Security+: Deploying Mobile Devices Securely - 5 Top Tips [DECOMMISSIONED ARTICLE]
NOTE: This article reflects an older version of the Security+ Exam – please see the current Security+ Certification page for the most up-to-date information.
Introduction
The Security+ cert is one of the most well regarded and entry-level types of credentials that a Cybersecurity specialist can obtain. The exam covers a wide spectrum of topics, which include the following:
- The ability to deploy and configure a wide number of security applications;
- The general concepts behind network infrastructure design and installation;
- How to perform a basic survey of the Cybersecurity threat landscape;
- How to respond to actual Cyber-attacks with the right and appropriate countermeasures;
- The keen awareness of being up to date with the latest tools to combat Cyber threats;
- An overall understanding of the various legislations, mandates, laws, as well as mandates that are in existence and enforced in the overall Cybersecurity
- A good grasp of the fundamentals of the principles of Confidentiality, Availability, and Integrity (the CIA Triad)
As we all know, mobile devices have become not an integral part of the workplace, but even in society. Therefore, the safe deployment of these devices is of paramount importance not just for individuals, but businesses and corporations, government agencies, as well as other entities. In fact, the topics that are covered by the Security+ cert are very relevant to mobile devices.
For example:
- Mobile devices have indeed become an integral part of any corporate network; as many employees, these days now log in from their Smartphone to access shared files and other types of resources.
- In fact, mobile devices have become the prime target for the Cyber attacker today. Thus, an understanding of the risks and threats that are out there and how to combat them proactively is a must.
- In some industries, such as that of healthcare, employees use their Smartphone to access confidential patient information. Thus, the need to understand the federal laws surrounding the protection of this data is very important, especially that of HIPAA.
How to Secure Mobile Devices in Your Environment – 5 Top Tips
There are a number of key strategies that the Security+ cert holder can take to secure the mobile devices in that are used in their organization. In this section, we outline some of these major steps:
1. You must formulate and implement a Mobile Device Security Policy
This should be a part of the overall Security Policy of any business or corporation, and should include the following elements:
- The specific types of resources that can be accessed via a mobile device;
- The degree to which mobile devices can be used to access these resources remotely;
- How Mobile Device Management software should be installed and configured not only in the devices themselves but also on the servers that are synched up with them.
- How firmware and software upgrades/patches should be installed on the mobile devices, and the frequency for checking these upgrades on the wireless vendor’s websites.
2. Create a Cyber threat model landscape for your specific Mobile Device environment
By designing such a model, your organization will have a much better understanding of the threat landscape from a visual perspective, especially when quantitative weights are assigned to each kind of associated threat. Thus, you will not only be able to ascertain the security requirements for your mobile devices expediently but also the controls that are needed to safeguard them from employee misuse (in fact, employee negligence is deemed to be the weakest link in the proverbial security chain).
3. Always test your mobile security policy and threat landscape before implementing it
Before you start to implement and enforce your policies, it is always important to evaluate them first in a test environment to see how they will work in a real-world environment. Some technical examples of what needs to be tested include the following:
- The connectivity of the wireless devices that will be issued to each employee;
- Checking the safety of the functionalities of the mobile apps that will be installed and used on the wireless devices;
- Checking out the performance of each wireless device (obviously, wireless that does not live up to the performance metrics that have been set forth could prove to be a security vulnerability at a subsequent point in time);
- Making sure that the wireless devices that you will be acquiring and issuing to your employees are very difficult to jailbreak or be rooted;
- Making sure that the wireless device does not accidentally revert to the vendor settings; but rather to the default settings that you have outlined in your mobile device security policy.
4. Secure each and every mobile device before they are issued to your employees
Once you, the IT staff, as well as the CIO, is satisfied with the results with the test results from the procedures conducted in the test environment, then the next step is to make sure that the wireless devices that you will be distributing to your employees have all the security functionalities installed onto them. Obviously, this will vary from business to business, and in a specific way, the employees will be using them. But, in general:
- Make sure that the initial password you establish is hard to guess but easy enough for your employee to remember. This can be a lot trickier to do than it sounds. Thus you may want to consider using a mobile-based Password Manager in this regard.
- Make sure that Two Factor Authentication (also known as “2FA”) is installed. The first layer of security will obviously be the password, but the second layer could be a challenge/response question.
