Security in Computing – Assignment

RAM R V 2017103575

Introduction to Mobile Security

In mobile security we are concerned about the security of personal and business information
stored on smartphones.

Mobile devices typically need to support multiple security objectives. The most common
security objectives for mobile devices are as follows:

 Confidentiality -- ensure that transmitted and stored data cannot be read by

unauthorized parties
 Integrity -- detect any intentional or unintentional changes to transmitted and stored
data
 Availability -- ensure that users can access resources using mobile devices whenever
needed.

Mobile devices often need additional protection because their nature generally places them
at higher exposure to threats than other client devices (e.g., desktop and laptop devices only
used within the organization’s facilities and on the organization’s networks). Mobile devices
are typically used in a variety of locations outside the organization’s control, such as
employees’ homes, coffee shops, hotels, and conferences. Even mobile devices only used
within an organization’s facilities are often transported from place to place within the
facilities. The devices’ mobile nature makes them much more likely to be lost or stolen than
other devices, so their data is at increased risk of compromise.

There are two layers of security that can be provided in Mobile devices :

One layer involves protecting sensitive data - either encrypting the mobile device’s storage
so that sensitive data cannot be recovered from it by unauthorized parties, or not storing
sensitive data on mobile devices.

A second layer involves requiring authentication before gaining access to the mobile device
or the organization’s resources accessible through the device such as a PIN based
authentication.

Types of vulnerabilities that are common for Mobile Devices include :

Lack of Physical Security Controls

The security policy for mobile devices must be based on the assumption that any mobile
device may be stolen or at least accessed by a malicious party.

Use of Untrusted Mobile Devices

The devices may not employ encryption and either the user or a third party may have
installed a bypass to the built-in restrictions on security.
Security in Computing – Assignment
RAM R V 2017103575
Use of Untrusted Networks
Access organizational resources via Wi-Fi or cellular access to the Internet and from the
Internet to the organization involves eavesdropping or man-in-the-middle types of attacks.
Thus, the security policy must be based on the assumption that the networks between the
mobile device and the organization are not trustworthy.

Use of Applications Created by Unknown Parties

This poses the obvious risk of installing malicious software.

Interaction with Other System

A common feature found on smartphones and tablets is the ability to automatically
synchronize data, apps, contacts, photos, and so on with other computing devices and with
cloud-based storage. Unless an organization has control of all the devices involved in
synchronization, there is considerable risk of the organization’s data being stored in an
unsecured location, plus the risk of the introduction of malware.

Use of Untrusted Content

Example is a malicious QR code that could direct the mobile device to malicious Web sites.

Use of Location Services

An attacker can use the location information to determine where the device and user are
located.

To overcome these, we need to have a broad range of Security Measures such as

:

1. General policy.

The centralized technology can enforce enterprise security policies on the mobile
device such as :
A. Restrict user and application access to hardware, such as the digital camera, GPS,
Bluetooth interface, USB interface, and removable storage.
B. Restrict user and application access to the built-in web browser, email client,
application installation services, etc.
C. Manage wireless network interfaces (Wi-Fi, Bluetooth, etc.)
D. Automatically monitor, detect, and report when policy violations occur.

2. Data Communication and Storage

A. Strongly encrypt data communications between the mobile device and the
organization. This is most often in the form of a VPN, although it can be established
through other uses of encryption.
B. Strongly encrypt stored data on both built-in storage and removable media storage.
Removable media can also be “bound” to particular devices such that encrypted
information can only be decrypted when the removable media is attached to the
device, thereby mitigating the risk of offline attacks on the media.
Security in Computing – Assignment
RAM R V 2017103575
C. Remotely wipe the device (to scrub its stored data) if it is suspected that the device
has been lost, stolen, or otherwise fallen into untrusted hands and is at risk of having
its data recovered by an untrusted party. A device often can also be configured to
wipe itself after a certain number of incorrect authentication attempts.

3. User and Device Authentication

A. Require a password/passcode and/or other authentication (e.g., domain

authentication) before accessing the organization’s resources. This includes basic
parameters for password strength and a limit on the number of retries permitted
without negative consequences (e.g., locking out the account, wiping the device).
B. If device account lockout is enabled or the device password/passcode is forgotten, an
administrator can reset this remotely to restore access to the device.
C. Have the device automatically lock itself after it is idle for a period (e.g., 5 minutes).
D. Remotely lock the device, if it is suspected that the device has been left in an
unlocked state in an unsecured location.

4. Applications

A. Restrict which applications may be installed through whitelisting (preferable) or

blacklisting.
B. Install, update, and remove applications.
C. Restrict the use of synchronization services (e.g., local device synchronization, remote
synchronization services and websites).
D. Digitally sign applications to ensure that only applications from trusted entities are
installed on the device and that code has not been modified.
E. Distribute the organization’s applications from a dedicated mobile application store.
F. Limit or prevent access to the enterprise based on the mobile device’s operating
system version(including whether the device has been rooted/jailbroken) or its mobile
device management software client version (if applicable). But this information may
be spoof able.

5. Traffic Security
Traffic security is based on encryption and authentication. All traffic should be encrypted
and travel by secure means, such as SSL or IPv6. Virtual private networks (VPNs) can be
configured so that all traffic between the mobile device and the organization’s network is
via a VPN.

6. Barrier Security

The organization should have security mechanisms to protect the network from
unauthorized access. The security strategy can also include firewall policies specific to
mobile device traffic. Firewall policies can limit the scope of data and application access
for all mobile devices.

An important consideration in Mobile security is WIFI security. With even files shared over
WIFI nowadays using peer to peer networks it is of paramount importance to enforce security
controls strictly.
Security in Computing – Assignment
RAM R V 2017103575
IEEE 802.11 WLAN (WIFI) Security Mechanisms
The security in 802.11 consists of these different parts:
• WEP (Wired equivalent privacy)
• SSID (Service set identifier)
• Shared key or Open authentication
• MAC address filtering

The method for encryption that is included in 802.11 is called WEP. As the name WEP
(Wired equivalent privacy) says, the intention of the encryption is not to give a completely
secure connection but instead give a wired equivalent security. The encryption in WEP uses a
stream cipher. The key is 40 bits in the standard but a modified version with a 104-bit key is
used.

The SSID acts as a name for the network, which makes it possible for different networks to
use the same radio channel. The name is needed when you want to connect to the network
and this prevents unintentional use of other networks.

When the NIC connects to an AP the NIC has to pass an authentication to be allowed to send
any packets. The authentication is either “Open” which means that everyone will pass or it
can be “Shared key” which is a “Challenge response” authentication. Challenge response
authentication has the benefit that it does not send the key in plain text.

MAC address filtering uses the fact that all NIC(Network Interface Controller)s are given a
unique id, the MAC address, when they are manufactured. If we keep a database that holds
all MAC-addresses that are allowed to use the network then we can filter out all traffic that
comes from not trusted NICs.