Physical and Mobile Security in Corporate Environment

Questions and Answers

What is the primary aim of physical security and safety systems?

  • Protecting people and assets from external threats (correct)
  • Lowering insurance costs
  • Improving employee satisfaction
  • Enhancing the aesthetic appeal of a building

Which of the following is an example of a physical security measure?

  • Data encryption software
  • Firewall configuration
  • Antivirus programs
  • Access control systems (correct)

What does cybersecurity primarily focus on protecting?

  • Employee health and well-being
  • Visitors and customers
  • Confidential information and digital assets (correct)
  • Physical buildings and infrastructure

What is the term for tricking personnel into revealing sensitive information?

  • Social engineering (D)

What is a common element in physical security systems that requires digital protection?

  • Cloud-based security cameras (D)

What does CCTV stand for?

  • Closed Circuit Television (D)

Which of the following is considered an electronic security system?

  • Video surveillance systems (C)

What is the purpose of cable infrastructure in physical security?

  • To deliver power and data to security devices (C)

Which of these is a key component of IT and communications infrastructure for physical security?

  • Wi-Fi access points (D)

What type of system includes fire alarms and smoke detectors?

  • Fire alarm systems (A)

What is a typical security concern specific to educational environments?

  • Student safety from violence (B)

What is a primary security focus in retail environments?

  • Loss prevention (C)

Which security measure is particularly important in healthcare settings, particularly in the age of COVID?

  • Access control (B)

What is the purpose of security system design platforms?

  • To facilitate collaboration among stakeholders (D)

Which of the following is a key first step in designing an effective security program?

  • Collaborating with vendors and integrators (A)

What is the advantage of using visual aids in security system design?

  • They simplify complex information for stakeholders (D)

What should a proper budget estimation for a security system include?

  • Real-world information on all components and support materials (D)

What are the core components of physical security?

  • Access control and surveillance (C)

Mobile device security focuses on protecting sensitive information stored on what?

  • Laptops, smartphones, and tablets (A)

What is the primary goal of mobile device security?

  • To prevent unauthorized access to an enterprise network (B)

How can SSL pinning help secure mobile apps?

  • By preventing man-in-the-middle attacks (B)

What is the purpose of OAuth in mobile apps?

  • To manage user authentication and authorization (A)

Why is it important to avoid executing apps on rooted devices?

  • Rooted devices are more vulnerable to attacks (B)

What does securing application logic involve?

  • Protecting against reverse engineering and tampering (A)

In mobile application security, what does 'static analysis' help to pinpoint?

  • Security weaknesses in the decompiled code (C)

What is involved in 'dynamic analysis' and penetration testing?

  • Evaluating the effectiveness of security controls while the app is running (A)

Which mobile security option involves converting data into an unreadable format?

  • Encryption (A)

Why should you update to the latest software versions?

  • To patch known security vulnerabilities (C)

What is a key factor to consider when choosing the right technology for app development?

  • Scope of the project (C)

What accounts for about 70% of internet usage on mobile devices in the US?

  • Mobile apps (C)

How can hackers exploit mobile apps?

  • Infecting malware to get access to data and store keystrokes (C)

The cost and time required for mobile app development are key factors applicable within which part of the app design?

  • The initial design stages (B)

Which type of mobile app offers the best performance?

  • Native apps (C)

What is one advantage of native apps compared to progressive web apps (PWAs)?

  • Can run offline (D)

What should be tested against in order to test and remove vulnerabilities in the case of Hybrid apps?

  • Test for web attacks such as XSS (A)

If a mobile app is glitchy and feels poorly developed, which factor is most likely lacking?

  • Adequate App performance (B)

Standard web technologies are most associated with which type of App?

  • Hybrid App (B)

Which of the following is not one of the three types of commonly used or built apps?

  • System app (D)

What is the most challenging part of mobile app development?

  • Its Security and Vulnerability (A)

Flashcards

Physical security systems

Material or technological implementations ensuring safety of people/property in a physical space.

Cybersecurity

Protecting digital assets, data, and infrastructure from cyber threats.

