2.7 Explain common methods for securing mobile and embedded devices.
- Screen Locks
- Facial Recognition
- PIN Codes
- Fingerprint
- Pattern
- Swipe
- Remote Wipes
- Locator Applications
- OS Updates
- Device Encryption
- Remote Backup Applications
- Failed Login Attempts Restrictions
- Antivirus / Anti-Malware
- Firewalls
- Policies and Procedures
- BYOD vs Corporate Owned
- Profile Security Requirements
- Internet of Things (IoT)
Mobile Device Screen Lock
There are several ways to secure a mobile device
- Fingerprint
- A fingerprint scanner built into the phone is not as sophisticated as a fingerprint scanner used by an enterprise (for example at a military base)
- Phone fingerprint scanners create a mathematical approximation (a summary) of the fingerprint. Many different fingerprints can generate the same approximation. Therefore, there is a 1 in 50,000 chance that the fingerprint can be broken.
- Fingerprints (on phones) are less accurate than passwords.
- That’s why a phone might require a password instead of a fingerprint when rebooting or during other scenarios, or might require a password if the wrong fingerprint has been entered too many times
- A fingerprint scanner built into the phone is not as sophisticated as a fingerprint scanner used by an enterprise (for example at a military base)
- Some phones don’t have fingerprint scanners
- Face Lock
- Uses facial recognition
- Face Lock is a new technology, and its accuracy hasn’t been established
- It has been shown that it can be tricked
- It allows you to unlock the phone just by looking at it
- Uses facial recognition
- Swipe Lock
- The swipe lock lets you unlock your phone by swiping your finger across the screen
- It does not provide any security
- The swipe lock lets you unlock your phone by swiping your finger across the screen
- Pattern Lock
- The phone displays a grid of dots, and you must connect the dots to unlock the phone
- Effectively as secure as a passcode, but may be easier to remember because the dots might form a meaningful shape
- Passcode Lock / PIN Lock
- Requires you to enter a passcode to unlock the phone
- Passcode can be 4-digits, 6-digits, or a longer alphanumeric password
- Requires you to enter a passcode to unlock the phone
Other Policies to Protect Your Phone
Some mobile phone best practices include Remote Wipe, Locators, Backups, and Antivirus.
Remote Wipe
- Allows an administrator to erase the content of the device remotely
- The phone must be connected to the internet for the remote wipe to work
Locator Applications
- Displays the location/GPS coordinates of the phone
- Can be integrated into a different App such as Google Apps or Norton Security
- If the phone is lost/stolen, you can use the locator app to find the last location of the phone
- Requires the phone to be connected to the internet and have location sharing enabled
Remote Backup Applications
- Backs up the content of the phone to the cloud automatically
- An application may back up specific content (for example Google Photos) or the entire phone
Failed Login Attempts Restrictions
- If the wrong password is entered multiple times, the phone is automatically erased
- The number of failed login attempts is typically 10, but the number of attempts can be configured by the user
- After a shorter number of failed login attempts (such as 5), the phone prevents additional log ins for a period. For example, after 5 failed login attempts, you can’t try another password for 30 minutes
Antivirus/Anti-malware
- Norton and other antivirus apps are available for Android phones
- Blackberry phones have a built-in anti-malware program
- iOS phones don’t have antivirus
Patching/OS Updates
- OS updates are released regularly for Android and iOS devices
- Updates provide additional features and fix security issues
- The updates typically download automatically and can be installed at the user’s option
- Updates for apps are also made available by each app developer
- An Android phone may automatically update Apps
- An Android phone may automatically update Apps
Biometric Applications
- Allows a user to log in to their device through a fingerprint, facial recognition or other biometric (as previously mentioned)
Full Device Encryption
- Encrypts the contents of the device
- Enabled by default on newer Android and iOS devices
- If device encryption is not enabled, a hacker can bypass the lock screen password and access the data directly
Firewall
- A firewall can prevent unauthorized access to your mobile device
- Firewall Apps are not common on mobile devices
Deployment Models
There are several ways to deploy mobile devices
- Bring Your Own Device (BYOD). With BYOD, an employee can use their own personal device and not have to carry two devices. They can use a device of their choice.
The organization must be able to provide technical support for a wide range of manufacturers and models. The organization may limit the support that they provide for BYOD devices to only basic technical support.
We might use MDM to separate the user’s apps and data from the company’s apps and data.
There may be legal restrictions on what the organization can do with an employee-owned device (such as GPS tracking, data erasing, encryption).
The organization may be required to reimburse employees for the use of their phones. - Corporate-Owned Personally Enabled (COPE). The organization supplies and owns the mobile devices, but employees are permitted to use them for non-work purposes. This is good because people do not want to carry two phones. The company can choose which phones employees will use and can enforce policies through MDM.
The company might allow the user to keep their phone (for free or for a fee) when they leave. The company should require the user to erase any company data from the phone at this time.
The company must be careful to keep each user’s personal activities private. - Choose Your Own Device (CYOD). CYOD is like COPE, except that a user can choose any type of phone that they want. This can create a headache for the IT department because they will have to support a wide variety of devices. Also, some of those devices might not meet the company’s security or performance standards.
- Corporate-Owned. The organization supplies and owns the mobile devices. The company enforces its policies on all the devices and employees are prohibited from using them for personal activities.
Profile Security Requirements
We can enforce different requirements on a mobile device. As discussed in a previous section, we can use Mobile Device Management to enforce policies across our mobile devices.
Examples of policies that can be applied
- Password/lock screen/minimum password complexity
- Remote wipe
- Inability to install applications
- Automatically install specific apps
- Connect only to specific Wi-Fi networks
- Enable/disable specific items such as the camera, location services, etc.