Mobile Device Enforcement – CompTIA Security+ SY0-501 – 2.5

| November 28, 2017


There are many mobile device features that require additional policies and management for use. In this video, you’ll learn about these common mobile device enforcement issues.

<< Previous Video: Mobile Device Management Next: Mobile Device Deployment Models >>


If you’re in charge of a Mobile Device Manager and you have to set policies for all of your mobile devices, there are a number of different characteristics you have to consider when deciding what type of security features to enable. Users can download apps from a number of different sources, but there are certainly centralized application clearing houses that most people will use. Apple’s App Store, Google Play, and Microsoft Store are three app stores that make it very easy for your users to download applications.

But of course, not all applications are created with security in mind. And a number of applications may have vulnerabilities, or data leakage that no one even realizes until someone starts to use that application. Of course, there are a number of applications that have nothing to do with business.

And if someone’s using a mobile device that is dedicated for business, you may want to have the option to prevent things like games and instant messaging from being installed onto these mobile devices. The best place to manage all of your controls for applications, what’s installed, and what can be downloaded, are from your Mobile Device Manager. You can enable or disable access to an app store, or set up a whitelist that would limit what applications could be installed on a mobile device.

On most mobile devices, the end user is never interacting directly with the operating system. We see a nice graphical front end, and we’re able to use the applications without ever using any of the components of the operating system directly. There are ways to gain access to the operating system of these devices. On Android, this is called rooting. And if you’re using an apple iOS device, this is called jailbreaking.

This usually requires that someone replace the entire operating system of this device with their own customized firmware that allows access to the operating system. Once that’s installed, the end user will have complete access to the device. If somebody is trying to circumvent your security controls, this would be a very good way to do it. You can download your own applications in something called side loading that downloads it from places other than the app stores. And your Mobile Device Manager policies at this point are circumvented by the rooted or the jailbroken device.

Most of the mobile devices we use these days are locked down to a particular carrier. If we purchase a mobile phone on AT&T for example, we can’t take that mobile phone over to Verizon and use the phone on Verizon’s network. That’s because the cost of the phone is added to or subsidized in the monthly payment that we’re making. If we were able to buy the phone for a small amount from AT&T, AT&T would never be able to recoup those costs if you were to take that phone over to Verizon.

There are ways to unlock the phone. And your carrier may allow you to unlock the phone after a certain amount of use, or a certain number of payments. In some countries, the carrier is not allowed to lock the phone, and regardless of where you purchase the phone, you can use it on whatever carrier you’d like.

If someone does move their device to another carrier, it could possibly circumvent the security that you’ve enabled through your Mobile Device Manager. If this is a personal phone, you may not be able to prevent somebody from unlocking the phone and taking it to another carrier. So you may need to set up policies in your organization that determine what people are able to do with mobile devices and carriers while still maintaining security of the corporate data.

Like our desktop computers and our laptops, the operating system of these mobile devices is constantly being updated. And usually, we can receive firmware and operating system updates without connecting it to any particular computer. We receive those updates over the air, or OTA. Those updates don’t require us to plug into a computer, which means we could be anywhere with our mobile device and be able to upgrade the firmware or update the operating system of that device.

These patches or updates could be significant. They could change the entire operating system of the mobile device, or provide a series of security patches over time. This may or may not be a good thing. There could be a patch released that could change the way a particular application operates on that mobile device, and it could prevent you from being able to do the work that’s required in your organization. That’s why many security teams will manage all of those updates through the Mobile device manager, and you’ll have the updates pushed out to your device once they’ve been approved by the security team.

Using cameras on our mobile phones and mobile devices has become very popular, but it’s not always the best use for a corporate device. For example, it’s very easy in a very secretive environment for somebody to use a camera to get information out of the organization. And these cameras can be used for inappropriate use as well.

It’s difficult to manage how the camera is used on a local device, or if the camera is even used on the local device. That’s why many security teams will disable the functionality of the camera in the Mobile Device Manager, or perhaps only enable the use of the camera if you’re outside of the building using a capability known as geo-fencing. This means that you could still use the camera away from work, but limit its capabilities if somebody is inside the building.

Most of us couldn’t live without text messaging on our mobile devices. The technical term for these are SMS, for short message service. And MMS, which is the multimedia messaging service. This is how we send text messages, video, audio, and other information to each other in a very easy to use text message form.

