BẢO MẬT HỆ ĐIỀU HÀNH DI ĐỘNG

1.      Tổng quan khóa học

Khóa học bảo mật hệ điều hành di động cung cấp cho học viên những kỹ năng kinh nghiệm cần thiết để giảm thiểu các điểm yếu, các rủi ro đối với hệ điều hành di động. Hạn chế những cuộc tấn công  thông qua dịch vụ hệ điều hành di động. Khóa học tập trung vào phương pháp thiết lập an toàn trên hệ điều hành di động dựa trên nền tảng kỹ thuật của điện thoại di động, cách khắc phục, chính sách an toàn, giải pháp trên nhiều thiết bị di động, các thiết bị thông minh trên nền tảng IOS ( IPhone, IPad, Android, Blackberry và Windows Phone.

2.      Đối tượng tham gia

Đối tượng là các chuyên gia công nghệ thông tin, các lập trình viên phần mềm, các chuyên gia bảo mật và các nhà quản lý  công nghệ thông tin

3.      Thời gian đào tạo

Thời lượng: 5 ngày

4.      Nội dung đào tạo

Mobile Security Infrastructure

• Implement Vulnerability Assessment Tools and Techniques
• Scan for Vulnerabilities
• Mitigation and Deterrent Techniques
• Mobile Security Threats and Vulnerabilities
• Social Engineering
• Physical Threats and Vulnerabilities
• Network-Based Threats
• Wireless Threats and Vulnerabilities
• Software Based Threats

Mobile  Security Fundamentals

• Information Security Cycle
• Information Security Controls
• Authentication Methods
• Cryptography Fundamentals
• Security Policy Fundamentals
• Mobile computing trends and threats
• Best practices in mobile device management (MDM)
• Mobile Device Management (MDM)
• Centralizing device administration
• Enabling BYOD in the organization
• Confronting BYOD challenges
• Fortifying device synchronization
• Modifying policies to work with each mobile OS
• Handling lost or stolen devices
• Securing the mobile application in the organization
• Open Web Application Security Project (OWASP)
• Mobile phone forensics and its implications
• Mobile Network Security
• Network Devices and Technologies
• Concepts behind GSM, 3G, LTE and LTE-Advanced Security
• Concepts behind WiFi, Bluetooth  and NFC Security
• Mobile Security Frameworks
• Network Design Elements and Components
• Implement Networking Protocols
• Access Control, Authentication, and Account Management
• Data Security
• Apply Network Security Administration Principles
• Secure Wireless Traffic
• Managing Application, Data and Host Security
• Establish Device/Host Security

iOS SDK, APIs, and Security Features

• Code signing
•  Sandbox
•  Data at rest encryption
•  Generic native exploit mitigation features
• Non executable memory
•  Stack smashing protection
• iOS Data protection API
• Various levels of protection, driven by developer
•  Complete protection
•  Protected unless open
•  Protected until first user authentication
•  No protections
• iOS  Security Framework
•  Common Crypto Libraries
•  Symmetric encryption
•  HMAC
•  Digests
•  Generating secure random numbers
• Security and limitations of the keychain
•  Keychain access groups
•  Managing certificates and keys

Web Service and Network Security

• Clear text transmission of data
•  Man-in-the-middle attacks
•  Cellular proxy attack (provisioning profile)
•  Insufficient validation of certificates / certificate chain
•  SSL compromise
•  DNS hijacking
• SSL session with validation
•  Validate originated from a trusted CA
•  Validate the certificate has not been revoked
•  Describe how to implement / validate client-side certificates
•  SSL pinning

Common threats to Web services

•  Information disclosure
•  Brute forcing
•  Fuzzing
•  SQL injection
•  Directory traversal

Implementation of session security

•  Highly random token
•  Expire on timeout or exit
•  Store in memory not in data
•  Avoid static user token
•  UDID deprecation

Data Security and Implementing Encryption

• Key storage and retention
• Master keys
•  Key strength
•  Cipher Specifications
•  Forensic trace
•  Storage of data in protected APIs
•  Built-in encryption vs. custom encryption
•  File permissions and using strong passwords for database security
•  How to hash sensitive data and seed of passwords
•  Storing more data externally on servers
•  Not storing data outside of the applications security
•  Do not store sensitive data, if you can avoid it
•  Protecting data at rest while the device is locked

Implementation of encryption in iOS

•  Common cryptor
• Logic in applications
•  Certificate and key exchange
•  Authentication and authorization
•  Session management
•  Decryption as authentication, not after

Data Encryption APIs

•  PIN vs. complex passphrase
•  Data protection APIs
•  Keychain and vulnerabilities
•  Demonstrate knowledge of Apple’s encrypted file system
•  Journal

Android SDK, APIs and Security Features

• System and kernel level security
•  Application sandbox
•  Application signing
•  Purpose
•  Key management
•  Permissions
•  File system
•  Application-defined
•  URI permissions

Android permission model

•  Protected APIs
•  Requesting permissions
•  Defining permissions
•  Use of signatures
•  Protection levels
•  Summarize the Device Administration API
•  Purpose and appropriate use
•  Letting the user control access to sensitive data
•  Start the contacts activity to let the user select a contact for use by
• the application rather than require permission to access all contacts
•  Start the camera application to let the user take a picture for use in
• the application without requiring camera permissions

Secure inter-process communication in Android

•  Public and private components
•  Protecting access to
•  Services
•  Broadcast receivers
•  Activities
•  Content providers
•  Databases
•  Securely accessing third-party components with IPC
•  Types of attacks
•  Confused deputy
•  Intent sniffing
•  Intent hijacking
•  Data disclosure

Application Hardening Principles

• Apple Digital Rights Management
•  Mach-O object format
•  Symbol table definitions
•  Class-dump
•  Dumping memory
•  Binary stripping
• Process trace checks
•  Tamper response
•  Counter-debugging techniques
•  Code obfuscations
•  Optimizations
•  Inline functions
•  Encrypted payloads

Managing Public Key Infrastructure (PKI)

• Install a Certificate Authority (CA) Hierarchy
• Back Up a CA
• Restore a CA

Managing Certificates

• Enroll Certificates
• Renew Certificates
• Revoke Certificates
• Back Up Certificates and Private Keys
• Restore Certificates and Private Keys

Compliance and Operational Security

• Physical Security
• Legal Compliance
• Security Awareness and Training

Managing Risk

• Risk Analysis
• Implement Risk Mitigation Strategies

Workshops

• Developing a Mobile Security Strategy
• Creating the mobile threat matrix model
• Creating a security policy framework
• Evaluating vulnerabilities
• Creating a mobile security assessment plan
• Assessing mobile network and device vulnerabilities