WEBVTT

00:00.000 --> 00:03.810
>> Enterprise mobility
security Part 2.

00:03.810 --> 00:06.570
The learning objectives
for this lesson are to

00:06.570 --> 00:08.939
explore mobile
deployment scenarios,

00:08.939 --> 00:11.700
to explain mobile
security concerns,

00:11.700 --> 00:14.775
and to define key mobile
digital forensics items.

00:14.775 --> 00:19.245
Let's get started.
Continuing on from Lesson 1,

00:19.245 --> 00:21.300
we're going to go
into a deeper dive

00:21.300 --> 00:22.740
into mobile security.

00:22.740 --> 00:24.150
Also, we're going
to discuss some

00:24.150 --> 00:25.650
of the issues that this may bring

00:25.650 --> 00:26.970
to a company that

00:26.970 --> 00:29.625
chooses to deploy
different mobile devices.

00:29.625 --> 00:31.620
Beginning with that,
we're going to go over

00:31.620 --> 00:33.675
mobile device
deployment scenarios.

00:33.675 --> 00:36.525
The first is bring your
own device or BYOD.

00:36.525 --> 00:39.090
This is when the device
is owned by the employee.

00:39.090 --> 00:41.030
But the device needs to meet

00:41.030 --> 00:42.590
a certain corporate standard for

00:42.590 --> 00:45.605
specs and also allow for
some level of auditing.

00:45.605 --> 00:48.290
This is the most
difficult to secure

00:48.290 --> 00:51.325
because the corporation
does not own the device.

00:51.325 --> 00:53.785
The next scenario would
be the corporate-owned.

00:53.785 --> 00:56.155
This is when the device is
owned by the company and

00:56.155 --> 00:59.909
the device can only be used
for corporate purposes.

01:00.580 --> 01:03.335
The next scenario is
the corporate-owned,

01:03.335 --> 01:05.080
personally enabled or COPE.

01:05.080 --> 01:06.920
This is where the
device is supplied

01:06.920 --> 01:08.465
and owned by the corporation,

01:08.465 --> 01:11.270
but it allows for
personal access to email,

01:11.270 --> 01:12.995
social media, and related.

01:12.995 --> 01:14.660
These are all accessible to

01:14.660 --> 01:16.625
the employee and they can
use them on their own,

01:16.625 --> 01:17.930
but they have to do so within

01:17.930 --> 01:20.749
the corporation's
acceptable use policies.

01:20.749 --> 01:24.055
Then finally, we have choose
your own device or CYOD.

01:24.055 --> 01:25.490
This is similar to COPE,

01:25.490 --> 01:28.700
but where the
corporation will supply

01:28.700 --> 01:29.810
employees with a list of

01:29.810 --> 01:33.480
approved devices that the
employee can choose from.

01:34.660 --> 01:37.580
Mobile device,
digital forensics.

01:37.580 --> 01:39.455
Now, mobile devices,
because they've

01:39.455 --> 01:41.570
become so embedded in our lives,

01:41.570 --> 01:43.100
really contain a lot of

01:43.100 --> 01:45.950
information that would be
useful to investigators.

01:45.950 --> 01:48.665
We can find out
where a device was,

01:48.665 --> 01:49.910
how it was used,

01:49.910 --> 01:52.715
and how the data was
used on the device,

01:52.715 --> 01:58.055
along with many other
valuable pieces of information.

01:58.055 --> 01:59.320
We're going to go
over those in more

01:59.320 --> 02:00.400
detail in the next slide.

02:00.400 --> 02:02.440
But keep this in
mind that because

02:02.440 --> 02:04.090
so many things have been

02:04.090 --> 02:06.834
pushed to our own
mobile devices,

02:06.834 --> 02:08.740
not to mention banking

02:08.740 --> 02:10.210
and shopping and
that type of thing.

02:10.210 --> 02:12.520
But most of our
communications are

02:12.520 --> 02:15.010
done this way through
messaging apps.

02:15.010 --> 02:17.770
But we also take a lot of
pictures and we use a lot

02:17.770 --> 02:20.775
of apps on a wide
variety of topics.

