If you’re planning to take the SY0-501 Security+ exam, you should understand how to deploy mobile devices securely. Many organizations want to allow employees to connect mobile devices to the network. However, they need to identify methods to manage the security related to these devices, and how to monitor the devices and enforce security policies.
For example, can you answer this question?
Q. Ziffcorp is planning to eliminate its current BYOD policy and instead implement a COPE deployment model. You’re asked to provide input for the new policy. Which of the following concepts are appropriate for this policy?
A. Encryption on employee-owned devices
B. HSM
C. ISA
D. Remote wipe
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Mobile device management (MDM) tools often manage devices differently depending on who owns them. If the organization owns the device, the MDM tool will typically download and install all required applications, and ensure they are kept up to date.
If the device is employee-owned, the MDM tool monitors it for compliance and blocks access to the network if the device doesn't meet minimum requirements. For example, if the device isn't patched or doesn't have up-to-date antivirus software, the MDM software works with network access control (NAC) technologies to prevent the device from connecting to the network.
Hardware Control
An organization might want to control the use of some of the hardware on mobile devices, and MDM tools can help. Mobile devices commonly include a camera and a recording microphone. These are useful for regular users, but they can present significant risks within an organization.
As an example, attackers have successfully inserted malicious code into some apps available on third-party sites. When users install these apps, the malicious code allows an attacker to remotely connect to the phone, snap pictures, record audio, and much more.
To reduce this risk, an organization can configure the MDM software to disable the camera and microphone. Ideally, the MDM tool disables them only when it detects that the device is within a previously configured geofence, such as a research lab or a secure conference room. Unfortunately, not all MDM tools support disabling hardware based on geolocation. If the MDM tool doesn't support this feature, the organization may instead prohibit the possession of smartphones in certain areas.
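The ownership-aware compliance check from the previous section and the geofenced camera/microphone restriction described here are easier to reason about in code. The following is an added example written for this post; it is not code from the Security+ study guide or from any MDM product. The device records, the site coordinates, the minimum patch level and the app names are all constructed for illustration, and the geofence check deliberately fails closed: a device whose GPS error circle overlaps the fence is treated as inside it.

```python
"""Ownership-aware MDM posture check with a geofenced hardware restriction.

Added example for this post (not from the Security+ study guide or any
MDM vendor). All device records, coordinates and thresholds below are
constructed for illustration.
"""
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius used by the haversine formula


@dataclass(frozen=True)
class Geofence:
    name: str
    lat: float
    lon: float
    radius_m: float  # devices within this distance of (lat, lon) are "inside"


@dataclass
class Device:
    device_id: str
    corporate_owned: bool
    patch_level: str       # Android-style "YYYY-MM" security patch level
    av_up_to_date: bool
    lat: float
    lon: float
    gps_accuracy_m: float  # horizontal accuracy reported with the location fix


@dataclass
class Decision:
    network_access: str                     # "allow" or "block" (handed to NAC)
    reasons: list = field(default_factory=list)
    required_apps: list = field(default_factory=list)
    disable_camera: bool = False
    disable_microphone: bool = False


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


def inside_fence(device, fence):
    """Fail closed: if the device's error circle overlaps the fence, treat it as inside."""
    distance = haversine_m(device.lat, device.lon, fence.lat, fence.lon)
    return distance - device.gps_accuracy_m <= fence.radius_m


def evaluate(device, fences, min_patch_level, corporate_apps):
    """Apply the policy described in the post: push apps to corporate devices,
    quarantine non-compliant employee-owned devices, and disable the camera and
    microphone inside any restricted geofence regardless of ownership."""
    decision = Decision(network_access="allow")
    if device.corporate_owned:
        decision.required_apps = list(corporate_apps)  # MDM installs and updates these
    else:
        # "YYYY-MM" strings compare correctly as plain strings
        if device.patch_level < min_patch_level:
            decision.reasons.append(f"patch level {device.patch_level} is older than {min_patch_level}")
        if not device.av_up_to_date:
            decision.reasons.append("antivirus signatures out of date")
        if decision.reasons:
            decision.network_access = "block"
    for fence in fences:
        if inside_fence(device, fence):
            decision.disable_camera = True
            decision.disable_microphone = True
            decision.reasons.append(f"inside geofence {fence.name}")
            break
    return decision


# Constructed sample data; the coordinates do not describe any real facility.
RND_LAB = Geofence("R&D lab", 38.8977, -77.0365, radius_m=150.0)
CORPORATE_APPS = ["com.example.mdm-agent", "com.example.vpn"]
MIN_PATCH = "2017-09"
SAMPLE_DEVICES = [
    Device("cope-001", True, "2017-10", True, 38.8978, -77.0366, 10.0),   # corporate, inside the lab
    Device("byod-002", False, "2017-06", True, 38.9100, -77.0500, 5.0),   # employee-owned, stale patch, far away
    Device("byod-003", False, "2017-10", True, 38.8995, -77.0365, 80.0),  # ~200 m away but 80 m GPS error: fail closed
]


def run_demo():
    """Evaluate every constructed device and return the decisions keyed by device ID."""
    return {d.device_id: evaluate(d, [RND_LAB], MIN_PATCH, CORPORATE_APPS) for d in SAMPLE_DEVICES}


if __name__ == "__main__":
    for device_id, decision in run_demo().items():
        print(device_id, decision)
```

Two caveats worth keeping in mind when you build on this. First, the location comes from the device itself, so a rooted or jailbroken phone can lie about it; the geofence is a control against careless users, not against a determined insider, which is why a prohibition on devices in sensitive areas is still the stronger control. Second, the fail-closed rule above means a poor GPS fix near a fence disables the camera somewhat outside the intended area; that is the right trade-off for a restriction, but you would not want the same rule for a geofence that grants access.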
MDM tools can also prevent the use of external media and Universal Serial Bus On-The-Go (USB OTG) cables. Mobile devices commonly have one or more ports where you can plug in a cable. Apple devices have a Lightning port and Android devices typically have a micro-USB or USB-C port. In some cases, it's possible to connect external media (such as an external drive) to the device. Organizations might want to prevent this because the media presents additional risks. It could contain malware. It might also allow a malicious insider to copy a massive amount of data.
USB OTG cables allow you to connect just about any device to your mobile device, including another mobile device. This includes a mouse, keyboard, Musical Instrument Digital Interface (MIDI) keyboard, and external media. Many people find this very useful to transfer photos from digital cameras to their mobile device. Again, though, because this allows connections to external media, an organization might choose to disable the feature using MDM tools.
Unauthorized Connections
Management within an organization might want to limit a mobile device's connections. For example, if the mobile device can connect to the primary network, management might want to ensure that the mobile device cannot access the Internet using another connection at the same time.
Most smartphones support tethering, which allows you to share one device's Internet connection with other devices. As an example, you can connect your smartphone to the Internet over its cellular data connection and then share that connection with a laptop, a tablet, or any other device over Wi-Fi, Bluetooth, or a USB cable. If employees use tethering within the organization, it allows them to bypass security controls such as firewalls and proxy servers. Imagine Bart wants to visit a not safe for work (NSFW) site with his work laptop. The proxy server blocks his access. However, he can tether his laptop to his smartphone and visit the site. This direct connection also bypasses any content filters in the network, and it can allow malware onto his laptop that the network controls would otherwise have blocked.
Many mobile devices also support Wi-Fi Direct, which is a standard that allows devices to connect without a wireless access point or wireless router. This is similar to a wireless ad hoc network, which also allows devices to connect together without a wireless access point or wireless router. The difference is that Wi-Fi Direct uses single-hop radio communication: each device talks directly to one device acting as the group owner, which behaves much like a software access point. Devices in a wireless ad hoc network can relay traffic for each other over multiple hops. From a security standpoint the two are alike: either one lets a mobile device exchange data with other devices without ever passing through the organization's access points and the controls behind them.
Smartphones are often locked to a specific carrier such as Verizon or AT&T. A subscriber identity module (SIM) card identifies the subscriber and the home country and carrier network the phone uses. In other words, if Lisa has a smartphone and a Verizon plan, the SIM card in her phone connects her to Verizon's network instead of AT&T's. A carrier-locked phone refuses to work with a SIM card from a different carrier.
If Lisa purchased her phone under a two-year contract and has fulfilled all the terms of her plan, she can have her phone unlocked (also called carrier unlocking) and use it with another carrier. An organization might want to block this capability for all COPE devices so that corporate-owned phones stay on the carrier plan the organization manages.
Q. Ziffcorp is planning to eliminate its current BYOD policy and instead implement a COPE deployment model. You’re asked to provide input for the new policy. Which of the following concepts are appropriate for this policy?
A. Encryption on employee-owned devices
B. HSM
C. ISA
D. Remote wipe
The answer is D. Remote wipe sends a remote signal to the device to wipe or erase all of its data, and it is appropriate for a corporate-owned, personally enabled (COPE) deployment model.
None of the other answers is relevant for a COPE deployment model.
The company is eliminating the bring your own device (BYOD) policy so employee-owned devices should not be used.
A hardware security module (HSM) is a security device typically used with servers to manage, generate, and securely store cryptographic keys.
An interconnection security agreement (ISA) specifies technical and security requirements for planning, establishing, maintaining, and disconnecting a secure connection between two or more entities.
See Chapter 5 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on deploying mobile devices securely.
Check out the Mobile Device Management blog post to know more about MDM.