Chapter13.pdf

Full Transcript

Chapter 13
Wireless and Mobile Security
 THE COMPTIA SECURITY+ EXAM OBJECTIVES
COVERED IN THIS CHAPTER INCLUDE:

Domain 2.0: Threats, Vulnerabilities, and
Mitigations
2.3. Explain various types of vulnerabilities.
Mobile device (Side loading, Jailbreaking)
Domain 3.0: Security Architecture
3.3. Compare and contrast concepts and strategies to
protect data.
General data considerations (Geolocation)
Domain 4.0: Security Operations
4.1. Given a scenario, apply common security techniques
to computing resources.
Hardening targets (Mobile devices, Workstations,
Switches, Routers, Cloud infrastructure, Servers,
ICS/SCADA, Embedded systems, RTOS, IoT devices).
Wireless devices (Installation considerations (Site
surveys, Heat maps))
Mobile solutions (Mobile device management (MDM),
Deployment models (Bring your own device (BYOD),
Corporate-owned, personally enabled (COPE), Choose
your own device (CYOD)), Connection methods
(Cellular, Wi-Fi, Bluetooth))
Wireless security settings (Wi-Fi Protected Access 3
(WPA3), AAA/Remote Authentication Dial-in User
Service (RADIUS), Cryptographic protocols,
Authentication protocols)

Significant portions of the networks in most organizations are now
wireless, and wireless networks have a number of security challenges
that wired networks don't. They broadcast their signals and they are
frequently accessible from outside of the spaces that organizations
own and manage. Most cellular and point-to-point commercial
wireless networks aren't even in the control of customers at all,
which means that the traffic they carry may need to be treated as if it
is traversing a potentially hostile network path.
In this chapter, you will learn about common wireless connectivity
options—ranging from Bluetooth and cellular to Wi-Fi—and the
network models and technologies they most often use. With that in
mind, you will explore best practices for wireless network design and
security. Along the way, you will also learn about wireless
authentication, how EAP is used for wireless authentication, and
how wireless controllers and access points are kept secure.
The latter portion of the chapter focuses on mobile device
management. Mobile device deployment models like bring your own
device (BOYD), choose your own device (CYOD), and corporate-
owned, personally enabled (COPE) are key parts of organizational
decisions about how to get devices into the hands of end users. Once
those devices are deployed, you also need to manage them, and you
will learn about mobile device management tools, common features,
and important control capabilities. With careful planning, you can
ensure that devices are secure when they are issued or enrolled, that
they are well managed throughout their life cycles, and that you can
handle theft, loss, or the end of their useful life cycle.

Building Secure Wireless Networks
Wireless networks are found throughout our organizations. From
enterprise networks that authenticate users and that are managed
and monitored using powerful tools, to simple wireless routers used
in homes and small businesses to provide connectivity to residents,
customers, or guests, Wi-Fi is everywhere. Wi-Fi networks aren't the
only type of network that you will encounter, however—Bluetooth,
cellular, Zigbee, and other types of connectivity are also found in
organizations. Unlike wired networks, these wireless networks don't
stop outside the walls of your organization, making wireless network
security a very different challenge to secure. The fact that many
devices have the ability to create ad hoc wireless networks or to
bridge their wired and wireless network connections means that
devices throughout your organization may also end up being paths to
the network or the device itself for malicious actors.

Connection Methods
Designing a secure network often starts with a basic understanding
of the type of network connectivity that you will be deploying or
securing. The Security+ exam outline lists a range of wireless
connection types, which are covered in the following sections.

Cellular
Cellular networks provide connectivity for mobile devices like cell
phones by dividing geographic areas into “cells” with tower coverage
allowing wireless communications between devices and towers or
cell sites. Modern cellular networks use technologies like LTE (long-
term evolution) 4G and related technology and new 5G networks,
which have been deployed widely in many countries. 5G requires
much greater antenna density but also provides greater bandwidth
and throughput. Whereas cellular providers and organizations that
wanted cellular connectivity tended to place towers where coverage
was needed for 4G networks, 5G networks require much more
attention to antenna deployment, which means that organizations
need to design around 5G antenna placement as part of their
building and facility design efforts over time.
Cellular connectivity is normally provided by a cellular carrier rather
than an organization, unlike Wi-Fi or other technologies that
companies may choose to implement for themselves. That means
that the cellular network is secure, managed, and controlled outside
of your organization, and that traffic sent via a cellular connection
goes through a third-party network. Cellular data therefore needs to
be treated as you would an external network connection rather than
your own corporate network.

Wi-Fi
The term Wi-Fi covers a range of wireless protocols that are used to
provide wireless networking. Wi-Fi primarily relies on the 2.4 GHz
and 5 GHz radio bands and uses multiple channels within those
bands to allow multiple networks to coexist. Wi-Fi signals can reach
to reasonably long ranges, although the frequencies Wi-Fi operates
on are blocked or impeded by common obstacles like walls and trees.
Despite those impediments, one of the most important security
concerns with Wi-Fi networks is that they travel beyond the spaces
that organizations own or control.
Table 13.1 lists current and historical Wi-Fi standards, ranging from
802.11b, which was the first broadly deployed Wi-Fi standard, to
802.11ac and 802.11ax, two recently broadly deployed standards. In
many environments, 802.11n, 802.11g, or even older standards may
still be encountered.

The earlier generations of Wi-Fi, including 802.11b
to 802.11g, were not branded as Wi-Fi 1, Wi-Fi 2, and so on. More
modern versions of Wi-Fi have been as the standard continues to
evolve. You may hear more modern versions of Wi-Fi referred to
by the standard or the generation name, depending on the
context you're working in.