02:20.775 --> 02:23.500
Because of that, our
devices are collecting

02:23.500 --> 02:27.410
more and more information
about us in our daily lives.

02:27.920 --> 02:31.510
Here are some of the
specific items that would be

02:31.510 --> 02:33.804
very interesting
to an investigator

02:33.804 --> 02:35.305
about a mobile device.

02:35.305 --> 02:36.999
We want to look
at the subscriber

02:36.999 --> 02:38.550
and the equipment identifiers,

02:38.550 --> 02:40.160
but also the date and time and

02:40.160 --> 02:42.065
language and the
system settings,

02:42.065 --> 02:44.195
the contacts that
are on the device.

02:44.195 --> 02:47.315
This is very telling
for us. Calendar data.

02:47.315 --> 02:49.910
This may be information
that we can use to make

02:49.910 --> 02:52.250
sure where someone might have

02:52.250 --> 02:54.905
been or where they confirmed
to have met with someone.

02:54.905 --> 02:57.880
Also text messages,
the call logs,

02:57.880 --> 03:02.090
email, any media files such
as photo, video or audio.

03:02.090 --> 03:05.120
Messaging apps are a big thing
similar to text messaging,

03:05.120 --> 03:07.670
but a lot of people have
shifted more towards this.

03:07.670 --> 03:09.125
This could be WhatsApp

03:09.125 --> 03:12.005
or Facebook Messenger,
those types of things.

03:12.005 --> 03:13.760
Also, we want to look
at their web browsing,

03:13.760 --> 03:15.785
their web history to
see what's going on.

03:15.785 --> 03:18.815
Any documents that may
be stored on the device,

03:18.815 --> 03:20.655
their social media data,

03:20.655 --> 03:22.330
all the data from the apps that

03:22.330 --> 03:24.010
are installed on the device.

03:24.010 --> 03:28.045
Geolocation data that would
show where the person was.

03:28.045 --> 03:29.530
A lot of people
aren't aware of this,

03:29.530 --> 03:30.850
but this data is stored for

03:30.850 --> 03:32.320
very long periods of time so you

03:32.320 --> 03:35.890
can really go back and find
where a device has been.

03:35.890 --> 03:38.590
Also, many devices we carry

03:38.590 --> 03:40.990
store biographic health
data because of

03:40.990 --> 03:44.930
the push to using health
apps on mobile devices.

03:45.920 --> 03:47.650
Which brings us to

03:47.650 --> 03:50.095
the security implications
for wearables.

03:50.095 --> 03:51.430
Wearables are designed to

03:51.430 --> 03:53.935
be personal data-enabled
accessories.

03:53.935 --> 03:55.345
These could be smartwatches,

03:55.345 --> 03:57.715
smart rings,
bracelets, or glasses.

03:57.715 --> 04:00.325
They will collect a
great deal of data

04:00.325 --> 04:03.420
about the user, including
health information.

04:03.420 --> 04:05.780
Because this information is

04:05.780 --> 04:08.360
of such a private nature, it

04:08.360 --> 04:12.050
presents security issues
as well as privacy issues.

04:12.050 --> 04:13.925
But what ends up
happening with this data

04:13.925 --> 04:15.710
is that it's shared
with various apps.

04:15.710 --> 04:17.000
A lot of times
people aren't aware

04:17.000 --> 04:18.800
that the app you're using

04:18.800 --> 04:20.195
is collecting that information

04:20.195 --> 04:22.490
to in turn share
with other apps.

04:22.490 --> 04:23.930
Because of that, we do have

04:23.930 --> 04:26.750
potential health privacy issues.

04:26.750 --> 04:29.405
In addition, we have
geo-location problems

04:29.405 --> 04:31.340
because these devices will

04:31.340 --> 04:33.110
track the location of
where they were used.

04:33.110 --> 04:35.780
After all, they're often
used for tracking,

04:35.780 --> 04:37.430
running schedules,
and running paths,

04:37.430 --> 04:38.270
that type of thing.

04:38.270 --> 04:42.125
It can really show
where a device was.

04:42.125 --> 04:43.520
Keep in mind it doesn't always

04:43.520 --> 04:44.420
mean that's where the person

04:44.420 --> 04:46.910
was because the device could
be used by someone else,

04:46.910 --> 04:48.695
but it shows where
that device was,

04:48.695 --> 04:53.320
and most often that is where
the person was as well.

