55.6k views
3 votes
Several days after deploying an MDM for smartphone control, an organization began noticing anomalous behavior across the enterprise. Security analysts observed the following:

- Unauthorized certificate issuance
- Access to mutually authenticated resources utilizing valid but unauthorized certificates
- Granted access to internal resources via the SSL VPN

To address the immediate problem, security analysts revoked the erroneous certificates.

Which of the following describes the MOST likely root cause of the problem and offers a solution?

A. The VPN and web resources are configured with too weak a cipher suite and should be rekeyed to support AES 256 in GCM and ECC for digital signatures and key exchange.
B. A managed mobile device is rooted, exposing its keystore, and the MDM should be reconfigured to wipe these devices and disallow access to corporate resources.
C. SCEP is configured insecurely, which should be enabled for device onboarding against a PKI for mobile-exclusive use.
D. The CA is configured to sign any received CSR from mobile users and should be reconfigured to permit CSR signings only from domain administrators.

1 Answer

2 votes

Final answer:

The most likely root cause of the unauthorized certificate issuance and access to secured resources is an insecure configuration of Simple Certificate Enrollment Protocol (SCEP). The solution is to reconfigure SCEP for secure onboarding against a Public Key Infrastructure (PKI) dedicated to mobile devices and ensure that Certificate Authority (CA) policies are strict about who can request certificates.

Step-by-step explanation:

The question revolves around an issue an organization faced after deploying a Mobile Device Management (MDM) system, where unauthorized certificates were issued and used to gain access to secure resources. The most likely cause of the problem is an insecure configuration of the Simple Certificate Enrollment Protocol (SCEP), which is used for the issuance and management of digital certificates. When SCEP is not properly secured, it can enable attackers to obtain unauthorized certificates and access network resources.

To address this issue, the SCEP should be reconfigured to be more secure. Specifically, it should be enabled for device onboarding and set up to work with a Public Key Infrastructure (PKI) dedicated to mobile devices, ensuring that only trusted devices can obtain certificates. This helps in creating a more secure environment and prevents unauthorized access.

By reconfiguring SCEP, not only will the current problem be mitigated, but it will also strengthen the organization's overall security posture against similar threats. It's essential for the organization to also review their CA (Certificate Authority) policies to ensure that only authorized personnel or systems can request and be issued certificates, thus reducing the risk of compromise through fraudulent certificate requests.

by User Khoi (8.2k points)
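As an added illustration of the answer's point (constructed for this page, not code from the original post or from any MDM or CA product), the following simplified registration-authority policy shows what separates a CA that signs any received CSR from one that binds issuance to a single-use, short-lived MDM enrollment challenge, a client-authentication-only profile and a mobile-only PKI namespace. The device ids, the SAN suffix and the EKU names are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed model of an MDM-backed SCEP registration authority (hypothetical
# helper, not real MDM or CA code): the MDM pre-registers each device with a
# single-use, short-lived challenge, and the CA signs only CSRs bound to it.
ALLOWED_EKUS = {"clientAuth"}                   # mobile certs: client auth only
MOBILE_SAN_SUFFIX = ".mobile.example.internal"  # assumed mobile-only PKI namespace

@dataclass
class Enrollment:
    challenge_hash: str   # sha256 of the one-time challenge; plaintext never stored
    expires_at: float
    used: bool = False

class StrictRegistrationAuthority:
    def __init__(self, clock=time.time):
        self.enrollments = {}   # device_id -> Enrollment
        self.clock = clock

    def register(self, device_id, ttl_seconds=600):
        """MDM side: mint a fresh one-time challenge for an enrolling device."""
        challenge = secrets.token_urlsafe(24)
        digest = hashlib.sha256(challenge.encode()).hexdigest()
        self.enrollments[device_id] = Enrollment(digest, self.clock() + ttl_seconds)
        return challenge

    def should_sign(self, subject_cn, sans, ekus, challenge):
        """CA side: a permissive CA returns True for every CSR; this one signs
        only a CSR bound to a live, unused MDM enrollment and the mobile profile."""
        enr = self.enrollments.get(subject_cn)
        if enr is None:
            return False, "no MDM enrollment for subject"
        if enr.used:
            return False, "challenge already consumed (replay)"
        if self.clock() > enr.expires_at:
            return False, "challenge expired"
        presented = hashlib.sha256(challenge.encode()).hexdigest()
        if not hmac.compare_digest(enr.challenge_hash, presented):
            return False, "challenge mismatch"
        if not set(ekus) <= ALLOWED_EKUS:
            return False, "EKU outside mobile client-auth profile"
        if any(not s.endswith(MOBILE_SAN_SUFFIX) for s in sans):
            return False, "SAN outside mobile PKI namespace"
        enr.used = True   # consume the challenge so the CSR cannot be replayed
        return True, "ok"
```

Each refusal reason is a signal worth logging: a burst of "no MDM enrollment" or "challenge mismatch" decisions at the RA is the kind of evidence the analysts in the question lacked until the certificates were already in use.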