SEC575: Mobile Device Security and Ethical Hacking
Now updated to cover Apple iOS 6, BlackBerry 10, Android Jelly Bean, and Windows Phone 8
Mobile phones and tablets have become essential to enterprise and government networks, from small organizations to Fortune 500 companies and large-scale agencies. Often, mobile phone deployments grow organically, adopted by multitudes of end-users for convenient email access as well as managers and executives who need access to sensitive organizational resources from their favored personal mobile devices. In other cases, mobile phones and tablets have become critical systems for a wide variety of production applications from ERP to project management. With increased reliance on these devices, organizations are quickly recognizing that mobile phones and tablets need greater security implementations than a simple screen protector and clever password.
The security risks of mobile phone and tablet device use in the workplace
Whether the device is an Apple iPhone or iPad, a Windows Phone, an Android or BlackBerry phone or tablet, the ubiquitous mobile device has become a hugely attractive and vulnerable target for nefarious attackers. The use of mobile devices introduces a vast array of new risks to organizations, including:
- Distributed sensitive data storage and access mechanisms
- Lack of consistent patch management and firmware updates
- The high probability of device loss or theft, and more.
Mobile code and apps are also introducing new avenues for malware and data leakage, exposing critical enterprise secrets, intellectual property, and personally identifiable information assets to attackers. To further complicate matters, today there simply are not enough people with the security skills needed to manage mobile phone and tablet deployments.
From mobile device security policy development, to design and deployment, and more
This course was designed to help organizations struggling with mobile device security by equipping personnel with the skills needed to design, deploy, operate, and assess a well-managed secure mobile environment. From practical policy development to network architecture design and deployment, and mobile code analysis to penetration testing and ethical hacking, this course will help you build the critical skills necessary to support the secure deployment and use of mobile phones and tablets in your organization.
You will gain hands-on experience in designing a secure mobile phone network for local and remote users and learn how to make critical decisions to support devices effectively and securely. You will also be able to analyze and evaluate mobile software threats, and learn how attackers exploit mobile phone weaknesses so you can test the security of your own deployment. With these skills, you will be a valued mobile device security analyst, fully able to guide your organization through the challenges of securely deploying mobile devices.
|SEC575.1: Mobile Device Threats, Policies, and Security Models|
In order to have a secure mobile phone deployment, you need to establish policies that define the acceptable use the technology and recognize the limitations and threats of mobile phones, tables and the associated infrastructure systems.
The first part of the course looks at the significant threats affecting mobile phone deployments and how organizations are being attacked through these systems. As a critical component of a secure deployment, we'll guide you through the process of defining mobile phone policies with sample policy language and recommendations for various vertical industries, taking into consideration the legal obligations of enterprise organizations. We'll also look at the architecture and technology behind mobile phone infrastructure systems from BlackBerry, Apple, Android and Windows as well as the platform-specific security controls available including device encryption, remote data wipe, application sandboxing and more.
CPE/CMU Credits: 6
Mobile Problems and Opportunities
Mobile Devices and Infrastructure
Mobile Device Security Models
Legal Aspects of Mobile
Policy Considerations and Development
|SEC575.2: Mobile Device Architecture Security and Management|
With an understanding of the threats, architectural components and desired security methods, we can design and implement device and infrastructure systems to defend against threats. In this part of the course we'll examine the design and deployment of network and system infrastructure to support a mobile phone deployment including the selection and deployment of Mobile Device Management (MDM) systems.
CPE/CMU Credits: 6
Wireless Network Infrastructure
Mobile Device Management System Architecture
Mobile Device Management Selection
Mitigating Stolen Devices
Unlocking, Rooting, Jailbreaking Mobile Devices
|SEC575.3: Mobile Code and Application Analysis|
One of the critical decisions you will need to make in supporting a mobile device deployment is to approve or disapprove of unique application requests from end-users in a corporate device deployment. With some analysis skills, we can evaluate applications to determine the type of access and information disclosure threats they represent. In this process, we'll use jailbreaking and other techniques to evaluate the data stored on mobile phones.