04:53.680 --> 04:56.330
Here's a good example of that.

04:56.330 --> 04:58.400
In 2017, Strava,

04:58.400 --> 05:00.710
which was a run-tracking
app company,

05:00.710 --> 05:02.180
released the heat maps

05:02.180 --> 05:04.070
showing where their
users were running.

05:04.070 --> 05:06.680
Well, unfortunately, this
revealed the locations of

05:06.680 --> 05:09.590
many secret military
bases around the world.

05:09.590 --> 05:11.600
Some of these were used
by the United States,

05:11.600 --> 05:13.990
Russia, and Taiwanese forces.

05:13.990 --> 05:16.480
You'd be able to see
these running maps,

05:16.480 --> 05:18.725
and then people were
able to take those and

05:18.725 --> 05:23.280
locate previously
unknown installations.

05:23.540 --> 05:27.890
Eavesdropping. Now, this
is a broad category,

05:27.890 --> 05:29.315
but it basically means

05:29.315 --> 05:32.480
to listen to devices
that are transmitting.

05:32.480 --> 05:35.495
This could be anything
from Wi-Fi to Bluetooth,

05:35.495 --> 05:37.565
NFC, or even cellular.

05:37.565 --> 05:41.570
Eavesdropping is a constant
threat and anything that

05:41.570 --> 05:45.215
you do not want to be
intercepted must be encrypted.

05:45.215 --> 05:47.780
Bluetooth devices are especially

05:47.780 --> 05:49.070
vulnerable and they
can be attacked

05:49.070 --> 05:51.140
using tools such as RaMBLE.

05:51.140 --> 05:54.490
These can be located.

05:54.490 --> 05:56.510
Even hidden devices stored in

05:56.510 --> 05:58.895
the car can be
located and stolen.

05:58.895 --> 06:01.370
With RaMBLE, you can locate

06:01.370 --> 06:04.145
a device that is out of sight.

06:04.145 --> 06:06.260
Often, like I said,
in the back of a car,

06:06.260 --> 06:09.560
if you keep your phone
or your mobile device,

06:09.560 --> 06:10.850
tucked away somewhere,

06:10.850 --> 06:12.515
RaMBLE would be
able to locate it.

06:12.515 --> 06:13.940
Because of that, thieves
have been able to

06:13.940 --> 06:15.590
break the back windows
of cars and steal

06:15.590 --> 06:17.510
things that people thought

06:17.510 --> 06:20.430
were probably pretty safe
because they were out of sight.

06:22.040 --> 06:25.170
Device hardware and
software security.

06:25.170 --> 06:27.320
First thing we're going to
go over is jailbreaking.

06:27.320 --> 06:29.390
These are exploits that enable

06:29.390 --> 06:32.645
a user to become root
on an iOS device.

06:32.645 --> 06:35.375
This would allow the
user to install apps,

06:35.375 --> 06:37.820
change carriers, and to
customize the system

06:37.820 --> 06:40.535
in ways that they wouldn't
normally be able to do.

06:40.535 --> 06:44.120
The equivalent for this on
the Android side is rooting.

06:44.120 --> 06:46.205
Android runs a version of Linux,

06:46.205 --> 06:47.840
and rooting refers to obtaining

06:47.840 --> 06:50.540
the system level or root
access to the device.

06:50.540 --> 06:52.640
Systemless refers to obtaining

06:52.640 --> 06:55.700
the same access without
modifying the system partitions.

06:55.700 --> 06:57.515
This is harder to detect.

06:57.515 --> 06:59.855
When individuals do this,

06:59.855 --> 07:01.369
they would be able to circumvent

07:01.369 --> 07:03.920
any security that corporations
may have placed

07:03.920 --> 07:06.050
on the devices and it does make

07:06.050 --> 07:08.690
the devices more prone
to being hacked.

07:08.690 --> 07:10.790
If you're getting around
the security that

07:10.790 --> 07:12.995
the manufacturers have
installed on the devices,

07:12.995 --> 07:16.290
it makes it easier for
attackers to do the same thing.

