CompTIA Security+ SY0-601 – 3.5 Implement secure mobile solutions. Given

  1. Mobile Connection methods and receivers

In this video, we’re going to be talking about mobile device connection methods and how to receive data. So this is a quick video. You guys should be familiar with everything I’m about to tell you here. It’s just something in the objective. Let’s just get through this pretty quickly. What we’re talking about here: how do mobile devices connect to your network? Well, you guys already know a bunch of them. Number one, your cellular networks. So LTE connections, 4G, 5G connections that we use to connect to the Internet are what these devices will use. You guys are familiar with wireless, right? WiFi networks, we talked a lot about that in a previous section, how to secure an app. If you guys remember, earlier in the course we talked about Bluetooth. So wireless devices, we’re going to use Bluetooth to communicate with your headsets. You have Bluetooth.

You can even communicate with keyboards nowadays to type into these types of devices. NFC, near field communication, for these devices allows this, especially like my phone, to tap and make payments. We talked about this earlier in the class. Also infrared. So infrared is more of a line-of-sight type of communication. It has to see something. Infrared communication. Old cell phones used to have infrared ports on them that allowed you to do infrared things. I remember one of my old Samsung phones used to have an infrared port on it and you could have used it to change the channels on a TV. They don’t really have those things anymore, but some old devices did. USB connections. Now you could use USB. You could connect USB to these devices and share things like an Internet connection. And you can also extract data from these devices.

A point-to-point connection is when you have one wireless device connected, creating an ad hoc network, to another wireless device. Point-to-multipoint is when you have multiple wireless devices, like one wireless device speaking to multiple wireless devices. Generally this is done using WiFi. The other thing here we have is GPS. Now these wireless devices do have GPS in them, so it’s going to detect where the device is. We’re going to talk about this coming up in a few minutes when we talk about MDM software. And RFID. So RFID, you use this with card readers, using smart cards to log into different systems, and for keeping track of devices. Okay, so these are the different connection methods and receivers when it comes to mobile devices. Now let’s keep going in this course. Let’s move on now to the next topic of MDM.

  2. Mobile device management (MDM)

In this video, I’m going to be talking about MDM, mobile device management. So you work in an organization and you like to use your own phone. Now, I’ve used every single Note since the Note 2, and if I go work for an organization, I’m going to make sure that I still use my phone. So in organizations today, there are a lot of employees bringing in their own device, BYOD, which stands for bring your own device, and the organization has to support it. The problem with this is, how do we manage these devices? Right? How can we apply a policy to these devices that can keep track of them, that can ensure they have complex passwords or a PIN, or use biometrics? How can we remote wipe them in case they’re lost? And for that we’re going to use something called an MDM, mobile device management. Now, if you go back a very, very long time ago,

we had MDM software such as the BlackBerry Enterprise Server. I remember setting that up a long time ago. But nowadays you have some famous ones, and I’ll show you guys two very famous ones. You have Microsoft Intune, that’s one of them. Microsoft Intune is a very famous MDM software that is out there for you to configure and manage your mobile devices. If you have Office 365 and you join your phone to it, you could set this up in Office 365. We’ll talk about what the MDM does in a minute. The other one is VMware AirWatch. VMware AirWatch is the other good famous one that allows you to manage your mobile devices. Now what exactly is this software doing? So I gave you guys two good pieces of software there.

What is it that the MDMs are going to help us do? Well, for your exam, you want to know some of their features. You don’t have to learn how to set it up, but you want to know when people, when organizations implement these MDMs, what are we going to get done? So let’s go into it. We’re going to be able to do application management. We can determine what applications they could or could not install. Remember in your class we talked a little bit about whitelisting and blacklisting. We could whitelist applications. So these are all you’re allowed to install. We can block certain content from being on the device. We can do remote wiping. So if they lose the phone, we can go in there and we can set a remote wipe, erase the phone completely. You have geofencing and geolocation. Geolocation is the ability to find where the device is.

Now, geofencing is a hot topic term that you may see on your exam. Geofencing is when they create a fence, a geographical, virtual fence, around a certain location. When a user exits this location, they may be prompted with a message or some kind of error that the phone is out of the area where it should be located. This helps to secure data. So if you don’t want people to be traveling outside the country or outside of specific boundaries, you can geofence it. And if they do, you can implement all the policies to have other things done to the phone. Screen locks: if they don’t use the phone for a particular period of time, let the screen lock come on. We can push that out. We can even push notifications to the phones. We could set complex passwords and PINs.

We could make that mandatory or make biometrics mandatory. The other thing when it comes to authentication is context-aware. So context-aware authentication would be where you use things like what time of day it is. You could say, only then can you log into the device. You could say what type of device and the type of login. One of the things that’s good is that we can do containers within the application. So containerization or storage segmentation. So what this is, one thing I had mentioned earlier in the class was sandboxing, if you guys remember that. So what these are is basically they’re going to segment the memory within the devices themselves. And what we’re going to be doing is that way no data in one storage segment can get or retrieve data from another.

And then we can also push full device encryption, so we can enable that from the MDM and it hits these devices, the phones. So this is good, so that when somebody loses the phone, they just can’t take the drives out or try to read the memory from these devices and take the data right off of them. I do have that enabled. I know the iPhones, I think by default have full device encryption enabled. All right, so MDM software is very important in big organizations today. Even Tis Monos. We have MDM. We use the Microsoft Office 365 one that comes with it; it’s free to us. So why not? It does give us good, complete control over the devices that join our network.
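The geofencing and context-aware authentication features described in this section can be illustrated as policy logic. The following is an added example written for this page, not code from the course or from any MDM product named here. The fence coordinates, radius, allowed hours and sample device positions are constructed values; a real MDM would evaluate equivalent rules on the server side when a device checks in.

```python
# Added example (not from the course): a toy MDM policy engine covering two
# features from the lecture, geofencing and context-aware authentication.
# Coordinates, fence radius and allowed hours are constructed values.
from dataclasses import dataclass
from datetime import datetime, time
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    d_phi = radians(lat2 - lat1)
    d_lambda = radians(lon2 - lon1)
    a = sin(d_phi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(d_lambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


@dataclass(frozen=True)
class Geofence:
    """A circular virtual fence: centre point plus radius."""
    name: str
    lat: float
    lon: float
    radius_km: float

    def contains(self, lat, lon):
        return haversine_km(self.lat, self.lon, lat, lon) <= self.radius_km


@dataclass(frozen=True)
class Device:
    device_id: str
    platform: str      # "ios" or "android" in this example
    enrolled: bool     # enrolled in the MDM
    lat: float         # last reported GPS position
    lon: float


# Constructed fence around a hypothetical head office (coordinates are made up).
HQ_FENCE = Geofence("HQ campus", lat=40.7580, lon=-73.9855, radius_km=2.0)

# Constructed context-aware rules: working hours and platforms the policy accepts.
ALLOWED_HOURS = (time(7, 0), time(19, 0))
ALLOWED_PLATFORMS = {"ios", "android"}


def geofence_action(device, fence=HQ_FENCE):
    """Policy action the MDM would push when a device reports its location:
    inside the fence nothing happens; outside, lock the screen and notify."""
    if fence.contains(device.lat, device.lon):
        return "allow"
    return "lock_and_notify"


def context_aware_auth(device, when, fence=HQ_FENCE):
    """Context-aware authentication: grant only when time of day, device type,
    enrollment and location all satisfy the policy. Returns (decision, reasons)."""
    reasons = []
    start, end = ALLOWED_HOURS
    if not (start <= when.time() <= end):
        reasons.append("outside allowed hours")
    if device.platform not in ALLOWED_PLATFORMS:
        reasons.append(f"unsupported platform: {device.platform}")
    if not device.enrolled:
        reasons.append("device not enrolled in MDM")
    if geofence_action(device, fence) != "allow":
        reasons.append("device outside geofence")
    return ("grant" if not reasons else "deny"), reasons


if __name__ == "__main__":
    # Constructed sample devices: one on campus, one reporting from far away.
    on_site = Device("phone-001", "ios", True, 40.7590, -73.9850)
    abroad = Device("phone-002", "android", True, 51.5074, -0.1278)
    business_hours = datetime(2024, 3, 4, 10, 30)
    late_night = datetime(2024, 3, 4, 23, 15)
    for dev in (on_site, abroad):
        print(dev.device_id, geofence_action(dev), context_aware_auth(dev, business_hours))
    print(on_site.device_id, context_aware_auth(on_site, late_night))
```

The engine reports every failed condition rather than stopping at the first one, which is what an administrator wants in an MDM console: a device that is both outside the fence and logging in at midnight shows both reasons, so the policy that fired can be traced back to the rule in the list above.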

  3. UEM and MAM

In this video, I’m going to be talking about a few other mobile device security things that we can look at. And I’ve got a couple of things here, and some of these we mentioned already; we’re just going to be expanding on them. We’re going to be talking about the microSD HSM, which is a fairly unique thing. We’ve got UEMs, MAMs. And then we have SE Android. So let’s get started on this. Let’s take a look at this. So, the first interesting topic I have, I found this to be very interesting. In all my years in security, I didn’t even know this thing exists. I know what HSMs are, hardware security modules. Hardware security modules are basically devices that help to create, store and manage cryptographic keys for you. But there are actually HSMs that you can put on a microSD card. And I was able to find a couple.

Now, I’m not endorsing these devices because I’m not sure if they’re good or not, but here is a microSD HSM card. And what this thing does is that it’s able to store encryption and process encryption. So its functionality is that it could do network authentication and basically it stores and manages cryptographic keys, just as a normal HSM would, except in a microSD format that you can install on your device. You guys can check out this website and you guys can see what this thing is all about. I don’t think your exam is going to go much into this. Okay, the other one here that we have is a UEM. Now, we talked about MDMs in the previous video.

Let’s talk about what exactly a UEM is. A unified endpoint management. So UEMs are really important for your exam because what a UEM does is that it combines MDMs, it combines endpoint protection, it combines basically all of it into one shot. So if you think about it, you have endpoint protection software, then you have MDM software, right? So they have two different consoles the administrator has to watch. So with unified endpoint management, you have one console that does both. Most MDM software falls into this category. I mean, we don’t have just a pure MDM anymore. Here’s another one, MaaS360 with Watson from IBM. This one is a unified endpoint protection. This manages everything from laptops, desktops, and mobile devices all in one shot.

Okay? The other thing here we have is mobile application management. Now, mobile application management, what this does is that it basically manages applications, not the device. MDM takes control of the entire device. But what if we can set it up so that we only manage the applications on our networks, on these mobile devices? That’s what this would do. A popular option for companies with custom applications; not so much if you’re just using commercial apps. And the last thing here we want to mention is something called SE Android. Now, SE Android is built on something called SELinux and this implements, well, my handwriting is horrible. I’m going to stop right in.

All right, guys. This is built on something called SELinux, and this implements something called mandatory access control into the Android operating system, which basically prevents people from doing privilege escalations within the operating system. This is a hot topic term, but I’m not going to cover it right now. Mandatory access control. Don’t forget, SELinux, that SE Android is based on, will be based on it. So later on in the course when I start talking about MAC, mandatory access control, just keep in mind that SE Android basically utilizes SELinux, which utilizes that. Okay, just some interesting mobile device security. Let’s keep going.

  4. Enforcement and monitoring of mobile devices

In this video I’m going to be talking about enforcement and monitoring of a variety of different things when it comes to mobile devices. In fact, we have a whole list of things that your organization may want to monitor. Now these are things that you may want to prevent, things that you may want to stop, things that you may just want to keep an eye on. Mobile devices all pose a huge threat to IT security because technically users are walking around with your company data all over the place that they go. Basically you lose a lot of control of this information. So here are some things that we should take a look at. Number one, when it comes to enforcement and monitoring, maybe we want to prevent third-party application stores. So on my phone, I don’t know where it is.

I’m around here. On my phone I do have the ability to install, like, the Amazon App Store. There are other third-party app stores that you could use also. But the organization may say, you know what, those app stores are not vetting the apps enough, so we may choose to ban them. Don’t forget you can ban those with MDM software. The other thing is you should not allow rooting or jailbreaking of a phone. This gives you root access to the phone. This basically allows you to have full, complete control over the phone. Back in the day they used to root an Android phone to get full permission to the phone to install illegal applications, or they would jailbreak the iPhone, installing illegal app stores to get free apps. This of course would be loaded with malware and jeopardize the integrity of the phone.

The other thing here you have is going to be custom sideloading. So sideloading is basically installing applications from unknown sources. So you’re not installing it from the store that you should be, like the Android App Store, the Apple App Store; you’re not installing it from there, you’re installing it from other places where you download off of a website. Generally not a good idea. Probably don’t want to allow that. Custom firmware on phones. Custom firmware may give a user a lot of additional features that the original firmware may not. Or sometimes they’re customized for a particular team. But when it comes to application security, it’s something you probably don’t want to allow, because what would happen with custom firmware is that it could have embedded malware, especially rootkits, in there.

The other thing here is going to be carrier unlocking. So carrier unlocking: in order to move a device from one carrier to the other, you have to call the carrier, you have to unlock the device. This is something you want to keep monitoring. Now if users are moving from one carrier to the other, it may not be an issue. So you may just want to monitor it. Firmware over-the-air updates, which are probably fine. You want to keep these devices updated, and getting them updated over the air, especially from the mobile networks, is probably okay. Camera use is something that in your workspace, in the physical work environment, you may want to stop or not allow. Because people can take pictures of screens, confidential data on a screen; people can take pictures of blueprints, of devices you’re making, or secret projects you’re working on.

So something that you may want to not allow, right, you may want to enforce and say that’s not allowed. Similarly, recording with microphones; along with the camera, we may want to disallow those particular things. You want to monitor what people are using over SMS or MMS or, whatever you want to call it, rich communication services. SMS: train users to detect phishing scams going through SMS nowadays. Think of text messages coming through your phone, chat, different chat messages coming through different applications. Train users to be able to detect these things, that they could be phished or scammed or click on links to embed malware into their devices. External media: certain devices like my phone do support external media. You want to make sure the media is encrypted.

USB On-The-Go, so it’s an old standard and we can all do it. It’s a standard that basically allows you to plug your phone in and mount it as a USB stick, and that happens a lot by just plugging your phone in. So USB On-The-Go basically allows that, something you may want to disallow. People just can’t plug their phone in and now the computer has access to the phone’s data. Now geotagging is something you may want to keep an eye on and may even disallow. What geotagging does is that it allows you to tag the locations of pictures. For example, tag the physical location to a picture when you take it. So when people post it, like on Facebook, it will actually put where they’re located. So something you may want to disallow. WiFi Direct and ad hoc. You should not allow users to have ad hoc networks.

Now there are two types of wireless networks. You have infrastructure and ad hoc mode. So infrastructure is when you have a device communicating to another device, device to laptop, that would be an ad hoc. So these are basically going through wireless. You probably don’t want to allow this because now you’re allowing, hear how this sounds, allowing users to set up their own wireless connection. This in its nature just sounds bad. You don’t want this. You don’t want users controlling this. One of the things that I do is I tether. You could do this with USB. You plug in USB and you tether from your phone, from my phone to my laptop. So basically I’m getting internet from my phone and I’m connecting to my laptop. Some organizations allow this; maybe not much of a security issue.

You want to watch the cost. Sometimes the service provider may charge for this. So there’s setting up hotspots. So you just turn on a hotspot, generally straight out of wireless off the phone, and the WiFi on the phone becomes a hotspot and then users can connect to this hotspot to get internet. Now, security-wise, you’ve got to train the users to create a good security key and always use WPA2. Payment methods: think of NFC payments that you can put into the phone. You want to make sure that it’s secure there also. Okay, so quite a lot of things there to consider when using mobile devices.

Don’t forget mobile devices are all over your network now. Everybody spends too much time on their phone nowadays and, as a security professional, they are a nightmare. So these are things that we want to consider when managing this nightmare of mobile devices.
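The enforcement list in this section is, in practice, a set of posture rules an MDM or UEM evaluates against what each enrolled device reports. The following is an added example for this page, not code from the course or from any product it names. It models a device's reported settings, applies the rules from the lecture with a constructed severity (block versus warn, matching the distinction between things to prevent and things to keep an eye on), and triages a constructed three-device inventory. The approved store names, the 12-character hotspot key minimum and the sample devices are all assumptions made for the example.

```python
# Added example (not from the course): posture checks for the enforcement and
# monitoring items above, run over a constructed device inventory.
from dataclasses import dataclass, field

BLOCK, WARN = "block", "warn"


@dataclass
class DevicePosture:
    """Settings a device reports to the MDM at check-in (constructed model)."""
    device_id: str
    rooted_or_jailbroken: bool = False
    unknown_sources_enabled: bool = False      # the sideloading switch
    custom_firmware: bool = False
    installed_stores: list = field(default_factory=list)
    external_media_encrypted: bool = True
    usb_otg_enabled: bool = False
    geotagging_enabled: bool = False
    ad_hoc_wifi_enabled: bool = False          # WiFi Direct / ad hoc mode
    hotspot_enabled: bool = False
    hotspot_security: str = "wpa2"             # "open", "wep", "wpa2", "wpa3"
    hotspot_key_length: int = 0
    carrier_changed: bool = False              # carrier unlock observed


# Assumptions for this example: which stores are approved and what a
# "good security key" means for a hotspot.
APPROVED_STORES = {"Google Play", "Apple App Store"}
ACCEPTABLE_HOTSPOT = {"wpa2", "wpa3"}
MIN_HOTSPOT_KEY = 12


def posture_violations(d):
    """Return (severity, message) pairs for every rule the device violates."""
    v = []
    if d.rooted_or_jailbroken:
        v.append((BLOCK, "rooted/jailbroken"))
    if d.custom_firmware:
        v.append((BLOCK, "custom firmware"))
    if d.unknown_sources_enabled:
        v.append((BLOCK, "sideloading (unknown sources) enabled"))
    for store in d.installed_stores:
        if store not in APPROVED_STORES:
            v.append((BLOCK, f"third-party app store: {store}"))
    if not d.external_media_encrypted:
        v.append((BLOCK, "external media not encrypted"))
    if d.usb_otg_enabled:
        v.append((WARN, "USB OTG enabled"))
    if d.geotagging_enabled:
        v.append((WARN, "geotagging enabled"))
    if d.ad_hoc_wifi_enabled:
        v.append((BLOCK, "ad hoc / WiFi Direct enabled"))
    if d.hotspot_enabled:
        if d.hotspot_security not in ACCEPTABLE_HOTSPOT:
            v.append((BLOCK, f"hotspot uses {d.hotspot_security}"))
        elif d.hotspot_key_length < MIN_HOTSPOT_KEY:
            v.append((WARN, "hotspot key shorter than 12 characters"))
    if d.carrier_changed:
        v.append((WARN, "carrier unlock / carrier change"))
    return v


def posture_decision(d):
    """'block' if any blocking rule fires, 'warn' if only monitoring rules, else 'compliant'."""
    v = posture_violations(d)
    if any(sev == BLOCK for sev, _ in v):
        return "block"
    return "warn" if v else "compliant"


def triage(inventory):
    """Map every device id in the inventory to its posture decision."""
    return {d.device_id: posture_decision(d) for d in inventory}


# Constructed inventory: a clean device, a rooted device with a third-party
# store and an open hotspot, and a device that only needs watching.
SAMPLE_INVENTORY = [
    DevicePosture("phone-101", hotspot_enabled=True, hotspot_key_length=16),
    DevicePosture("phone-102", rooted_or_jailbroken=True,
                  installed_stores=["Google Play", "Amazon Appstore"],
                  hotspot_enabled=True, hotspot_security="open"),
    DevicePosture("phone-103", geotagging_enabled=True,
                  hotspot_enabled=True, hotspot_key_length=8),
]

if __name__ == "__main__":
    for dev in SAMPLE_INVENTORY:
        print(dev.device_id, posture_decision(dev), posture_violations(dev))
```

Keeping the rules as data the device reports, rather than as actions taken on the device, is what makes the same list usable for monitoring as well as enforcement: the warn-level findings feed a report, while the block-level ones are what a conditional-access policy would use to deny the device network access until it is remediated.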

  5. Mobile Deployment Models

Managing mobile networks in today’s environment could be very complex. So in this video we’re going to take a look at some of the deployment models with this. Now, depending on the one you choose, it’s going to be complex. Let’s find out. So we’ve got a few different deployment models I can look at. So the first one I have is what is known as bring your own device. Now, bring your own device is a model where you take your own mobile device to work. This is popular for small, mid-size, even large corporations; they use this. The problem with bring your own device is that it’s a nightmare for IT. In fact, it’s a disaster for IT. And the reason is because there are so many types of mobile devices, so many versions of the operating system, and then basically the user owns the device and they can put whatever they like on it.

So with bring your own device, you’re going to have to use things like MDM software or UEM in order to secure these types of devices. This type of device is being added onto your network. But then when you do this you get privacy issues. Users don’t want you to track where they’re going or what they can install. You think about this: imagine the company’s data is being stored on people’s personal devices that they control. The thought of that sounds terrible, but bring your own device is a popular option in many businesses today. So BYOD. The other one here that we have is known as corporate-owned, personally enabled. And the other one I’ll mention is choose your own device. Right? So corporate owned, corporate owned means that the company owns it but you can basically use it as your own device.

COPE. Then choose your own device. This is when they give you a list of devices to choose from and you can choose one of theirs. And then corporate owned is just what they own and give you; you just got to take it. So let’s talk about these three things here. So the first one is corporate-owned, personally enabled. So the organization basically gives you a phone and you can use it for personal reasons. They say, oh, just use it like it’s your own phone, but we own the device. So you can install your own apps, you can take pictures, you can do your SMS with your family, but keep in mind it’s owned by the business. The other one is choose your own device. So basically the organization has a list, and this is popular in organizations where they want to give people choices.

So they may give you a list of a few different iPhones or a few different Android phones and users can choose from that list what they want to use on the network. And then there’s corporate owned. Corporate owned is just a single device that the organization gives out to all their users. From a security perspective this is probably the best option, right? Because you only have to manage one device. You control all aspects of the device. The problem here is that a lot of people are going to end up having multiple devices. You ever see somebody on a train or in a coffee shop and they have two phones? Probably because one is a company phone and they can’t do anything with it except use it for company information, and then they have their own personal phone. With corporate owned you might end up carrying around two phones. The other option here is to use virtual desktop infrastructure. Now, we talked about cloud, we talked about having virtual desktops.

So virtual desktops are when you have a hosted desktop in the cloud that you can connect to and use. I think I showed this, I can’t remember, in the last part of this course, like Amazon WorkSpaces, which is basically a virtual desktop known as desktop as a service. And basically you get a desktop that you remote desktop into and you just use it, and it’s like a desktop that you have, and if it’s remotely enabled, you can use it on your phone. So how this would help is people can use whatever phone they like. It doesn’t matter; when they’re ready to connect to the company’s corporate network they would just remote desktop into a desktop, a virtual desktop at the workplace, and utilize that. It’s a good option, but it doesn’t work well because these smaller screens are going to struggle to support a full desktop like on a Windows box. Okay, so these are the different deployment options that you should be familiar with for your exam.