TABLE 13.1 Wi-Fi standards, maximum theoretical speed, and
frequencies
Wi-Fi Generation Maximum Frequencies
standard name speed
802.11b 11 Mbit/s 2.4 GHz
802.11a 54 Mbit/s 5 GHz
802.11g 54 Mbit/s 2.4 GHz
802.11n Wi-Fi 4 600 Mbit/s 2.4 GHz and 5
GHz
802.11ac Wi-Fi 5 6.9 Gbit/s 5 GHz
802.11ax Wi-Fi 6 and Wi- 9.6 Gbit/s 2.4 GHz, 5 GHz, 6
Fi 6E GHz
802.11be Wi-Fi 7 40+ Gbit/s 2.4 GHz, 5 GHz, 6
GHz
Fortunately, Wi-Fi protocols like WPA2 and WPA3 provide security
features and functionality to help keep wireless signals secure. Those
features include encryption options, protection for network frames,
and authentication options.
Wi-Fi devices are most commonly deployed in either ad hoc mode,
which allows devices to talk to each other directly, or infrastructure
mode, which sends traffic through a base station, or access point. Wi-
Fi networks use service set identifiers (SSIDs) to identify their
network name. SSIDs can be broadcast or kept private.

Bluetooth
Bluetooth is another commonly used wireless technology. Like Wi-Fi
and many other technologies, it operates in the 2.4 GHz range, which
is used for many different wireless protocols. Bluetooth is primarily
used for low-power, short-range (less than 100 meters and typically
5–30 meters) connections that do not have very high bandwidth
needs. Bluetooth devices are usually connected in a point-to-point
rather than a client-server model. A typical Bluetooth connection is
done by pairing, a process that searches for devices that are looking
to connect. Once you connect, you may be asked for a PIN to validate
the connection.
Bluetooth uses four security modes:

Security Mode 1: No security (non-secure)
Security Mode 2: Service-level enforced security
Security Mode 3: Link-level enforced security
Security Mode 4: Standard pairing with Security Simple Pairing
(SSP)

Since Bluetooth is designed and implemented to be easy to discover,
configure, and use, it can also be relatively easy to attack. Bluetooth
does support encryption, but the encryption relies on a PIN used by
both devices. Fixed PINs for devices like headsets reduce the security
of their connection. Attacks against authentication, as well as the
negotiated encryption keys, mean that Bluetooth may be susceptible
to eavesdropping as well as other attacks.
RFID
Radio frequency identification (RFID) is a relatively short-range
(from less than a foot of some passive tags to about 100 meters for
active tags) wireless technology that uses a tag and a receiver to
exchange information. RFID may be deployed using active tags,
which have their own power source and always send signals to be
read by a reader; semi-active tags, which have a battery to power
their circuits but are activated by the reader; or passive tags, which
are entirely powered by the reader.
RFID tags also use one of three frequency ranges. Low-frequency
RFIDs are used for short-range, low-power tags and are commonly
used for entry access and identification purposes, where they are
scanned by a nearby reader. Low-frequency RFID is not consistent
around the world, meaning that tags may not meet frequency or
power requirements in other countries. High-frequency RFID tags
have a longer readable range at up to a meter under normal
circumstances and can communicate more quickly. In fact, high-
frequency RFID is used for near-field communication, and many tags
support read-only, write-only, and rewritable tags. The final
frequency range is ultra-high-frequency RFID, the fastest to read and
with the longest range. This means that ultra-high-frequency RFID
tags are used in circumstances where readers need to be farther
away. High-frequency tags have found broad implementation for
inventory and antitheft purposes as well as a multitude of other uses
where a tag that can be remotely queried from meters away can be
useful.
Because of their small size and flexible form factor, RFID tags can be
embedded in stickers, small implantable chips like those used to
identify pets, and in the form of devices like tollway tags. RFID tags
can be attacked in a multitude of ways, from simple destruction or
damage of the tag so that it cannot be read to modification of tags,
some of which can be reprogrammed. Tags can be cloned, modified,
or spoofed; readers can be impersonated; and traffic can be
captured.
 Rewriting RFID Tags

As RFID-based tolling systems spread across the United States,
security researchers looked into vulnerabilities in the technology.
In 2008, in California they discovered that the RFID tags used for
the toll road system had not been locked after they were written,
meaning that tags could be read and reprogrammed, changing
the transponder ID. Since the RFID tag could be rewritten at a
distance, this opened up a wide number of potential attacks. If
this vulnerability was used for malicious purposes, it would have
been possible for attackers to rewrite transponders, charge tolls
to other vehicles, and otherwise wreak havoc on the toll system.
This type of research emphasizes the need to understand the
capabilities and implications of configuration choices used in any
device deployment, and particularly with RFID tags. You can read
more about the issue here:
www.technologyreview.com/2008/08/25/96538/road-tolls-hacked.

GPS
Global Positioning System (GPS), unlike the other technologies
described so far, is not used to create a network where devices
transmit. Instead, it uses a constellation of satellites that send out
GPS signals, which are received by a compatible GPS receiver. While
the U.S. GPS system is most frequently referred to, other systems,
including the Russian GLONASS system and smaller regional
systems, also exist. GPS navigation can help position devices to
within a foot of their actual position, allowing highly accurate
placement for geofencing and other GPS uses. GPS also provides a
consistent time signal, meaning that GPS receivers may be integrated
into network time systems.
Like other radio frequency–based systems, GPS signals can be
jammed or spoofed, although attacks against GPS are uncommon in
normal use. GPS jamming is illegal in the United States, but claims
have been made that GPS spoofing has been used to target military
drones, causing them to crash, and real-world proof-of-concept
efforts have been demonstrated.
GPS technology is a major part of geolocation capabilities used to
determine where a device is. Geolocation is used for location-aware
authentication, geofencing, and many other functions. GPS is often
combined with other location-centric data like Wi-Fi network names
and Bluetooth connections. This can provide rich data about the
location of devices and is increasingly leveraged by device
manufacturers. Tools like Apple's Find My uses GPS, Wi-Fi,
Bluetooth, and cellular as well as sensor information to locate
devices, while Apple's AirTags leverage other Apple devices to help
find them.

Exam Note

The following technologies are not on the Security+ exam outline
as topics, but remain in the glossary or have related items on the
exam. We've included them because they're important in the
context of overall wireless security practices and considerations,
but you shouldn't have to know technical details of NFC and
infrared for the exam.

