Mobile Device Security For Dummies


by Rich Campagna


  1. Navigate to Settings⇒Wi-Fi on the iOS device. Make sure Wi-Fi is On.

  If you don’t see any networks listed, that means you and your device aren’t close to any Wi-Fi networks. If there are Wi-Fi networks in your vicinity, those should be displayed on this page, as shown in Figure 8-1.

  Figure 8-1: Browsing Wi-Fi networks on an iPhone.

  2. Tap the network that you want to connect to.

  If the network is open or public, you don’t need to enter a password; you should be able to connect right after you tap the network.

  If the network is secure, you’re prompted to enter the password to connect.

  If you don’t see a padlock symbol displayed next to the network, that network is open or insecure. You can click the blue arrow at the end of each row to find more information about the network and the encryption technique used.

  3. If prompted, enter the password to connect to the network.

  In most cases, the preceding steps should connect you to the nearest Wi-Fi network. If, however, you’re trying to connect to a hidden network that isn’t displayed on the device, tap Other in Wi-Fi Networks Settings to manually enter the network’s information on the screen shown in Figure 8-2.

  Figure 8-2: Entering a hidden network using the Other option on an iPhone.

  You need decent signal strength to connect to a Wi-Fi network. If the network isn’t close by or the signal isn’t strong enough, you may not be able to connect to it.

  Many public networks require you to accept a legal agreement to use them. For example, if you connect to a Wi-Fi network in a hotel, more than likely a web page will be displayed with legal disclaimers, asking you to accept or decline the agreement. The disclaimer usually indicates that you choose to use the network at your own risk, and that the network owner isn’t liable for damages or losses that you may incur on their network. Unless you accept the agreement, the network will prevent you from browsing the Internet.

  Connecting to Wi-Fi with Android devices

  A number of devices on the market run the Android operating system, including the Motorola Droid, HTC Desire, and Droid Incredible.

  Here are the steps that your users need to follow to connect to a Wi-Fi network from devices running the Android operating system:

  1. On your Android device, tap the Settings icon.

  2. Tap Wireless & Networks under Settings.

  The Wireless & Network Settings screen appears, as shown in Figure 8-3.

  Figure 8-3: Browsing Wi-Fi networks on an Android device.

  3. Tap Wi-Fi Settings.

  Note that Wi-Fi needs to be turned on for the device to be able to detect Wi-Fi networks. If necessary, tap Wi-Fi to turn it on.

  When Wi-Fi is enabled, you should see a list of networks on this page. (If you don’t see any Wi-Fi networks, it simply means that you aren’t near any.)

  Networks that are open and insecure appear without a padlock icon. Beware of connecting to such networks. At the very least, start up a VPN tunnel to your corporate VPN gateway as soon as you connect to such an open network.

  4. Select a network to connect to.

  5. If necessary, enter the password to connect.

  Many public networks require you to accept a legal agreement to use their network. Be sure to glance through the disclaimer before you accept the policy offered to you.

  BlackBerry devices

  Users can easily configure their BlackBerry devices to connect to public and private Wi-Fi networks. Like Apple iOS and Google Android devices, BlackBerry devices can deliver the same data services over Wi-Fi as on the user’s cellular network and potentially faster download speeds. That means users can access their e-mail and browse the Internet just like on the cellular network.

  Some BlackBerry device models support UMA (Unlicensed Mobile Access), which is provided by some carriers around the world. UMA allows users to make phone calls over a Wi-Fi network, allowing their friends and contacts to reach them on the same mobile number anywhere around the world. As long as users are connected to a Wi-Fi network, their phone calls can be routed over it, without needing to rely on a carrier network.

  Here are the steps that your users need to follow to connect to a Wi-Fi network from devices running the BlackBerry operating system:

  1. Select the Manage Connections option on the main menu.

  2. Select the Set Up Wi-Fi Network option.

  3. Select the option to Scan for Networks.

  The device should automatically detect Wi-Fi networks in the vicinity. If not, you need to manually enter the network’s information.

  4. Select a network to connect to.

  5. Enter a password if the network requires one.

  If you connect to an open network, it won’t prompt for a password.

  Implementing Wi-Fi Policies

  In most cases, once a smartphone has been used to connect to a particular Wi-Fi network, it remembers the network for future use. This means that whenever that network is in the vicinity of the device in the future, the device will connect automatically.

  Private Wi-Fi networks, such as home networks, are best secured using WEP or WPA/WPA2 encryption. If your users are setting up a Wi-Fi network at home, they need to be sure to use these techniques to set up a suitably secured Wi-Fi environment.

  If you’re deploying a corporate Wi-Fi network for many users, you should be looking for an enterprise-grade Wi-Fi with WPA2-enterprise encryption. This form of encryption may require you to deploy other infrastructure servers, so be sure to investigate the options from your networking vendor.

  For corporate Wi-Fi networks, you often need to provision policies and settings indicating the networks available in a corporate building. These policies include the name of the network and the password used to secure the network.

  As an enterprise administrator managing policies for many users, you want to set policies that push out names and security keys of secure Wi-Fi networks that you want users to connect to, which may include your corporate Wi-Fi networks worldwide. When users bring their devices into the work environment, their devices will then detect and connect to the network, without needing the user’s intervention. This setup is ideal because it forces users to be on the corporate Wi-Fi network whenever available. When users move out of reach of the Wi-Fi network, their devices fall back to the carrier network.

  In the following list, we look at the choices available to deploy Wi-Fi policies to smartphones from an enterprise perspective:

  iPhone and iPad: An application called iPhone Configuration Utility, shown in Figure 8-4, enables you to configure policies to enforce on corporate users’ iOS devices. These policies include Wi-Fi configuration as well. When you create a policy, the iPhone Configuration Utility produces a profile that can be sent out to all users at once. Users need to install the profile from their iOS devices to activate the policies and settings you’ve set up.

  Figure 8-4: The iPhone Configuration Utility allows configuration of Wi-Fi policies for iPhones and iPads.

  Mobile Device Management (MDM) vendors offer the feature of deploying such policies to Apple iOS devices centrally. You can utilize an MDM solution to define Wi-Fi policies, passcode settings, and many other policies, and deploy them centrally to all iOS devices with one click. We discuss these solutions in more detail in Chapter 15.

  BlackBerry: The BlackBerry Enterprise Server manages the configuration and deployment of Wi-Fi policies across all BlackBerry devices used in an enterprise.

  The BlackBerry Enterprise Server supports a variety of policies, including device encryption, passcode compliance, and browsing preferences. You can centrally administer these policies and deploy them to all BlackBerry devices at once.

  Android and Windows Phone 7 smartphones: Google and Microsoft provide no solutions to manage corporate Wi-Fi policies. If you need to configure policies for all types of mobile devices, including iPhones, iPads, and Android devices, look for Mobile Device Management (MDM) solutions, which are available from vendors such as Juniper, Good Technology, and MobileIron. For a detailed review of MDM solutions, be sure to read Chapter 15.
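
  The profile that the iPhone Configuration Utility produces is a property-list file, so it can be reviewed before it is sent to users. The following is an added example, not code from the book or from Apple: a Python audit of a profile's Wi-Fi payloads against the guidance above (no open networks, WPA2-Enterprise for corporate SSIDs). The sample profile, the SSIDs Example-Corp and Example-Guest, and the function name audit_wifi_payloads are constructed for illustration; the payload keys follow Apple's Wi-Fi configuration-profile format, and the defaults applied to missing keys are assumptions.

```python
import plistlib

# Constructed sample profile (not from the book): one 802.1X SSID, one open SSID.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>SSID_STR</key><string>Example-Corp</string>
      <key>EncryptionType</key><string>WPA2</string>
      <key>AutoJoin</key><true/>
      <key>EAPClientConfiguration</key><dict>
        <key>AcceptEAPTypes</key><array><integer>25</integer></array>
      </dict>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>SSID_STR</key><string>Example-Guest</string>
      <key>EncryptionType</key><string>None</string>
      <key>AutoJoin</key><true/>
    </dict>
  </array>
</dict></plist>"""

# Encryption settings that should not appear in a corporate Wi-Fi payload.
WEAK = {"None": "open network, no encryption",
        "WEP": "WEP is deprecated and easily cracked",
        "Any": "encryption type not pinned"}

def audit_wifi_payloads(profile_bytes):
    """Return (ssid, finding) tuples for weak Wi-Fi payloads in a profile."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue  # not a Wi-Fi payload
        ssid = payload.get("SSID_STR", "<no SSID>")
        enc = payload.get("EncryptionType", "Any")   # assumed default
        auto_join = payload.get("AutoJoin", True)    # assumed default
        if enc in WEAK:
            findings.append((ssid, WEAK[enc]))
            if auto_join:
                findings.append((ssid, "auto-join enabled without strong encryption"))
        elif "EAPClientConfiguration" not in payload:
            # WPA/WPA2 with a shared passphrase rather than per-user 802.1X
            findings.append((ssid, "shared passphrase, not WPA2-Enterprise"))
    return findings

if __name__ == "__main__":
    for ssid, finding in audit_wifi_payloads(SAMPLE_PROFILE):
        print(f"{ssid}: {finding}")
```
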

  Part IV

  Securing Each Smart Device

  In this part . . .

  It’s time to roll out the policies, programs, and technologies to encrypt, protect, and back up the devices in your network. We walk down the thorny road together until you’re comfortable being in charge of access and control.

  Chapter 9 gives an overview of everything you can do. Chapter 10 tells you about device-based solutions, and Chapters 11, 12, and 13 suggest solutions you can implement both on the device (hard), in the brain of the device user (harder), or system-wide using the network tools in your arsenal (easy). AcmeGizmo is doing it, and doing it right, so catch the case study in the chapters.

  You’re just a few chapters away from reclaiming your network’s integrity.

  Chapter 9

  Device Security Component Overview

  In This Chapter

  Identifying the various components of device security

  Protecting devices with on-device Anti-X protection

  Knowing in advance your backup and restore capabilities

  Incorporating loss or theft protection

  Controlling user behaviors (yeah, right)

  Managing devices in the enterprise

  This chapter introduces the various on-device security components that provide a fairly robust security envelope when used smartly. You (and your users) need to understand these various components to be well equipped to harness the capabilities of these features, making your collective lives easier and more manageable.

  Knowing Smartphone Security Components

  Each of this chapter’s smartphone security components brings with it a unique and distinct capability that, when used wisely, provides you with ammunition to counter the various nefarious forces that are battling to gain access and compromise these devices.

  We call your attention to six discrete areas: device-based Anti-X protection, backup and restore capabilities, loss or theft protection, application control and monitoring, enforceable encryption, and enterprise management.

  These six components are different enough in the type of protection that they provide that it’s not just a question of whether to use one or the other, but how to use them all. This chapter helps you understand specifically what type of protection these components provide so you can turn and twist their dials and create something that makes sense to your organization. Not to mention what to implement first.

  Note that this book uses the phrase implement first, which literally means that you need to prioritize the rollout of these components. Make no mistake, you need to eventually arrive at a complete security strategy when all are part of your security arsenal, but let’s be real. You need a horse in front of the cart to get things rolling.

  Consider these six components of device security (shown in Figure 9-1):

  Figure 9-1: Smartphone security components.

  On-device Anti-X protection: The security software actually running on the smartphone device itself

  Backup and restore capabilities: The ability to back up the information resident on the smartphone, including applications and data and their configurations

  Loss or theft protection: The remediation and recovery capabilities in the event of loss or theft of the smartphone itself

  Application control and monitoring: The enforcement of corporate policy as it relates to the usage of applications by users of smartphones

  Enforceable encryption: The ability to compel obfuscation of data — both resident on the smartphone as well as in-transit to the enterprise

  Enterprise management: The overall provisioning, troubleshooting, upgrade and monitoring of these smartphones

  Understanding On-Device Anti-X Protection

  When you are responsible for the device in the enterprise, this includes all of the associated applications, data, and the security posture of the smartphone or device. One of the key security components that is relevant to the security on the physical smartphone device is the “Anti-X” protection on the device. Anti-X refers to the family of security components that includes antispyware, antivirus, antiphishing, and antispam, as shown in Figure 9-2, and as the name suggests, can be extended to other threats that may arise in the future. So what exactly are these various subcomponents? Let’s delve into each one. You’re probably familiar with what they are in terms of laptops and desktop computers, but mobility changes everything, including the equation that X equals security risk.

  Figure 9-2: Smartphone security components.

  Antispyware

  In the term antispyware, the anti- refers to the essential component of the protection afforded against malicious spyware that installs itself on mobile devices. As a mobile device is always on the go — and with the plethora of interfaces supported by these smartphones — the likelihood that the smartphone is connected to one or more wireless networks most of the time is very high. This constant nomadic behavior and propensity to tethering means that the exposure level to unknown networks is very high, and therefore the likelihood of intrusions that can happen on these devices is far greater than a fixed desktop.

  There are some unique dimensions to mobile spyware that make it different from the traditional desktop spyware that you might be used to. For instance, there have been cases of spyware that manipulate SMS messages and expose them so that they can be read by others in the near vicinity, as shown in Figure 9-3.

  Figure 9-3: Mobile spyware in operation.

  In the figure, an unsuspecting user is tricked into reading an SMS message that has spyware associated with it. This could be as simple as a URL in the SMS that the user clicks, which lands him on a malware-infested website. In this instance, the spyware scrolls through the contact list on the mobile device and starts spamming the contacts using every means possible — SMS, e-mail, IM, and so on.

  So any antispyware solution for mobile devices — in addition to protecting against traditional spyware, such as keyloggers, data leakage, botnet membership (membership in a group of infected devices that have been taken over surreptitiously by hackers), and so on — needs to provide specific protection against mobile threats to mobile applications (such as SMS-based spyware), contacts database protection, location information spoofing (masquerading the device location to be any place of choice), and the like. If you think that’s still science fiction, think again. Do a Google search of the word spy phone, and the top hits you’ll get undoubtedly include ads for spyphone software intending to turn innocent devices into recording devices that send the records of all activities to a designated place. Yikes.

  The market is there for the asking, and that means that hackers will be coming after your users’ devices in a big way, if not now, at some point in the near future. The simple solution: Be prepared to address the future with smart devices that have an antispyware solution.

  Antivirus

  Antivirus is a technology that has been available for decades, and many of your users would never consider operating a computer without some antivirus solution running on it. They get it when it comes to their desktop computers. However, a majority of mobile devices — which are all derivatives of computers in one way or another — go around without any sort of antivirus protection on them whatsoever! What is even more surprising is that despite this fact, your users (and you) increasingly rely more heavily on and become more personally attached to the smartphone. It’s like wearing a sweater at home on a cold day, but ignoring your coat when you go outside.

  You need to take a stand and ensure that you’re providing adequate mobile antivirus coverage to your users on their mobile (and desktop) devices. The breadth of antivirus solutions is ever-increasing. Just as with traditional antivirus solutions, you should be looking for upfront costs; per-seat license renewals; automatic signature updates; and more uniquely mobile features, such as battery life recognition, memory requirements, and broadest mobile operating system coverage.

  One tried-and-true antivirus solution comes from the traditional client-server model. In this scenario, an antivirus agent is downloaded to the device, but a bulk of the intensive processing that antivirus demands is actually performed on the server (either locally hosted by you or by a hosted cloud service). The client collects information about the mobile device and delivers a certificate of authority. In this model, shown in Figure 9-4, there may also be a clone (or virtual smartphone, as shown in the figure) of the actual enterprise phone maintained by you in the enterprise (maybe in the form of a virtual machine), and the agent informs you of any changes to the end device, such as new applications installed, SMSs received, and so on, and then syncs with the virtual phone in the enterprise.

  Figure 9-4: Virtual device antivirus solution.

  This is not real-time protection of the device, but it’s reasonably close and has the advantages of not causing performance or battery drain issues. In addition, because the antivirus solution is hosted on a server, there’s a lot more horsepower than is available for antivirus checking on the device.

  Antiphishing

  Phishing attacks on mobile devices are likely to be far greater than they are on your standard laptops and desktops. The reasons for that, as follows, are fascinating to consider.

  Unsecured wireless networks: Users are more likely to connect to unsecured wireless networks because of their nomadic nature and the ubiquity of wireless connectivity. This affords a very rich target for phishing-based attacks using a variety of attack vectors, such as browser-based, spurious proxies (rogue intermediaries that purportedly provide a legitimate function like a web proxy, but in fact are designed to steal information), SMS, and the like.

 