CPE/CMU Credits: 6
Mobile Phone Data Storage and Filesystem Architecture
Filesystem Application Modeling
Network Activity Monitoring
Mobile Code and Application Analysis
Automated Application Analysis Systems
Approving or Disapproving Applications In Your Organization
|SEC575.4: Ethical Hacking Mobile Networks|
An essential component of developing a secure mobile phone deployment is to perform an ethical hacking assessment. Through ethical hacking or penetration testing, we examine the mobile devices and infrastructure from the perspective of an attacker, identifying and exploiting flaws that delivery unauthorized access to data or supporting networks. Through the identification of these flaws we can evaluate the mobile phone deployment risk to the organization with practical, useful risk metrics.
CPE/CMU Credits: 6
Fingerprinting mobile devices
Wireless Network Probe Mapping
Weak Wireless Attacks
Enterprise Wireless Security Attacks
|SEC575.5: Ethical Hacking Mobile Phones, Tablets, and Applications|
Continuing our look at ethical hacking or penetration testing, we turn our focus to exploiting weaknesses on individual mobile devices including iPhones, iPads, Android phones and tablets, Windows Phones and BlackBerry devices. We'll also examine platform-specific application weaknesses and look at the growing use of web framework attacks.
CPE/CMU Credits: 6
Network Manipulation Attacks
Mobile Application Attacks
Web Framework Attacks
Back-end Application Support Attacks
|SEC575.6: Secure Mobile Phone Capture the Flag|
On the last day of class we'll pull in all the concepts and technology we've covered in the week for a comprehensive Capture the Flag (CTF) event. In the CTF event, you'll have the option to participate in multiple roles, designing a secure infrastructure for the deployment of mobile phones, monitoring network activity to identify attacks against mobile devices, extracting sensitive data from a compromised iPad and attacking a variety of mobile phones and related network infrastructure components.
In the CTF you'll use the skills you've built to practically evaluate systems and defend against attackers, simulating the realistic environment you'll be prepared to protect when you get back to the office.
CPE/CMU Credits: 6
Throughout the course, students will participate in hands-on lab exercises. Students must bring their own laptops to class that meet the requirements described below.
Students must bring a Windows 7, Windows Vista, or Windows XP laptop to class, preferably running natively on the system hardware. It is possible to complete the lab exercises using a virtualized Windows installation; however, this will result in reduced performance when running device emulators within the virtualized Windows host. If you are a Windows XP user, make sure you also have the .NET 3.5 framework installed, which can be downloaded from http://www.microsoft.com/en-us/download/details.aspx?id=21 .
Administrative Windows Access
For several tools utilized in the course, students will be required to perform actions with administrative privileges. Students must have administrative access on their Windows host, including the ability to unload or disable security software such as anti-virus or firewall agents as necessary for the completion of lab exercises.
Students will use a virtualized MobiSec Linux VMware guest for several lab exercises. VMware Workstation or VMware Player is recommended. Note that there is no cost associated with the use of VMware Player, which can be downloaded from the VMware website.
While some students successfully use VMware Fusion for the exercises, the relative instability of VMware Fusion may introduce delays in exercise preparation, preventing the timely completion of lab exercises. VirtualBox and other virtualization tools are not supported at this time.
Several of the software components used in the course are hardware intensive, requiring more system resources than what might be required otherwise for day-to-day use of a system. Please ensure your laptop meets the following minimum hardware requirements:
During the course, you will install numerous tools, and make several system changes. Some students may wish to bring a clean system that is not their everyday production system, or a dedicated Windows virtual machine that meets the minimum requirements for a system, to avoid any changes that may interfere with other system software.
If you have additional questions about the laptop specifications, please contact firstname.lastname@example.org.
|Who Should Attend|
|You Will Be Able To|
Take your learning beyond the classroom. Explore our site network for additional resources related to this course's subject matter.