NFC
Near-field communication (NFC) is used for very short-range
communication between devices. You've likely seen NFC used for
payment terminals using Apple Pay or Google Pay with cell phones.
NFC is typically limited to less than 4 inches of range and often far
shorter distances, meaning that it is not used to build networks of
devices and instead is primarily used for low-bandwidth, device-to-
device purposes. That doesn't mean that NFC can't be attacked, but it
does mean that threats will typically be in close proximity to an NFC
device. Intercepting NFC traffic, replay attacks, and spoofing attacks
are all issues that NFC implementations need to account for. At the
same time, NFC devices must ensure that they do not respond to
queries except when desired so that an attacker cannot simply bring
a receiver into range and activate an NFC transaction or response.

Infrared
Unlike the other wireless technologies in this chapter, infrared (IR)
network connections only work in line of sight. IR networking
specifications support everything from very low-bandwidth modes to
gigabit speeds, including the following:

SIR, 115 Kbit/s
MIR, 1.15 Mbit/s
FIR, 4 Mbit/s
VFIR, 16 Mbit/s
UFIR, 96 Mbit/s
GigaIR, 512 Mbit/s-1 Gbit/s

Since IR traffic can be captured by anything with a line of sight to it,
it can be captured if a device is in the area. Of course, this also means
that unlike Wi-Fi and Bluetooth traffic, devices that are outside of
the line of sight of the device typically won't be able to capture IR
traffic.
Infrared connections are most frequently used for point-to-point
connections between individual devices, but IR technologies that
exist to create networks and groups of devices do exist. Despite this,
infrared connectivity is less frequently found in modern systems and
devices, having largely been supplanted by Bluetooth and Wi-Fi.

Wireless Network Models
The wireless technologies we have described operate in one of four
major connection models: point-to-point, point-to-multipoint, mesh,
or broadcast. Figure 13.1 shows both a point-to-point network
between two systems or devices, and a point-to-multipoint network
design that connects to multiple devices from a single location.
Each of these design models is simple to understand. A point-to-
point network connects two nodes, and transmissions between them
can only be received by the endpoints. Point-to-multipoint networks
like Wi-Fi have many nodes receiving the information sent by a
node. Broadcast designs send out information on many nodes and
typically do not care about receiving a response. GPS and radio are
both examples of broadcast models.

Exam Note

The Security+ exam outline considers three major connection
models: cellular, Wi-Fi, and Bluetooth. Make sure that you're
aware of the major features, advantages, and disadvantages of
each, and think about what they mean for the security of your
organization.

FIGURE 13.1 Point-to-point and point-to-multipoint network
designs

Attacks Against Wireless Networks and Devices
One of the first things you need to consider when designing a secure
network is how it could be attacked. Attackers may pose as legitimate
wireless networks, add their own wireless devices to your network,
interfere with the network, use protocol flaws or attacks, or take
other steps to attack your network.

Evil Twins and Rogue Access Points
An evil twin is a malicious illegitimate access point that is set up to
appear to be a legitimate, trusted network. Figure 13.2 shows an evil
twin attack where the client wireless device has opted for the evil
twin access point (AP) instead of the legitimate access point. The
attacker may have used a more powerful AP, placed the evil twin
closer to the target, or used another technique to make the AP more
likely to be the one the target will associate with.
Once a client connects to the evil twin, the attacker will typically
provide Internet connectivity so that the victim does not realize that
something has gone wrong. The attacker will then capture all of the
victim's network traffic and look for sensitive data, passwords, or
other information that they can use. Presenting false versions of
websites, particularly login screens, can provide attackers who have
successfully implemented an evil twin with a quick way to capture
credentials.
Evil twins aren't the only type of undesirable access point that you
may find on your network. Rogue access points are APs added to
your network either intentionally or unintentionally. Once they are
connected to your network, they can offer a point of entry to
attackers or other unwanted users. Since many devices have built-in
wireless connectivity and may show up as an accessible network, it is
important to monitor your network and facilities for rogue access
points.
FIGURE 13.2 Evil twin pretending to be a legitimate access point
Most modern enterprise wireless controller systems have built-in
functionality that allows them to detect new access points in areas
where they are deployed. In addition, wireless intrusion detection
systems or features can continuously scan for unknown access points
and then determine if they are connected to your network by
combining wireless network testing with wired network logs and
traffic information. This helps separate out devices like mobile
phones set up as hotspots and devices that may advertise a setup Wi-
Fi network from devices that are plugged into your network and that
may thus create a real threat.

Bluetooth Attacks
There are two common methods of Bluetooth attack: bluejacking and
bluesnarfing. Bluejacking sends unsolicited messages to Bluetooth-
enabled devices. Bluesnarfing is unauthorized access to a Bluetooth
device, typically aimed at gathering information like contact lists or
other details the device contains. Unfortunately, there aren't many
security steps that can be put in place for most Bluetooth devices.
Many simply require pairing using an easily guessed code (often
0000), and then proceed to establish a long-term key that is used to
secure their communications. Unfortunately, that long-term key is
used to generate session keys when combined with other public
factors, thus making attacks against them possible.

Bluetooth Impersonation Attacks

Bluetooth impersonation attacks (BIAs) take advantage of
weaknesses in the Bluetooth specification, which means that all
devices that implement Bluetooth as expected are likely to be
vulnerable to them. They exploit a lack of mutual authentication,
authentication procedure downgrade options, and the ability to
switch roles. Although BIAs have not yet been seen in the wild, as
of May 2020 information about them had been published,
leading to widespread warnings that exploits were likely to be
developed. You can read more about BIAs in the Health-ISAC's
advisory here: h-isac.org/bluetooth-impersonation-attacks-
bias.

Despite years of use of Bluetooth in everything from mobile devices
to medical devices, wearables, and cars, the security model for
Bluetooth has not significantly improved. Therefore, your best option
to secure Bluetooth devices is to turn off Bluetooth if it is not
absolutely needed and to leave it off except when in use. In addition,
if devices allow a pairing code to be set, change it from the default
pairing code and install all patches for Bluetooth devices.
Unfortunately, this will leave many devices vulnerable, particularly
those that are embedded or that are no longer supported by the
software or hardware manufacturer.

