Wireless and Internet of Things

Time
7 hours 15 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
00:00
>> Hi there. Welcome to our next lesson,
00:00
mobile, wireless,
00:00
and Internet of Things devices.
00:00
By the end of this lesson, we'll have
00:00
discussed mobile computing,
00:00
bring your own devices,
00:00
or BYOD, Internet access on mobile devices,
00:00
wireless networks, and the Internet of Things, or IoT.
00:00
Let's begin. Mobile computing is a very general term,
00:00
but it basically covers devices that are
00:00
transported or moved during normal usage.
00:00
This can include tablets, smartphones, laptops,
00:00
USB devices, so it's very broad ranging.
00:00
Now, mobile has one key issue,
00:00
that it makes logical and physical
00:00
access controls very difficult.
00:00
Previously, with workstations and within organizations,
00:00
they would generally sit on desks.
00:00
Even laptops were probably not
00:00
considered as mobile as what devices are today,
00:00
because traditionally they did
00:00
require some form of network connectivity,
00:00
but the advent of mobile computing,
00:00
as well as wireless,
00:00
has certainly made these far more mobile.
00:00
Previously, it was very easy to lock
00:00
down and to control the devices that access the network,
00:00
but with the advent of
00:00
these new devices such as tablets and smartphones,
00:00
that is a little bit more difficult.
00:00
Mobile computing risks.
00:00
Let's talk a little bit about that.
00:00
Data access via an insecure wireless network.
00:00
Basically, the mobile devices are
00:00
designed to hook up to ad hoc Wi-Fi networks,
00:00
so whatever Wi-Fi network is available,
00:00
and there can be lots of threats through
00:00
insecure wireless networks in
00:00
coffee shops or other public access areas.
00:00
Mobile users will leave the enterprise boundary.
00:00
The physical control is very
00:00
difficult when the actual device that
00:00
contains sensitive organizational data
00:00
is actually walking out in the user's pocket.
00:00
Now, Bluetooth devices.
00:00
When originally Bluetooth came out,
00:00
the general advice was to turn it
00:00
off unless you're using it.
00:00
But now with the ubiquity of various Bluetooth devices,
00:00
it's very uncommon to see
00:00
Bluetooth actually turned off on a device.
00:00
This can potentially let an attacker gain
00:00
access into the device via an attack using Bluetooth.
00:00
Unencrypted information can be stored on the device.
00:00
Now, a lot of common mobile devices
00:00
today are encrypted by default,
00:00
but it is still possible to get
00:00
unencrypted information stored on the device.
00:00
If this data gets lost or the device gets lost,
00:00
then the data can get lost,
00:00
or compromised, or accessed by an adversary.
00:00
Authentication requirements
00:00
are difficult on mobile devices.
00:00
Often cases, mobile devices are designed to
00:00
be accessed quickly and easily on the move,
00:00
and they don't support
00:00
traditional authentication methods such as username,
00:00
password, or sometimes even multi-factor authentication.
00:00
General device management is
00:00
also a little bit more difficult.
00:00
If the mobile device is moving around,
00:00
then that potentially might not necessarily be
00:00
connected directly to the organizational network,
00:00
it's very hard to actually push out policies that would
00:00
be traditionally used to manage
00:00
devices such as workstations.
00:00
That also leads into application control on the device.
00:00
Usually with traditional workstations,
00:00
users are restricted into
00:00
what software they can install on the device.
00:00
Mobile computing doesn't necessarily
00:00
have these same levels of controls built in.
00:00
Now, where there is a security vulnerability,
00:00
there is usually a way to mitigate them.
00:00
Certainly with the ubiquity of
00:00
mobile devices in organizations today,
00:00
there are a number of different things
00:00
that can be employed within
00:00
your organization to basically
00:00
control and manage the risk around mobile devices.
00:00
Here are just a few of them,
00:00
but certainly there is basically a wide range of options
00:00
available to remove some
00:00
of the risk out of mobile devices today.
00:00
Bringing your own device.
00:00
Now, this was certainly very popular about 10 years ago.
00:00
It's still around, but it's
00:00
certainly less of a conversation,
00:00
at least within the Australian market.
00:00
This was basically a trend where
00:00
personal communication devices were being
00:00
used to conduct work-related tasks.
