I welcome back to the course. So in the last video, we talked about IOS architecture. Er I wish Joe breaking and then also some IOS malware.
In this video, we're gonna go over Indiana Mobile Device Management
B Y o d. Or bring your own device. And then also, we're gonna briefly talk about the Iowa's pen testing framework. So basically a framework that you can use for a pen penetration test for IOS.
So let's go ahead and get started. So MGM against Dance for Mobile device management some of the features of it, and it's mostly used by corporations that kind of managed mobile devices. Now they started out with, like, phones, but a lot of companies were going towards like laptops as well, and then also other hand held devices like your iPad and stuff like that.
So some of the future is it offers data segregation so we could segregate that corporate data from, like your personal data, email, security, securing corporate documents. We can also enforce policies. So if your company doesn't want you to go looking at like YouTube videos, for example, we could send certain things on there to prevent you from going to certain websites.
We can also set it on. You know, is the data gonna be stored on premise on the actual device? Or it's gonna be a cloud based George.
And then, as I mentioned it incorporates nowadays that incorporates mobile laptops and hand held on another advantage of it. It helps reduce support costs and also reduces the business risk
because we're able to control, like configuration settings and everything like that on these devices.
So different times of MDM solutions out there on these air. Once that I actually grabbed off comparison Well, we'll take a look at that screen shot in a second year but managed engines Mobile Device Manager plus V M, where the air watch sodium Zen Mobile, IBM, the mosque 360 which incorporates a Watson, Microsoft in Tune,
Apotex 360 Enterprise Mobile Device Manager and Bear Mundi
So here's a good little kind of comparison done by PC mag on these different ones, so you'll see a lot of the features out there. You know how it supports these different platforms. We can also do it for when Windows phone android IOS, many of them support blackberry, some of them don't
and, Ah, A lot of companies are moving away from Black Bear. I think there's a few
companies that I know about. They're still using some of those, But most people are going to just IOS devices
So many may manage. Engine Excuse me, mobile device manager. Plus, this guy's just what the website looks like. They're
same with VM, where Air watch You could go grab it here. If you want to play around with it
and you'll see here, they offer a 30 day trial for you.
So T mobile control. You can check that out as well. Now, I will say, And there's a free trial and I won't say with any type of tool, especially if you're like a student someplace. Or if you're trying to learn certain concepts, just reach out to the vendor and see if you can get some kind of free things like, Well, I'm not going to school at the university right now, but I'm self teaching myself.
I'm willing to sign, you know, non disclosure to say, and I'm not going to share,
you know, whatever I find with these particular people or whatever in most places offer sometime kind of free trial, and they also offer, like, educational videos for you that you can learn the tools. So if there's any of these that interest you throughout this entire course, if they're not free, there's usually a free trial. Or you could just reach out to the vendor and just ask him like, Hey, can I try it out for a little bit?
Citrix and Mobile You know, in a lot of organizations, you Citrix in some capacity and not necessarily that mobile, but they use, like Zen nap and stuff like that.
IBM Austria's as I mentioned it comes with Watson. Uh uh, eh, I stuff.
And so Microsoft into
and then app Tech 360 Enterprise Mobility Management.
You'll see here just a lot of different options out there. Bare mundi management suite. Now, uh, this ah kind of ninja kick slide thing going on with this guy here. If you get this software, just make sure you tell anyone working in your knock center that this is what they have to do is showing this picture and say, you have to do this if you want this software.
So that's just a little joke.
All right, B Y o B d s o Bring your own device, you know, And you might have heard of B Y o b bring your own beer type of stuff. We're not covering that in this course, but bring your own device. You should hear about this. The term is used and sometimes over used in industry. But basically what it means is that
the users so like all the employees, they can bring their own device, right, hence the name.
So I bring in my phone and I can use that for business purposes along with, you know, doing my personal stuff in my phone where I can have a tab later or what not and I'm using it for both. Essentially
one advantage of that has produced I t cost for the organization, right? So I don't have to buy everybody a mobile phone now. Now I can just have them users and install our app or something like that.