RF and Protocol Attacks
Attackers who want to conduct evil twin attacks, or who want
systems to disconnect from a wireless network for any reason, have
two primary options to help with that goal: disassociation attacks
and jamming.
Disassociation describes what happens when a device disconnects
from an access point. Many wireless attacks work better if the target
system can be forced to disassociate from the access point that it is
using when the attack starts. That will cause the system to attempt to
reconnect, providing an attacker with a window of opportunity to set
up a more powerful evil twin or to capture information as the system
tries to reconnect.
The best way for attackers to force a system to disassociate is
typically to send a deauthentication frame, a specific wireless
protocol element that can be sent to the access point by spoofing the
victim's wireless MAC address. When the AP receives it, it will
disassociate the device, requiring it to then reconnect to continue.
Since management frames for networks that are using WPA2 are
often not encrypted, this type of attack is relatively easy to conduct.
WPA3, however, requires protected management frames and will
prevent this type of deauthentication attack from working.
Another means of attacking radio frequency networks like Wi-Fi and
Bluetooth is to jam them. Jamming will block all the traffic in the
range or frequency it is conducted against. Since jamming is
essentially wireless interference, jamming may not always be
intentional—in fact, running into devices that are sending out signals
in the same frequency range as Wi-Fi devices isn't uncommon.
 Wi-Fi Jammers vs. Deauthers

Wi-Fi deauthers are often incorrectly called jammers. A deauther
will send deauthentication frames, whereas a jammer sends out
powerful traffic to drown out traffic. Jammers are generally
prohibited in the United States by FCC regulations, whereas
deauthers are not since they operate within typical wireless
power and protocol norms. You can learn more about both in
Seytonic's video: www.youtube.com/watch?v=6m2vY2HXU60.

Sideloading and Jailbreaks
Sideloading is the process of transferring files to a mobile device,
typically via a USB connection, a MicroSD card, or via Bluetooth in
order to install applications outside of the official application store.
While this is more common for Android devices, it is possible for
both Android and iOS devices. Sideloading can allow users to install
applications that are not available in their region, which are
developed by the organization or others, or which aren't signed.
Sideloading itself is not necessarily malicious and has legitimate
uses, but it is often prohibited or prevented by organizations as part
of their security policies.
Jailbreaking takes advantage of vulnerabilities or other weaknesses
in a mobile device's operating system to conduct a privilege
escalation attack and root the system, providing the user with more
access than is typically allowed. Once a device is jailbroken, the user
can perform actions like installing additional applications not
available via the application store, changing settings or options that
are not normally available to users, or installing custom elements of
the operating system.
Both of these techniques can be used for malicious purposes, and we
will revisit them in the context of mobile device management-based
controls later in the chapter.
 Exam Note

As you consider this section, you'll want to focus on sideloading
and jailbreaks. The current version of the Security+ exam outline
focuses on protection methods, but knowing the attacks you may
face is an important part of understanding wireless security and
wireless security settings, which we cover next.

Designing a Network
Designing your Wi-Fi network for usability, performance, and
security requires careful wireless access point (WAP) placement as
well as configuration. Tuning and placement are critical, because
wireless access points have a limited number of channels to operate
within, and multiple wireless access points using the same channel
within range of each other can decrease the performance and overall
usability of the network. At the same time, organizations typically
don't want to extend signal to places where they don't intend their
network to reach. That means your design may need to include AP
placement options that limit how far wireless signal extends beyond
your buildings or corporate premises.
An important part of designing a wireless network is to conduct a site
survey. Site surveys involve moving throughout the entire facility or
space to determine what existing networks are in place and to look at
the physical structure for the location options for your access points.
In new construction, network design is often included in the overall
design for the facility. Since most deployments are in existing
structures, however, walking through a site to conduct a survey is
critical.
Site survey tools test wireless signal strength as you walk, allowing
you to match location using GPS and physically marking your
position on a floorplan or map as you go. They then show where
wireless signal is, how strong it is, and what channel or channels
each access point or device is on in the form of a heatmap. Figure
13.3 shows an example of a heatmap for a building. Note that access
points have a high signal area that drops off and that the heat maps
aren't perfect circles. The building's construction and interference
from other devices can influence how the wireless signal behaves.

FIGURE 13.3 A wireless heatmap showing the wireless signal
available from an access point
Determining which channels your access points will use is also part
of this process. In the 2.4 GHz band, each channel is 20 MHz wide,
with a 5 MHz space between. There are 11 channels for 2.4 GHz Wi-
Fi deployments, resulting in overlap between channels in the 70
MHz of space allocated, as shown in Figure 13.3. In most uses, this
means that channels 1, 6, and 11 are used when it is possible to
control channel usage in a space to ensure that there is no overlap
and thus interference between channels. In dense urban areas or
areas where other organizations may have existing Wi-Fi
deployments, overlapping the channels in use onto your heatmap
will help determine what channel each access point should use.
Figure 13.4 shows the 2.4 GHz channels in use in North America.
Additional channels are available in Japan, Indonesia, and outside of
the United States, with those areas supporting channels 12 and 13 in
addition to the 11 channels U.S. networks use. Note the overlap
between the channels, which can cause interference if access points
use overlapping channels within reach of each other.

FIGURE 13.4 Overlap map of the North American 2.4 GHz Wi-Fi
channels
Many access points will automatically select the best channel when
they are deployed. Wireless network management software can
monitor for interference and overlap problems and adjust your
network using the same capabilities that they use to determine if
there are new rogue access points or other unexpected wireless
devices in their coverage area. These more advanced enterprise Wi-
Fi controllers and management tools can also adjust broadcast power
to avoid interference or even to overpower an unwanted device.
Figuring out what access points and other devices are already in
place and what networks may already be accessible in a building or
space that you intend to deploy a wireless network into can be a
challenge. Fortunately, Wi-Fi analyzer software is used to gather all
the data you need to survey and plan networks, create heatmaps,
identify the best channel mapping to use in 2D and 3D models,
conduct speed tests, and perform wireless client information, among
other tasks. Although each analyzer tool may have different
functionality and features, they are a critical part of the toolkit that
network engineers and security professionals use to assess wireless
networks.

Exam Note

You'll need to be aware and able to explain the purpose of both
heatmaps and site surveys for the exam.

