Page 29 - Mobile Data Loss

Mobile Security Countermeasures  23


The administrator can force a device check-in to check the security posture or location of the device. Per-device logs can be stored in the EMM to allow deep analysis by the administrator. While this may be helpful for troubleshooting, it can also be helpful for security analysis. Furthermore, an EMM can provide information about when a device is connected to a network, and to what resources.


INCIDENT RESPONSE AND FORENSICS

In the event of a breach or incident, investigators are quick to perform an acquisition on a mobile device. But on-device mobile forensics is becoming increasingly difficult. Many of the mobile device forensic acquisition tools have historically required vulnerabilities, hacks, or even formal jailbreak or root to bypass protections to gain access to the data. As previously outlined, many of these techniques may perform a wipe or selective wipe, even if the device is off the network (or in a Faraday bag).

A blind spot for many investigators is that an EMM may hold some significant evidence. It also doesn’t require breaking into the mobile device. The following list outlines just a sampling of the EMM data available to the investigator:
• Remote unlock of the mobile device
• Device hardware and software information
• An inventory of Apps on the device
• Last known location of the device or a breadcrumb trail of where the device has been
• When the mobile device connected to the corporate email
• When the mobile device connected to a corporate app
• What malicious apps are installed on the device that may have led to a breach
• When a malicious app was installed on a device
• If the device is compromised
• When the device was compromised
• Audit logs of files uploaded to personal cloud services
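The following script is an added example (not code from the book or from any EMM vendor) showing how an investigator can turn the kinds of EMM records listed above into an incident timeline without touching the device. It assumes a flat export of per-device events with the constructed field names `type`, `ts`, `posture`, `apps`, `resource` and `service`; the sample events themselves are constructed for the example. From periodic check-ins and app inventory snapshots it derives the compromise window, the apps that first appeared inside that window, the last known location, and which corporate resources and personal cloud services the device touched after it was flagged as compromised.

```python
"""Reconstruct an incident timeline from EMM records (added example)."""
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample EMM export: per-device events in arbitrary order.
# Field names and values are assumptions for this example, not a real
# EMM vendor's schema.
EMM_EVENTS = [
    {"device": "dev-001", "ts": "2015-06-01T08:00:00", "type": "checkin",
     "posture": {"compromised": False}, "location": "HQ"},
    {"device": "dev-001", "ts": "2015-06-01T08:00:05", "type": "inventory",
     "apps": ["com.example.mail", "com.example.docs"]},
    {"device": "dev-001", "ts": "2015-06-01T09:15:00", "type": "connect",
     "resource": "corporate-email"},
    {"device": "dev-001", "ts": "2015-06-02T08:00:00", "type": "checkin",
     "posture": {"compromised": False}, "location": "Airport"},
    {"device": "dev-001", "ts": "2015-06-02T08:00:05", "type": "inventory",
     "apps": ["com.example.mail", "com.example.docs", "com.free.flashlight"]},
    {"device": "dev-001", "ts": "2015-06-02T19:30:00", "type": "connect",
     "resource": "corporate-email"},
    {"device": "dev-001", "ts": "2015-06-03T08:00:00", "type": "checkin",
     "posture": {"compromised": True}, "location": "Hotel"},
    {"device": "dev-001", "ts": "2015-06-03T10:00:00", "type": "connect",
     "resource": "sales-crm"},
    {"device": "dev-001", "ts": "2015-06-03T11:00:00", "type": "cloud_upload",
     "file": "Q2-forecast.xlsx", "service": "personal-dropbox"},
    {"device": "dev-002", "ts": "2015-06-03T08:00:00", "type": "checkin",
     "posture": {"compromised": False}, "location": "HQ"},
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def device_events(events: List[dict], device: str) -> List[dict]:
    """All events for one device, ordered by timestamp."""
    return sorted((e for e in events if e["device"] == device),
                  key=lambda e: _parse(e["ts"]))


def app_first_seen(events: List[dict], device: str) -> Dict[str, str]:
    """Timestamp at which each app first appeared in an inventory snapshot."""
    seen: Dict[str, str] = {}
    for e in device_events(events, device):
        if e["type"] == "inventory":
            for app in e["apps"]:
                seen.setdefault(app, e["ts"])
    return seen


def compromise_window(events: List[dict], device: str) -> Optional[Tuple[Optional[str], str]]:
    """(last clean check-in, first compromised check-in); None if never flagged.
    The first element is None when the device was already compromised at
    its first check-in, so the window has no known clean lower bound."""
    last_clean: Optional[str] = None
    for e in device_events(events, device):
        if e["type"] != "checkin":
            continue
        if e["posture"]["compromised"]:
            return (last_clean, e["ts"])
        last_clean = e["ts"]
    return None


def suspect_apps(events: List[dict], device: str) -> List[str]:
    """Apps that first appeared between the last clean and first compromised check-in."""
    window = compromise_window(events, device)
    if window is None:
        return []
    start, end = window
    return sorted(app for app, first in app_first_seen(events, device).items()
                  if (start is None or _parse(first) > _parse(start))
                  and _parse(first) <= _parse(end))


def exposure_after(events: List[dict], device: str, since: str) -> List[str]:
    """Corporate resources contacted and cloud uploads made at or after `since`."""
    t0 = _parse(since)
    out: List[str] = []
    for e in device_events(events, device):
        if _parse(e["ts"]) < t0:
            continue
        if e["type"] == "connect":
            out.append(f"{e['ts']} connect {e['resource']}")
        elif e["type"] == "cloud_upload":
            out.append(f"{e['ts']} upload {e['file']} -> {e['service']}")
    return out


def last_known_location(events: List[dict], device: str) -> Optional[str]:
    checkins = [e for e in device_events(events, device) if e["type"] == "checkin"]
    return checkins[-1]["location"] if checkins else None


def incident_summary(events: List[dict], device: str) -> dict:
    """Answer the when/where/what questions for one device from EMM data alone."""
    window = compromise_window(events, device)
    return {
        "compromise_window": window,
        "suspect_apps": suspect_apps(events, device),
        "last_location": last_known_location(events, device),
        "exposure": exposure_after(events, device, window[1]) if window else [],
    }


if __name__ == "__main__":
    for k, v in incident_summary(EMM_EVENTS, "dev-001").items():
        print(f"{k}: {v}")
```

The compromise window is only as precise as the check-in interval, which is why forcing a check-in (as the previous section describes) matters during an investigation; the `suspect_apps` result is a lead to be confirmed against app reputation data, not proof of the cause.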
As you can see, an EMM solution provides a wealth of information to the investigator to answer questions such as when, where, what, why, and how. Although on-device forensic acquisition is valuable, EMM may provide answers more quickly and easily. This is