07:16.840 --> 07:19.835
Unauthorized application stores.

07:19.835 --> 07:21.485
We can use sideloading,

07:21.485 --> 07:24.380
and this refers to the
installation of apps from

07:24.380 --> 07:26.330
any third party. Management
suites

07:26.330 --> 07:28.790
can be configured
not to allow this.

07:28.790 --> 07:30.815
We want to make sure that

07:30.815 --> 07:32.570
individuals don't install
apps that are not

07:32.570 --> 07:34.040
approved and we don't want them

07:34.040 --> 07:36.380
downloading them from
other unapproved sites.

07:36.380 --> 07:39.020
Third-party app stores would
be a good example of this.

07:39.020 --> 07:40.430
Sites that are other

07:40.430 --> 07:43.790
than Apple's App Store
and Google's Play Store.

07:43.790 --> 07:46.685
Examples would be
F-Droid and Aurora.

07:46.685 --> 07:51.195
These are app stores from which
you can download apps.

07:51.195 --> 07:52.565
Sometimes they're the
same ones that are

07:52.565 --> 07:54.470
in the Google Play Store,

07:54.470 --> 07:56.540
but oftentimes they are

07:56.540 --> 07:58.415
apps that are not
available there.

07:58.415 --> 08:01.490
By using this, you could
download different apps that

08:01.490 --> 08:04.400
are not available and install
those on your device.

08:04.400 --> 08:06.440
Oftentimes, corporations
would not want

08:06.440 --> 08:08.990
these apps installed on their
corporate-owned devices.

08:08.990 --> 08:11.120
Because it may introduce

08:11.120 --> 08:12.590
an aspect of security that

08:12.590 --> 08:14.270
they otherwise wouldn't have to worry about.

08:14.270 --> 08:16.595
It doesn't mean that
these are bad stores.

08:16.595 --> 08:19.025
They're not. I use both of
these actually for my phone.

08:19.025 --> 08:21.170
But it does introduce

08:21.170 --> 08:23.105
things that as a
security practitioner,

08:23.105 --> 08:24.680
you're going to have
to take into account

08:24.680 --> 08:26.390
when you're trying to
secure your network;

08:26.390 --> 08:28.145
you don't want
anything on there that

08:28.145 --> 08:31.530
isn't necessary for
the corporate mission.

08:32.540 --> 08:37.355
Containerization. This divides
the device into profiles.

08:37.355 --> 08:40.085
One container profile can
be for work purposes,

08:40.085 --> 08:42.245
while the other can be
for personal needs.

08:42.245 --> 08:44.660
These containers are
isolated from each other and

08:44.660 --> 08:47.375
the apps cannot access
each other's container.

08:47.375 --> 08:50.720
DLP can also make sure
of this and then it can

08:50.720 --> 08:52.280
prevent tagged data from being

08:52.280 --> 08:54.365
moved to a non-approved
container.

08:54.365 --> 08:57.080
Again, since one part is
being used for personal use,

08:57.080 --> 08:59.720
the user is able to have all
their personal things there,

08:59.720 --> 09:02.900
such as email and their
social media.

09:02.900 --> 09:04.265
But on the work side,

09:04.265 --> 09:06.620
it's strictly limited to
only the apps that are

09:06.620 --> 09:09.050
necessary for work
and any documents or

09:09.050 --> 09:11.390
data that's used on
that work profile would

09:11.390 --> 09:12.770
not be able to be moved over

09:12.770 --> 09:15.170
to the personal and vice versa.

09:16.280 --> 09:19.150
Hardware manufacturer concerns.

09:19.150 --> 09:22.025
Device manufacturing
is a worldwide system.

09:22.025 --> 09:24.440
Parts are made in one place and

09:24.440 --> 09:25.625
then shipped to other vendors,

09:25.625 --> 09:26.945
and then they're assembled.

09:26.945 --> 09:29.600
Original equipment
manufacturers or OEM,

09:29.600 --> 09:31.100
are the final sellers of

09:31.100 --> 09:33.890
the device and all
support comes from them.

09:33.890 --> 09:34.970
It doesn't come
from the people who

09:34.970 --> 09:36.830
manufacture the
individual parts.

