. Jailbreaking is a term that describes using an exploit to obtain root privileges, sideload applications, change or add carriers, and customize the interface of an iOS device like an iPhone or iPad. The problem with jailbreaking a device is that it removes the protections Apple has built into that device along with the restrictions.

Jailbroken devices are one of the largest threat vectors attackers exploit when it comes to iOS devices. When you jailbreak a device, you no longer have the protections and restrictions that Apple gives you: the sandbox and code-signing enforcement are weakened, and the phone typically can’t install vendor updates without losing the jailbreak, so users defer patching and the device becomes much more vulnerable to attack. In the old days, you could jailbreak a device once and it would boot with a patched kernel every time the phone was restarted. Apple has worked continually to eliminate jailbreaking and has made it much harder to perform. Currently, most jailbreaks are tethered or semi-tethered, which means the device must be attached to a computer (or the exploit re-run) each time it boots in order for the patched kernel to load and give you root access.

Because of this, jailbreaking iPhones and iPads is not nearly as prevalent as it once was. Android devices, on the other hand, use a technique known as rooting. Rooting is an exploit that gives the user root privileges on an Android device so they can do whatever they want on it. There are also some vendor-sanctioned rooting paths: some manufacturers, such as Google with its Pixel line, provide a supported way to unlock the bootloader. This reflects the more open nature of Android compared to iOS. Most users, though, have no legitimate reason or need to root their device. If the vendor doesn’t provide a mechanism, you would have to root it by exploiting a vulnerability to gain access as root, or you could load custom firmware onto the phone instead.

Custom firmware is a new Android OS image that can be applied to your device. It is also known as a custom ROM, and some people have created their own versions of Android with different settings and interfaces using these custom ROMs. These custom ROMs, though, could contain malicious code, bugs, or other vulnerabilities that you’re not aware of, and they’re usually not supported by the larger security community or by the manufacturer when things break. So you need to be careful if you’re going to use a custom ROM. Another type of root-level access you can achieve on an Android device is known as systemless root.

Systemless root is a method that patches the boot image and overlays its changes at runtime instead of modifying the system partition or its files, and therefore it is less likely to be detected than a custom ROM or firmware-based rooting. Next, we have sideloading. Sideloading is the practice of installing an application on a mobile device directly from an installation package instead of downloading it through an official store like the Google Play Store or the Apple App Store. When a developer submits an application to an official store, it has to pass a number of security checks before it becomes available to users. But if a user simply installs an application they found online, it can contain vulnerabilities or malicious code that they’re not aware of.

By default, Android blocks the installation of apps from unknown sources, and iOS does not allow sideloading at all outside of Apple’s developer and enterprise provisioning programs. A user can, however, enable installation from unknown sources in the settings of an Android device. To prevent this, organizations should use a mobile device manager to block the installation of unauthorized or third-party apps. Another security issue with applications is the installation of unsigned apps. When an application comes from an official store, it is digitally signed by the developer so that its code can be verified and shown not to have changed since it was signed. If a user downloads and installs an unsigned application, there is no way of knowing whether it has been tampered with between the time it was developed and the time the user downloaded it. To prevent the introduction of malware onto our devices, we should only install applications that come through an official application store and that are digitally signed by their developers.

Next, let’s talk about some security best practices. First, we have containerization. Containerization is a security configuration that brings additional security to your mobile device deployments, and it works especially well for COPE, CYOD, and BYOD deployments. Mobile containerization involves segmenting corporate-owned data and resources from the personal data and apps on the device.
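One quick check an administrator or MDM compliance script can run against a managed Android device is to ask the package manager which installer put each app on the device. The following is an added example written for this lesson, not code from the original course: it parses the output of `adb shell pm list packages -i` (whose real format is `package:<name>  installer=<installer>`) and flags packages that did not arrive via the Play Store or the corporate MDM agent. The trusted-installer set, the hypothetical MDM agent package `com.example.mdm.agent`, and the sample output are assumptions constructed for the example.

```python
"""Flag sideloaded packages from `adb shell pm list packages -i` output.

Added example for illustration. The installer packages treated as trusted
are an assumption that must be adapted to your own fleet.
"""
import re
from typing import Dict, List, Tuple

# Installer packages treated as authorised sources (assumption):
#   com.android.vending      Google Play Store
#   null                     preloaded/system apps, which record no installer
#   com.example.mdm.agent    hypothetical MDM agent that pushes corporate apps
TRUSTED_INSTALLERS = frozenset({"com.android.vending", "null", "com.example.mdm.agent"})

# One line of `pm list packages -i`, e.g. "package:com.foo  installer=com.android.vending"
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_installers(pm_output: str) -> Dict[str, str]:
    """Map package name -> installer package, raising on lines we do not understand."""
    installers: Dict[str, str] = {}
    for raw in pm_output.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"unexpected pm output line: {line!r}")
        installers[match["pkg"]] = match["inst"]
    return installers


def find_sideloaded(pm_output: str, trusted=TRUSTED_INSTALLERS) -> List[Tuple[str, str]]:
    """Return sorted (package, installer) pairs whose installer is not trusted.

    com.android.packageinstaller means a user installed an APK by hand; any
    other unknown installer is usually a third-party store client.
    """
    return sorted(
        (pkg, inst)
        for pkg, inst in parse_installers(pm_output).items()
        if inst not in trusted
    )


# Constructed sample output: two clean apps, one corporate app, two sideloads.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=null
package:com.google.android.gm  installer=com.android.vending
package:com.example.corp.expenses  installer=com.example.mdm.agent
package:com.totally.legit.game  installer=com.android.packageinstaller
package:com.shady.store.client  installer=com.shady.store
"""

if __name__ == "__main__":
    for pkg, inst in find_sideloaded(SAMPLE_PM_OUTPUT):
        print(f"SIDELOADED  {pkg:40s} via {inst}")
```

One caveat: apps installed over `adb install` also report `installer=null`, so this heuristic alone cannot distinguish them from preloaded system apps; in practice you would combine it with the device’s list of system packages (`pm list packages -s`) and with the MDM’s own application allow list.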

By doing this, you prevent employees’ personal apps and processes from interacting with the corporate resources on the device, because those resources are placed in a separate, logically isolated container. In addition, the container may route its network connectivity over a per-app VPN, which adds protection to the live traffic being sent and received by those corporate applications. To use mobile containerization, you enable it through an MDM (mobile device management) solution and encrypt the contents of the organizational container to keep it logically separated from the rest of the applications and data on the device. Another best practice is application wrapping. Application wrapping is the process of adding an additional layer of security around an existing application on the device. This extra layer ensures the organization’s security policy is enforced instead of relying on the app’s native security features.

This is usually implemented through a mobile device manager as well. The wrapping layer typically works by intercepting system or other API calls and handling them according to its security policy. Next, we have the best practice of using trusted original equipment manufacturers (OEMs) as our suppliers. For example, Android is an open operating system that anyone can use in their mobile devices, but some manufacturers provide better support than others. If you’re buying Android devices for your organization, you will receive better firmware and security updates if you use a major OEM like Samsung, Google, or Motorola than if you use a small manufacturer that started making smartphones last year.

Also, mobile devices are a collection of many different parts assembled into an end product: processors, memory controllers, antennas, connectors, and cases created by multiple suppliers. Each of these components, at each supplier, could be modified or tampered with to embed malware or a backdoor into the end user’s mobile device without anybody knowing it. Supply chain issues are a real concern, but unless you work for a very large organization, you are unlikely to be able to influence this area much in your daily role as a cybersecurity practitioner. A larger OEM is more likely to have good control over its supply chain than a smaller manufacturer, so choosing one mitigates the supply chain risk somewhat. When you’re choosing a manufacturer,

you also need to consider its reputation in terms of supply chain management and supply chain security. Finally, you should enable bootloader security on your devices. Most modern mobile devices perform a verified boot: each stage of the boot chain, starting with the bootloader, is checked against a signature rooted in the hardware before the operating system is allowed to load, so a modified bootloader or system image is detected at power-on. Some devices back this up with an eFuse. An eFuse is a means for software or firmware to permanently alter the state of a transistor on a chip; it can be changed once and never reset. Manufacturers such as Samsung use one as a tamper flag: the first time unsigned or custom firmware is flashed or booted, the fuse is blown. When the device powers on, it checks whether the eFuse is still intact. If it is, the device has never run a modified bootloader and the boot chain can be trusted; if it has been blown, the device is permanently marked as tampered (and features such as Samsung Knox’s secure container are disabled), even if the original firmware is later restored. By combining verified boot with eFuses, our devices can ensure their integrity remains intact and that the boot process can be trusted to load our operating system properly and securely.
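The rooting, bootloader-unlock, verified-boot, and data-at-rest encryption indicators discussed in this lesson and in the previous one all surface as Android system properties that an MDM agent or an administrator with `adb shell getprop` can read. The following is an added example written for this lesson, not code from the original course: it parses a `getprop` dump (real format `[key]: [value]`) and reports posture findings. The property names and their expected values (`ro.boot.verifiedbootstate` green/yellow/orange/red, `ro.boot.flash.locked`, `ro.build.tags`, `ro.crypto.state`, `ro.debuggable`, `ro.secure`) are real; the two sample dumps are constructed for the example.

```python
"""Assess Android device posture from `adb shell getprop` output.

Added example for illustration. Because these values are reported by the
device itself, a rooted device can forge them; treat this as a first-pass
check and rely on hardware-backed attestation for anything that matters.
"""
import re
from typing import Dict, List

# One line of getprop output, e.g. "[ro.build.tags]: [release-keys]"
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")


def parse_getprop(text: str) -> Dict[str, str]:
    """Map property name -> value, skipping blank or unparseable lines."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        match = PROP_RE.match(raw.strip())
        if match:
            props[match["key"]] = match["val"]
    return props


def assess_posture(props: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means no red flags."""
    findings: List[str] = []

    # Builds signed with the public AOSP test keys are custom/engineering ROMs.
    if "test-keys" in props.get("ro.build.tags", ""):
        findings.append("build is signed with test-keys (custom or engineering ROM)")

    # Verified boot: green = OEM-signed chain; yellow = custom root of trust;
    # orange = unlocked bootloader, nothing verified; red = verification failed.
    vb_state = props.get("ro.boot.verifiedbootstate", "").lower()
    if vb_state != "green":
        findings.append(f"verified boot state is {vb_state or 'unknown'} (expected green)")

    # An unlocked bootloader allows arbitrary images to be flashed and booted.
    if props.get("ro.boot.flash.locked") == "0":
        findings.append("bootloader is unlocked")

    # Data at rest must be encrypted (file-based or full-disk).
    if props.get("ro.crypto.state") != "encrypted":
        findings.append("userdata partition is not encrypted")

    # Debuggable builds and ro.secure=0 let adbd run as root.
    if props.get("ro.debuggable") == "1":
        findings.append("debuggable build")
    if props.get("ro.secure") == "0":
        findings.append("ro.secure=0, adb shell runs as root")

    return findings


def is_compliant(getprop_text: str) -> bool:
    """Convenience wrapper: True when assess_posture finds nothing."""
    return not assess_posture(parse_getprop(getprop_text))


# Constructed sample: a stock, locked, encrypted device.
STOCK_DEVICE = """\
[ro.build.tags]: [release-keys]
[ro.boot.verifiedbootstate]: [green]
[ro.boot.flash.locked]: [1]
[ro.crypto.state]: [encrypted]
[ro.crypto.type]: [file]
[ro.debuggable]: [0]
[ro.secure]: [1]
"""

# Constructed sample: unlocked bootloader running a test-keys custom ROM.
ROOTED_DEVICE = """\
[ro.build.tags]: [test-keys]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.flash.locked]: [0]
[ro.crypto.state]: [encrypted]
[ro.debuggable]: [1]
[ro.secure]: [1]
"""

if __name__ == "__main__":
    for name, dump in (("stock", STOCK_DEVICE), ("rooted", ROOTED_DEVICE)):
        print(name, "compliant" if is_compliant(dump) else "NON-COMPLIANT")
        for finding in assess_posture(parse_getprop(dump)):
            print("  -", finding)
```

The eFuse tamper flag described above is not exposed as a system property; on devices that have one, it is read from the bootloader or download-mode screen, or indirectly through the vendor’s attestation service, so a script like this should be paired with that check rather than replace it.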
