
Lake Point Consulting Services (LPCS) provides security consulting and assurance


Question

Lake Point Consulting Services (LPCS) provides security consulting and assurance services to over 500 clients across a wide range of enterprises in more than 20 states. A new initiative at LPCS is for each of its seven regional offices to provide internships to students who are in their final year of the security degree program at the local college.

The Carlyle-Stedman Museum provides patrons with mobile devices that contain prerecorded information that can be listened to while viewing the museum's artifacts. Recently an incident occurred in which a patron circumvented the security on the device and, because it was not examined after it was turned in, the next patron who tried to use it was exposed to inappropriate content. The executive board of Carlyle-Stedman decided that something must be done to prevent this from reoccurring, and wants to ensure that all employee mobile devices are also secure. They have asked LPCS to make a presentation about mobile device security, and you have been given this assignment.

1. Create a PowerPoint presentation for the staff about the security risks of mobile technology and steps to be taken to secure mobile devices. Be sure to cover these from the perspective of the organization, the IT department, and the end user. Your presentation should contain at least 8 slides.

2. After the presentation, the IT director at Peabody has asked LPCS for recommendations on using MDM, MAM, and MCM for the museum. Write a one-page memo listing the features of these tools and how they could be used to help Peabody.

Explanation / Answer

Q1) Create a PowerPoint presentation for the staff about the security risks of mobile technology and steps to be taken to secure mobile devices. Be sure to cover these from the perspective of the organization, the IT department, and the end user. Your presentation should contain at least 8 slides.

Security Risks of Mobile Technology are:

1. Mobile devices often do not have passwords enabled. Mobile devices often lack passwords to authenticate users and control access to data stored on the devices. Many devices have the technical capability to support passwords, personal identification numbers (PIN), or pattern screen locks for authentication. Some mobile devices also include a biometric reader to scan a fingerprint for authentication. However, anecdotal information indicates that consumers seldom employ these mechanisms. Additionally, if users do use a password or PIN they often choose passwords or PINs that can be easily determined or bypassed, such as 1234 or 0000. Without passwords or PINs to lock the device, there is increased risk that stolen or lost phones' information could be accessed by unauthorized users who could view sensitive information and misuse mobile devices.

2. Two-factor authentication is not always used when conducting sensitive transactions on mobile devices. According to studies, consumers generally use static passwords instead of two-factor authentication when conducting online sensitive transactions while using mobile devices. Using static passwords for authentication has security drawbacks: passwords can be guessed, forgotten, written down and stolen, or eavesdropped.

3. Wireless transmissions are not always encrypted. Information such as e-mails sent by a mobile device is usually not encrypted while in transit. In addition, many applications do not encrypt the data they transmit and receive over the network, making it easy for the data to be intercepted. For example, if an application is transmitting data over an unencrypted WiFi network using http (rather than secure http), the data can be easily intercepted. When a wireless transmission is not encrypted, data can be easily intercepted.

4. Mobile devices may contain malware. Consumers may download applications that contain malware. Consumers download malware unknowingly because it can be disguised as a game, security patch, utility, or other useful application. It is difficult for users to tell the difference between a legitimate application and one containing malware. For example, an application could be repackaged with malware and a consumer could inadvertently download it onto a mobile device. When a wireless transmission is not encrypted, data can be easily intercepted by eavesdroppers, who may gain unauthorized access to sensitive information.

5. Mobile devices often do not use security software. Many mobile devices do not come preinstalled with security software to protect against malicious applications, spyware, and malware-based attacks. Further, users do not always install security software, in part because mobile devices often do not come preloaded with such software. While such software may slow operations and affect battery life on some mobile devices, without it, the risk may be increased that an attacker could successfully distribute malware such as viruses, Trojans, spyware, and spam to lure users into revealing passwords or other confidential information.

6. Software on mobile devices may be out-of-date. Security patches for third-party applications are not always developed and released in a timely manner. In addition, mobile third-party applications, including web browsers, do not always notify consumers when updates are available. Unlike traditional web browsers, mobile browsers rarely get updates. Using outdated software increases the risk that an attacker may exploit vulnerabilities associated with these devices.

7. Mobile devices often do not limit Internet connections. Many mobile devices do not have firewalls to limit connections. When the device is connected to a wide area network it uses communications ports to connect with other devices and the Internet. A hacker could access the mobile device through a port that is not secured. A firewall secures these ports and allows the user to choose what connections he wants to allow into the mobile device. Without a firewall, the mobile device may be open to intrusion through an unsecured communications port, and an intruder may be able to obtain sensitive information on the device and misuse it.

STEPS TAKEN TO SECURE MOBILE DEVICES:

1. SECURE YOUR NETWORK CONNECTIONS ON THE BACK END - Servers and cloud servers that an app’s APIs are accessing (your own, or third-party) should have security measures in place to protect data and prevent unauthorized access. APIs and those accessing them should be verified to prevent eavesdropping on sensitive information passing from the client back to the app’s server and database.

2. PUT IDENTIFICATION, AUTHENTICATION, AND AUTHORIZATION MEASURES IN PLACE - As with APIs, authentication and authorization technology help users prove to an app who they are, adding another layer of security to the login process.

3. BE MINDFUL OF HOW CUSTOMER DATA IS SECURED AND IMPLEMENT A GOOD MOBILE ENCRYPTION POLICY - As mentioned above, more of a mobile app’s code and data has to be stored on a device than with a traditional web app because you’re accounting for the varying performance, bandwidth, and quality of devices. The more data that’s stored locally on a device (whether that’s permanently, or just temporarily), the more vulnerable it is. “Leaky” apps can release customer data without users knowing it—mobile data points that are entered or collected in the background like age, location, device usage habits.

4. IF YOU’RE AN ENTERPRISE ORGANIZATION WITH A BYOD (BRING YOUR OWN DEVICE) POLICY, USE EXTRA CAUTION - For companies that allow employees to use their own devices, this can also open up the network to hacking vulnerabilities and make it harder for the IT department to regulate access to data on their backend systems. Mobile device management (MDM) products are often a worthy investment, like Airwatch and MobileIron. These can give employees the convenience of working on the go, but also give companies peace of mind when it comes to security.

5. TEST YOUR APP SOFTWARE—THEN TEST AGAIN - Testing app code is usually crucial in an app’s development process. Apps are being produced so rapidly, what should be an important step in the process often falls to the wayside to speed up time to market. When testing for functionality and usability, experts advise to also test for security, whether your app is a native, hybrid, or web app. You’ll be able to detect vulnerabilities in the code so you can correct them before publishing your app out.

6. USERS: PROTECT YOUR DEVICES - App makers can’t do a lot to ensure users have secure devices when they’re downloading apps, but here are a few pointers for users who want to avoid security issues, or identity theft or fraud if a device is lost or stolen.

Q2) After the presentation, the IT director at Peabody has asked LPCS for recommendations on using MDM, MAM, and MCM for the museum?

MDM - Most mobile device management solutions provide organizations with end-to-end security — meaning the mobile apps, network and data used by the mobile device (in addition to the mobile device itself) are managed by an organization's IT department with a single mobile device software product. Some enterprise MDM solutions combine mobile security and expense management in a single product. So in the museum, we can provide WiFi network connections which will be end to end encrypted and before connecting any device to the network, we can run a scan on the user's mobile to detect any threats and prevent such connections so as to avoid network issues.

MAM - MAM deemphasizes the device and instead sets policy at the application level, which can often align more effectively with BYOD use cases. MAM products require applications to be packaged or "wrapped" to manage them. Wrapping an application typically involves taking the unsigned original application package and compiling it with management code from the MAM vendor. Gaining access to unsigned applications is difficult because it requires cooperation with the app vendor. So for our museum, we can have a special app being developed and the visitors can use the App to gain info, have a look at the images, search for any artifacts that they feel important, etc, instead of having to download leaky apps from other unrestricted sites.

MCM - The main component of a mobile content management system is a file storage and file sharing service. Some services are entirely based in the cloud; others take a middleware approach that connects existing data repositories, such as network file shares, to a mobile-friendly front end. MCM should also incorporate identity management, giving IT and/or business leaders control over end user access to specific sets of data. So for our museum, we can have a private cloud setup and share all common info, documents, images, locations, etc so that visitors can have easy access to it in a secured manner. Also uploading facility will be restricted from backend and users can only download the content that they feel is important. This way, secured access to files can be achieved.

Please let me know in case of any clarifications required. Thanks!
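
The seven risks listed in the answer, turned into a check that runs when a loaner device is handed back, so a tampered device is held instead of being reissued. This is an added example, not part of the original answer; the record fields, the approved-app list, the thresholds and the sample records are all assumptions constructed for illustration.

```python
from datetime import date

# Hypothetical policy values and record fields (assumptions, not from the page).
APPROVED_APPS = {"museum.audioguide", "system.settings"}
MAX_PATCH_AGE_DAYS = 90
MIN_PIN_LENGTH = 6

def weak_pin(pin):
    """Rule applied when a PIN is chosen: reject short, repeated or +1/-1 run PINs."""
    if not pin.isdigit() or len(pin) < MIN_PIN_LENGTH or len(set(pin)) == 1:
        return True
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {9})  # ascending or descending sequence, with wrap-around

def audit_device(rec, today):
    """Return the list of findings for one returned device's posture record."""
    findings = []
    if not rec["passcode_set"]:
        findings.append("no passcode or PIN lock")
    if not rec["two_factor_enrolled"]:
        findings.append("two-factor authentication not enrolled")
    if rec["cleartext_http_allowed"]:
        findings.append("apps may send data over unencrypted http")
    extra = sorted(set(rec["installed_apps"]) - APPROVED_APPS)
    if extra:
        findings.append("unapproved apps: " + ", ".join(extra))
    if not rec["security_software"]:
        findings.append("no security software installed")
    if (today - rec["last_patch"]).days > MAX_PATCH_AGE_DAYS:
        findings.append("software out of date")
    if not rec["firewall_enabled"]:
        findings.append("no firewall limiting connections")
    return findings

def needs_quarantine(rec, today):
    """A device with any finding is held back instead of being reissued."""
    return bool(audit_device(rec, today))

# Constructed sample records for two returned devices.
TODAY = date(2024, 6, 1)
CLEAN = {"id": "guide-01", "passcode_set": True, "two_factor_enrolled": True,
         "cleartext_http_allowed": False, "installed_apps": ["museum.audioguide"],
         "security_software": True, "last_patch": date(2024, 5, 10),
         "firewall_enabled": True}
TAMPERED = dict(CLEAN, id="guide-02", passcode_set=False,
                installed_apps=["museum.audioguide", "video.player"],
                last_patch=date(2023, 11, 1))

if __name__ == "__main__":
    for rec in (CLEAN, TAMPERED):
        print(rec["id"], audit_device(rec, TODAY) or "ok to reissue")
```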