PACE-IT, Security+ 4.2: Mobile Security Concepts and Technologies (part 1)

Mobile security concepts and technologies I.

Upload: pace-it-at-edmonds-community-college

Post on 14-Feb-2017


TRANSCRIPT


Instructor, PACE-IT Program – Edmonds Community College

Areas of Expertise Industry Certifications

PC Hardware, Network Administration, IT Project Management, Network Design, User Training, IT Troubleshooting

Qualifications Summary

Education: M.B.A., IT Management, Western Governor’s University; B.S., IT Security, Western Governor’s University

Entrepreneur, executive leader, and proven manager with 10+ years of experience turning complex issues into efficient and effective solutions. Strengths include developing and mentoring diverse workforces, improving processes, analyzing business needs and creating the solutions required, with a focus on technology.

Brian K. Ferrill, M.B.A.


Mobile security concepts and technologies I.

– Mobile device security.

– Mobile application security.


Mobile device security.

Since the introduction of the mobile device, loss and theft have been a concern.

Just about everyone has either lost a mobile device or had one stolen. In the early years, the major concern was that a cell phone was going to be used to call some foreign country or toll number and the owner would get stuck with a large bill. Now—with the rise in popularity of smartphones and tablets and the greater portability of data—much more may be at stake. This is especially true with the advent of bring your own device (BYOD) policies in the workplace.


– Screen locks.
  » All mobile devices (e.g., phones, tablets, and laptops) should have the screen lock set. The timer should be set for a relatively short period of time.

– Lockout settings.
  » In the case of loss or theft, configuring lockouts will help to prevent unauthorized access to the device. After a specified number of attempts to log in, the device will not allow any further attempts until administrative action is taken.

– GPS.
  » Many mobile devices have GPS capabilities, allowing the device to be located if it is lost or stolen.
    • Asset tracking utilizes GPS capabilities to pinpoint a device’s location.

– Remote wiping.
  » Some mobile devices allow for the device to be wiped (all data and applications are removed) remotely. This can be used if a device is unrecoverable.


– Full device encryption.
  » Whenever possible, full device encryption should be used to prevent a malicious entity from reading the contents of the device. This is especially vital for laptops.

– Disabling unused features.
  » Unused features may represent a security risk and should be disabled to prevent their exploitation.

– Removable storage.
  » In some situations, it may be necessary to disable a mobile device’s ability to use removable storage capabilities.

– Application controls.
  » Many mobile applications attempt to access unnecessary user information (e.g., the location of the device). Controls should be used to limit the data that applications can access and to restrict the actions that applications may undertake.


– Storage segmentation.
  » Some mobile devices allow for the segmentation of storage, which allows for controls to be put in place to limit how data can be accessed on the device.

– Inventory control.
  » All mobile devices should be inventoried and tracked.

– Mobile device management.
  » Software that is used to manage features that are available on mobile devices.
    • It usually also has a feature that will remotely wipe a device.

– Device access control.
  » Implement any device access controls that can be used to restrict who can access the mobile device and/or any features on the mobile device.


Mobile application security.

– Encryption.
  » Ensure that mobile applications are encrypting sensitive data that is stored on the device.
    • Encryption keys must also be created and stored securely.

– Credentials management.
  » Security credentials used by applications must be implemented in a secure manner, including storing the credentials in an encrypted format.

– Authentication.
  » A best practice is for the mobile application to authenticate the user and to base access to data on the user’s authentication level.


– Geotagging.
  » Some mobile applications store geographical information when they are used. A determination must be made as to whether or not to allow it.
    • Geotagging may present a privacy concern.

– Application whitelisting.
  » Some mobile applications allow for whitelisting: a list of allowed applications that can access features in the original application.
    • Any whitelisting capabilities should be managed.

– Transitive trust/authentication.
  » An application will trust an unknown security environment if it is trusted by a security environment that the application trusts.
    • For example, application Z trusts environment T. Environment T trusts environment U. Application Z, therefore, trusts environment U.
    • This may or may not represent a security issue.
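The Z, T, U chain above can be computed for any set of trust relationships, which makes indirect trust visible for review. The following is an added example, not part of the original slides: it walks a constructed trust graph and returns every party an application ends up trusting, with the chain that produced the trust. Environment V, the cycle back to T, and the `max_hops` limit are assumptions introduced for illustration.

```python
from collections import deque

# Constructed sample data: who directly trusts whom.
# Z, T and U come from the slide's example; V is a hypothetical extra hop.
DIRECT_TRUST = {
    "Z": ["T"],
    "T": ["U"],
    "U": ["V"],
    "V": ["T"],  # a cycle, to show that the walk terminates
}

def effective_trust(start, direct_trust, max_hops=None):
    """Return {trusted_party: chain} for everything `start` ends up trusting.

    chain lists the parties from `start` to the trusted party.
    max_hops is an assumed policy knob: 1 honours direct trust only,
    None allows unlimited transitivity.
    """
    chains = {}
    queue = deque([[start]])
    while queue:
        chain = queue.popleft()
        hops = len(chain) - 1
        if max_hops is not None and hops >= max_hops:
            continue
        for nxt in direct_trust.get(chain[-1], []):
            if nxt == start or nxt in chains:
                continue  # already reached by a chain of equal or shorter length
            chains[nxt] = chain + [nxt]
            queue.append(chains[nxt])
    return chains

def indirect_only(start, direct_trust, max_hops=None):
    """Parties trusted only through someone else: the ones to review."""
    direct = set(direct_trust.get(start, []))
    reached = effective_trust(start, direct_trust, max_hops)
    return {p: c for p, c in reached.items() if p not in direct}

if __name__ == "__main__":
    for party, chain in effective_trust("Z", DIRECT_TRUST).items():
        kind = "direct" if len(chain) == 2 else "transitive"
        print(f"Z trusts {party} ({kind}): {' -> '.join(chain)}")
```

Setting `max_hops=1` reduces Z's trust to T alone, which is the effect of refusing transitive trust altogether.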


What was covered.

Topic: Mobile device security.

Summary: As the popularity of mobile devices has increased, so have the security concerns for those devices. Some steps that can be taken to secure mobile devices include: screen locks, lockout settings, GPS, remote wiping, full device encryption, disabling unused features, disabling removable storage, application controls, storage segmentation, inventory control, mobile device management, and device access controls.

Topic: Mobile application security.

Summary: Security controls should be put in place on applications that either reside on mobile devices or are accessed by mobile devices. Some of these controls include: encryption, credentials management, authentication, geotagging, application whitelisting, and transitive trust/authentication controls.


This workforce solution was 100 percent funded by a $3 million grant awarded by the U.S. Department of Labor's Employment and Training Administration. The solution was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties, or assurances of any kind, express or implied, with respect to such information, including any information on linked sites and including, but not limited to, accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership. Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53.

PACE-IT is an equal opportunity employer/program and auxiliary aids and services are available upon request to individuals with disabilities. For those that are hearing impaired, a video phone is available at the Services for Students with Disabilities (SSD) office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call 425.354.3113 on a video phone for more information about the PACE-IT program. For any additional special accommodations needed, call the SSD office at 425.640.1814. Edmonds Community College does not discriminate on the basis of race; color; religion; national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran status; or genetic information in its programs and activities.