00:00
The idea was, there was
00:00
increased productivity and satisfaction for the employee.
00:00
Instead of having a controlled,
00:00
standard run-of-the-mill device that's
00:00
issued by their IT department,
00:00
they can choose whatever device they want,
00:00
and have all their data and
00:00
software that they feel comfortable using.
00:00
Of course, from an organizational perspective,
00:00
this initially produced some significant cost savings.
00:00
However, it also could introduce risks,
00:00
and BYOD brought with it some risks.
00:00
Basically, organizations lost a bit of
00:00
access controls and control over the device security.
00:00
In other words, there was not
00:00
necessarily a guarantee that
00:00
username or password policies could be employed,
00:00
and also they didn't own the device,
00:00
so therefore the physical control
00:00
of the device was limited.
00:00
There was a lack of ability to
00:00
eliminate sensitive company information from the device,
00:00
at least initially, although there are
00:00
some solutions which do that.
00:00
Users could basically be storing
00:00
company information on their own personal device,
00:00
and if the user wants to leave the organization,
00:00
there was limited capability for the organization to
00:00
ensure that that sensitive information was removed.
00:00
Support for multiple different device types.
00:00
BYOD, at least initially,
00:00
could have meant that any number
00:00
of devices were brought into
00:00
the organization depending upon user preferences,
00:00
and this would introduce risks
00:00
in terms of management, maintenance,
00:00
vulnerability, and
00:00
vulnerability maintenance and patching.
00:00
Backup is also difficult.
00:00
If the data is stored locally on the device,
00:00
then that might not necessarily be part of
00:00
the corporate backup routine.
00:00
Also, acceptable use policy.
00:00
Mixing personal computer usage with
00:00
business usage could lead
00:00
to certain problems depending upon
00:00
the nature of the personal use involved.
00:00
Now again, obviously controls
00:00
were introduced to mitigate this.
00:00
Basically the key area there was protection
00:00
of sensitive data and intellectual property,
00:00
protection of connected networks,
00:00
and responsibility and accountability
00:00
for the device and information.
00:00
These were the key areas that were
00:00
looked at in terms of control,
00:00
and the focus there was removal of
00:00
organizational data and malware protection.
00:00
Eventually, devices under
00:00
the BYOD approach were able to have policies
00:00
pushed out to them in certain ways to
00:00
provide some level of
00:00
assurance to those risks for the organization.
00:00
There's a couple of issues around the Internet
00:00
access on mobile devices.
00:00
We could see interception of sensitive information,
00:00
theft or loss of the device,
00:00
which could result in
00:00
a legitimate corporate endpoint
00:00
being in the hands of an attacker,
00:00
loss of any data contained in the device,
00:00
distractions caused by the device,
00:00
such as working remotely or working while driving,
00:00
health effects of the device usage,
00:00
misuse of the device,
00:00
vulnerabilities within the operating system that can't
00:00
be managed by the corporate IT department,
00:00
different applications that could be downloaded by
00:00
the user, wireless user authentication,
00:00
file security, and
00:00
Wireless Equivalent Privacy or
00:00
other LEAP wireless protocols.
00:00
Now, wireless networks. Basically,
00:00
it enables one or more devices to
00:00
communicate without physical connection.
00:00
Today, that's usually done via a Wi-Fi connection
00:00
or via a connection to a telecom provider.
00:00
In terms of the
00:00
different wireless networks that are available,
00:00
there's a few varieties.
00:00
We have wireless wide area networks.
00:00
These link different networks
00:00
over a large geographical area,
00:00
and will generally use things such as radio,
00:00
satellite, or mobile phone technologies.
00:00
This is particularly useful in
00:00
environments where laying cable would be too expensive,
00:00
so in remote areas or areas that are inaccessible.
00:00
Basically, it's consideration of
00:00
design and cost here are important.
00:00
Wireless local area networks.
00:00
This provides greater flexibility than wired LANs.
00:00
An organization is able
00:00
to reconfigure its office without having to
00:00
worry about cabling requirements
00:00
being moved within the office.
00:00
Devices are all connected to what's referred to as
00:00
wireless access point or WAP.
00:00
The coverage in these types of devices
00:00
can be up to about 300 feet or 100 meters,
00:00
and multiple WAPs can be used to
00:00
provide larger areas of cover.