Social Engineering

Attacks that exploit human psychology to gain sensitive information.

Electronic Security Systems

Systems combining video, access control, and intrusion detection for security.

Cable Infrastructure

The physical wiring supporting electronic security and IT devices.

IT Systems and Communications

IT and communication infrastructure supporting physical security systems.

Fire Alarm Systems

Systems designed to detect and alert to fires.

Building Management Systems

Building-specific technologies that enhance physical and operational security.

Mobile Device Security

Protect sensitive information stored on portable devices.

Data Storage Security

Ensure data isn't written to application logs.

IPC Mechanism Protection

Prevent sensitive data from being exposed through inter-process communication.

Data in Air Security

Ensuring data transmitted wirelessly is secure using SSL pinning.

OAuth

User Authentication and authorization are the new normal for all apps, be it B2C or B2B

Integrity Check

Avoid running apps on rooted devices to minimize vulnerability.

Secure Application Logic

Protecting app builds from tampering via reverse engineering.

Data Leak Prevention

Storing sensitive information in ways that other apps can't read.

Mobile Application Security Testing

Testing mobile applications to expose vulnerabilities.

Mobile Security Options

Using encryption, VPNs, biometrics, and strong passwords on mobile.

Developer mobile app issues

Scopes, correct development, device testing and testing

Native Apps

Applications built for a specific operating system.

Web Apps

Browser-based applications that mimic native apps.

Hybrid Apps

Mix of native and web apps that have cross-platform compatibility.

Securing mobile apps

Apps secured with Risk-Based Scoring, Two-Factor Authentication, etc.

Native mobile app security

Choose right tech, plan well and test

Study Notes

Physical Security and Mobile Security in Corporate Environment

  • Businesses and organizations aim to protect visitors and reduce risks using physical security and safety systems.
  • It's crucial to design and maintain these systems to safeguard people and assets from external dangers while lowering risk.

Physical Security and Safety Systems

  • Any material or technological implementation in a physical space is for the safety of people/property.
  • Examples are video surveillance, cameras, physical security measures, and access control.
  • Public and private sectors use a mix of security guards/human personnel and technology.
  • They mitigate risks like loss prevention in retail and manage access to sensitive/restricted areas.

Physical vs. Cyber Security

  • Physical and safety systems differ from cybersecurity efforts but are connected.
  • Cybersecurity protects confidential info, digital assets, and infrastructure from cyber threats.
  • Many digital threats don't involve physical attacks, but rather social engineering.
  • Digital attacks can require physical access to critical assets or cloud-based IP endpoints.
  • These systems must be protected digitally and from physical security threats.

Key Physical Security Components

  • Electronic security includes:
    • Video surveillance (CCTV)
    • Access control systems
    • Intrusion detection
  • Cable infrastructure is a vital element
    • Consider cabling for each device, lengths needed, and structural complications.
  • IT systems/communications are also needed
    • This includes Wi-Fi access points and network/telecom jacks
  • Fire alarm systems are part of security and safety
    • Includes fire/smoke/carbon monoxide detectors and sprinklers
  • Building management encompasses industry-specific technologies.
    • Includes panic buttons, nurse call systems, motion detectors, and equipment guard posts

Physical Security Risks in Various Industries

  • Systems integrators face complexities due to varying needs/risks based on client orgs.
  • Education, healthcare, and government clients have unique needs unlike corporate campuses.
  • Large campuses aren't monolithic, but have varying security needs and risk tolerances.
  • Planning must be customized based on audience and use cases.
  • Universities accommodate seasonal budgets and labor, and have student safety concerns.
  • Retail is concerned with loss prevention via cameras, alarms, barriers, and parking lot safety.

Effective Security System Design

  • Crucial for combating physical security and safety risks
  • Requires collaboration with vendors, integrators, and partners at a deep level
  • System Surveyor is a collaborative system design platform for shared visual space and cloud access
  • Visualization helps get stakeholders involved since traditional methods feel abstract
  • Proper budget estimation is crucial, based on real-world information.
  • System Surveyor provides built-in budget estimation tools

Physical Security Needs

  • Physical security is as important as online security.
  • Physical security is about access control and surveillance.
  • Mobile Device Security protects sensitive data stored/transmitted by portable devices.
  • The purpose is to prevent unauthorized users from accessing enterprise networks.
  • Equipment includes electronic security systems.

