By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
Objective 2.7: Explain common methods for securing mobile and embedded devices. Mobile devices have evolved to the point that they can hold as much valuable data as any workstation. Add to this their compact and easy-to-conceal design and the high cost of the devices, and it becomes clear why mobile devices pose a serious security threat. The following sections cover methods and practices that can mitigate mobile device threats. Note: For the 220-1102 exam, be familiar with these concepts: - Screen locks - Remote wipes - Locator applications - Remote backup applications - Failed login attempt restrictions - Antivirus/anti-malware - Patching/OS updates - Biometric authentication - Full device encryption - Multifactor authentication - Authenticator applications - Trusted sources vs. untrusted sources - Firewalls - Policies and procedures Screen Locks The first step in securing a mobile device is to set a numeric passcode or another type of screen lock. Such a passcode locks the device, making it inaccessible to everyone except those who know the passcode—and experienced hackers. A screen lock can be a pattern that is drawn on the display, a PIN (passcode lock), or a password. A very strong password is usually the strongest form of screen lock. The screen lock setting can be accessed on an Android device by going to Settings Security. On iPhone 12, go to Settings FaceID & Passcode (enter the current passcode). The navigation varies between Android and iPhone versions, but the settings here apply to both types of phones, unless otherwise noted. You can select how long the phone waits after inactivity to lock; this is usually set to 3 or 5 minutes, but in a confidential environment, it might be appropriate to set this to Immediate. To enable Auto-Lock, go to Settings General Auto-Lock and select a number of minutes. If this is set to Never, the device will never sleep, negating the security of the passcode and using valuable battery power. The default setting is 2 minutes. On an iPhone, Auto Lock is available under the Display Settings area. In addition to the default timeout, devices can be locked by quickly pressing the power button. If this is configured, the passcode must be supplied whenever a mobile device comes out of a sleep or lock state and whenever it is first booted. Some devices support other types of screen locking, including a fingerprint lock (in which the user’s fingerprint is matched against a list of authorized user fingerprints) and a face lock (in which the user’s face is matched against a list of authorized user faces). Windows Hello, a Windows feature supported on some devices, is an example of a face lock. Face ID is the Apple version that is supported on newer versions of iPhone and iPad Pro. A swipe lock app immediately locks a device when the user swipes the display to one side. The next option on the Security screen is Visible Passwords. If this option is checked, the device shows the current letter of the password being typed by the user. This type of setting is vulnerable to shoulder surfers (people looking over your shoulder to find out your password) and should be deselected so that only asterisks (*) are shown when the user types a password. A Credential Storage option also is available. By default, secure credentials are dropped when a session is finished. (An exception to this rule is a Gmail or other similar login.) However, if Use Secure Credentials is checked and a user accesses a website or an application that requires a secure certificate, the credentials are stored on the device. A user can set a password here so that only he or she can view or clear credentials or install credentials from a memory card. The use of secure credentials is usually configured only if a user needs access to confidential company information on the Internet. Passcode locking can be accessed on iPad and iPhone devices by going to Settings Passcode and tapping Passcode Lock to display the Passcode Lock screen. Tap Turn Passcode On to set a passcode. Remote Wipes A lost or missing mobile device is a serious security threat. A hacker can get past passcodes and other screen locks, which means it’s just a matter of time before the hacker has access to the data. An organization with confidential information should consider enabling a remote wipe of a device. As long as the mobile device still has access to the Internet, the remote wipe program can be initiated from a desktop computer to delete all the contents of the remote mobile device. Some devices (such as the iPhone) have a setting that causes the device to be erased after a certain number of incorrect password attempts (10, in the case of the iPhone). Third-party apps also are available for download for most mobile devices and can wipe the data after a specified number of attempts. Some apps configure a device to automatically take a picture after three failed attempts and email the picture to the device owner. Examples of software that can accomplish this include Google Sync, Google Apps Device Policy, Apple Data Protection, and third-party apps such as Mobile Defense. In some cases, such as with Apple Data Protection, the command that starts the remote wipe must be issued from an Exchange server or mobile device management (MDM) server. Of course, you should have a backup plan in place as well so that data on the mobile device is backed up to a secure location at regular intervals. This way, if the data needs to be wiped, you know that you can recover most or all of the data. The type of remote wipe program, backup program, and policies on how these are implemented can vary among organizations. Locator Applications By installing or enabling a locator application or service such as Android Device Manager, Lookout for iOS or Android, or Find My iPhone (or Find My App and AirTag), a user can track down a lost device. These apps can be operated from any other phone that has a similar app installed, as long as the power is on and geolocation is working. Remote Backup Applications A mobile device is backed up in two ways: using a USB connection to a desktop or laptop computer, or to the cloud by using a remote backup application. The Apple iCloud offers a free cloud backup service for a limited amount of data (currently, 5GB), with more space available by subscription. iTunes, which can be used for USB-based backup, backs up the entire device to a hard drive at no additional cost. Android users have free backup for email, contacts, and other