Controller and Access Point Security
Enterprise networks rely on wireless local area network (WLAN)
controllers to help manage access points and the organization's
wireless network. They offer additional intelligence and monitoring;
allow for software-defined wireless networks; and can provide
additional services, such as blended Wi-Fi and 5G wireless roaming.
Wireless controllers can be deployed as hardware devices, as a cloud
service, or as a virtual machine or software package.
Not all organizations will deploy a wireless controller. Small and
even mid-sized organizations may choose to deploy stand-alone
access points to provide wireless network access.
In both of these scenarios, properly securing controllers and access
points is an important part of wireless network security. Much like
other network devices, both controllers and APs need to be
configured to be secure by changing default settings, disabling
insecure protocols and services, setting strong passwords, protecting
their administrative interfaces by placing them on isolated VLANs or
management networks, and ensuring that they are regularly patched
and updated. In addition, monitoring and logging should be turned
on and tuned to ensure that important information and events are
logged both to the wireless controller or access point and to central
management software or systems.
More advanced WLAN controllers and access points may also have
advanced security features, such as threat intelligence, intrusion
prevention, or other capabilities integrated into them. Depending on
your network architecture and security design, you may want to
leverage these capabilities, or you may choose to disable them
because your network infrastructure implements those capabilities in
another location or with another tool, or they do not match the needs
of the network where you have them deployed.

Wi-Fi Security Standards
Wi-Fi networks rely on security and certification standards to help
keep them secure. In fact, modern wireless devices can't even display
the Wi-Fi trademark without being certified to a current standard
like WPA2 or WPA3.
WPA2, or Wi-Fi Protected Access 2, is a widely deployed and used
standard that provides two major usage modes:

WPA2-Personal, which uses a pre-shared key and is thus often
called WPA2-PSK. This allows clients to authenticate without an
authentication server infrastructure.
WPA2-Enterprise relies on a RADIUS authentication server as
part of an 802.1X implementation for authentication. Users can
thus have unique credentials and be individually identified.

WPA2 introduced the use of the Counter Mode Cipher Block
Chaining Message Authentication Code Protocol (CCMP). CCMP
uses Advanced Encryption Standard (AES) encryption to provide
confidentiality, delivering much stronger encryption than older
protocols like the Wired Equivalent Privacy (WEP) protocol, which
was used prior to WPA2. In addition to confidentiality, CCMP
provides authentication for the user and access control capabilities.
You'll note that user authentication is provided but not network
authentication—that is an important addition in WPA3.
Wi-Fi Protected Access 3 (WPA3), the replacement for WPA2, has
been required to be supported in all Wi-Fi devices since the middle
of 2020. WPA3 deployments are increasingly common as WPA3
supplants WPA2 in common usage. WPA3 improves on WPA2 in a
number of ways depending on whether it is used in Personal or
Enterprise mode. WPA3-Personal provides additional protection for
password-based authentication, using a process known as
Simultaneous Authentication of Equals (SAE). SAE replaces the pre-
shared keys used in WPA2 and requires interaction between both the
client and the network to validate both sides. That interaction slows
down brute-force attacks and makes them less likely to succeed.
WPA3-Personal also implements perfect forward secrecy, which
ensures that the traffic sent between the client and network is secure
even if the client's password has been compromised.

Perfect Forward Secrecy

Perfect forward secrecy uses a process that changes the
encryption keys on an ongoing basis so that a single exposed key
won't result in the entire communication being exposed. Systems
using perfect forward secrecy can refresh the keys they are using
throughout a session at set intervals or every time a
communication is sent.

WPA3-Enterprise provides stronger encryption than WPA2, with an
optional 192-bit security mode, and adds authenticated encryption
and additional controls for deriving and authenticating keys and
encrypting network frames. WPA3 thus offers numerous security
advantages over existing WPA2 networks.
 As WPA3 slowly expands in usage, it is important to
note the security improvements it brings. WPA3-Personal
replaces the WPA2-PSK authentication mode SAE (simultaneous
authentication of equals) and implements perfect forward secrecy
to keep traffic secure. WPA3-Enterprise continues to use
RADIUS but improves the encryption and key management
features built into the protocol, and provides greater protection
for wireless frames. Open Wi-Fi networks also get an upgrade
with the Wi-Fi Enhanced Open certification, which uses
opportunistic wireless encryption (OWE) to provide encrypted
Wi-Fi on open networks when possible—a major upgrade from
the unencrypted open networks used with WPA2.

Wireless Authentication
Although the security protocols and standards that a network uses
are important, it is also critical to control access to the network itself.
Organizations have a number of choices when it comes to choosing
how they provide access to their networks:

Open networks, which do not require authentication but that
often use a captive portal to gather some information from users
who want to use them. Captive portals redirect traffic to a
website or registration page before allowing access to the
network. Open networks do not provide encryption, leaving user
data at risk unless the traffic is sent via secure protocols like
HTTPS.
Use of preshared keys (PSKs) requires a passphrase or key that
is shared with anybody who wants to use the network. This
allows traffic to be encrypted but does not allow users to be
uniquely identified.
Enterprise authentication relies on a RADIUS server and utilizes
an Extensible Authentication Protocol (EAP) for authentication.
 We talked about RADIUS more in Chapter 8's
coverage of identity and access management, if you want to
review RADIUS more in this context.

Wireless Authentication Protocols
802.1X is an IEEE standard for access control and is used for both
wired and wireless devices. In wireless networks, 802.1X is used to
integrate with RADIUS servers, allowing enterprise users to
authenticate and gain access to the network. Additional actions can
be taken based on information about the users, such as placing them
in groups or network zones, or taking other actions based on
attributes once the user has been authenticated.
Wi-Fi enterprise networks rely on IEEE 802.1X and various versions
of Extensible Authentication Protocol (EAP). EAP is used by 802.1X
as part of the authentication process when devices are authenticating
to a RADIUS server. There are many EAP variants because EAP was
designed to be extended, as the name implies. Here are common
EAP variants that you should be aware of:

