ECE560
Computer and Information Security
Fall 2020
Wireless and Mobile Security
Tyler Bletsch
Duke University
Adapted from “Chapter 24: Wireless Network Security” by Dr. Hossein Saiedian at Univ.
Kansas, which in turn was adapted from Chapter 24 of our textbook
2
Wireless Security
3
Wireless Security Overview
It’s like regular security, but the communications
medium is more accessible.
Like if your wired network was like this:
4
Wireless Network Modes
• WiFi is specified in IEEE 802.11 with various lettered suffixes
• 802.11 wireless networks operate in two basic modes:
▪ Infrastructure mode
• Each wireless client connects directly to a central device called Access
Point (AP)
• No direct connection between wireless clients
• AP acts as a wireless hub that performs the connections and handles
them between wireless clients
▪ Ad-hoc mode
• Each wireless client connects directly with each other
• No central device managing the connections
• Rapid deployment of a temporary network where no infrastructure exists
• Being deprecated by OS vendors (Windows 10 doesn’t support it 😢)
5
Wireless Networking Components
Wireless client: WIFI-enabled laptop/tablet, cell phone, Bluetooth device, …
Access point: Cell towers, WIFI hotspots, wireless routers
Transmission medium: carries signals
For WiFi, APs are identified by SSID:
• A client must set the same SSID as the one in that particular AP to join the network
• Without SSID, the client won’t be able to select and join a wireless network
Figure 24.1 Wireless Networking Components (figure labels: Endpoint, Access point)
6
Wireless Network Threats
• Inappropriate association (either accidental or malicious)
• Identity theft (MAC spoofing)
• Man-in-the-middle attacks
• Denial of service (DoS)
• Network injection
▪ Bogus reconfiguration commands to routers/switches that degrade
performance
• Unique attacks on non-traditional networks
▪ Bluetooth, proprietary wireless
7
Proposed advice on securing wireless networks
(some good, some okay, some bad)
• Use encryption
▪ Yes, especially strong modern algorithms (WPA2)
• Change router’s preset password
▪ Yes. Not having a publicly known key usually helps with encryption...
• Use and enable anti-virus, anti-spyware, firewall
▪ True, but unrelated to wireless.
• Change default identifier on router
▪ Good idea so you know what’s-what, but does nothing for security.
• Reduce signal strength
▪ Place away from windows and external walls, use directional antennas
▪ Problem: attackers can boost power, get directional antennas, etc...
• Turn off SSID broadcasting
▪ Waste of time.
• Apply MAC-filtering
▪ Almost entirely useless due to MAC spoofing.
8
IEEE 802.11 Wireless LAN
• IEEE 802: a committee responsible for LANs
• IEEE 802.11: responsible for developing wireless protocols
▪ Key standards:
• 802.11b: Uses 2.4GHz spectrum, up to 11Mbps
• 802.11g: Uses 2.4GHz spectrum, up to 54Mbps
• 802.11n: Uses 2.4 and 5GHz spectrum, up to 288Mbps or 600Mbps
• 802.11ac: Uses 5GHz spectrum, up to ~3Gbps
▪ A variant can use the frequencies formerly used in analog TV
• 802.11ax: Uses 2.4GHz and 5GHz spectrum, up to 10Gbps
▪ Upcoming – not commonly deployed yet!
9
IEEE 802.11 Protocol Stack
• Physical layer (encode/decode signals)
• MAC layer: assembles MAC frame, disassembles frames and performs address recognition
• LLC: keeps track of frame transmission
10
A MAC Frame (MPDU)
• MAC protocol data unit (MPDU)
11
IEEE 802.11 Extended Service Set
• BSS (Basic Service Set): the smallest building block
• BSSs connected via APs
▪ APs function as bridges
• ESS (Extended Service Set): two or more BSSs
12
IEEE 802.11# Wireless Security
• Wired Equivalent Privacy (WEP): Garbage
• Wi-Fi Protected Access (WPA): So-so
• Wi-Fi Protected Access 2 (WPA2): Good
13
WEP - Wired Equivalent Privacy
• The original native security mechanism for WLAN
• Provide security through an 802.11 network
• Used to protect wireless communication from eavesdropping
(confidentiality)
• Prevent unauthorized access to a wireless network (access control)
• Prevent tampering with transmitted messages
• Provide users with the equivalent level of privacy inbuilt in wireless
networks.
14
How WEP works
[Diagram labels: IV, key, RC4; original unencrypted packet + checksum; IV + encrypted packet]
15
WEP Flaws and Vulnerabilities
• Weak keys:
▪ It allows an attacker to discover the default key being used by the Access
Point and client stations
▪ This enables an attacker to decrypt all messages being sent over the
encrypted channel.