information via Google Cloud. However, backing up photos, music, and other content and documents must be performed either manually via USB or with a file sync to the cloud, using a service such as Dropbox or another third-party app. Both iOS and Android users can use popular third-party, cloud-based backups that are also supported for macOS and Windows, such as Carbonite (carbonite.com) and iDrive (idrive.com). Failed Login Attempts Restrictions Most mobile devices include failed login attempt restrictions. If a person fails to enter the correct passcode after a certain number of attempts, the device locks temporarily and the person must wait a certain amount of time before attempting the passcode again. If the person fails to enter the correct passcode again, on most devices, the timeout increases. As mentioned earlier, multiple failed logins can result in a remote wipe of the hard drive. Antivirus/Anti-malware Just as there is antivirus software for PCs, antivirus/anti-malware software exists for mobile devices. These are third-party applications that need to be paid for, downloaded, and installed to the mobile device. Some common examples for Android include McAfee VirusScan Mobile, AVG, Lookout, Dr. Web, and NetQin. iOS works a bit differently than Android. iOS is a tightly controlled operating system. One benefit of being a closed-source OS is that writing viruses for it can be more difficult, making it somewhat more difficult to compromise. But no OS is truly safe from compromise. For the longest time, no antivirus software existed for iOS, but Apple now allows the download of previously unavailable applications and software that Apple did not authorize. Patches and OS Updates Patches and OS updates help protect mobile devices from the latest vulnerabilities and threats. By default, you are notified automatically about available updates on Android and iOS-based devices. However, you should know where to go to manually update these devices as well: - For Android, go to Settings General About Device Software Update or Settings System About Device Software Update Check for Updates. - For iOS, go to Settings General Software Update. Large organizations that have many mobile devices should use a mobile device management (MDM) suite. McAfee and many other companies have MDM software suites that can take push updates and configure many mobile devices from a central location. Decent-quality MDM software secures, monitors, manages, and supports multiple different mobile devices across the enterprise. Biometric Authentication Both current and older Android and iOS devices can use biometric authentication through the use of add-on fingerprint readers or iris readers. Recent and current iOS devices have built-in support for fingerprint reading with all Touch ID feature–enabled phones and iPad versions. Face locks, such as Microsoft Windows Hello and Apple Face ID, are also considered a type of biometric authentication. Full-Device Encryption With full-device encryption, your data is not accessible to would-be thieves unless they know the passcode. Apple iOS devices feature full-device encryption that is activated when a passcode is assigned to the device. For more about this and other iOS security, Apple provides an iOS Security guide at https://support.apple.com/guide/security/welcome/web. Android 12 supports both full-disk encryption and file-based encryption. File-based encryption is encryption on individual files, meaning that each file has a separate encryption key so that all the phone resources do not have to be tied up in the encryption process. Firewalls Android does not include a firewall, so third-party apps must be used to provide protection against unwanted Internet traffic. Google Play offers many free firewall apps for Android. Apple does not include a firewall because the design of iOS uses a feature called sandboxing that runs apps in a separate protected space. Policies and Procedures Many individually owned mobile devices are now being used on corporate networks. Because these devices were not configured by the corporation, they can potentially present security threats. To prevent threats, organizations need to address these issues in their policies and procedures. BYOD vs. Corporate-Owned Devices The following are benefits of bring your own device (BYOD) policies: - No hardware cost to the organization - Higher usage because employees are satisfied with their selected device - Greater productivity Potential drawbacks include the following: - Hidden costs of management and security - Possibility that some employees will not want to buy their own devices Corporate-owned personally enabled (COPE) is a model in which the company owns the device and sometimes allows the employee to use it for personal use. This model is of great benefit to the organization because the devices are preapproved and are typically similar in model. They are thus easier to manage and control with mobile device management (MDM) or mobile application management (MAM) policies. Profile Security Requirements Whether an organization uses corporate-owned mobile devices, BYOD, or a mixture, setting and following profile security requirements is important for achieving increased productivity without incurring significant risks. Issues involved include specifying approved devices and operating system versions, requiring passwords and lock screens, requiring device encryption, addressing support issues, and determining when and how to remove company information when an employee leaves the organization. Internet of Things Internet of Things (IoT) devices, such as smart home devices, security cameras, and AI assistants such as Alexa and Google Home, have become so pervasive that they can be found in almost every household and SOHO. These devices might be useful or fun, but they come with risks to your network if precautions are not taken. IoT devices do not have industry standards for security, so each device opens a different door to a hacker. Because the devices tend to be insecure, the best solution is to secure them when they join the network.
Steps that can make IoT devices safer are similar to other security practices mentioned elsewhere in this guide: - Enabling authentication and/or changing default passwords to make them more secure - Keeping the devices updated to the latest software or firmware - Isolating them on their own subnet or network, to control access to servers and other devices that hackers might seek out
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.