Mobile Security Introduction

Table of Contents

Mobile Security –Introduction ........................................................................................................ 2

Notices ............................................................................................................................................ 3

About This Class .............................................................................................................................. 4

Agenda -1 ........................................................................................................................................ 6

Agenda -2 ........................................................................................................................................ 8

Page 1 of 10

Mobile Security –Introduction

© 2015 Carnegie Mellon University

Mobile Security –Introduction

**001 Mark Williams: This is the mobile security course.

Page 2 of 10

Notices

2

Notices© 2015 Carnegie Mellon University

This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study.

Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at permission@sei.cmu.edu.

This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding.

THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT ® is a registered mark owned by Carnegie Mellon University.

**002 We are starting off with the requisite copyright notifications.

Page 3 of 10

About This Class

3

About This Class

This class is about mobile devices and how to secure them.

No assumptions about pre-existing knowledge are made. • Basic concepts• Theory of operation• Hands-on operations

Device agnostic – concepts will apply regardless of device. • Practical demonstrations and operations will target specific devices.

— Apple iOS— Windows Mobile— Android

**003 This course is talking about mobile security devices. We're going to be talking about how we're going to protect our smartphones. Primarily, we'll be looking at the three most popular brands of smartphones that seem to be on the market. We will be talking about how we go about protecting the Windows phones, the Apple iOS phones, and also Google's Android phones. This course starts off with a prerequisite of none. We expect that anyone who comes into the course is a brand new student. They have nothing-- no knowledge of security expect they do have a phone

Page 4 of 10

somewhere in their presence. And so, we're going to go through the basic concepts of how the mobile phones work. We'll talk about how the networks function. We will talk a little bit about how we might go about providing our own security on our devices because, as we all know, unfortunately we carry these things around on our hips. And we just expect that they are going to be secure. And the reality is they are communication devices. They are wide open for the purposes of communication. And so, we have to take it into our own hands to provide a level of security for these devices.

Page 5 of 10

Agenda -1

4

Agenda -1

Introduction to Cell Technology• Concepts, standards, and technologies behind mobile phones

Introduction to Wireless Technology• Concepts, standards, and technologies behind data services

Threats to Mobile Devices• Overview of threat landscape, attacks, and case studies

Mobile Device Security• Security implementations, models, and capabilities

**004 So, we have just a few topic to go through this week. The first topic is going to be just a basic introduction where we go through the concepts and the standards that operate, and the technologies that operate the mobile phones. Then we get into a little bit about wireless. How does a wireless system work? We talk a little bit-- we're going to focus primarily on the wireless for cellular communications, not the wireless that we use for our everyday laptop computers, although there is a little bit of that discussion going on because our mobile devices do support the same types of wireless technologies that we would use for

Page 6 of 10

laptops and our home networks. So, we'll talk a little bit about wireless technology, cellular wireless technology, and RF wireless technology for communication. And we get into what are some of the threats that are out there. As we talk about some of the threats, we'll go through the threat landscape. We will realize that this is kind of the Wild West when it comes to security. As I mentioned, we don't have a lot of security inherently in our mobile devices. And so, the bad guys, the bad actors, are taking advantage of that. And they are spending lots of their efforts developing exploit code and finding the vulnerabilities for these mobile communication devices. So, we're going to take a look at what some of those attacks are. And we have a couple of case studies that we will go through with you on that. Then we look at the, again, specifically on the devices themselves, what are some of the controls that we can turn on, what are some of the applications that we can add, what are some of the capabilities we can provide that are going to provide a little bit of security, a little bit of sense of safety. How can we start to protect the sensitive data that we have on our communication systems from a confidentiality standpoint, from an integrity standpoint, even from an availability standpoint?

Page 7 of 10

Agenda -2

5

Agenda -2

Managing and Securing Mobile Devices • Encryption, email security, auditing and secure functionality • Overview methods for managing and monitoring various platforms

Introduction to Mobile Device Forensics and Investigations • Detecting, analyzing, and responding to attacks against devices

Social Media on Mobile Devices• Overview of social media platforms and mitigating risk

Emerging Trends in Mobile Devices and Security• Trends, emerging technologies, threats and mitigation strategies

**005 We'll look at specifically things such as email security. How can I send and receive emails knowing that bad actors are not going to intercept those emails and listen in and eavesdrop on us? How can I go about establishing faith and trust in all the apps that I am downloading? We know that the apps come from many different vendors, many different suppliers. So, how do I know that they app that I've just downloaded is a safe app and that there's no malware associated with that? Then we'll talk about the forensics, the investigations. What are some of

Page 8 of 10

the things that can be done once my system does get attacked? What are some of the things that can be done- - excuse me. What are some of the things that can be done in order to find out where did the attack originate from, what changes and modifications have been made to my system, and how can I eradicate this system, eradicate this malware and get back to a known good, working, safe device? We'll also talk about social media. Social media is-- I used to say that it's the Wild West, but now I say that it is prime time. It is the location that a lot of-- many of us spend a whole lot of our time on social media sites. How do I protect myself from the dangers that are inherent in social media sites. We'll talk about what some of those dangers are and how do we go about protecting ourselves.

Page 9 of 10

And then finally, we take a look at some of the emerging trends. What are the new and upcoming technologies that are out there? And how are we going to use them? And how are the bad actors going to try to take advantage of them? So, what are the threats, and how can mitigate against those threats?

Page 10 of 10