- Check the website of each wireless vendor from whom your organization will be procuring the wireless devices for the latest firmware and software upgrades/patches. Make sure they are installed and configured once again, on each and every wireless device before they are issued to your employees.
5. Always enforce your mobile device security policies
Once you have initially deployed all the wireless devices to your employees, the next step is to make sure that the policies you have set forth are constantly being enforced and that your employees are abiding by them. One of the best ways to do this is to, at random time periods, is to conduct a manual audit of these devices, to make sure that there is no misuse by the employees. Remember that in this regard, you have every right legally to conduct such audits because these are wireless devices that owned and facilitated by the organization that you work for. Another key issue at stake here is Bring Your Own Device, or “BYOD” for short. For example, they can be no gray area whatsoever in this regard. If you want your employees to use company-issued wireless devices strictly, then you must state so, and forbid your employees from using their own Smartphone to conduct work-related activities. But on the other hand, if you are OK with employees in using their personal Smartphones, then you must set forth and establish very clear guidelines in the way they can be used for conducting everyday job functions. Remember, BYOD brings along with it key security vulnerabilities, and you may not be easily able to conduct random security audits on them because these wireless devices are personally owned by your employees.
Other kinds of activities that should be included here include the following:
- Conducting various Pen Testing exercises to unearth any unknown anomalies and security vulnerabilities;
- Keeping an accurate inventory list of all the wireless devices that have been issued and returned (and in the case of the latter, deleting all permissions after an employee is no longer with the organization);
- Checking for firmware and software upgrades/patches at least once a week;
- Making sure that there are no rogue or unauthorized mobile apps installed on company-issued wireless devices.
Other Important Areas of Consideration
Apart from the steps just listed above, the Security+ cert holder should also be knowledgeable in the following areas, as they are also covered in the exam:
1. Biometrics
This is a technology where the identity of an end user is confirmed via their unique physiological features. This is an important aspect as well for 2FA for mobile devices, such as using Facial Recognition or Iris Recognition. Apple has been the pioneer in this regard, with its TouchID and FaceID systems, respectively.
2. Mobile Device Management
This is a software package that allows you to manage all your enterprise-wide mobile devices from a single console and a single server. All updates, modifications, changes, etc. that happen to the wireless devices are automatically synched up with the server, and vice versa.
3. Remote Wipe
This is a functionality that you, the Security+ professional, must ensure is installed on each and every wireless device that is issued. With this, you can issue a specific command that will allow you to delete all of the information and data that resides on a wireless device if it is ever lost or stolen.
4. Third Party App Stores
The common ones here are Google Play and the Apple Store. From here, mobile apps are uploaded so that end users can download them onto their Smartphone as needed. Your organization needs to be fully aware of what your employees are downloading from these app stores, as they could pose a very serious security vulnerability, some these could be rogue mobile apps created by a Cyber attacker.
5. Rooting/Jailbreaking
This is where the end user (or in this case, the employee) can bypass the default security settings of the wireless device and can gain administrative access to it. As described earlier in this article, you need to make sure that the wireless devices that are issued cannot be, as far as possible, rooted or jailbroken into.
Conclusion
Overall, this article has examined the ways that you, the Security+ cert holder can take to fortify the security of your mobile device environment. But probably one of the other key ways in which you can use your knowledge from this cert is in the securing of mobile apps. It is important to keep in mind that your organization will most likely write the source code for the mobile apps that they will be using, so here are some other areas in which you can extend your Security+ knowledge:
- Creating what is known as an “App-Wrap” environment:
This can be specifically defined as the following:
“App wrapping segments the app from the rest of the device by encapsulating it in a miniature, managed environment.” (SOURCE: 1).
This is just another step to ensure that the mobile apps your organization has created and deployed is contained in a safe environment from within the wireless device itself in case the actual hardware or OS (such as Android or iOS) is ever hacked into.
- Ensuring that the APIs which are connected to the mobile apps in the wireless devices are secure and safe, by making sure that the right levels of encryption are used and enforced:
This includes confirming the CIA of the data that is being used and the data that is at “rest” (this simply means that the data used by the wireless devices is not actively being used, but it is still stored and archived in your organization’s servers).
Sources
1) https://techbeacon.com/5-essential-steps-securing-enterprise-mobile-apps
2) https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-124r1.pdf
3) http://www.tomsitpro.com/articles/mobility-infosec-byod-it_certification-comptia,2-475-2.html
4) https://certification.comptia.org/certifications/security#examdetails