Network, device, and app threats available in Local Actions
NOTE: To select all the actions, select the check box next to the Name field. This is a one-time action and does not persist after the policy is saved.
Local Actions Network threats
The following Network threats are available in Mobile@Work Local Actions:
| Threat | Mitigation when the following events occur |
| --- | --- |
| ARP Scan | A reconnaissance scan using the ARP protocol that is often an indicator of a malicious attacker searching for a device vulnerable to a network attack such as man-in-the-middle (MITM). |
| Captive Portal | Detected that the device connected to a captive portal network. |
| Danger Zone Connected | Danger Zone Connected provides device users with information on nearby Wi-Fi networks and their potential risk. If an iOS or Android device user connects to a malicious Wi-Fi access point, the device user is notified: "This device has connected to a Wi-Fi network where malicious attacks have been observed. It is recommended to disconnect immediately and use an alternative network." To enable Danger Zone Connected, the Enable the Danger Zone feature in zIPS check box must be selected (located in the management console > Manage > General tab). For Android 9.0 through the most recently released version supported by MobileIron, if the app developer does not add the Access_Coarse_Location permission, the following zConsole functionality is not enabled: if zConsole cannot get the BSSID from the device, the Danger Zone Connected threat will not work. |
| IP Scan | A reconnaissance scan using the IP protocol that is often an indicator of a malicious attacker searching for a device vulnerable to a network attack such as MITM. |
| Internal Network Access | Detected an application connecting to private, internal servers. It is uncommon for public applications to connect to internal servers; this is considered suspicious behavior and should be investigated immediately for possible malware installed on the device and the risk of data leakage. |
| MITM | Man-in-the-middle attack where a malicious attacker can hijack traffic and steal credentials or deliver malware to the device. |
| MITM-ARP | Man-in-the-middle attack using ARP table poisoning where a malicious attacker can hijack traffic and steal credentials or deliver malware to the device. |
| MITM-Fake SSL certificate | Man-in-the-middle attack using a fake certificate where a malicious attacker can hijack traffic and steal credentials or deliver malware to the device. |
| MITM-ICMP Redirect | Man-in-the-middle attack using the ICMP protocol where a malicious attacker can hijack traffic and steal credentials or deliver malware to the device. |
| MITM-SSL Strip | Man-in-the-middle attack using SSL stripping, which allows an attacker to downgrade HTTPS traffic to HTTP so they can hijack traffic and steal credentials or deliver malware to the device. |
| Network Handoff | Network handoff allows a device to alter routing on a network, potentially enabling a man-in-the-middle attack. |
| Rogue Access Point | Rogue Access Point exploits a device vulnerability to connect to a previously known Wi-Fi network by spoofing preferred/known networks. |
| Rogue Access Point: Nearby | Rogue Access Point exploits a device vulnerability to connect to a previously known Wi-Fi network by spoofing a nearby network. |
| SSL/TLS Downgrade | SSL/TLS Downgrade forces apps to use old encryption protocols. These protocols may be vulnerable to attacks that allow third parties to view encrypted information. |
| TCP Scan | A reconnaissance scan using the TCP protocol that is often an indicator of a malicious attacker searching for a device vulnerable to a network attack such as MITM. |
| UDP Scan | A reconnaissance scan using the UDP protocol that is often an indicator of a malicious attacker searching for a device vulnerable to a network attack such as MITM. |
| Unsecured WiFi Network | An unsecured Wi-Fi network is vulnerable to a network attack. |
Local Actions Device threats
The following Device threats are available in Mobile@Work Local Actions:
| Threat | Mitigation when the following events occur |
| --- | --- |
| Abnormal Process Activity | Detected abnormal activity. The user device is being monitored for any attacks. |
| App Tampering | Existing app libraries may have been modified, or a foreign library may have been injected into the app. |
| BlueBorne Vulnerability | MobileIron has detected that this device is vulnerable to BlueBorne, an attack leveraging Bluetooth connections to penetrate and take control of targeted devices. To avoid any risk from BlueBorne, it is highly recommended that the user turn off Bluetooth permanently until an update is available from the device manufacturer or wireless carrier. Users who still require Bluetooth should keep it turned off until it is needed and use it only in a trusted and secure area. |