Mobile Security

  • Due to changing habits, mobile apps dominate this era, integrating into everyday life.
  • Many companies turn to mobile apps due to increased smartphone/tablet use.
  • 90% of mobile device time is spent on apps, so mobile app security and vulnerability are crucial.

Data Storage Security

  • Data Storage secures validation
    • Sensitive data should not be written on the application log
    • Sensitive data must not be shared with third parties unless necessary
    • The keyboard cache must be disabled
    • Sensitive data should not be exposed through the IPC mechanism
    • User credentials are stored via Keychain or SQLCipher.
  • SSL pinning plays a significant part in building secure mobile apps used on insecure networks.
  • Ensure the application uses certificate pinning to avoid man-in-the-middle attacks
  • User authentication/authorization is a requirement for all apps (B2C or B2B) for security.
  • The execution of an app shouldn't run on a rooted device.
  • Secured App Logic means a build should not be able to be reverse engineered.

Mobile Application Security

  • More users rely on mobile apps for digital media time, so apps need protection from unauthorized access.
  • Mobile platforms provide security controls, but developers must choose from options.
  • Common issues:
    • Leaking sensitive data
    • Poor authentication
    • Vulnerable encryption
    • Unencrypted data transmission

Mobile Application Security Testing

  • Testing involves attacking a mobile app like a malicious user.
  • Security testing requires understanding the application's purpose and data
  • Testing with static analysis, dynamic analysis, and penetration testing results in an efficient assessment.
  • Testing includes:
    • Interacting with the application and understanding how it stores, receives, and transmits data.
    • Decrypting encrypted parts of the application.
    • Decompiling the application and analyzing the resulting code.
    • Using static analysis to pinpoint security weaknesses in the decompiled code.

Mobile Application Security Tools

  • Applying reverse engineering and static analysis to drive dynamic analysis and penetration testing.
  • Utilizing dynamic analysis/penetration testing to evaluate security control effectiveness, like authentication.
  • Free/commercial tools assess applications using static/dynamic testing.
  • A combination of static/dynamic testing with manual review is required
  • This mobile application security testing ensures that security controls work as expected.
  • It can help discover unexpected edge cases.

Synopsys' Security Testing Methodology

  • Synopsys tests using static/dynamic analysis tools built for the mobile landscape.
  • The tools are updated and tested to identify issues in code and platform version.
  • Testing includes issues in back-end services so all application aspects are covered.

Securing Mobile Apps

  • Security options:
    • Device encryption
    • VPNs (Virtual Private Networks)
    • Biometrics
    • Password protection
    • Antivirus
    • Data backup
    • Mobile usage policy
    • Latest software updates
    • Strong passwords/encryption

Security Issues Developers Encounter

  • Project scope
  • Choosing the right technology
  • Approaching an App Development Team
  • Framing Different Devices
  • Highly Responsive
  • Approval of your App
  • Compatibility Problems
  • Outdated Technology Selection
  • Lack of Resources and Platforms
  • Poor Advertising
  • Smartphones facilitate online activities anytime/anywhere.
  • Influenced fields: banking, healthcare, IoT, shopping, and remote work
  • Steady increase in mobile app usage
  • More mobile phones than humans connected
  • The US accounts for ~70% of internet usage via mobile apps
  • Mobile apps are globally available on marketplaces such as Google Play Store.
  • Organizations embrace mobile app development for employee efficiency in a youthful workforce.

