MODULE 4 – Mobile Devices

1. Mobile Devices (Cell Phones, IoT)
2. “The Other Computer”
3. Bigger threat than your desktop/laptop because:
   1. Harder to secure physically; can be lost or stolen more easily than a laptop or desktop.
   2. Harder to lock down digitally – cell phones are constantly collecting and constantly radiating data about you and your company. WAY more than laptop or desktop computers:
      1. KNOWLEDGE CHECK: HOW MANY SENSORS ARE IN A TYPICAL CELL PHONE?
         1. Cellular
         2. Wi-fi
         3. Camera
         4. Fingerprint
         5. Barometer
         6. Ambient Light Sensor
         7. Battery Temperature
         8. Gyroscope
         9. Accelerometer
         10. Global Positioning System (GPS)
         11. Microphone
         12. Bluetooth
         13. Near Field Communication (NFC) – ApplePay,
         14. Proximity Sensor
         15. Touchscreen
         16. Infrared Sensor

• many more apps that regularly/always deliver data about your data to corporations, third parties and unknown data customers beyond that.

1. more requests are made over cell phones than laptop/desktops (apps, voice controlled digital assistants (i.e. Siri); more avenues for capturing this information or for man in the middle attacks.
2. You take It with you everywhere you go; typically outside of corporate network security for most or all of the day.

1. 1 laptop is stolen every 53 seconds. Is the data encrypted???
2. 70 million cell phones are lost every year. Is the data encrypted???
   2. seldom have anti-virus/anti-malware security compared to laptops/desktops; user rates are far lower than laptops and desktops.

• Employees are more likely to use “workarounds” on mobile devices to send sensitive data outside of the office, leaving data more exposed than while inside the network.

1. Harder to examine suspicious emails, texts and phone calls because of small screen; much better environment to phish targets in compared to in office on desktops and laptops.

1. Mobile Location Threats
   1. Juice jacking – a power port is now often a data port too.
   2. Man in the Middle attacks – Wifi locations man in the middle attacks

Solutions:

Physical

Keep phone in physical possession or secured in a safe or locked bag when traveling.  [iphone prototype lost in a bar story]

Digital

The same anti-virus, malware, firewall, password management, and dual factor authentication software you use for your desktop & laptop usually have versions for cellphones. Use them. The data on your phone may be more sensitive than on your laptops.  The social information on your phone would give an attacker a wealth of information to support phishing attacks. Some of these programs also offer device tracking options.  If available, activate them to find your device before the data can be exploited if it’s lost or stolen. Worst case scenario; some software allows you to remotely erase everything on your phone if you believe it is gone for good.

Set a password for your cell phone to lock it.  Do not use the default password that came with your phone.  They are typically easy to guess, and are easily found online.

When you’re not using Wi-Fi or Bluetooth, turn them off.  This will make your phone less vulnerable to more sophisticated attacks in which your phone connects to malicious wi-fi hotspots automatically.  An added benefit; this will extend the life of your battery’s charge.

If you connect to a public wi-fi hotspot (e.g. coffee shop wi-fi) make sure you use a VPN throughout your entire session to prevent attackers in or near the shop from looking at your web surfing data. This avoids “man in the middle” attacks.

Delete cookies stored on phone and any other temporary information like internet searches.

Avoid unsecured public WiFi. Hackers often target important locations such as bank accounts via public WiFi that can often be unsecured due to relaxed safety standards or even none at all. Hackers can also impersonate otherwise safe wi-fi hotspots by naming them something similar. (Evil Twin router)

Bad passwords – reusing personal passwords for work accounts.

Social Engineering thru – Phishing, phone calls with voice impersonation, SMSishing

Physical device access in hotel rooms while traveling

Data leaks through a range of apps “phoning home”

Unpatched systems or odd IoT devices that are mobile that may not even allow for updates or patching

Devices that are no longer used for work should have all their old data thoroughly removed.  Devices with media that cannot be irretrievably erased should have their storage media (e.g. hard drives) removed and destroyed.  If you see that your company is simply stacking up old devices or harddrives after they’re no longer being used, inform management that that is creating a data leak hazard.  If anyone came across that storage room they could extract data or harddrives that still had sensitive corporate or personal data on them.