If you’re planning to take the Security+ exam, you should have a basic understanding of mobile device security methods available to reduce risks associated with mobile devices.
For example, can you answer this question?
Q. Your company provides electrical and plumbing services to homeowners. Employees use tablets during service calls to record activity, create invoices, and accept credit card payments. Which of the following would BEST prevent disclosure of customer data if any of these devices are lost or stolen?
A. Mobile device management
B. Disabling unused features
C. Remote wiping
D. GPS tracking
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Securing Mobile Devices
Mobile devices are smartphones, tablets, and laptop computers. Because they are mobile, they are more susceptible to some threats such as theft, and data security is one of the primary concerns with mobile devices.
There are many methods available to reduce risks associated with mobile devices. Some methods focus on securing the device, while others focus on application security.
Some general security concepts include:
- Encryption. Encryption protects against loss of confidentiality on multiple platforms, including workstations, servers, mobile devices, and data transmissions. Encryption methods such as full device encryption provide device security, application security, and data security.
- Authentication and device access control. Authentication methods such as usernames and passwords ensure only authorized personnel can access devices. Laptops support multifactor authentication, which is especially useful when the laptop includes valuable data. Smartphones and tablets typically have short passcodes, but users can be forced to use more secure authentication methods when they access the organization’s network.
- Device access control. Authentication methods protect access to devices. Without proper authentication methods, attackers can bypass device access controls.
Mobile Device Security Concepts
The primary scenario that concerns mobile device users and administrators is loss or theft of a device. For example, if a thief steals Homer’s smartphone or tablet, Homer will have two primary concerns. He’ll want to locate the device and prevent the thief from accessing any data on the device. Several tools address both of these concerns.
Here are some device security concepts and concerns:
- Removable storage. USB thumb drives and other removable storage devices are a source of data leakage and malware distribution, so security policies often restrict the use of USB thumb drives and other portable devices such as music players. Disabling removable storage capabilities makes it more difficult for users to copy data to and from the devices and protects them from malware. When using external USB hard drives, encryption can be effective at protecting the confidentiality of the data. However, it’s important to use strong access controls to ensure attackers cannot bypass the encryption and access the data.
- Storage segmentation. In some mobile devices, it’s possible to segment storage of data. For example, users might be required to use external storage for any corporate data to reduce the risk of data loss if the device is lost or stolen.
- Remote wiping. This is similar to the Erase iPad feature. It sends a remote signal to the device to wipe or erase all the data. Remote wipe capabilities are useful if the phone is lost. The owner can send a remote wipe signal to the phone to delete all the data on the phone. This also deletes any cached data, such as cached online banking passwords, and provides a complete sanitization of the device by removing all valuable data.
- Disabling unused features. Basic hardening practices for desktop and server systems apply to mobile devices, too. If ports and protocols aren’t needed, they should be disabled or removed. Similarly, if mobile devices have any features that are not needed, they should be disabled. A side benefit of disabling unused features is that it reduces the drain on the battery and helps the battery to last longer.
Q. Your company provides electrical and plumbing services to homeowners. Employees use tablets during service calls to record activity, create invoices, and accept credit card payments. Which of the following would BEST prevent disclosure of customer data if any of these devices are lost or stolen?
A. Mobile device management
B. Disabling unused features
C. Remote wiping
D. GPS tracking
Answer is C. Remote wiping sends a signal to a device and erases all data, which would prevent disclosure of customer data.
Mobile device management helps ensure devices are kept up to date with current patches.
Disabling unused features is a basic hardening step for mobile devices, but doesn’t help if the device is lost.
Global positioning system (GPS) tracking helps locate the device, but doesn’t necessarily prevent data disclosure if the device cannot be retrieved.