MODULE 4

Nsc

Uploaded by

mreccsa

Transport Layer Security (TLS)


Transport Layer Security (TLS) is designed to provide security at the
transport layer. TLS was derived from a security protocol called Secure
Socket Layer (SSL). TLS ensures that no third party may eavesdrop on or
tamper with any message.
There are several benefits of TLS:

• Encryption:
TLS/SSL can help to secure transmitted data using encryption.
• Interoperability:
TLS/SSL works with most web browsers, including Microsoft Internet
Explorer, and on most operating systems and web servers.
• Algorithm flexibility:
TLS/SSL provides operations for the authentication mechanism,
encryption algorithms and hashing algorithm that are used during
the secure session.
• Ease of Deployment:
Many applications TLS/SSL temporarily on a Windows Server 2003
operating systems.
• Ease of Use:
Because we implement TLS/SSL beneath the application layer, most
of its operations are completely invisible to the client.

Working of TLS:
The client connects to the server (using TCP); the client will be something.
The client sends a number of specifications:
1. Version of SSL/TLS.
2. Which cipher suites and compression method it wants to use.

The server checks what the highest SSL/TLS version is that is
supported by them both, picks a cipher suite from one of the client's
options (if it supports one) and optionally picks a compression method.
After this the basic setup is done, and the server provides its certificate.
This certificate must be trusted either by the client itself or by a party that
the client trusts. Having verified the certificate and being certain this
server really is who it claims to be (and not a man in the middle), a
key is exchanged. This can be a public key, a “PreMasterSecret” or
simply nothing, depending upon the cipher suite.
Both the server and client can now compute the key for symmetric
encryption. The handshake is finished and the two hosts can
communicate securely. If the connection is closed by finishing the TCP
connection, both sides will know the connection was improperly
terminated. The connection cannot be compromised by this, though,
merely interrupted.
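
The server-side selection step described above, as an added example (not part of the original notes): a simplified model in which the server picks the highest shared version at or above a minimum, then the first cipher suite in its own preference list that the client offered. The class and function names, the version floor and the sample hellos are assumptions made for illustration; real TLS ties cipher suites to protocol versions, which this model does not.

```python
"""Added example: simplified model of the server's side of TLS negotiation."""
from dataclasses import dataclass

# Protocol versions from oldest to newest; list position is used to compare them.
VERSION_ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


class HandshakeFailure(Exception):
    """Raised at the point where a real server would send a fatal alert."""


@dataclass
class ClientHello:
    versions: list        # protocol versions the client is willing to use
    cipher_suites: list   # cipher suites, in the client's order of preference
    compression: list     # compression methods offered


@dataclass
class ServerHello:
    version: str
    cipher_suite: str
    compression: str


def negotiate(hello, server_versions, server_suites, min_version="TLSv1.2"):
    """Choose connection parameters as the text describes, with a version floor."""
    floor = VERSION_ORDER.index(min_version)
    shared = [
        v for v in hello.versions
        if v in VERSION_ORDER and v in server_versions
        and VERSION_ORDER.index(v) >= floor
    ]
    if not shared:
        raise HandshakeFailure(
            "protocol_version: nothing in common at or above " + min_version)
    version = max(shared, key=VERSION_ORDER.index)

    # Walk the server's preference list and take the first suite the client offered.
    suite = next((s for s in server_suites if s in hello.cipher_suites), None)
    if suite is None:
        raise HandshakeFailure("handshake_failure: no cipher suite in common")

    # Compression is optional; this model only ever selects "null" (none).
    if "null" not in hello.compression:
        raise HandshakeFailure("handshake_failure: null compression not offered")
    return ServerHello(version, suite, "null")


# Constructed sample data (not captured traffic).
SERVER_VERSIONS = ["TLSv1.2", "TLSv1.3"]
SERVER_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
MODERN_CLIENT = ClientHello(
    versions=["TLSv1.0", "TLSv1.1", "TLSv1.2"],
    cipher_suites=["TLS_RSA_WITH_AES_128_CBC_SHA",
                   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
    compression=["null"],
)
LEGACY_CLIENT = ClientHello(
    versions=["SSLv3", "TLSv1.0"],
    cipher_suites=["TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
    compression=["null"],
)

if __name__ == "__main__":
    print(negotiate(MODERN_CLIENT, SERVER_VERSIONS, SERVER_SUITES))
    try:
        negotiate(LEGACY_CLIENT, SERVER_VERSIONS, SERVER_SUITES)
    except HandshakeFailure as exc:
        print("rejected:", exc)
```

The version floor is what keeps a client that only speaks SSL 3.0 or TLS 1.0 from pulling the connection down to a deprecated protocol.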

Websites are always prone to security risks. Cyber crime impacts your business by hacking
your website. Your website is then used for hacking assaults that install malicious software or
malware on your visitors' computers.
Hackers may also steal important customer data such as credit card information, destroy your
business and propagate illegal content to your users.

Web Security Considerations


Updated Software
It is mandatory to keep your software updated. It plays a vital role in keeping your website secure.
SQL Injection
It is an attempt by hackers to manipulate your database. It is easy to insert rogue code into
your query that can be used to manipulate your database, such as to change tables, get information
or delete data.
Cross Site Scripting (XSS)
It allows attackers to inject client-side script into web pages. Therefore, while creating a form,
it is good to ensure that you check the data being submitted and encode or strip out any HTML.
Error Messages
You need to be careful about how much information is given in error messages. For
example, if the user fails to log in, the error message should not let the user know which field is
incorrect: username or password.
Validation of Data
The validation should be performed on both server side and client side.
Passwords
It is good to enforce password requirements such as a minimum of eight characters, including
upper case, lower case and special characters. It will help to protect users' information in the long
run.
Upload files
The file uploaded by the user may contain a script that, when executed on the server, opens up
your website.
SSL
It is good practice to use the SSL protocol while passing personal information between website and
web server or database.

Top Web Security Threats:

Web security threats are constantly emerging and evolving, but many threats
consistently appear at the top of the list of web security threats. These include:
• Cross-site scripting (XSS)
• SQL Injection
• Phishing
• Ransomware
• Code Injection
• Viruses and worms
• Spyware
• Denial of Service

SSL (Secure Socket Layer) and TLS (Transport Layer Security)


SSL stands for Secure Socket Layer while TLS stands for Transport Layer Security. Both
Secure Socket Layer and Transport Layer Security are protocols used to provide security
between web browsers and web servers. The main difference between Secure Socket Layer and
Transport Layer Security is that in SSL (Secure Socket Layer) the Message digest is used to
create a master secret, and it provides the basic security services, which
are Authentication and confidentiality, while in TLS (Transport Layer Security) a Pseudo-
random function is used to create a master secret.
There are some differences between SSL and TLS which are given below:

SSL | TLS
SSL stands for Secure Socket Layer. | TLS stands for Transport Layer Security.
SSL (Secure Socket Layer) supports the Fortezza algorithm. | TLS (Transport Layer Security) does not support the Fortezza algorithm.
SSL (Secure Socket Layer) is the 3.0 version. | TLS (Transport Layer Security) is the 1.0 version.
In SSL (Secure Socket Layer), the Message digest is used to create a master secret. | In TLS (Transport Layer Security), a Pseudo-random function is used to create a master secret.
In SSL (Secure Socket Layer), the Message Authentication Code protocol is used. | In TLS (Transport Layer Security), Hashed Message Authentication Code protocol is used.
SSL (Secure Socket Layer) is more complex than TLS (Transport Layer Security). | TLS (Transport Layer Security) is simple.
SSL (Secure Socket Layer) is less secured as compared to TLS (Transport Layer Security). | TLS (Transport Layer Security) provides high security.
SSL is less reliable and slower. | TLS is highly reliable and upgraded. It provides less latency.
SSL has been deprecated. | TLS is still widely used.
SSL uses port to set up explicit connection. | TLS uses protocol to set up implicit connection.

SSH Meaning SSH Protocol Definition


SSH stands for Secure Shell or Secure Socket Shell. It is a cryptographic network protocol that
allows two computers to communicate and share data over an insecure network such as the
internet. It is used to log in to a remote server to execute commands and to transfer data from one
machine to another.

The SSH protocol was developed by SSH Communications Security Ltd to safely communicate
with the remote machine.
Secure communication provides strong password authentication and encrypted communication
with a public key over an insecure channel. It is used to replace unprotected remote login
protocols such as Telnet, rlogin, rsh, etc., and the insecure file transfer protocol FTP.

Its security features are widely used by network administrators for managing systems and
applications remotely.

The SSH protocol protects the network from various attacks such as DNS spoofing, IP source
routing, and IP spoofing.

As a simple example, suppose you want to transfer a package to one of
your friends. Without the SSH protocol, it can be opened and read by anyone. But if you send it
using the SSH protocol, it will be encrypted and secured with the public keys, and only the receiver
can open it.

Before SSH:

After SSH:

Usages of SSH protocol

The popular usages of SSH protocol are given below:

o It provides secure access to users and automated processes.
o It is an easy and secure way to transfer files from one system to another over an insecure
network.
o It also issues remote commands to the users.
o It helps the users to manage the network infrastructure and other critical system
components.
o It is used to log in to a shell on a remote system (Host), which replaces Telnet and
rlogin, and is used to execute a single command on the host, which replaces rsh.
o It combines with the rsync utility to back up, copy, and mirror files with complete security
and efficiency.
o It can be used for forwarding a port.
o By using SSH, we can set up the automatic login to a remote server such as OpenSSH.
o We can securely browse the web through the encrypted proxy connection with the SSH
client, supporting the SOCKS protocol.

How does SSH work?

The SSH protocol works in a client-server model, which means it connects a secure shell client
application (End where the session is displayed) with the SSH server (End where session
executes).

As discussed above, it was initially developed to replace insecure login protocols such as Telnet,
rlogin, and hence it performs the same function.

Wireless security revolves around the concept of securing the wireless network from malicious
attempts and unauthorized access.

The wireless security can be delivered through different ways such as:

1. Hardware-based: where routers and switches are fabricated with encryption measures
that protect all wireless communication. So, in this case, even if the data gets compromised
by the cybercriminal, they will not be able to decrypt the data or view the traffic's
content.
2. Wireless setup of IDS and IPS: helps in detecting, alerting, and preventing wireless
networks and sends an alarm to the network administrator in case of any security breach.
3. Wireless security algorithms: such as WEP, WPA, WPA2, and WPA3. These are
discussed in the subsequent paragraphs.

Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP) is the oldest security algorithm, dating from 1999. It uses the
initialization vector (IV) method. The first versions of the WEP algorithm were not
particularly strong, even when they were released. The reason for this weak release
was the U.S. limits on exporting different cryptographic technologies, which led the
manufacturing companies to restrict their devices to 64-bit encryption only. As the limitation was
withdrawn, the 128 bit and 256 bit WEP encryption were developed and came into the wireless
security market, though 128 became standard.

Wi-Fi Protected Access (WPA)

Wi-Fi Protected Access (WPA) was the Wi-Fi Alliance's next project, which replaced the WEP
standard because of its increasingly noticeable vulnerabilities. WPA was officially adopted in the year 2003,
one year before the retirement of WEP. WPA's most common configuration is WPA-PSK,
where PSK stands for Pre-Shared Key. WPA uses 256-bit keys, which was a considerable
enhancement above the 64-bit as well as 128-bit keys.

Wi-Fi Protected Access II (WPA2)

Wi-Fi Protected Access II (WPA2) became official in the year 2006 after WPA got outdated. It
uses the AES algorithms as a necessary encryption component as well as uses CCMP (Counter
Cipher Mode - Block Chaining Message Authentication Protocol) by replacing TKIP.

Wi-Fi Protected Access 3 (WPA3)

Wi-Fi Protected Access 3 (WPA3) is the latest and the third iteration of this family developed
under the Wi-Fi Alliance. It has personal and enterprise security-support features and uses 384-bit
Hashed Message Authentication Mode, 256-bit Galois / Counter Mode Protocol (GCMP-256)
as well as Broadcast/Multicast Integrity Protocol of 256-bit. WPA3 also provides perfect forward
secrecy mechanism support.

Secure Socket Layer (SSL)


Secure Socket Layer (SSL) provides security to the data that is
transferred between web browser and server. SSL encrypts the link
between a web server and a browser which ensures that all data
passed between them remain private and free from attack.
Secure Socket Layer Protocols:
• SSL record protocol
• Handshake protocol
• Change-cipher spec protocol
• Alert protocol

SSL Protocol Stack:


SSL Record Protocol:
SSL Record provides two services to SSL connection.
• Confidentiality
• Message Integrity
In the SSL Record Protocol, application data is divided into fragments.
Each fragment is compressed, and then a MAC (Message
Authentication Code) generated by algorithms like SHA (Secure Hash
Protocol) and MD5 (Message Digest) is appended. After that, encryption
of the data is done, and lastly the SSL header is added to the data.
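
The record-processing steps described above (fragment, compress, append MAC, encrypt, add header), as an added example that is not part of the original notes. HMAC-SHA-256 and a SHA-256 keystream stand in for the negotiated MAC and cipher; those two choices, the demo keys and the function names are assumptions made for illustration, not the SSL 3.0 algorithms themselves.

```python
"""Added example: the SSL record pipeline with stand-in MAC and cipher."""
import hashlib
import hmac
import struct
import zlib

MAX_FRAGMENT = 2 ** 14     # a record carries at most 16384 bytes of application data
APPLICATION_DATA = 23      # record content type for application data
VERSION = (3, 0)           # SSL 3.0 on the wire: major 3, minor 0
MAC_LEN = hashlib.sha256().digest_size

# Constructed demo keys; in SSL these come out of the handshake.
DEMO_ENC_KEY = b"E" * 32
DEMO_MAC_KEY = b"M" * 32


def _keystream_xor(key, seq, data):
    """Stand-in cipher (assumption): XOR with a SHA-256 keystream per record."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + struct.pack(">QI", seq, block)).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _mac(mac_key, seq, ctype, payload):
    """MAC over sequence number, content type, length and compressed fragment."""
    msg = struct.pack(">QBH", seq, ctype, len(payload)) + payload
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


def protect(data, enc_key, mac_key, ctype=APPLICATION_DATA):
    """Turn application data into a list of protected records."""
    records = []
    for seq, start in enumerate(range(0, len(data), MAX_FRAGMENT)):
        fragment = data[start:start + MAX_FRAGMENT]             # 1. fragment
        compressed = zlib.compress(fragment)                    # 2. compress
        mac = _mac(mac_key, seq, ctype, compressed)             # 3. compute MAC
        body = _keystream_xor(enc_key, seq, compressed + mac)   # 4. encrypt
        header = struct.pack(">BBBH", ctype, *VERSION, len(body))  # 5. header
        records.append(header + body)
    return records


def unprotect(records, enc_key, mac_key):
    """Reverse the pipeline; reject any record whose header or MAC is wrong."""
    out = b""
    for seq, record in enumerate(records):
        if len(record) < 5:
            raise ValueError("record shorter than its header")
        ctype, major, minor, length = struct.unpack(">BBBH", record[:5])
        body = record[5:]
        if (major, minor) != VERSION or length != len(body):
            raise ValueError("malformed record header")
        plain = _keystream_xor(enc_key, seq, body)
        if len(plain) < MAC_LEN:
            raise ValueError("record too short to hold a MAC")
        compressed, mac = plain[:-MAC_LEN], plain[-MAC_LEN:]
        # Verify integrity before decompressing anything.
        if not hmac.compare_digest(mac, _mac(mac_key, seq, ctype, compressed)):
            raise ValueError("bad_record_mac")
        out += zlib.decompress(compressed)
    return out


if __name__ == "__main__":
    recs = protect(b"A" * 40000, DEMO_ENC_KEY, DEMO_MAC_KEY)
    print(len(recs), "records;",
          unprotect(recs, DEMO_ENC_KEY, DEMO_MAC_KEY) == b"A" * 40000)
```

Because the sequence number feeds both the MAC and the keystream, a record that is altered or delivered out of order fails the MAC check instead of being accepted.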

Handshake Protocol:
The Handshake Protocol is used to establish sessions. This protocol allows
the client and server to authenticate each other by sending a series of
messages to each other. The Handshake Protocol uses four phases to
complete its cycle.
• Phase-1: In Phase-1 both Client and Server send hello-packets to
each other. In this IP session, cipher suite and protocol version are
exchanged for security purposes.
• Phase-2: The Server sends its certificate and Server-key-exchange. The
server ends Phase-2 by sending the Server-hello-end packet.
• Phase-3: In this phase, the Client replies to the server by sending its
certificate and Client-exchange-key.
• Phase-4: In Phase-4 Change-cipher suite occurs, and after this the
Handshake Protocol ends.

SSL Handshake Protocol Phases diagrammatic representation

HTTPS

Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed,
collaborative, hypermedia information systems. It has been the foundation for data communication
for the World Wide Web (i.e. internet) since 1990. HTTP is a generic and stateless protocol
which can be used for other purposes as well, using extensions of its request methods, error
codes, and headers.
Basically, HTTP is a TCP/IP based communication protocol, that is used to deliver data (HTML
files, image files, query results, etc.) on the World Wide Web. The default port is TCP 80, but
other ports can be used as well. It provides a standardized way for computers to communicate
with each other. HTTP specification specifies how clients' request data will be constructed and
sent to the server, and how the servers respond to these requests.

Basic Features

There are three basic features that make HTTP a simple but powerful protocol:
• HTTP is connectionless: The HTTP client, i.e., a browser, initiates an HTTP request, and
after a request is made, the client waits for the response. The server processes the request
and sends a response back, after which the client disconnects the connection. So client and
server know about each other during the current request and response only. Further requests
are made on a new connection, as if client and server were new to each other.
• HTTP is media independent: It means any type of data can be sent by HTTP as long as
both the client and the server know how to handle the data content. It is required for the
client as well as the server to specify the content type using the appropriate MIME-type.
• HTTP is stateless: As mentioned above, HTTP is connectionless, and this is a direct result
of HTTP being a stateless protocol. The server and client are aware of each other only
during a current request. Afterwards, both of them forget about each other. Due to this
nature of the protocol, neither the client nor the browser can retain information between
different requests across the web pages.
HTTP/1.0 uses a new connection for each request/response exchange, whereas an HTTP/1.1
connection may be used for one or more request/response exchanges.

Basic Architecture

The following diagram shows a very basic architecture of a web application and depicts where
HTTP sits:
The HTTP protocol is a request/response protocol based on the client/server based architecture
where web browsers, robots and search engines, etc. act like HTTP clients, and the Web server
acts as a server.
Client
The HTTP client sends a request to the server in the form of a request method, URI, and protocol
version, followed by a MIME-like message containing request modifiers, client information, and
possible body content over a TCP/IP connection.
Server
The HTTP server responds with a status line, including the message's protocol version and a
success or error code, followed by a MIME-like message containing server information, entity
meta information, and possible entity-body content.

HTTP header fields

HTTP header fields provide required information about the request or response, or about the
object sent in the message body. There are four types of HTTP message headers:
• General-header: These header fields have general applicability for both request and
response messages.
• Client Request-header: These header fields have applicability only for request messages.
• Server Response-header: These header fields have applicability only for response
messages.
• Entity-header: These header fields define meta information about the entity-body or, if
no body is present, about the resource identified by the request.

Message Body
The message body part is optional for an HTTP message but if it is available, then it is used to
carry the entity-body associated with the request or response. If entity body is associated, then
usually Content-Type and Content-Length headers lines specify the nature of the body
associated.
A message body is the one which carries the actual HTTP request data (including form data and
uploaded files, etc.) and HTTP response data from the server (including files, images, etc.). Shown
below is the simple content of a message body:
<html>
<body>

<h1>Hello, World!</h1>

</body>
</html>

HTTP security
HTTP is used for communications over the internet, so application developers, information
providers, and users should be aware of the security limitations in HTTP/1.1. This discussion
does not include definitive solutions to the problems mentioned here but it does make some
suggestions for reducing security risks.

Personal Information Leakage

HTTP clients are often privy to large amounts of personal information such as the user's name,
location, mail address, passwords, encryption keys, etc. So you should be very careful to prevent
unintentional leakage of this information via the HTTP protocol to other sources.
• All the confidential information should be stored at the server in encrypted form.
• Revealing the specific software version of the server might allow the server machine to
become more vulnerable to attacks against software that is known to contain security
holes.
• Proxies that serve as a portal through a network firewall should take special precautions
regarding the transfer of header information that identifies the hosts behind the firewall.
• The information sent in the 'From' field might conflict with the user's privacy interests or
their site's security policy, and hence, it should not be transmitted without the user being
able to disable, enable, and modify the contents of the field.
• Clients should not include a Referer header field in a (non-secure) HTTP request if the
referring page was transferred with a secure protocol.
• Authors of services that use the HTTP protocol should not use GET based forms for the
submission of sensitive data, because it will cause the data to be encoded in the Request-
URI.

File and Path Names Based Attack

HTTP servers should restrict the documents returned by HTTP requests to only those
that were intended by the server administrators.
For example, UNIX, Microsoft Windows, and other operating systems use '..' as a path
component to indicate a directory level above the current one. On such a system, an HTTP server
MUST disallow any such construct in the Request-URI, if it would otherwise allow access to a
resource outside those intended to be accessible via the HTTP server.
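
One way to implement the check described above, as an added example (not part of the original notes): the request path is percent-decoded once, normalized, and rejected if it would resolve outside the document root. The document root, function name and sample URIs are assumptions made for illustration; the code works on path strings only and does not touch the filesystem.

```python
"""Added example: keep a Request-URI inside the document root."""
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/var/www/html"   # assumed document root for the example


class Forbidden(Exception):
    """Raised where a server would answer with an error instead of a file."""


def resolve_request_path(request_uri, doc_root=DOC_ROOT):
    """Map a Request-URI to a path under doc_root, or raise Forbidden."""
    # Drop the query string and fragment; only the path names a resource.
    raw_path = request_uri.split("?", 1)[0].split("#", 1)[0]

    # Decode percent-escapes exactly once, so "%2e%2e" is seen as "..".
    decoded = unquote(raw_path)
    if "\x00" in decoded:
        raise Forbidden("NUL byte in path")

    # Treat backslashes as separators so "..\\.." cannot slip past the check.
    decoded = decoded.replace("\\", "/")
    if not decoded.startswith("/"):
        raise Forbidden("path must be absolute")

    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    root = posixpath.normpath(doc_root)
    candidate = posixpath.normpath(posixpath.join(root, *segments))

    # Compare whole path components, not string prefixes:
    # "/var/www/html2" starts with "/var/www/html" but is outside the root.
    if posixpath.commonpath([root, candidate]) != root:
        raise Forbidden("Request-URI resolves outside the document root")

    # A real server would also resolve symbolic links before serving the file.
    return candidate


# Constructed sample requests (not taken from real logs).
SAMPLE_URIS = [
    "/index.html",
    "/images/../css/site.css?v=2",
    "/../../etc/passwd",
    "/docs/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "/../html2/secret.txt",
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        try:
            print(uri, "->", resolve_request_path(uri))
        except Forbidden as exc:
            print(uri, "-> rejected:", exc)
```

A `..` that stays inside the root, as in the second sample, is normalized and served; only paths that would leave the root are refused.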

DNS Spoofing

Clients using HTTP rely heavily on the Domain Name Service, and are thus generally prone to
security attacks based on the deliberate mis-association of IP addresses and DNS names. So
clients need to be cautious in assuming the continuing validity of an IP number/DNS name
association.
If HTTP clients cache the results of host name lookups in order to achieve a performance
improvement, they must observe the TTL information reported by the DNS. If HTTP clients do
not observe this rule, they could be spoofed when a previously-accessed server's IP address
changes.

Location Headers and Spoofing

If a single server supports multiple organizations that do not trust one another, then it MUST
check the values of Location and Content Location headers in the responses that are generated
under the control of said organizations to make sure that they do not attempt to invalidate
resources over which they have no authority.

Authentication Credentials

Existing HTTP clients and user agents typically retain authentication information indefinitely.
HTTP/1.1 does not provide a method for a server to direct clients to discard these cached
credentials which is a big security risk.
There are a number of workarounds to parts of this problem, and so it is recommended to
make use of password protection in screen savers, idle time-outs, and other methods that
mitigate the security problems inherent in this problem.

Proxies and Caching

HTTP proxies are men-in-the-middle, and represent an opportunity for man-in-the-middle
attacks. Proxies have access to security-related information, personal information about
individual users and organizations, and proprietary information belonging to users and content
providers.
Proxy operators should protect the systems on which proxies run, as they would protect any
system that contains or transports sensitive information.
Caching proxies provide additional potential vulnerabilities, since the contents of the cache
represent an attractive target for malicious exploitation. Therefore, cache contents should be
protected as sensitive information.

What is HTTP?
HTTP stands for Hypertext Transfer Protocol. The HTTP protocol provides
communication between different communication systems. When the user
makes an HTTP request on the browser, the webserver sends the
requested data to the user in the form of web pages. In short, we can say
that the HTTP protocol allows us to transfer the data from the server to the
client.

HTTP is an application layer protocol that comes above the TCP layer. It
provides some standard rules to the web browsers and servers, which they can use to
communicate with each other.

HTTP is a stateless protocol, as each transaction is executed separately without having any knowledge of the
previous transactions, which means that once the transaction is completed between the web browser
and the server, the connection gets lost.

Main difference between the HTTP and HTTPS


The major difference between HTTP and HTTPS is the SSL certificate. The HTTPS protocol is an extended version of the HTTP protocol with an
additional feature of security.

This additional feature of security is very important for those websites which
transmit sensitive data such as credit card information.
The HTTPS protocol is secured due to the SSL protocol. The SSL protocol
encrypts the data which the client transmits to the server. If someone tries to
steal the information which is being communicated between the client and
the server, then he/she would not be able to understand due to the
encryption. This is the main difference between the HTTP and HTTPS that the
HTTP does not contain SSL, whereas the HTTPS contains SSL that provides
secure communication between the client and the server.

HTTP vs HTTPS performance


HTTP is faster than HTTPS, as HTTPS contains the SSL protocol while HTTP does not contain an SSL
protocol. This additional feature of SSL in HTTPS makes the page loading slower.

Differences between HTTP and HTTPS


The following are the differences between the HTTP and HTTPS:

o Protocol

The HTTP protocol stands for Hypertext Transfer Protocol, whereas the
HTTPS stands for Hypertext Transfer Protocol Secure.

o Security

The HTTP protocol is not a secure protocol, as it does not contain SSL (Secure
Sockets Layer), which means that the data can be stolen when it is
transmitted from the client to the server. The HTTPS protocol, in contrast,
contains the SSL certificate that converts the data into an encrypted form, so
no data can be stolen in this case, as outsiders do not understand the
encrypted text.

o Port numbers

HTTP transmits the data over port number 80, whereas HTTPS
transmits the data over port number 443. In the documentation issued
by Tim Berners-Lee, he stated that "if the port number is not specified, then
it will be considered as HTTP".

When RFC 1340 was announced, the IETF (Internet Engineering Task
Force) provided port number 80 to HTTP. When the new RFC was
released in the year 1994, HTTPS was assigned port number 443.

o Layers
The HTTP protocol works on the application layer while the HTTPS protocol
works on the transport layer. As we know that the responsibility of the
transport layer is to move the data from the client to the server, and data
security is a major concern. HTTPS operates in the transport layer, so it is
wrapped with a security layer.

o SSL Certificates

When we want our websites to have an HTTPS protocol, then we need to
install the signed SSL certificate. The SSL certificates can be available for
both free and paid service. The service can be chosen based on business
needs.

The HTTP does not contain any SSL certificates, so it does not decrypt the
data, and the data is sent in the form of plain text.

o SEO Advantages

The SEO advantages are provided to those websites that use HTTPS as
GOOGLE gives the preferences to those websites that use HTTPS rather than
the websites that use HTTP.

o Online Transactions

If we are running an online business, then it becomes necessary to have
HTTPS. If we do not use the HTTPS in an online business, then the customers
would not purchase as they are scared that their data can be stolen by the
outsiders.

Let's understand the differences in a tabular form.

HTTP | HTTPS
The full form of HTTP is the Hypertext Transfer Protocol. | The full form of HTTPS is Hypertext Transfer Protocol Secure.
It is written in the address bar as http://. | It is written in the address bar as https://.
The HTTP transmits the data over port number 80. | The HTTPS transmits the data over port number 443.
It is unsecured as the plain text is sent, which can be accessible by the hackers. | It is secure as it sends the encrypted data which hackers cannot understan
It is mainly used for those websites that provide information like blog writing. | It is a secure protocol, so it is used for those websites that require to tran ... numbers.
It is an application layer protocol. | It is a transport layer protocol.
It does not use SSL. | It uses SSL that provides the encryption of the data.
Google does not give the preference to the HTTP websites. | Google gives preferences to the HTTPS as HTTPS websites are secure web
The page loading speed is fast. | The page loading speed is slow as compared to HTTP because of the addit

Wireless Local Area Network

A Wireless Local Area Network (WLAN) is a type of local area network that uses
high frequency radio waves rather than wires to communicate between network-
enabled devices.

Access Point

A wireless access point (AP) is a hardware device that allows wireless
communication devices, such as PDAs and mobile computers, to connect to a
wireless network. Usually, an AP connects to a wired network, and provides a
bridge for data communication between wireless and wired devices.

Service Set Identifier

A Service Set Identifier (SSID) is a configurable identification that allows wireless
clients to communicate with an appropriate access point. With proper
configuration, only clients with correct SSID can communicate with the access
points. In effect, the SSID acts as a single shared password between access points
and clients.

Open System Authentication

Open System Authentication is the default authentication protocol for the 802.11
wireless standard. It consists of a simple authentication request containing the
station ID and an authentication response containing success or failure data. Upon
successful authentication, both stations are considered mutually authenticated. It
can be used with WEP (Wired Equivalent Privacy) protocol to provide better
communication security, however it is important to note that the authentication
management frames are still sent in clear text during authentication process. WEP
is used only for encrypting data once the client is authenticated and associated.
Any client can send its station ID in an attempt to associate with the AP. In effect,
no authentication is actually done.

Shared Key Authentication

Shared Key Authentication is a standard challenge and response mechanism that
makes use of WEP and a shared secret key to provide authentication. Upon
encrypting the challenge text with WEP using the shared secret key, the
authenticating client will return the encrypted challenge text to the access point for
verification. Authentication succeeds if the access point decrypts to the same
challenge text.

Ad-Hoc Mode

Ad-hoc mode is one of the networking topologies provided in the 802.11 standard.
It consists of at least two wireless stations where no access point is involved in
their communication. Ad-hoc mode WLANs are normally less expensive to run, as
no APs are needed for their communication. However, this topology cannot scale
for larger networks and lacks some security features like MAC filtering and
access control.

Infrastructure Mode

Infrastructure mode is another networking topology in the 802.11 standard, in
addition to ad-hoc mode. It consists of a number of wireless stations and access
points. The access points usually connect to a larger wired network. This network
topology can scale to form large-scale networks with arbitrary coverage and
complexity.

Wired Equivalent Privacy Protocol

Wired Equivalent Privacy (WEP) Protocol is a basic security feature in the IEEE
802.11 standard, intended to provide confidentiality over a wireless network by
encrypting information sent over the network. A key-scheduling flaw has been
discovered in WEP, so it is now considered as unsecured because a WEP key can
be cracked in a few minutes with the aid of automated tools. Therefore, WEP
should not be used unless a more secure method is not available.

Wi-Fi Protected Access

Wi-Fi Protected Access (WPA) is a wireless security protocol designed to address
and fix the known security issues in WEP. WPA provides users with a higher level
of assurance that their data will remain protected by using Temporal Key Integrity
Protocol (TKIP) for data encryption. 802.1x authentication has been introduced in
this protocol to improve user authentication.

Mobile Device Security
Mobile Device Security refers to the measures designed to protect sensitive information stored
on and transmitted by laptops, smartphones, tablets, wearables, and other portable devices. At the
root of mobile device security is the goal of keeping unauthorized users from accessing the
enterprise network. It is one aspect of a complete enterprise security plan.

Why is Mobile Device Security important?


With more than half of business PCs now mobile, portable devices present distinct challenges
to network security, which must account for all of the locations and uses that employees require
of the company network. Potential threats to devices include malicious mobile apps, phishing
scams, data leakage, spyware, and unsecured Wi-Fi networks. On top of that, enterprises have to
account for the possibility of an employee losing a mobile device or the device being stolen. To
avoid a security breach, companies should take clear, preventative steps to reduce the risk.

What are the benefits of Mobile Device Security?

Mobile device security, or mobile device management, provides the following:

 Regulatory compliance
 Security policy enforcement
 Support of “bring your own device” (BYOD)
 Remote control of device updates
 Application control
 Automated device registration
 Data backup
Above all, mobile device security protects an enterprise from unknown or malicious outsiders
being able to access sensitive company data.

How does Mobile Device Security work?

Securing mobile devices requires a multi-layered approach and investment in enterprise
solutions. While there are key elements to mobile device security, each organization needs to
find what best fits its network.

To get started, here are some mobile security best practices:


 Establish, share, and enforce clear policies and processes

Mobile device rules are only as effective as a company’s ability to properly communicate those
policies to employees. Mobile device security should include clear rules about:

1. What devices can be used
2. Allowed OS levels
3. What the company can and cannot access on a personal phone
4. Whether IT can remote wipe a device
5. Password requirements and frequency for updating passwords

 Password protection

One of the most basic ways to prevent unauthorized access to a mobile device is to create a
strong password, and yet weak passwords are still a persistent problem that contributes to the
majority of data hacks. Another common security problem is workers using the same password
for their mobile device, email, and every work-related account. It is critical that employees create
strong, unique passwords (of at least eight characters) and create different passwords for
different accounts.

 Leverage biometrics

Instead of relying on traditional methods of mobile access security, such as passwords, some
companies are looking to biometrics as a safer alternative. Biometric authentication is when a
computer uses measurable biological characteristics, such as face, fingerprint, voice, or iris
recognition for identification and access. Multiple biometric authentication methods are now
available on smartphones and are easy for workers to set up and use.

 Avoid public Wi-Fi

A mobile device is only as secure as the network through which it transmits data. Companies
need to educate employees about the dangers of using public Wi-Fi networks, which are
vulnerable to attacks from hackers who can easily breach a device, access the network, and steal
data. The best defense is to encourage smart user behavior and prohibit the use of open Wi-Fi
networks, no matter the convenience.

 Beware of apps

Malicious apps are some of the fastest growing threats to mobile devices. When an employee
unknowingly downloads one, either for work or personal reasons, it provides unauthorized
access to the company’s network and data. To combat this rising threat, companies have two
options: instruct employees about the dangers of downloading unapproved apps, or ban
employees from downloading certain apps on their phones altogether.

Mobile Security

Developing Secure Mobile App

Growth in smartphones and tablets has led to a dramatic shift in the way the general
public and corporate users interact with businesses.

Preventing Data Theft

At any time of day or night, a huge amount of data is being stored, retrieved and
transferred in the average company or organisation. As a responsible user, you
must know how to protect your data and prevent data theft from mobile devices.

Wireless Network Security

Low deployment costs make wireless networks attractive to both organisations and
end users. However, the easy availability of inexpensive equipment also gives
attackers the tools to launch attacks on the network. New security risks come with
the benefits of adopting wireless networks.

Playing Online Games Safely

Many computer and console video games can be played online against other
players over the Internet. Players can communicate, sometimes using text
messages typed into the computer and sometimes using a microphone.

Avoiding Phone Fraud


Criminals also use the phone, and especially Internet phone systems, to trick
people.

Using QR Code Carefully

A QR code is a machine-readable two-dimensional barcode that contains
information. Scanning a QR code will redirect you to a website or an application.
Due to the prevalence of mobile devices, QR codes have become popular and
widely used in advertising, promotion events and even mobile payment. Using QR
codes wisely can bring us convenience, but you may easily fall into traps if you
underestimate the risks.

Protecting Your Notebook

You have to protect your notebook computer from theft.

Security Tips for Using Mobile Applications

Mobile devices (such as smartphones and tablets) have become an indispensable
part of our daily lives. Mobile applications process large amounts of information,
including personal and sensitive information. Users should exercise care when
using mobile applications and take precautions to protect themselves from
potential security threats such as information leakage.

Securing Your Wireless Network

Before you connect to a wireless network, it is important to make sure
that your device is logically protected. A mobile device can connect to your
wireless network whenever it is within range of the signal from your
wireless router.

Tips on Using Public Wi-Fi

Free Wi-Fi facilities are available at various local and overseas public areas such as
shopping malls, coffee shops, hotels, airports or government premises. Users
should pay attention to the security risks when using Wi-Fi services.

Protecting Mobile Devices

Examples of mobile devices include smartphones, tablets, and notebook
computers.

IEEE 802.11 Architecture


The components of an IEEE 802.11 architecture are as follows:

1) Stations (STA) − Stations comprise all devices and equipment that are connected to the
wireless LAN. A station can be of two types:

 Wireless Access Point (WAP) − WAPs, or simply access points (AP), are generally
wireless routers that form the base stations or access.
 Client − Clients are workstations, computers, laptops, printers, smartphones, etc.

Each station has a wireless network interface controller.

2) Basic Service Set (BSS) − A basic service set is a group of stations communicating at
the physical layer level. A BSS can be of two categories depending upon the mode of operation:

 Infrastructure BSS − Here, the devices communicate with other devices through access
points.
 Independent BSS − Here, the devices communicate on a peer-to-peer basis in an ad hoc
manner.

3) Extended Service Set (ESS) − It is a set of all connected BSS.
4) Distribution System (DS) − It connects access points in ESS.

Advantages of WLANs

 They provide clutter-free homes, offices and other networked places.
 The LANs are scalable in nature, i.e. devices may be added or removed from the network
with greater ease than in wired LANs.
 The system is portable within the network coverage and access to the network is not
bounded by the length of the cables.
 Installation and setup are much easier than for wired counterparts.
 The equipment and setup costs are reduced.

Disadvantages of WLANs

 Since radio waves are used for communications, the signals are noisier with more
interference from nearby systems.
 Greater care is needed for encrypting information. Also, they are more prone to errors. So,
they require greater bandwidth than the wired LANs.
 WLANs are slower than wired LANs.

Frame Format of IEEE 802.11

The main fields of a frame of wireless LANs as laid down by IEEE 802.11 are −
 Frame Control − It is a 2-byte starting field composed of 11 subfields. It contains
control information of the frame.
 Duration − It is a 2-byte field that specifies the time period for which the frame and its
acknowledgment occupy the channel.
 Address fields − There are three 6-byte address fields containing addresses of source,
immediate destination, and final endpoint respectively.
 Sequence − It is a 2-byte field that stores the frame numbers.
 Data − This is a variable-sized field that carries the data from the upper layers. The
maximum size of the data field is 2312 bytes.
 Check Sequence − It is a 4-byte field containing error detection information.
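
A parser for the frame layout listed above, added here as an example that is not part of the original document. It assumes the three-address form with no optional fields; the Frame Control bit positions and the CRC-32 check sequence follow the 802.11 standard rather than this page, and the sample frames and addresses are constructed.

```python
import struct
import zlib

# Frame Control, Duration, three 6-byte addresses, Sequence (little-endian on the air)
HEADER = struct.Struct("<HH6s6s6sH")
MAX_BODY = 2312  # maximum Data field size given above
FLAGS = ("to_ds", "from_ds", "more_frag", "retry",
         "pwr_mgmt", "more_data", "protected", "order")

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame(frame):
    """Split a frame (three-address form, check sequence included) into fields."""
    if len(frame) < HEADER.size + 4:
        raise ValueError("frame shorter than header plus check sequence")
    fc, duration, a1, a2, a3, seq = HEADER.unpack_from(frame)
    body, fcs = frame[HEADER.size:-4], frame[-4:]
    if len(body) > MAX_BODY:
        raise ValueError("data field exceeds 2312 bytes")
    fields = {
        "version": fc & 0x3, "type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
        "duration": duration,
        "addr1": mac(a1), "addr2": mac(a2), "addr3": mac(a3),
        "fragment": seq & 0xF, "sequence": seq >> 4,
        "body": body,
        # Check Sequence: CRC-32 over everything before it, sent low byte first
        "fcs_ok": struct.unpack("<I", fcs)[0] == zlib.crc32(frame[:-4]),
    }
    for bit, name in enumerate(FLAGS, start=8):  # one-bit flags in bits 8..15
        fields[name] = bool((fc >> bit) & 1)
    return fields

def is_cleartext_data(fields):
    """True for an intact data frame (type 2) with a body but no Protected flag."""
    return (fields["fcs_ok"] and fields["type"] == 2
            and len(fields["body"]) > 0 and not fields["protected"])

def build_frame(fc, body, seq=0x0150):
    """Build a constructed sample frame; the addresses are made-up values."""
    head = HEADER.pack(fc, 44, bytes.fromhex("020000000001"),
                       bytes.fromhex("020000000002"), bytes.fromhex("020000000001"), seq)
    return head + body + struct.pack("<I", zlib.crc32(head + body))

OPEN_FRAME = build_frame(0x0108, b"plaintext payload")      # data, To DS
PROTECTED_FRAME = build_frame(0x4108, b"\x8a\x11\x9c\x03")  # data, To DS, Protected

if __name__ == "__main__":
    for f in (OPEN_FRAME, PROTECTED_FRAME):
        print(is_cleartext_data(parse_frame(f)))
```

The Protected flag is the one Frame Control subfield that tells a monitor whether the Data field was encrypted, so a data frame that parses cleanly with that bit clear is traffic sent in the open.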

IEEE 802.11i Services


There are two characteristics of a wired LAN that are not inherent in a wireless LAN.

1. In order to transmit over a wired LAN, a station must be physically connected to the LAN.
On the other hand, with a wireless LAN, any station within radio range of the other devices on
the LAN can transmit. In a sense, there is a form of authentication with a wired LAN in that it
requires some positive and presumably observable action to connect a station to a wired LAN.
2. Similarly, in order to receive a transmission from a station that is part of a wired LAN, the
receiving station also must be attached to the wired LAN. On the other hand, with a wireless
LAN, any station within radio range can receive. Thus, a wired LAN provides a degree of
privacy, limiting reception of data to stations connected to the LAN.

These differences between wired and wireless LANs suggest the increased need for robust
security services and mechanisms for wireless LANs. The original specification included a set
of security features for privacy and authentication that were quite weak. For privacy, 802.11
defined the Wired Equivalent Privacy (WEP) algorithm. The privacy portion of the 802.11
standard contained major weaknesses. Subsequent to the development of WEP, the 802.11i task
group has developed a set of capabilities to address the WLAN security issues. In order to
accelerate the introduction of strong security into WLANs, the Wi-Fi Alliance promulgated
Wi-Fi Protected Access (WPA) as a Wi-Fi standard. WPA is a set of security mechanisms that
eliminates most 802.11 security issues and was based on the current state of the 802.11i
standard. The final form of the 802.11i standard is referred to as Robust Security Network
(RSN). The Wi-Fi Alliance certifies vendors in compliance with the full 802.11i specification
under the WPA2 program.

The 802.11i RSN security specification defines the following services.


• Authentication: A protocol is used to define an exchange between a user and
an AS that provides mutual authentication and generates temporary keys to
be used between the client and the AP over the wireless link.
• Access control: This function enforces the use of the authentication function,
routes the messages properly, and facilitates key exchange. It can work with a
variety of authentication protocols.
• Privacy with message integrity: MAC-level data (e.g., an LLC PDU) are encrypted
along with a message integrity code that ensures that the data have not been altered.
Figure 17.4a indicates the security protocols used to support these services, while Figure 17.4b
lists the cryptographic algorithms used for these services.
