# SEC-8: Mobile Device Security

Status: not started

Domain:

- 2.0 Security

Objective alignment:

- 2.8 Mobile device security

## What You Need To Know

Mobile devices are easy to lose, easy to steal, and often already signed in to email, files, password resets, cloud storage, and work apps.

The exam wants you to know how to protect:

- The device
- The data on the device
- The user account connected to the device
- The company network if the phone is used for work

## Memory Trick

Use **L-E-A-S-H**:

- **L**ock the screen
- **E**ncrypt the device
- **A**pply updates and app controls
- **S**ecure with MDM/BYOD policy
- **H**ave backup, location, and remote wipe ready

Shortcut:

- **Lost phone = lock, locate, backup, wipe if needed.**

## Screen Locks

Common unlock methods:

- PIN
- Password
- Pattern
- Fingerprint
- Face recognition
- Swipe

Exam priority:

- A plain swipe is weak because it does not really authenticate the user; anyone holding the phone can unlock it.
- PIN, password, fingerprint, and face unlock are stronger choices.
- Biometrics are convenient, but the device still needs a PIN/password fallback.

Failed login controls:

- Devices can delay login attempts after repeated failures.
- Some environments can erase or wipe the device after too many failed attempts.
- This protects a stolen device against repeated PIN or password guessing.

## Encryption

Full device encryption protects stored data if the device is lost or stolen.

What to remember:

- Modern iOS devices use strong built-in encryption when a passcode is configured.
- Modern Android devices commonly support file-based or full-device encryption.
- Encryption is strongest when paired with a real lock method, not swipe-only access.

Exam clue:

- If the question says the phone was stolen and contains sensitive data, think encryption and remote wipe.

## MDM and Configuration Profiles

Mobile Device Management, or MDM, lets an organization centrally manage phones and tablets.

Common MDM actions:

- Require a passcode
- Require encryption
- Push Wi-Fi, VPN, or email settings
- Install or restrict apps
- Block camera, copy/paste, or cloud sync in some environments
- Enforce OS update requirements
- Locate, lock, or wipe a managed device

Common tools and terms:

- Microsoft Intune
- Apple Configurator
- Apple configuration profiles
- Android Enterprise

BYOD means Bring Your Own Device.

BYOD policy questions usually care about:

- Who owns the device
- What company data is allowed
- Whether the company can wipe only work data or the entire device
- Minimum OS version
- Screen lock requirements
- What happens when employment ends

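As an added example (not part of the original notes and not any MDM product's own code), a Python compliance check that applies the screen-lock, biometric-fallback, encryption, minimum-OS-version, and failed-attempt rules from the sections above to a constructed device inventory. The policy fields, device record keys, and device ids are hypothetical; real tools such as Intune or Android Enterprise expose different schemas.

```python
from dataclasses import dataclass, field

WEAK_LOCKS = {"none", "swipe"}             # swipe does not authenticate the user
BIOMETRIC_LOCKS = {"fingerprint", "face"}  # convenient, but need a PIN/password fallback

@dataclass
class Policy:
    """Hypothetical BYOD/MDM policy; field names are constructed for this example."""
    min_os: dict                      # platform -> minimum version, e.g. {"ios": "17.0"}
    require_encryption: bool = True
    max_failed_attempts: int = 10     # device must lock or wipe at or below this count
    strong_locks: set = field(default_factory=lambda: {"pin", "password"} | BIOMETRIC_LOCKS)

def parse_version(text: str) -> tuple:
    """'14.2.1' -> (14, 2, 1); tuples compare numerically, so 14.10 sorts after 14.9."""
    return tuple(int(part) for part in text.split("."))

def evaluate(device: dict, policy: Policy) -> list:
    """Return (finding, MDM remediation) pairs for one device; an empty list is compliant."""
    findings = []
    lock = device.get("lock", "none").lower()
    if lock in WEAK_LOCKS or lock not in policy.strong_locks:
        findings.append(("weak or missing screen lock", "require a passcode"))
    elif lock in BIOMETRIC_LOCKS and not device.get("fallback_pin", False):
        findings.append(("biometric unlock without PIN/password fallback", "require a passcode"))
    if policy.require_encryption and not device.get("encrypted", False):
        findings.append(("storage not encrypted", "require encryption"))
    minimum = policy.min_os.get(device.get("platform"))
    if minimum and parse_version(device["os"]) < parse_version(minimum):
        findings.append((f"OS {device['os']} below minimum {minimum}", "enforce OS update"))
    limit = device.get("failed_attempt_limit", 0)     # 0 means unlimited guesses allowed
    if limit == 0 or limit > policy.max_failed_attempts:
        findings.append(("no usable failed-attempt lockout/wipe limit", "set failed-attempt limit"))
    return findings

def noncompliant(inventory: list, policy: Policy) -> dict:
    """Map device id -> findings for every device that fails at least one check."""
    report = {d["id"]: evaluate(d, policy) for d in inventory}
    return {dev_id: found for dev_id, found in report.items() if found}

# Constructed sample inventory (not real devices) for a quick self-check.
SAMPLE_POLICY = Policy(min_os={"ios": "17.0", "android": "13"})
SAMPLE_INVENTORY = [
    {"id": "corp-01", "platform": "ios", "os": "17.4", "lock": "face",
     "fallback_pin": True, "encrypted": True, "failed_attempt_limit": 10},
    {"id": "byod-02", "platform": "android", "os": "12.1", "lock": "swipe",
     "encrypted": False, "failed_attempt_limit": 0},
    {"id": "byod-03", "platform": "android", "os": "14", "lock": "fingerprint",
     "fallback_pin": False, "encrypted": True, "failed_attempt_limit": 30},
]
```

Running `noncompliant(SAMPLE_INVENTORY, SAMPLE_POLICY)` flags only the two BYOD devices, each with the MDM action that would fix it.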
## Updates and Patching

Mobile updates include:

- Operating system updates
- Security patches
- App updates

Why they matter:

- Updates fix vulnerabilities.
- App updates can fix security bugs in messaging, browsers, email, banking, and work apps.

Exam clue:

- If the question says a device is missing critical security fixes, update the OS or app.

## Anti-Malware

iOS:

- More closed app ecosystem.
- Apps are more isolated.
- Traditional antivirus is less common.

Android:

- More open ecosystem.
- Third-party app sources increase risk.
- Anti-malware tools are more common, especially in business environments.

Best protection:

- Use official app stores.
- Keep the OS updated.
- Avoid sideloading unknown apps.
- Use MDM controls when the device handles company data.

## Content Filtering

Content filtering limits access to unsafe or inappropriate content.

Examples:

- Web filtering
- App restrictions
- Parental controls
- Enterprise browsing controls

Exam clue:

- If the goal is to block categories of websites or unsafe browsing, think content filtering.

## Locator, Remote Lock, Remote Wipe, and Backup

Locator services:

- Help find a lost device.
- Examples: Find My on iPhone, Find My Device on Android.

Remote lock:

- Locks the phone so someone else cannot use it.

Remote message or sound:

- Helps recover a misplaced phone.

Remote wipe:

- Erases data when the device is unlikely to be recovered.
- Use carefully: it permanently removes the data on the device, so confirm the backup first.

Remote backup:

- Stores device data in cloud backup.
- Makes replacement and recovery easier.

Exam order for a lost phone:

1. Locate or lock if recovery is likely.
2. Confirm backup status if possible.
3. Wipe if data risk is high or recovery is unlikely.

## Mobile Firewalls

Mobile firewall apps are less common than desktop firewalls.

On mobile devices, network control is often handled by:

- MDM
- VPN apps
- Per-app network rules
- Enterprise security suites

Exam clue:

- If the question says only approved apps should access company data or network resources, think MDM, VPN, or app access control.

## Commands To Enter

This objective is mostly settings-based, so there are not many normal command-line tools for a locked-down phone. Use these commands only to open account/device-security pages from a computer browser.

Windows:

```powershell
# "start" is the PowerShell alias for Start-Process; a URL opens in the default browser.
start https://account.microsoft.com/devices
```

What it does:

- Opens the Microsoft devices page for the signed-in account in your default browser.
- Use it only to inspect registered devices.

```powershell
start https://myaccount.google.com/security
```

What it does:

- Opens the Google account security page.
- Use it to inspect signed-in devices, security alerts, and recovery options.

macOS:

```bash
# "open" hands the URL to the default browser on macOS.
open https://appleid.apple.com
```

What it does:

- Opens the Apple ID account page in the default browser.
- Use it to review trusted devices and account security settings.

Linux:

```bash
# xdg-open is the desktop-independent equivalent of "open" on most Linux desktops.
xdg-open https://myaccount.google.com/security
```

What it does:

- Opens the Google account security page in the default browser.
- Use it to inspect account security if the command is available on your Linux system.

Do not erase, wipe, unenroll, reset, or remove a device from an account during this section.

## Quick Checks

You should be able to answer:

- What protects mobile data at rest?
- What is weak about swipe-only unlock?
- What does MDM enforce?
- Why does BYOD need a policy?
- When would remote wipe be appropriate?
- Why are OS and app updates security controls?
- Why is Android anti-malware more common than iOS anti-malware?