Protected EAP (PEAP) authenticates servers using a certificate
and wraps EAP using a TLS tunnel to keep it secure. Devices on
the network use unique encryption keys, and Temporal Key
Integrity Protocol (TKIP) is implemented to replace keys on a
regular basis.
EAP-Flexible Authentication via Secure Tunneling (EAP-FAST)
is a Cisco-developed protocol that improved on vulnerabilities in
the Lightweight Extensible Authentication Protocol (LEAP).
EAP-FAST is focused on providing faster reauthentication while
devices are roaming. EAP-FAST works around the public key
exchanges that slow down PEAP and EAP-TLS by using a shared
secret (symmetric) key for reauthentication. EAP-FAST can use
either preshared keys or dynamic keys established using public
key authentication.
 EAP-Transport Layer Security (EAP-TLS) implements
certificate-based authentication as well as mutual authentication
of the device and network. It uses certificates on both client and
network devices to generate keys that are then used for
communication. EAP-TLS is used less frequently due to the
certificate management challenges for deploying and managing
certificates on large numbers of client devices.
EAP-Tunneled Transport Layer Security (EAP-TTLS) extends
EAP-TLS, and unlike EAP-TLS, it does not require that client
devices have a certificate to create a secure session. This
removes the overhead and management effort that EAP-TLS
requires to distribute and manage endpoint certificates while
still providing TLS support for devices. A concern for EAP-TTLS
deployments is that EAP-TTLS can require additional software
to be installed on some devices, whereas PEAP, which provides
similar functionality, does not. EAP-TTLS does provide support
for some less secure authentication mechanisms, meaning that
there are times where it may be implemented due to specific
requirements.

When organizations want to work together, RADIUS (Remote
Authentication Dial-in User Service) servers can be federated to
allow individuals from other organizations to authenticate to remote
networks using their home organization's accounts and credentials.
Federating RADIUS servers like this requires trust to be established
between the RADIUS servers as part of a federation. Many higher
education institutions provide a federated authentication service for
wireless called eduroam, which allows students, faculty, and staff
from any eduroam institution (https://eduroam.org) to authenticate
and use the networks at any other eduroam supporting organization.
Of course, RADIUS servers can be federated in a single organization
as well if there are multiple RADIUS domains.
 Exam Note

The Security+ exam outline focuses on WPA3, RADIUS,
cryptographic protocols, and authentication protocols without
going into specifics about cryptographic protocols and
authentication protocols. As you prepare for the exam, you
should consider the new security features of WPA3 as well as its
newer security features over WPA2. You'll also want to have a
general understanding of RADIUS and authentication protocols
like PEAP and EAP.

Managing Secure Mobile Devices
Organizations use a wide variety of mobile devices, ranging from
phones and tablets to more specialized devices. As you consider how
your organization should handle them, you need to plan for your
deployment and management model, whether you will use a mobile
device management tool, and what security options and settings you
will put in place.

Mobile Device Deployment Methods
When organizations use mobile devices, one important design
decision is the deployment and management model that will be
selected. The most common options are BYOD, or bring your own
device; CYOD, or choose your own device; COPE, or corporate-
owned, personally enabled; and fully corporate owned.
Each of these options has advantages and disadvantages, as outlined
in Table 13.2.
TABLE 13.2 Mobile device deployment and management options
Who owns Who Description
the device controls
and
maintains
the device
BYOD
Bring your The user The user The user brings their own
own personally owned device.
device This provides more user
freedom and lower cost to
the organization, but greater
risk since the organization
does not control, secure, or
manage the device.
CYOD
Choose The The The organization owns and
your own organization organization maintains the device, but
device allows the user to select it.
COPE
Corporate- The The Corporate-provided devices
owned, organization organization allow reasonable personal
personally use while meeting enterprise
enabled security and control needs.
Corporate- The The Corporate-owned provides
owned organization organization the greatest control but least
flexibility.
These options boil down to a few common questions. First, who
owns, chooses, and pays for the device and its connectivity plans?
Second, how is the device managed and supported? Third, how are
data and applications managed, secured, and protected?
BYOD places the control in the hands of the end user since they
select and manage their own device. In some BYOD models, the
organization may use limited management capabilities, such as the
ability to remotely wipe email or specific applications, but BYOD's
control and management model is heavily based on the user. This
option provides far less security and oversight for the organization.
In CYOD models, the organization pays for the device and typically
for the cellular plan or other connectivity. The user selects the device,
sometimes from a list of preferred options, rather than bringing
whatever they would like to use. In a CYOD design of this type,
support is easier since only a limited number of device types will be
encountered, and that can make a security model easier to establish
as well. Since CYOD continues to leave the device in the hands of the
user, security and management is likely to remain less standardized,
although this can vary.
In a COPE model, the device is company-owned and -managed.
COPE recognizes that users are unlikely to want to carry two phones
and thus allows reasonable personal use on corporate devices. This
model allows the organization to control the device more fully while
still allowing personal use.
A fully corporate-owned and -managed device is the most controlled
environment and frequently more closely resembles corporate PCs
with a complete control and management suite. This is the least
user-friendly of the options since a corporate-chosen and -managed
device will meet corporate needs but frequently lacks the flexibility of
the more end user–centric designs.
Although these are common descriptions, real-world
implementations vary significantly, and the lines between each of
these solutions can be blurry. Instead of hard-and-fast rules, these
are examples of starting places for organizational mobile device
deployment models and can help drive security, management, and
operational practice discussions. The best way to look at these
practices in real-world use is as part of a spectrum based on
organizational needs, capabilities, and actual usage.
 There's one more acronym you are likely to
encounter that the Security+ exam outline doesn't use: COBO, or
company-owned business only. COBO is most frequently used to
describe company-owned devices used only for business work.
Devices used to scan tickets at events, tablets used by
maintenance supervisors for work tracking, or inventory control
devices all fit the COBO description. COBO doesn't leave a carve-
out for personal use at all, so you should think of these as
organization-purpose-specific mobile devices.

One key technology that can help make mobile device deployments
more secure is the use of virtual desktop infrastructure (VDI) to
allow relatively low-security devices to access a secured, managed
environment. Using VDI allows device users to connect to the remote
environment, perform actions, and then return to normal use of their
device. Containerization tools can also help split devices between
work and personal-use environments, allowing a work container or a
personal container to be run on a device without mixing data and
access.