00:00
This is particularly useful for
00:00
organizations that may be in, for example,
00:00
historic buildings where there are limitations
00:00
with wiring and modifications to the premises itself.
00:00
Wireless personal area networks is another form.
00:00
This is essentially a short-range network that
00:00
connects wireless devices to each other.
00:00
This could be something like
00:00
a Bluetooth keyboard being connected to a tablet,
00:00
and they will generally commonly use Bluetooth.
00:00
Wireless ad hoc networks are essentially using
00:00
wireless capabilities to connect
00:00
to generally remote devices.
00:00
This could be basically connecting
00:00
two laptops together in a meeting to
00:00
transfer data and files
00:00
from one laptop to another, for example.
00:00
They're generally referred to as
00:00
ad hoc as they're created and
00:00
connected for the sole purpose
00:00
of doing what they need to do,
00:00
and then are disconnected.
00:00
Now, wireless security threats.
00:00
Basically errors and omissions,
00:00
so fraud and theft,
00:00
employee sabotage, loss of
00:00
physical and infrastructure support, malicious hackers,
00:00
industrial espionage, so
00:00
wireless security threats will often
00:00
be a key point that
00:00
an attacker will try to look to leverage,
00:00
malicious code being transmitted
00:00
over the wireless systems,
00:00
foreign government espionage,
00:00
and threats to personal privacy.
00:00
Security requirements that you need to look for,
00:00
basically authenticity, for any wireless networks.
00:00
Non-repudiation.
00:00
Ensuring that basically there
00:00
is evidence of a connection occurring,
00:00
when it occurred, and who actually made that connection.
00:00
Accountability. In other words,
00:00
logging and ensuring that there's records kept
00:00
about what traffic and
00:00
what connections are made on the wireless network.
00:00
Network availability.
00:00
Ensuring that the network is available to
00:00
users and there isn't
00:00
a denial of service to spur an attack.
00:00
Wireless network risks.
00:00
Basically, with wireless networks,
00:00
you can count on all the vulnerabilities
00:00
present in conventional wired networks.
00:00
You can add to that potential weaknesses in
00:00
wireless protocols or
00:00
vulnerabilities that are discovered.
00:00
Access by malicious entities,
00:00
so depending upon the nature of the network,
00:00
an attacker doesn't necessarily need to be physically on
00:00
your premises to attack the network.
00:00
Sensitive information not encrypted.
00:00
Denial of service attacks,
00:00
so a wireless network could be knocked off
00:00
the air by an attacker.
00:00
Malicious entities stealing identities
00:00
of legitimate users,
00:00
corruption of sensitive data
00:00
as it's transmitted over the network,
00:00
malicious entities attacking legitimate users,
00:00
use of unauthorized equipment,
00:00
theft of mobile devices,
00:00
which not only leads to
00:00
the loss of data that's on the device,
00:00
but also potentially an
00:00
access point which an attacker can now use,
00:00
exfiltration of data, viruses and malware,
00:00
and networks used as an attack point for another target.
00:00
A wireless network could be
00:00
not necessarily the end target,
00:00
but it could be just used to
00:00
leverage an attack on
00:00
another wireless network or another system,
00:00
which hides the actual origin of the attacker itself.
00:00
Internet of Things is relatively recent,
00:00
but it's certainly becoming more common,
00:00
and it's something that you'll come across as an auditor.
00:00
These are basically physical objects
00:00
with embedded network,
00:00
computing elements that communicate over a network.
00:00
Now, these could be basically anything ranging from
00:00
certainly heating and cooling sensors,
00:00
fridges, microwaves, even fish tanks, for example.
00:00
Anything that can actually have
00:00
a computing environment attached to it,
00:00
can be hooked up to the internet.
00:00
This basically will introduce a number of risks.
00:00
Business risk obviously, operational,
00:00
and technical risk,
00:00
can all be introduced via the Internet of Things devices.
00:00
That is basically our lesson.
00:00
We've covered mobile computing,
00:00
issues around BYOD or bring your own devices,
00:00
internet access on mobile devices,
00:00
wireless networking, and Internet of Things.
00:00
I hope you enjoyed the lesson.
00:00
I will see you in the next one.