CompTIA CASP+ CAS-004 – Chapter 04 – Implementing Security for Systems, Applications, and Storage Part 4
- Physical Security Options
There are some physical security options that we want to keep in mind. Anti-tamper technology, for instance, is designed to prevent access to sensitive information and encryption keys on a device. Special processors, for example, will store and process private or sensitive information like private keys, electronic money, credit. And those chips are designed so that the information is not accessible through external means. It can then only be accessed by embedded software.
And that embedded software should contain the appropriate security measures, like requiring authentication credentials. Some of them have the ability to zero out sensitive data automatically if they detect penetration of their security. The Knox applet, or application, excuse me, in Samsung Galaxy phones is an example of that. eFuses can be used to help secure stolen devices. Again, in Samsung phones, a particular eFuse is used to indicate when an untrusted, i.e. non-Samsung, path is discovered. And then once it’s set, the device can’t read the data that was previously stored. And some devices actually have Trusted Platform Module chips, and we know about those from previous sections. Those can be used to store cryptographic keys and encrypt and decrypt data, as well as detect attempts to tamper with the hardware.
- Additional Mobile Device Concepts
There are a number of additional mobile device concepts that CompTIA expects us to be familiar with for the CASP exam. Some of these may be familiar and others will not be. The first is something that most of us have heard of: rooting or jailbreaking. Rooting or jailbreaking a device is when a user has gotten in at a root level in order to remove some of the restrictions of the device. And that certainly presents some security issues. Jailbreaking is specific to iPhones or iPads. Rooting is the term used in conjunction with Android devices, but in both cases it means that apps are then given access to the core functions of the phone, which normally would require user approval.
For Apple, you have to do this just to install apps not found in the Apple App Store. For Android, it’s usually to get a little bit more administrative control. One of the big problems with this is once it’s been done, the mobile device can no longer receive any security updates. And so very quickly that makes it very vulnerable. Push notification services is another concept. This one allows unsolicited messages to be sent by an application to a mobile device, and that occurs even when the application is not open on the device. Now these can be really handy, but there are some security best practices that are associated with them. You don’t want to send any company confidential data or intellectual property in the message payload.
You don’t want to store SSL certificates or a list of device tokens in your web root. And you also don’t want to inadvertently expose Apple push notification certificates or device tokens. Geotagging is the process of adding geographic identification metadata, which just means additional attributes, to various media. It’s enabled by default on many smartphones, and that often shocks some people. But it’s location tracking in this case. In many cases, the location information can then be used to locate specifically where images, videos, and text messages originated. At a minimum, this could be used by an attacker to carry out a social engineering attack. Now, the information has been used for good purposes. Obviously it’s used for good purposes all the time, but it’s also used for nefarious purposes, and so that’s what we have to be aware of. One of the most used features on a smartphone is texting. Many sensitive exchanges take place through text.
A lot of people text more than they speak to other individuals. Encrypted texting may not be provided on a lot of mobile devices, but it’s something to look into. There are a number of applications that will do that and many of them are free. Tokenization is an emerging standard for mobile transactions. It uses numeric tokens to protect sensitive credit and debit card information. That’s a great security feature that can be enabled on phones. OEM/carrier Android fragmentation refers to the overwhelming number of versions of Android that have been sold. You have all these devices and there are all different flavors of Android, and this is a security headache.
The issue is that many users are actually not updating. Not only do you have multiple versions, which is difficult from a support scenario, but a lot of users don’t update and so they’re running older versions and there aren’t even security patches available anymore. Typically the fault lies with the phone manufacturer. The phone manufacturer is either maintaining the use of an old operating system even though a new one is available, or customizing the operating system. Remember, Android is open source, so phone manufacturers can do really whatever they want. Then we have NFC, near field communication. This is a relatively newer security issue. It faces both merchants and customers. How secure are these payment cards?
Apple Pay, Google Wallet, et cetera. Now, one thing you could say is, well, NFC is really short range, right? It’s a couple of inches, so it’s more difficult to capture. But interception is still possible if somebody knows what they’re doing. Typically these payments are encrypted, but in a lot of cases, some additional measures can help to secure them: locking the mobile device, because the device has to actually be turned on or unlocked before it can make a payment; turning it off when it’s not in use; and frequently scanning devices for unwanted apps or spyware that might be siphoning off information from the mobile payment apps.
Those are all really good ideas. Inductance is the process that’s used in NFC to transmit information from the device to the reader. And so an inductance-enabled device would be one that supports that mobile payment system. It’s something that you could turn off if you’re not going to use it. An alternative technology used in mobile payments is the mobile wallet. This is used by Amazon, and it’s used by PayPal. In those systems, the user registers a credit card number and is then issued a PIN. At that point, the PIN identifies the user and the card and enables the merchant to charge the card, but they’re still using the same functionality, just not built-in apps. Tethering is one way that many mobile devices can still connect to other devices. So you might just call this your mobile hotspot.
That’s pretty common today. It used to be connecting via USB or, even way back when, serial-type connections. But now you can just turn on a mobile hotspot on your device and that enables a separate connection through the data network. And so it’s a potential security risk because it allows somebody to possibly connect a computer through a mobile device to bypass security features that you have on your network.
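The push notification guidance above (keep SSL certificates, Apple push notification certificates, and device token lists out of the web root) can be checked mechanically. The following Python audit is an added example, not part of the original course material; the file extensions, the 64-hex-character token format, and the sample directory tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumptions (not from the course): extensions commonly used for certs/keys,
# and device tokens stored as 64 hex characters, one per line or JSON item.
KEY_EXTENSIONS = {".p12", ".pfx", ".pem", ".key", ".cer", ".crt", ".p8"}
PEM_MARKER = re.compile(rb"-----BEGIN [A-Z ]*(PRIVATE KEY|CERTIFICATE)-----")
TOKEN_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def audit_web_root(web_root, min_tokens=3):
    """Return sorted (relative_path, reason) pairs for risky files."""
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, web_root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read(1_000_000)  # cap the read for large files
            ext = os.path.splitext(name)[1].lower()
            # Flag by extension, or by PEM header when the file was renamed.
            if ext in KEY_EXTENSIONS or PEM_MARKER.search(data):
                findings.append((rel, "certificate-or-key"))
                continue
            words = data.decode("utf-8", errors="ignore").split()
            tokens = [w for w in words if TOKEN_RE.match(w.strip('",'))]
            if len(tokens) >= min_tokens:
                findings.append((rel, "device-token-list"))
    return sorted(findings)


def build_sample_root(root):
    """Write a constructed sample tree: three risky files, one harmless."""
    pem = "-----BEGIN {0}-----\nCONSTRUCTED-PLACEHOLDER\n-----END {0}-----\n"
    samples = {
        "index.html": "<html><body>hello</body></html>\n",
        "push/apns_prod.pem": pem.format("CERTIFICATE"),
        "push/tokens.txt": "".join(f"{i:064x}\n" for i in range(1, 6)),
        "backup.txt": pem.format("PRIVATE KEY"),  # renamed key file
    }
    for rel, text in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_root(tmp)
        for rel, reason in audit_web_root(tmp):
            print(f"{reason:20} {rel}")
```

Pointing `audit_web_root` at the directory a web server actually serves turns the best practice into a repeatable deployment check; anything it reports belongs outside the served tree.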
- Authentication Options
Now, there are a number of different ways to authenticate to a mobile device. We need to be familiar with these and we need to be aware of all the options that are available and choose the one that’s right for your particular scenario. Some of them are a little bit more advanced than others. Swipe patterns, which are presumably only known to the user, can be used to turn off the screen lock.
The main problem with swipe patterns is that somebody who’s standing right next to you might be viewing the swipe pattern. There’s been some different types of research done, and some recent research has shown it may be more difficult to actually observe the entry of a PIN than the application of a swipe pattern over the shoulder. So if you do use swipe patterns, you want to be careful with that. In gesture authentication, the user is shown a picture as a guide, and then they apply a pattern of gestures on the photo. The gesture pattern as well as the picture would be something that’s chosen ahead of time and stored on the device.
And there are some security issues with that as well. Again, a user may observe the gesture pattern over the shoulder. The second one would be if malware installs a keylogger on the mobile device, which can capture the pattern. And then the final one is actually referred to as a smudge attack, where the attacker recovers the pattern from oily residue on the touchscreen. And we all know that that is there. And so it’s almost like a fingerprint type of capture.
Of course, the most common method for authentication is just a PIN. As with any password or PIN, social engineering attacks and brute force attacks can occur, and so those are generally deemed a less secure way of doing it. But most mobile devices today will have biometric capabilities: facial scans, fingerprint scans on the start button, iris scans. Those are very common on your higher end mobile devices today, which includes most of what your users are going to be using on a daily basis. A facial scan records facial characteristics. A fingerprint scan usually scans the ridges of the finger for matching, and an iris scan scans the colored portion of the eye. So those are very secure methods because it is the who-you-are factor of authentication.
- Mobile Devices
Just a few more features and components that we need to be familiar with. The first one is the baseband radio system on a chip, which has become pretty typical inside mobile device electronics because it helps to reduce energy use. So it’s got a special processor and a network interface that manages all of your radio functions. It usually has its own RAM and its own firmware, and it’s usually proprietary. It’s also, though, a possibility for backdoors into the software of certain phones. Augmented reality, or AR, is a view of the real world environment where elements are augmented by computer generated or even extracted real world sensory input like sound, video, graphics, GPS data.
A lot of your mobile devices today will support AR when the proper apps are installed. Short message service, or SMS, is the text messaging service component of most of your phones and mobile devices. MMS handles messages that include graphics or video. Both of these are going to present us with security challenges because the messages are sent in clear text, so they are susceptible to spoofing and spamming. And we already talked about the possibility of installing an app to allow this in an encrypted fashion. Now we have new digital technology which we refer to as wearable technology.
That, of course, is the digital devices that we place somewhere on our body. In the beginning, they were just fitness trackers. The device was basically a heart monitor with a wireless connection to the computer. But now they’re almost fully functional computer systems. So wearable cameras are often used by the police and anybody else who needs a hands-free camera. It can be worn on your head, on your arm, on your chest, depending on how you want to utilize this.
A smartwatch, of course, is something that everybody’s familiar with at this point, essentially a computer on your wrist. Early devices were limited in what they could perform, but today’s devices, I mean, they run a mobile OS, they’re fully functioning computers, they just have a really small screen. They run either proprietary operating systems or Android. The smartwatch is then typically paired to a smartphone, which gives me the ability to access phone calls and messages. It also has GPS.
There are some security issues with those watches. The data connection to a smartphone is usually Bluetooth. That makes the watch susceptible to any attacks on the paired mobile device, as well as the information on the smartphone being transmitted in plain text. While many smartwatches can also act as fitness monitors, some devices are specialized in tracking your movement. They read your body temperature, your heart rate, your blood pressure, and it’s all really about determining how long you’ve run or walked and how long it took to do so.
They can track that information and then they communicate it wirelessly to an application on a computer. Some of the more sophisticated units will have straps that go around your chest and it collects information gathered by the sensors in that particular band. By now, everybody’s heard, probably seen Google Glass. This is the most recognizable computing device worn as glasses. Just in case you haven’t, you could go out and look for them. It was announced in early 2015 that sales to individuals would cease for a little while till the technology was improved. But in July of 2017, it was announced that the enterprise edition of Google Glass was going to be released.
You also have medical sensors and devices. Just as sensors connected to networks have changed the management of plants and buildings, they have changed things in the medical field as well. There, this is for monitoring patient well-being. They’re used for delivery of drugs, for surgery, robotic surgery, therapeutic uses, et cetera. And the security issues that revolve around those mainly focus on communicating the information wirelessly to other devices or systems.
And especially when you’re dealing with personal health information, privacy is of the utmost importance. Another type of wearable device, based not on glasses but on a headset format, was developed by a company named Zebra. It can respond to voice commands and body movements as well. So with all of these, as with other mobile devices, we simply have certain security implications. You always want to make sure that you’re enabling any and all security features on those devices to protect the data stored on them, as well as the data being transmitted to and from them.
- Wearable Security Implications
As a quick recap for wearable devices, let’s talk about a few of these security implications. In some cases, unsecured devices may be activated or deactivated. Features may be enabled or disabled in an unauthorized fashion or by unauthorized users. OK, so for example, we’ve got a Bluetooth device and it’s left in discoverable mode. Well, it’s going to be more vulnerable to Bluetooth attacks. How do we prevent that? We make sure Bluetooth is disabled or we turn off automatic discovery. We talked earlier about encryption in relation to fitness devices and medical sensors; a lot of the stuff is transmitted in an unencrypted format and it’s very sensitive information. So we want to turn that off or we want to enable encryption if it’s possible. In many cases, you’ve got physical reconnaissance.
Somebody can just observe a user in the process of using the device, and that’s going to help them obtain information, like the PIN, that they can then use later to compromise it. You have personal data theft, just stealing the device or grabbing information that’s sent in plain text.
We have health privacy. As we mentioned, there are a lot of implications. And then the final one is digital forensics. Several unique challenges are presented to those who are collecting digital forensics information from a mobile device. Mobile devices are frequently changing form factors, operating systems, file structures, services, and peripherals. They even change pin connectors and cables. And so forensic examiners need to use different forensic processes with mobile devices than they would with desktop computers.
- Topic C: Software Security Controls
In this topic, we’re going to be looking at software security controls. We’ll cover application security design considerations. So how do you architect security into software products? And what are the different approaches to that? Secure by design, secure by default, secure by deployment. We’ll also discuss some specific application issues, the concept of sandboxing, and other technology.
- Application Security Design Considerations
Security initiatives really shouldn’t stop with the operating system. Applications are going to present their own particular vulnerabilities, and so it’s important for us to understand those. Web applications are all around us. They’re designed to use a web server as a platform and to respond to and communicate with the browsers that the user happens to be using. Because web browsers are widely used, they are widely attacked. In fact, the Open Web Application Security Project, or OWASP, maintains a list of the top ten errors found in web applications.
The challenge is that those who write the code that makes the applications work often don’t have security as their main goal. Right? They’re just trying to have a functional application, and in many cases there’s a rush to get it out for the company. And so we really need to understand the importance here: as security professionals, we work with those developers (we’re not the developers) to have a secure deployment.
So let’s consider a few concepts here: secure by design, by default and by deployment. In reality an application ought to be secure in all of these areas. Well, what exactly do they mean? Secure by design means the application was designed with security in mind. Security wasn’t just an afterthought.
An application is truly secure if you give someone the details of the application’s security system and they still can’t break it. If they still can’t defeat security with knowledge of it, then it’s secure. Applications should not rely on the lack of knowledge on the part of the hacker in order to determine whether they’re secure. That is sometimes called security by obscurity. Secure by default means that without changes to any of the default settings, the application is already secure. And so if you’ve been in IT very long, you’ve seen this. Some server products have certain security capabilities, but they’re not all enabled; they’re not turned on by default. And so if they’re not turned on, then they’re not protecting it. I always go way back, but the old Windows Server 2003, way back when, installed with IIS, the web services, installed by default in the base installation.
Now, Microsoft has clearly fixed that and they did so very quickly. But that would just be one example, and that’s an operating system, I understand, but there are applications that don’t have security functions turned on. We would like them to be secure by default, and not have to go in and jump through a bunch of hoops to make them secure.
And then you have secure by deployment, which means the environment into which the application is introduced was considered from a security standpoint. All right? So for example, it might be advisable to disable all unused interfaces on one server, but that may not be critical on another server. So we have to have this security and it has to occur in multiple places in order to be successful.