But of course, this ease of data transfer has a significant security concern associated with it. Being able to send information means that there could be data leaks or financial information could leak out. And having inbound text messaging means that somebody could provide phishing for someone to gain access to internal controls. Of course, the Mobile Device Manager can enable or disable this text messaging function. Or you might only want to enable it during certain times of the day, or limit its capabilities to certain locations that are outside of the corporate campus.

If you were to connect many of our mobile devices to our computers via USB, they look to the computer as if they are a removable storage device. This means that someone could copy files to the device, and even copy files to flash drives that might be plugged into our mobile phones. This makes it easy for someone to copy information to our mobile phone, remove the flash drive, and simply walk the data out of the building, and plug that flash drive into another computer to download it.

It’s very simple to do. It’s built into the capabilities of many of our mobile devices. But of course, you can enable or disable this function through the Mobile Device Manager.

Normally, we think about connecting our mobile devices to a computer via USB, but many mobile devices support a USB connection function called USB OTG. It stands for USB on-the-go. It allows you to connect multiple mobile devices directly together without using any type of computer.

This means that this mobile device acts as both a host, and a storage device. This makes it very easy to transfer data from one device to another. It’s part of the USB 2.0 standard, and we commonly see USB OTG available on Android devices. From a security perspective, this is almost too convenient, and you may want to set policies within your mobile device manager on whether USB OTG is something you want to enable or not.

Since we use these mobile devices as mobile phones, we know that there is a microphone built into all of these mobile devices that we use. And these are very convenient. We can use it to record information during a meeting or during a class, and be able to reference that for notes later. But of course, there are legal liabilities for the things that you can audio record, and it’s different depending on what state you happen to live in. Some organizations will allow or disallow this recording in their Mobile Device Manager, or set up geo-fencing that limits where you’re able to use this recording functionality.

The GPS functionality of our phones allows us to keep track of where our phone happens to be. We can use it when we’re trying to get directions to a particular location. And it makes the phone much more convenient to use. But of course, this also means that some of this location information could get into the hands of other people.

For example, you can take a picture or video, and the GPS coordinates of where you’re located can be attached to the metadata associated with that media. As you take more pictures, and more movies, and store more documents, you may find that there is more and more geotagged information stored on your mobile device, and that makes you much easier to be able to track. This could be significant security concerns, especially if you’re uploading pictures to social media, and those important metadata details are not removed from the picture before posting it publicly.

For local wireless communication, we’ve gotten very used to connecting to our 802.11 wireless networks, looking for particular SSID, and providing the details to be able to join that network. There is also wireless communication that allows two devices to communicate to each other without using an access point in the middle. You would manually configure this function on both of those devices, and it’s called ad hoc mode.

There’s an even easier way to connect devices together wirelessly called Wi-Fi direct. This uses a discovery method, and automatically allows many devices to communicate to each other without using an access point. This not only makes it easier for your devices to communicate with each other, it also makes it easier for the bad guys to communicate with your devices. So enabling Wi-Fi direct on your systems may not be the best option for maintaining security of your mobile devices.

It’s very convenient that our mobile phones have access to the internet through our wireless carrier. And many phones allow you to turn your mobile phone also into an 802.11 hotspot. This means that all of the other devices around your mobile phone could gain access to a wireless network that then allows them to communicate to the internet using your mobile phone connection.

The ability to enable this hotspot functionality is based on the phone that you’re using, and if your carrier allows it. And there may be extra costs associated with enabling this hotspot function. As you can imagine, enabling a hotspot on an internal network without proper security could turn your phone into a rogue access point that third parties could use to gain access to your internal network. So it’s useful to configure your Mobile Device Manager to allow or disallow this hotspot functionality.

Many of our mobile phones now allow us to use the phone as a payment device. This is through something called NFC, or near field communication. We can simply move our mobile phone next to a payment terminal, and you can use this to pay for groceries, you can use it to pay for transportation, or anything else that requires some type of payment.

There are a number of different standards, and your phone may support one or more of these different standards. There’s Apple Pay, Android Pay, Samsung Pay, and others. There is usually some type of initial authentication you have to use to enable this payment function. But if someone was able to bypass that authentication, they could potentially use your phone to pay for things without your authentication. From a security perspective, you may want to enable or disabled this payment function from your Mobile Device Manager to limit the liability your organization might have for these kinds of payments.

Category: CompTIA Security+ SY0-501

Comments are closed.

X
My Security+ Study Group is Wednesday! Click here to register
My free Live Network+ Study Group is Wednesday. Click here to register!