Rising Mobile App Security Concerns

  • The top 100 Google app store apps have been prey to hacking
  • 56% of the top 100 Apple App Store apps have also been attacked
  • Malicious malware is up by 163%
  • Organizations pursue a BYOD (bring your own device) approach, integrating work interests.
  • 84% of US users use one gadget for work and personal use.
  • Hacked mobile applications can result in:
    • Revenue loss
    • Brand damage
    • Unauthorized access to confidential data
    • Intellectual property theft
    • Fraud cases

Raising Mobile App Security Standards Against Malware tips

  • Hackers' intentions can include:
    • Infecting devices with malware
    • Duplicating apps for their code
    • Data tampering
    • Identity theft
    • Holding business assets/property
    • Taking over the enterprise network

What to do to secure a Mobile App

  • Risk-Based Scoring
  • Two-Factor Authentication
  • Transaction Signing
  • Secure Communications
  • CrontoSign Support
  • Jailbreak & Root Detection
  • PIN Management
  • Integration with Biometrics
  • Device Binding
  • QR Code Support
  • Secure Storage
  • Device Identification
  • Geolocation
  • Runtime Application Self-Protection

Mobile App Hardships

  • They include code, business rationale, databases, and APIs.
  • Each plays a crucial role in mobile app security standards
  • Having strong standards can be a differentiator.

Securing Code

  • App security is needed from the start
  • Apps are not web applications, where information exists on a server.
  • Native application codes are stored directly onto the device.
  • Vulnerabilities in source code and in network/data security, which are important components, must be resolved.

Tips for Securing Code

  • Secure with encryption
  • Review the code for vulnerabilities or perform an audit.
  • Keep file size and performance data in mind.

Securing Server / Network Connections

  • Protect the server with safety precautions
  • Any user going from your client back to you through the API should be thoroughly verified.
  • Containerize data with encryption
  • Use virtual private networks (VPN), Transport Layer Security (TLS), and Secure Sockets Layer (SSL).

Identification / Authentication / Authorizing

  • Apps should make use of technology that will enable the app with a login procedure
  • Tips:
    • Manage functions to be sure they use the API and reduce vulnerability.
    • For encrypted data exchange, use JSON Web Tokens.
  • Use OpenID Connect to raise mobile app security
  • All data stored locally should be secured with encryption.

Secure Manage API Security tips:

  • Identification, authentication, and authorization are the principal safety measures of a well-constructed API security stack.
  • To test
    • Penetration testing involves intentionally examining a system
  • Emulators for browsers, OS and devices will show how to do that in the real world.

Secure Mobile App steps:

  • Don’t use a jailbroken device
  • Try to download from authentic places like the Play Store.

Native Apps

  • Run on a single OS (iOS, Windows, Android, etc.).
  • WhatsApp and Waze are examples.
  • Technologies: C++, Java, Kotlin, Objective C, Swift, Python, React Native

Pros of Developing Native Apps:

  • Fast performance
  • Can also perform offline

Cons of Developing Native Apps:

  • Limited to single platform
  • Building for separate platforms is expensive
  • High maintenance.

Web App/PWA

  • Web applications run on every supported browser
  • Responsive design makes them app-like
  • Netflix and Flipboard are examples.
  • PWAs are downloadable web applications
  • Technologies involved: HTML, CSS, JavaScript.

Pros of Web Apps

  • Affordable since faster
  • Easier to develop and deploy since updates are instant
  • Do not need approval of any app store

Cons of Web Apps:

  • These only run on some browsers
  • User needs a powerful internet connection
  • Limited features

Choosing Web App Development

  • Web apps are the easiest to test and deploy.
  • Fastest to build.
  • Use if on a very limited budget
  • Use if managing multiple platforms is not worth it

PWA

Pros:

  • They do not require installation or download
  • Versatile and efficient with data
  • Fast updates

Cons:

  • Hardware issues
  • UI may vary
  • Do not always have code

Hybrid Apps

  • Combine the best parts of each
  • They can all be cross-platform
  • Examples: Instagram and Amazon.
  • These are web apps wrapped in a native shell.
  • Frameworks like React Native and Cordova are used to develop hybrid apps.
  • These technologies are not bound to any platform

Pros:

  • Easy access to native features
  • Tech is easy
  • Work without internet

Cons:

  • Poor User Experience
  • Time is low
  • Do not work with browsers