It helps increase productivity just cause people are used to their own device, so they know how to navigate in stuff like that. It also reduces operating costs. It improves the mobility of employees, and then it's another you know, just one of those appeal things again. Most companies were doing this nowadays, so it's not Doesn't have that appeal
of like, hey, come on board with us because we offer B y o d B y o d
stuff. But it still has some appeal to it of like, Okay, you can use your own stuff and use it on our network.
So some of the security guidelines you just want to think about, you know, like who's gonna actually pay for these devices on the data coverage in most cases that come into the employees, depending on the company or working at what kind of regulations are in place. So if we're letting our employees used this device, are we having to follow something like hip? Right, So
we have to protect patient data. So we need to put things in place to say, Well, you can't access any patient data
on your personal device, right? We want to make sure of that because otherwise, if we don't do anything like that and the employees down, those patient data, you know, protected information on their device, and then they get caught that's coming back on us. to write because we didn't set that standard out there.
We can also measure, you know, how are we gonna measure the devices for security? So are we gonna require certain configuration settings on the devices for the employees to do if they want to use it on our network?
And then where's the data stored? Are we gonna make sure that that they deceive the store Local here in the cloud Do we want to store it locally? Because it's not our actual device that we own as the company
Do we need some kind of agreement in place In most places, have an agreement with employees of the B A B Y O d. Policy.
What are the safeguards against a device being compromised? You know, how are we controlling the user actions of
Don't go to these websites. You don't click this link
and then support, like, who's supporting this stuff? You know what happens when the device breaks for the user are weak candling some of that or they just strictly going to their men in the manufacturer. You know, where the service provider to get support on that and then privacy issues again, you know, are we
potentially harvesting data from their phone? That's her private data, you know? So all these things were things that you need to think about and many more as well about when you're when you're gonna implement a B y o d. Policy in your organization.
So some different tips for securing devices and also helping us as an organization reducing to bring your own device risk.
So, of course, password protecting act s and access control. So you know that the key code to get into your phone, protecting all of your other items with the password, controlling the white list network and activities. So basically telling people like, Hey, when you're not using it, turn your blue to ah, your Bluetooth off, Turn off your wireless You know, just sit there at your desk,
but then, when you want to use it, just turn that stuff that gone. It helps reduce the attack service
controlling the application access so controlling what the applications can actually access. Keeping yourself were up to date. You'll see that's a common theme again in security.
Back up your device data.
Remote wiping service is so again, you know if my phone stolen, I can just log on online real quick and wipe the phone. That way, the attacker can't get any of my actual information location tracking. So if it is stolen, I can track it down. Make sure that no personal financial information is being used on these devices.
Make sure employees aren't gonna download free APS Or at least if they're free app store reputable
make sure they use mobile, anti virus or anti male. We're scanning, and then also, we're gonna make sure that everyone's using the mobile device management.
So this year is just kind of a generalized framework from a lost on Iowa's pen testing. So we start out with, like, Okay, we need to do an IOS assessment. Then we're gonna do all our mapping, right? So basically our scanning and reconnaissance type of stuff, and then we're gonna do some enumeration and then we're gonna figure out the vulnerabilities here,
and then eventually we're gonna be exploiting those right so likely through a method swizzle
or something like that.
So just a couple of post assessment questions. I just want to make sure you understand a couple of these items here. So which one of these is not a way to jailbreak IOS on this screen?
All right, so if you guessed, answer be rescue route, you are correct. And that's actually away on the exam. If you happen to see something like that asked about android job breaking If you see anything with root in the name, that's probably more than likely gonna be the answer.
So our second question here, all the following are on the old lost top 10 mobile risk Except which one?
All right, so if you guess the answer, do you are correct? Correct there. And we hope that your network operations center is actually secure. But the ones that are part of that list are insecure data storage and secure communication, and then also client code quality.
So in this video, we wrapped up our discussion on mobile hacking with our IOS module.
In the next module, much of 14 we're gonna talk about intrusion detection and prevention systems, firewalls and then also honey pots