Chapter 12 - 04 - Discuss Security Risks and Guidelines Associated with Enterprises Mobile Usage Policies_ocred_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Exam 212-82 Mobile Device Security Module Flow © Limmavemsyane O...

Certified Cybersecurity Technician Exam 212-82 Mobile Device Security Module Flow © Limmavemsyane O cone e Discuss Security Risks and Understand Various Mobile Guidelines Associated with Device Connection Methods oVEao o 5 Enterprises Enterprises Mobile Mobile Usage Usage Policies Policies Discuss and Implement 0 Discuss Mobile Device Enterprise-level Mobile Security Management Concepts Slsmagement Concapts Management Solutions o Discuss and Implement General e Discuss Common Mobile Security Guidelines and Best Usage Policies in Enterprises Usage Policies in Enterprises Practices on Mobile Platforms L. All Rights Reserved. Reproduction Reproductioniss Strictly Prohibited Discuss Security Risks and Guidelines Associated with Enterprises Mobile Usage Policies Creating a mobile usage policy that will enable smooth functioning and ensure security of the corporate assets is a major challenge. The objective of this section is to explain the security risks and challenges associated with the enterprise mobile usage policies. It describes the risks associated with the BYOD, CYOD, COPE, and COBO policies in detail along with the security guidelines to be implemented for them. Module 12 Page 1511 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Mobile Device Security Enterprise Mobile Device Security Risks and Challenges A Security Risks @ Security Challenges v The use of mobile devices in a work environment v" Mobile devices are harder to track and secure has changed the approach of organizational security. Mobile usage in enterprises has created v" Mobile device are portable enough that they can a new set of security risks and challenges be easily lost or stolen v'v Hence, enterprise mobile device security v It is difficult to ensure that mobile software encounters additional security challenges besides patches and security settings are updated the mobile device-level security risks that include weak security systems and insufficient configuration of mobile devices and platforms v" Mobile devices are moving targets that can be used outside an organization and its security system, thereby defeating the purpose of preventing security attacks when organizations allows mobile devices at the workplace e j— All Rights Reserved. Reproduction Reproduction isis Strictly Prohibited Enterprise Mobile Device Security Risks and Challenges The use of mobile devices in work environments has changed the security approach of organizations. It has given rise to a new set of security risks and challenges in organizational security. In addition to the mobile device security risks that include weak security systems and insufficient configuration of mobile devices and platforms, enterprise mobile device security faces additional security challenges. Mobile devices are moving targets that can be used outside an organization and its security system, thereby defeating the purpose of preventing security attacks when organizations allow mobile devices at the workplace. These challenges can be divided into the following categories: = Physical Risks and Challenges This includes the loss or theft of aa mobile device owing to their portability and lightweight. Attackers can perform malicious actions if they get physical access to a device such as flashing the device with a malicious system image that is connected to a computer to install a malicious application or conduct data extraction. Therefore, the devices should not be left unattended. Security measures such as device authentication and encryption must be enforced. Instead of using a simple password, enforce multiple forms of authentication to prevent unauthorized access to mobile devices. = Network-based Risks and Challenges Mobile devices that use common wireless network interfaces (Wi-Fi, Bluetooth) for connectivity are vulnerable to wireless eavesdropping attempts. Module 12 Page 1512 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Mobile Device Security Therefore, employees should connect to trusted networks using WPA21 or use secured network protocols (IPsec, SSL, SSH, HTTPS, Kerberos, etc.) to prevent mobile devices from network-based threats. Moreover, they can use special gateways with customized firewalls and security controls to direct the mobile traffic. For example, content filtering and data loss prevention tools. = System-based Risks and Challenges Manufacturers may unintentionally introduce vulnerabilities in devices; for example, vulnerabilities in SwiftKey keyboards or mobile OSes. Therefore, the devices should be regularly updated to reduce threats. = Application-based Risks and Challenges Vendors may not release timely app updates and support for older OS versions or users may not update their apps regularly. Attackers can exploit the vulnerabilities in applications and attempt to steal data, download other malware, or control the device remotely, thereby resulting in financial loss and risk the reputation of an organization. Thus, strict controls must be enforced regarding downloading and installing applications on a device and using mobile anti-virus. Additionally, strong policies must be established to limit or block the use of third-party applications on devices. Module 12 Page 1513 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Mobile Device Security Risk Associated with BYOD, CYOD, COPE, and COBO Sharing confidential data on 1. i Lost or stolen devices unsecured networks i ‘ Data Iealfage leakage and endpoint P —— Lack of awareness v security issues ‘ N | Ability to bypass the network VvV vV ‘ Improperly disposing of devices | policy rules of the organization VvV { Supporting various devices Infrastructure issues V VvV ‘ Mixing personal and private data Disgruntled employees Risk Associated with BYOD, CYOD, COPE, and COBO Employees connecting to a corporate network or accessing corporate data using their own mobile devices pose security risks to an organization. Following are some security risks associated with the BYOD, CYOD, COPE, and COBO policies: = Sharing confidential data on an unsecured network: Employees might access corporate data via a public network. These connections may not be encrypted and sharing confidential data via an unsecured network may lead to data leakage. = Data leakage and endpoint security issues: In this cloud-computing era, mobile devices are insecure endpoints with cloud connectivity. By synchronizing with organizational email or other apps, these mobile devices carry confidential information. If a device is lost, it could potentially expose all corporate data. = Improperly disposing of devices: An improperly disposed of device could contain a wealth of information such as financial information, credit card details, contact numbers, and corporate data. Therefore, it is important to ensure that devices do not contain any data before they are disposed or passed on to others. = Support of many different devices: Organizations allow employees to access their resources from anywhere in the world, thereby enhancing productivity and driving employee satisfaction. Support for different devices and processes can increase the cost. Employee-owned devices have limited security that operate on different platforms. This deters the capabilities of the IT department to manage and control devices in aa company. Module 12 Page 1514 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Mobile Device Security * Mixing personal and private data: Control over isolating business use from personal use is difficult. For example, managing employees that shop on compromised websites, use public Wi-Fi connections, or given their device to others. = Lost or stolen devices: Owing to their small size, mobile devices are often lost or stolen. When an employee loses their mobile device that is used for both personal and official purposes, the organization might face a security risk because the corporate data on the lost device may be compromised. * Lack of awareness: Failing to educate employees regarding these policy and security issues may compromise the corporate data stored in mobile devices. = Ability to bypass organizational network policy rules: According to requirements, the policies imposed may differ for wired and wireless networks. The devices connected to wireless networks can bypass the network policies enforced only on wired LANSs. * Infrastructure issues: These policies involve dealing with various platforms and technologies. Not all employees carry the same device. Different devices, each running different OSes and programs, have security loopholes. This can be problematic for an IT department to set up and maintain an infrastructure that supports the requirements of different devices such as managing data, security, back up, and compatibility among devices. * Disgruntled employees: Disgruntled employees in an organization can misuse the corporate data stored on their mobile devices. They may also leak sensitive information to competitors. Module 12 Page 1515 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Mobile Device Security Security Guidelines for BYOD, CYOD, COPE, and COBO a 2] For Security Professional For Employee «+ Secure organizational data centers with multi- “* Use the encryption mechanism to store data layered protection systems * Maintain a clear separation between business and personal data +* Educate employees about the COPE policy “* Register devices with a remote locate and wipe facility

Use Quizgecko on...
Browser
Browser