09:36.830 --> 09:38.720
When vulnerabilities
are discovered,

09:38.720 --> 09:40.760
patches must come from the OEM.

09:40.760 --> 09:42.470
If the OEMs are not responsive

09:42.470 --> 09:44.135
then devices remain unpatched.

09:44.135 --> 09:45.830
This is something Android
users have had

09:45.830 --> 09:47.840
a hard time with because

09:47.840 --> 09:50.150
the patch updates have to

09:50.150 --> 09:52.900
come from the device
manufacturers such as Samsung.

09:52.900 --> 09:54.830
If Samsung is slower to patch,

09:54.830 --> 09:56.840
so they have a slower
patch release schedule,

09:56.840 --> 09:58.940
then that means that there
are longer periods of

09:58.940 --> 10:01.635
time that those Android devices
are remaining unpatched.

10:01.635 --> 10:03.265
Apple is pretty good about this.

10:03.265 --> 10:04.810
They release patches much more

10:04.810 --> 10:09.200
frequently than Android
device manufacturers do.

10:10.250 --> 10:13.470
Bootloader security.
Bootloaders are

10:13.470 --> 10:17.245
the first line of mobile
defense for our devices.

10:17.245 --> 10:20.710
They prevent any unauthorized
operating systems

10:20.710 --> 10:22.760
from being loaded
onto the device.

10:22.760 --> 10:24.930
eFuses are used to permanently

10:24.930 --> 10:27.720
write OS files to flash storage.

10:27.720 --> 10:29.935
eFuses also allow for

10:29.935 --> 10:31.495
cryptographic keys to be

10:31.495 --> 10:33.535
etched into the
device for trust.

10:33.535 --> 10:35.140
Since these keys are
etched, they will be

10:35.140 --> 10:37.255
read-only and they
cannot be altered.

10:37.255 --> 10:39.850
These keys can be used
to validate software

10:39.850 --> 10:44.290
during installation.
Let's summarize.

10:44.290 --> 10:47.125
We discussed mobile
device deployment models

10:47.125 --> 10:49.575
and also containerization
on mobile devices,

10:49.575 --> 10:51.030
bootloader security,

10:51.030 --> 10:53.270
hardware, and
manufacturer concerns.

10:53.270 --> 10:55.345
We went over jailbreaking
and rooting,

10:55.345 --> 10:57.820
loading apps through sideloading

10:57.820 --> 10:59.740
and other third-party
app stores,

10:59.740 --> 11:02.240
and security concerns
of wearable devices.

11:02.240 --> 11:06.720
Let's do some example
questions. Question 1.

11:06.720 --> 11:09.490
This process allows a
user to gain root or

11:09.490 --> 11:13.340
superuser-level access
of an iOS device.

11:14.120 --> 11:17.925
Jailbreaking. Question 2.

11:17.925 --> 11:21.280
A mobile device is supplied
by a company but the employee

11:21.280 --> 11:25.400
may use it to access
non-corporate data such as email,

11:25.610 --> 11:29.535
corporate-owned,
personally-enabled, or COPE.

11:29.535 --> 11:34.800
Question 3. F-Droid and
Aurora are examples of this.

11:35.200 --> 11:38.495
Unauthorized application stores.

11:38.495 --> 11:41.450
Also, you could just say
third-party application stores,

11:41.450 --> 11:42.965
but for the purposes of

11:42.965 --> 11:46.310
a corporation controlling
access to a device,

11:46.310 --> 11:49.705
these would be unauthorized
application stores.

11:49.705 --> 11:52.465
Finally, Question
4, true or false?

11:52.465 --> 11:56.015
Mobile devices are not,
forensically speaking,

11:56.015 --> 11:58.120
very interesting
to investigators.

11:58.120 --> 11:59.690
This is false. They are

11:59.690 --> 12:01.220
very interesting
because they contain

12:01.220 --> 12:03.110
so much information about

12:03.110 --> 12:05.060
the person that's
using the device.

12:05.060 --> 12:06.740
I hope this lesson
was helpful for

12:06.740 --> 12:09.060
you, and I'll see
you in the next one.

