Page 47 - Mobile Data Loss

Developing Your Mobile Device Security Strategy  41

            be an indication that a security control or access was overlooked and
            should be refined.

               It’s important to note that the EMM console will commonly alert
            on both network and device threats. A few notable alerts that may
            require further investigation include:
            • An unregistered device attempting to access restricted resources
              (internal or cloud) using a legitimate account. Authentication
              failures may be an indication of brute force attacks, integrity
              failures, or MitM attacks.
            • A device that has been compromised. This presents a risk to the
              enterprise data. Ensure that the mobile device has been
              automatically quarantined, and follow up with the user as part of
              your incident response processes.
            • Detected malware on a mobile device. Determine the variant of the
              app carrying the malware, or of the malware itself, to establish
              whether it stemmed from a compromised device, a malicious link, or
              some other attack vector. After examining it, decide whether the
              security controls should be modified. Also determine whether any
              other devices exhibited the same malware to understand the extent
              of the infestation.
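
A triage pass over the three alert classes listed above, as an added example that is not from the book or from any EMM product. The alert records are constructed, and the field names and the failure threshold are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample alerts. Field names are hypothetical, not a real EMM export schema.
ALERTS = [
    {"type": "auth_failure", "device": "dev-901", "registered": False, "account": "jsmith"},
    {"type": "auth_failure", "device": "dev-901", "registered": False, "account": "jsmith"},
    {"type": "auth_failure", "device": "dev-901", "registered": False, "account": "jsmith"},
    {"type": "auth_failure", "device": "dev-100", "registered": True, "account": "alee"},
    {"type": "compromised", "device": "dev-204", "quarantined": True},
    {"type": "compromised", "device": "dev-377", "quarantined": False},
    {"type": "malware", "device": "dev-204", "variant": "sample-variant-A"},
    {"type": "malware", "device": "dev-512", "variant": "sample-variant-A"},
    {"type": "malware", "device": "dev-610", "variant": "sample-variant-B"},
]

def triage(alerts, failure_threshold=3):
    """Return (finding, subject, detail) tuples for the three alert classes."""
    findings = []
    failures = Counter()        # (device, account) -> failures from unregistered devices
    extent = defaultdict(set)   # malware variant -> affected devices
    for a in alerts:
        if a["type"] == "auth_failure" and not a["registered"]:
            failures[(a["device"], a["account"])] += 1
        elif a["type"] == "compromised":
            # Quarantine should have been automatic; a miss is itself a finding.
            if a.get("quarantined"):
                findings.append(("follow_up_user", a["device"], "quarantined"))
            else:
                findings.append(("quarantine_missing", a["device"], "not quarantined"))
        elif a["type"] == "malware":
            extent[a["variant"]].add(a["device"])
    # Repeated failures from one unregistered device against one account.
    for (device, account), n in sorted(failures.items()):
        if n >= failure_threshold:
            findings.append(("unregistered_auth_failures", device, f"{account} x{n}"))
    # Every device showing the same variant, to size the infestation.
    for variant, devices in sorted(extent.items()):
        findings.append(("malware_extent", variant, ",".join(sorted(devices))))
    return findings

if __name__ == "__main__":
    for finding in triage(ALERTS):
        print(*finding, sep="\t")
```
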

               EMM is a nice complement to a forensics investigation. As these
            mobile devices are becoming inherently more secure, performing
            forensics on data-at-rest on a mobile device is becoming increasingly
            difficult. Many mobile device forensics products require the PIN to
            gain access to the device to allow a forensic image to be created.
            Other approaches require that a resident vulnerability be used to
            load a custom RAMdisk, jailbreak or root the device, or access DFU
            mode, among others. All of these create a hurdle to imaging the
            device and performing analysis. It’s for these reasons that EMM is
            becoming a more important part of litigation and nonlitigation
            forensic investigations.



            MOBILE DATA LOSS THREATS AND
            COUNTERMEASURES FLOW

            If we model the flow of the attack vectors, we can gain insight into
            layers of defense that encompass proactive, reactive, and live monitoring
            controls. Whether we have a mobile device connecting to the Wi-Fi
            locally, or connecting remotely to target the network, we can take a