| DNS Change | DNS configuration change on the mobile device. If the DNS change happened in your own network to an unknown DNS server, it is likely a MITM attempt. |
| Daemon Anomaly | Daemon Anomaly indicates abnormal system process activity that could indicate the device has been exploited. |
| Developer Options | Developer Options is a set of advanced configuration options intended for development purposes only. When enabled, the user can change advanced settings, compromising the integrity of the device settings. |
| Device Encryption | Device Encryption notifies an administrator when a device is not set up to use encryption to protect device content. |
| Device Pin | Device Pin notifies the administrator when a device is not set up to use a PIN code or password to control access to the device. |
| Device jailbreaking/rooting | Jailbreaking and rooting are processes of gaining unauthorized access or elevated privileges on a system. They can open security holes that may not have been readily apparent, or undermine the device's built-in security measures. |
| EOP | A malicious process that results in the elevation of privileges on the mobile device, allowing the attacker to take full control of the device. |
| File system changed | A normal file system change. |
| Gateway Change | Gateway configuration change on the mobile device that can indicate traffic being sent to an unintended destination. |
| Proxy Change | Proxy configuration change on the mobile device that can indicate traffic being sent to an unintended destination. |
| SELinux Disabled | Security-Enhanced Linux (SELinux) is a security feature in the operating system that helps maintain the integrity of the operating system. If SELinux has been disabled, the integrity of the operating system may be compromised and should be investigated immediately. |
| Sideloaded App(s) | Sideloaded apps are installed independently of an official app store and can present a security risk. |
| Stagefright Vulnerability | Stagefright Vulnerability indicates the device is on an OS patch version susceptible to compromise. |
| System Tampering | System Tampering is the process of removing security limitations put in place by the device manufacturer; it indicates that the device is fully compromised and can no longer be trusted. |
| USB Debugging Mode | USB Debugging is an advanced configuration option intended for development purposes only. When USB Debugging is enabled, the device can accept commands from a computer when plugged in over USB. |
| Unknown sources download config change | Allows the user to download an app that is not in the Google Play store. |
| Vulnerable Android Version | MobileIron has detected that the Android version installed on your device is not up to date. The outdated operating system exposes the device to known vulnerabilities and the threat of being exploited by malicious actors. It is advised to update the device's operating system immediately. |
| Vulnerable iOS Version | MobileIron has detected that the iOS version installed on your device is not up to date. The outdated operating system exposes the device to known vulnerabilities and the threat of being exploited by malicious actors. It is advised to update the device's operating system immediately. |
| Vulnerable, non-upgradeable Android Version | MobileIron detected a device running a vulnerable Android version. However, the device is not eligible for an operating system upgrade at this time. |
| Vulnerable, non-upgradeable iOS Version | MobileIron detected a device running a vulnerable iOS version. However, the device is not eligible for an operating system upgrade at this time. |
Local Actions App threats
The following App threats are available in Mobile@Work Local Actions:
| Threat | Mitigation when the following events occur |
| --- | --- |
| Suspicious Android App | A known risky app that attempts to take control of the user device in some manner (for example, elevating privileges or spyware). |
| Suspicious Profile | A suspicious profile is a new profile introduced to the environment that is not explicitly trusted or untrusted. It is recommended that the administrator review the profile and mark it as trusted or untrusted. |
| Suspicious iOS App | A known risky app that attempts to take control of the device in some manner (for example, elevating privileges or spyware). |
| Untrusted Profile | An untrusted profile is a new profile installed on one or more devices that is deemed unsafe to have installed on user devices. An untrusted profile installed on devices could be used to control devices remotely, monitor and manipulate user activities, and/or hijack users' traffic. |
Next steps
Proceed to either Using zConsole to monitor threats to Android devices or Using zConsole to monitor threats to iOS devices.