• IV (initialization vector) reuse and small size:
▪ There are 2^24 different IVs
▪ On a busy network, the IV will surely be reused; if the default key has not been changed, the original message can be retrieved relatively easily.
16
Attacks on WEP
• WEP encrypted networks can be cracked in 10 minutes
• Goal is to collect enough IVs to be able to crack the key
• IV = Initialization Vector, plaintext appended to the key to avoid repetition
• Injecting packets generates IVs
17
WPA - WI-FI Protected Access
• Standardized in 2002
• Replacement that addresses the security flaws of WEP
• Improved data encryption
• Strong user authentication
• Because of the many attacks related to the static key, WPA minimizes the shared secret key in accordance with the frame transmission
• Uses the RC4 algorithm in a proper way and provides fast transfer of the data before someone can decrypt the data.
18
WPA2 - WI-FI Protected Access 2
• Based on the IEEE 802.11i standard
• The primary enhancement over WPA is the use of the AES
(Advanced Encryption Standard) algorithm
• The encryption in WPA2 is done by utilizing either AES or TKIP
• Two modes:
▪ Personal mode uses a PSK (Pre-shared key) & does not require a separate
authentication of users
▪ Enterprise mode requires the users to be separately authenticated by using
the EAP protocol
• DukeBlue is WPA2-EAP!
19
WPA2
• WPA2 has immunity against many types of attacks
▪ Man-in-the-middle
▪ Authentication forging
▪ Replay
▪ Key collision
▪ Weak keys
▪ Packet forging
▪ Dictionary attacks
20
WEP vs WPA vs WPA2
                 | WEP                             | WPA                              | WPA2
ENCRYPTION       | RC4                             | RC4                              | AES
KEY ROTATION     | NONE                            | Dynamic Session Keys             | Dynamic Session Keys
KEY DISTRIBUTION | Manually typed into each device | Automatic distribution available | Automatic distribution available
AUTHENTICATION   | Uses WEP key as Authentication  | Can use 802.1x & EAP             | Can use 802.1x & EAP
21
Procedures to Improve Wireless Security
• Enable WPA2-PSK (personal) or WPA2-EAP (enterprise)
▪ AES is more secure, use TKIP for better performance
• Use a good passphrase
• “Change your SSID every so often”
▪ ^ This was in the original slides and is totally nuts.
22
Wireless Network Tools
• MAC Spoofing
▪ http://aspoof.sourceforge.net/
▪ http://www.gorlani.com/publicprj/macmakeup/macmakeup.asp
▪ http://www.klcconsulting.net/smac/
• WEP Cracking tools
▪ http://www.backtrack-linux.org/
▪ http://www.remote-exploit.org/articles/backtrack/index.html
▪ http://wepattack.sourceforge.net/
▪ http://wepcrack.sourceforge.net/
• Wireless Analysers
▪ http://www.kismetwireless.net/
▪ http://www.netstumbler.com/
23
Mobile Security
24
Two ways to think about mobile security
• Security against mobile devices: mindset of the sysadmin
▪ Our focus
• Security for mobile devices: mindset of vendors...sometimes?
▪ We’ll leave this aside unless we have extra time.
▪ Short version:
• Encryption
• Per-app permissions and isolation
• Sandboxing
25
Mobile Device Security Challenges
• Trends:
▪ Bring Your Own Device (BYOD)
• No more tight control over computing devices
▪ De-perimeterization: static network perimeter is gone
• Mobile network allows Internet gateways you don’t control
▪ External business requirements (guests, third-party contractors, …) keep the
above true
• Resulting threats:
▪ Lack of physical security control
▪ Use of untrusted mobile devices
▪ Use of untrusted networks
▪ Use of apps created by unknown parties
▪ Interaction with other systems (e.g., cloud-based data sync)
▪ Use of untrusted content
26
Mobile Device Security
• User training
• Mobile device configuration:
▪ Enable auto-lock
▪ Enable password/PIN/thumbprint protection
▪ Disable/discourage auto-completion for passwords
▪ Enable remote wipe
▪ Up-to-date OS/software
▪ Encrypt sensitive data
▪ Prohibit installation of third-party apps
▪ Most of the above can be enforced by policy via e.g. Microsoft Exchange
• Network/service configuration:
▪ User devices disallowed on trusted networks
▪ User devices must be registered (tied to human) to get on a network
(e.g. Dukeblue)
▪ Remote access via VPN only
▪ Configure/enable SSL to prevent MITM attacks on infected endpoints
27
Mobile Device Security Elements
• Encrypt
• Configure based on policy
• Authenticate/access control