Hardening Mobile Devices
Mobile device hardening is often more challenging than enterprise
desktop hardening. Mobile devices are not as well designed or
prepared for central management and organizational level security in
most cases, and there are fewer security options available to
administrators. That doesn't mean they can't be hardened, however!
Much like Windows and Linux, iOS and Android hardening
benchmarks are available via the Center for Internet Security (CIS):

iOS benchmark: www.cisecurity.org/benchmark/apple_ios
Android benchmark:
www.cisecurity.org/benchmark/google_android
Hardening techniques include typical practices like updating and
patching the OS, enabling remote wipe functionality, requiring
passcodes, setting automatic screen locks, wiping the device after
excessive passcode failures, and turning off connectivity options like
Bluetooth when not in use.

The National Security Agency (NSA) provides a
mobile device best practices guide that includes tips on how to
secure mobile devices in high-security environments:
https://media.defense.gov/2021/Sep/16/2002855921/-1/-1/0/MOB
ILE_DEVICE_BEST_PRACTICES_FINAL_V3%20-%20COPY.PDF. The guide
includes details of what each suggested practice helps to prevent.

Mobile Device Management
Mobile devices can be a challenge to manage, particularly due to
operating system limitations, variability between hardware
manufacturers, carrier settings, and operating system versions.
Many mobile devices are intended to be used by individuals and
don't have the broad set of built-in controls that more business-
oriented devices and software typically have. When you add in the
wide variety of device deployment models, security practitioners face
real challenges in an increasingly mobile device–focused
environment.
Thus, when administrators and security professionals need to
manage mobile devices, they frequently turn to mobile device
management (MDM) or unified endpoint management (UEM) tools.
MDM tools specifically target devices like Android and iOS phones,
tablets, and other similar systems. UEM tools combine mobile
devices, desktops and laptops, and many other types of devices in a
single management platform.
Regardless of the type of tool you choose, there are a number of
features your organization may use to ensure that your mobile
devices and the data they contain are secure. Although the following
list isn't a complete list of every feature available in MDM, UEM, and
mobile application management (MAM) tools, you need to know
about each of them, and why you might want to have it to be ready
for the exam.

Application management features are important to allow
enterprise control of applications. These features may include
deploying specific applications to all devices; limiting which
applications can be installed; remotely adding, removing, or
changing applications and settings for them; or monitoring
application usage.
Content management (sometimes called MCM, or mobile
content management) ensures secure access and control of
organizational files, including documents and media on mobile
devices. A major concern for mobile device deployments is the
combination of organizational data and personal data on BYOD
and shared-use devices. Content management features lock
away business data in a controlled space and then help manage
access to that data. In many cases, this requires use of the
MDM's application on the mobile device to access and use the
data.
Remote-wipe capabilities are used when a device is lost or stolen
or when the owner is no longer employed by the organization. It
is important to understand the difference between a full device
wipe and wiping tools that can wipe only the organizational data
and applications that have been deployed to the device. In
environments where individuals own the devices, remote wipe
can create liability and other issues if it is used and wipes the
device. At the same time, remote wipe with a confirmation
process that lets you know when it has succeeded is a big part of
helping protect organizational data.
 Remote-wipe capabilities will work only if the
device can receive the command to perform the wipe. This
means that thieves and attackers who want to steal your data
will immediately place the device in airplane mode or will
isolate the phone using an RF-blocking bag or other
container to ensure that the device can't send or receive
Bluetooth, Wi-Fi, or cellular signals. A smart attacker can
prevent remote wipes and may be able to gain access to your
data. That's when device encryption, strong passcodes, and
the underlying security of the operating system become even
more important.

Geolocation and geofencing capabilities allow you to use the
location of the phone to make decisions about its operation.
Some organizations may only allow corporate tablets to be used
inside corporate facilities to reduce the likelihood of theft or
data access outside their buildings. Other organizations may
want devices to wipe themselves if they leave a known area.
Geolocation can also help locate lost devices, in addition to the
many uses for geolocation that we are used to in our daily lives
with mapping and similar tools.
Screen locks, passwords, and PINs are all part of normal device
security models to prevent unauthorized access. Screen lock
time settings are one of the most frequently set security options
for basic mobile device security. Much like desktops and laptops,
mobile device management tools also set things like password
length, complexity, and how often passwords or PINs must be
changed.
Biometrics are widely available on modern devices, with
fingerprints and facial recognition the most broadly adopted and
deployed. Biometrics can be integrated into mobile device
management capabilities so that you can deploy biometric
authentication for users to specific devices and leverage
biometric factors for additional security or ease of use.
Context-aware authentication goes beyond PINs, passwords,
and biometrics to better reflect user behavior. Context may
include things like location, hours of use, and a wide range of
other behavioral elements that can determine whether a user
should be able to log in.
Containerization is an increasingly common solution to
handling separation of work and personal-use contexts on
devices. Using a secure container to run applications, store data,
and otherwise keep the use of a device separate greatly reduces
the risk of cross-contamination and exposure. In many MDM
models, applications use wrappers to run them, helping keep
them separate and secure. In others, a complete
containerization environment is run as needed.
Storage segmentation can be used to keep personal and business
data separate as well. This may be separate volumes or even
separate encrypted volumes that require specific applications,
wrappers, or containers to access them. In fact, storage
segmentation and containerization or wrapper technology are
often combined to better implement application and separation.
Full-device encryption (FDE) remains the best way to ensure
that stolen or lost devices don't result in a data breach. When
combined with remote-wipe capabilities and strong
authentication requirements, FDE can provide the greatest
chance of a device resisting data theft.
Push notifications may seem like an odd inclusion here, but
sending messages to devices can be useful in a number of
scenarios. You may need to alert a user to an issue or ask them
to perform an action. Or you may want to communicate with
someone who found a lost device or tell a thief that the device is
being tracked! Thus, having the ability to send messages from a
central location can be a useful tool in an MDM or UEM system.
 UEM and MDM tools may also include features like
per-application VPN to keep application data secure when that
application is used, onboarding tools to help with BYOD
environments, and advanced threat detection and response
capabilities. Much like other classes of tools, the capabilities of
MDM and UEM tools are continuing to overlap more and more
every day, broadening the market but also making it more
confusing. If you have to choose a tool in this space, it helps to
focus on the specific requirements and features your organization
needs and to choose your tool based on how those are
implemented rather than the laundry list of features that many
tools bring.

MDM and UEM tools also provide a rich set of controls for user
behaviors. They can enable closed or managed third-party
application stores or limit what your users can download and use
from the application stores that are native to the operating system or
device you have deployed. They can also monitor for firmware
updates and versions, including whether firmware over-the-air
(OTA) updates have been applied to ensure that patching occurs.
Of course, users may try to get around those controls by rooting their
devices, or jailbreaking them so that they can sideload (manually
install from a microSD card or via a USB cable) programs or even a
custom firmware on the device. MDM and UEM tools will detect
these activities by checking for known good firmware and software,
and they can apply allow or block lists to the applications that the
devices have installed.
Controlling which services and device capabilities can be used, and
even where they can be used, is also a feature that many
organizations rely on. Limiting or prohibiting use of cameras and
microphones as well as SMS, MMS, and rich communication services
(RCS) messages can help prevent data leakage from secure areas.
Limiting the use of external media and USB on-the-go (OTG)
functionality that allows devices to act as hosts for USB external
devices like cameras or storage can also help limit the potential for
misuse of devices. MDM and UEM tools also typically allow
administrators to control GPS tagging for photos and other
documents that may be able to embed GPS data about where they
were taken or created. The ability to use location data can be a useful
privacy control or may be required by the organization as part of
documentation processes.

Some organizations, such as contractors for the U.S.
Department of Defense ban cell phones with cameras from their
facilities. Although buying a cell phone without a camera used to
be easy, finding one now is very difficult. That's where MDM
features that can block camera use can be handy. Although there
may be workarounds, having a software package with the ability
to block features like a camera may be an acceptable and handy
control for some organizations.

Administrators may also want to control how devices use their
wireless connectivity. That can take the form of limiting which Wi-Fi
networks devices can connect to, preventing them from forming or
joining ad hoc wireless networks, and disabling tethering and the
ability to become a wireless hotspot. Bluetooth and NFC controls can
also help prevent the device from being used in ways that don't fit
organizational security models, such as use as a payment method or
access device.
 Exam Note

As you prepare for the exam, make sure you can outline the
differences, benefits, and challenges of BYOD, COPE, and CYOD
device models. Review hardening practices, including using
standards like the CIS benchmarks for iOS and Android, and be
prepared to leverage your understanding of mobile device
management tools and techniques to secure organizational
devices.

Summary
Building a secure network starts with an understanding of the
wireless connectivity options that organizations may choose to
deploy. Wi-Fi, cellular, and Bluetooth are found almost everywhere
and are key to how organizations connect devices and systems.
Knowing which technologies are in play and how they connect
devices is the first part of designing and securing your network.
Understanding common attacks against wireless networks and
devices helps security professionals to design a wireless network.
Network design is conducted and installation considerations are
considered, including using site surveys to understand the
environment that the network will be deployed into. Heatmaps show
signal propagation and can help with device placement. How you will
protect your controllers and access points also comes into play, with
concerns ranging from patching and maintenance to secure remote
access via protected channels or networks.
Once a network is designed, security and authentication options are
the next layer in your design. WPA3 provides simultaneous
authentication of equals (SAE) as well as enterprise models that
connect to RADIUS servers to allow the use of organizational
credentials. Authentication protocols like EAP and its many variants
allow choices based on what your hardware supports and what
specific authentication choices you need to make.
Finally, mobile devices must be secured. Deployment models range
from BYOD processes that let users bring their own devices to
entirely corporate-owned models that deploy locked-down devices
for specific purposes into your end users' hands. Devices also need to
be managed, which is where tools for mobile device management
come into play. They provide a broad range of features you need to
be aware of as a security professional.

Exam Essentials
Modern enterprises rely on many types of wireless
connectivity. There are many wireless connectivity options for
organizations and individuals. Devices may connect via cellular
networks, which place the control of the network in the hands of
cellular providers. Wi-Fi is widely used to connect devices to
organizational networks at high speed, allowing ease of mobility
while providing security using enterprise security protocols.
Bluetooth provides connectivity between many devices and cellular is
used to provide access from mobile devices and systems that can't
connect to Wi-Fi or wired networks.
Secure wireless network designs take existing networks
and physical spaces into account. Site surveys include
physical tours of a facility using tools that can identify existing
wireless networks and access points as well as signal strengths and
other details that help map the location. Network designs take into
account channel spacing, access point placement, and even the
composition of the building when placing access points.
Cryptographic and authentication protocols provide
wireless security. Both WPA2 and WPA3 are used in modern
Wi-Fi networks. These protocols provide for both simple
authentication protocols, like WPA2's preshared key mode, and for
enterprise authentication models that rely on RADIUS servers to
provide user login with organizational credentials. Both rely on
cryptographic protocols to encrypt data in transit. Devices are
frequently configured to use a variant of the Extensible
Authentication Protocol (EAP) that supports the security needs of
the organization and that is supported by the deployed wireless
devices.
Understand mobile device vulnerabilities. Sideloading
involves copying programs from an external device or system,
allowing them to be added to a device and potentially bypassing the
device's application store. Jailbreaking provides root access to
devices providing greater control but also creating security concerns
because it bypasses the device's native security model.
Securing underlying wireless infrastructure requires
strong network device administration and security
practices. Wireless controllers and access points must be
protected, and installation considerations are important to consider
for wireless devices. Like other network devices, controllers and APs
need to be regularly patched and updated and must be configured
securely. They also must have protected administrative interfaces
and should be configured to log and report on the network, their own
status, and security issues or potential problems. Heatmaps and site
surveys help administrators understand the environment they are
deploying into and operating in.
Managing mobile devices relies on both deployment
methods and administrative tools. Deployment methods
include bring your own device; choose your own device; corporate-
owned, personally enabled; and corporate owned, business only. The
risks and rewards for each method need to be assessed as
organizations choose which model to deploy their devices in. Once
that decision is made, tools like mobile device management or
unified endpoint management can be used to configure, secure,
manage, and control the devices in a wide range of ways, from
deploying applications to securely wiping devices if they are lost or
stolen. You need to understand the capabilities and limitations of
MDM and UEM products as well as the devices and operating
systems that they can manage.

Review Questions
1. Alyssa wants to harden iOS devices her organization uses. What
set of guidelines can she follow to align to common industry
security practices?
A. OWASP