Quiz: Mobile and IoT Security

Twenty-five self-check questions: multiple choice, true/false-with-justification, and short answer. Several are tagged with the certification domain they map to — [Sec+] for CompTIA Security+ and [CISSP] for (ISC)² CISSP. Answer before opening the key. For true/false items, a correct justification matters more than the verdict.


Multiple Choice

1. [Sec+] Which control most directly enables an organization to remove corporate data from a lost BYOD phone without touching the employee's personal photos and apps?
   - A. Full-device remote wipe
   - B. Containerization with selective wipe
   - C. A stronger device passcode policy
   - D. Jailbreak detection

2. [Sec+] A camera ships with the username admin and password admin, both printed in its online manual. The most accurate statement is:
   - A. The camera is vulnerable only if an attacker can guess the password.
   - B. The credentials are secret until the manual is leaked.
   - C. On a reachable network, the camera is effectively already open to anyone.
   - D. Default credentials are only a problem for industrial devices.

3. [CISSP] The persistent, low-level code stored on an embedded device that controls its hardware and is often never updated after the product ships is called:
   - A. Middleware
   - B. Firmware
   - C. A hypervisor
   - D. A bootloader exploit

4. [Sec+] Which capability lets an MDM/UEM allow only healthy devices (encrypted, current OS, not jailbroken) to reach corporate resources?
   - A. Selective wipe
   - B. Conditional access
   - C. Application sandboxing
   - D. Network address translation

5. An unmanageable IoT device cannot be patched and cannot run an endpoint agent. The chapter's recommended primary strategy is:
   - A. Remove it from the network entirely in all cases.
   - B. Accept the risk and document it.
   - C. Contain it with segmentation and watch it with monitoring.
   - D. Replace it immediately regardless of cost.

6. [CISSP] The OS-enforced isolation that confines each mobile app to its own storage and memory, mediating access to anything outside, is:
   - A. Mobile app sandboxing
   - B. Containerization
   - C. A demilitarized zone
   - D. Role-based access control

7. [Sec+] Which ownership model gives the organization the most control and forbids personal use, typically for high-sensitivity roles?
   - A. BYOD
   - B. COPE
   - C. CYOD
   - D. COBO

8. Why are IoT devices, despite being hard to harden, often easy to monitor?
   - A. They run full endpoint agents that report richly.
   - B. Their legitimate behavior is narrow and predictable, so deviations are glaring.
   - C. Vendors provide centralized monitoring dashboards.
   - D. They generate no network traffic when idle.

9. [Sec+] The single most-exploited weakness in IoT, and the one behind the chapter's lobby-camera story, is:
   - A. Buffer overflows in firmware
   - B. Unchanged default credentials
   - C. Weak Wi-Fi encryption
   - D. Cross-site scripting

10. [CISSP] Which best explains why IoT insecurity persists structurally?
   - A. Attackers are uniquely skilled against IoT.
   - B. The buyer rarely bears the cost of the insecurity (a negative externality), so the market rewards cheap over secure.
   - C. IoT devices are too new for standards to exist.
   - D. Encryption is illegal on embedded devices.

11. On the contained IoT segment of Figure 14.2, the default rule between segments is:
   - A. Allow all, then deny known-bad
   - B. Deny all, then allow only specific business-justified paths (default-deny)
   - C. Allow internal, deny only the internet
   - D. There is no rule; segments are physically separate

12. [Sec+] Shadow IoT is best defined as:
   - A. IoT devices that operate only at night
   - B. Unauthorized, unmanaged, often unknown connected devices attached without IT's knowledge
   - C. IoT devices placed in a screened subnet
   - D. Decommissioned devices awaiting disposal

13. An ATM is described as combining "the worst of both worlds" because it is:
   - A. Both wireless and wired
   - B. Both a high-value, regulated system and a rigid embedded device that cannot be freely patched
   - C. Both owned by the bank and the vendor
   - D. Both indoor and outdoor

14. [CISSP] Which is the correct stacking of terms from broadest to most specific?
   - A. Firmware → embedded device → IoT
   - B. IoT → embedded device → firmware
   - C. Embedded device → IoT → firmware
   - D. IoT → firmware → embedded device

15. [Sec+] The best first move when securing any device population — mobile or IoT — is:
   - A. Buy an MDM license
   - B. Build a complete, current inventory of what is actually on the network
   - C. Change all default passwords
   - D. Segment everything


True / False (justify)

16. [Sec+] True or False: Installing full-device MDM on an employee's personally owned phone is the best way to satisfy both corporate security and employee privacy in a BYOD program. Justify.

17. True or False: Because an unpatchable IoT device's vulnerability can never be fixed, there is nothing a defender can do to reduce the risk it poses. Justify.

18. [CISSP] True or False: A BYOD program's security depends more on the written policy than on the specific MDM product chosen. Justify.

19. True or False: A jailbroken phone is no more dangerous than a stock phone, as long as it still has a passcode and encryption. Justify.

20. [Sec+] True or False: Placing an IoT device on its own segment with a default-deny allow-list eliminates the device's vulnerability. Justify.


Short Answer

21. [Sec+] In two or three sentences, explain conditional access and what device attributes it typically checks before granting access to corporate data.

22. [CISSP] Name and briefly describe the four ownership models (BYOD, COPE, CYOD, COBO), ordered from least to most organizational control.

23. The chapter calls the IoT-segment detection rule "alert when a device talks off its allow-list" one of the highest-signal alerts a defender will write. Explain why it produces so few false positives, contrasting it with detection on a human's laptop.

24. [Sec+] A device cannot have its default credentials changed (the vendor hard-coded them). State the two most important compensating controls and what each one limits.

25. Why is shadow IoT uniquely dangerous during an incident? Answer in terms of inventory, segmentation, and what responders will and won't think to check.


Answer Key

**1. B** — Containerization isolates corporate data in a work profile that can be selectively wiped, leaving personal data untouched. Full-device wipe (A) would destroy personal data. *(Sec+: Mobile solutions / BYOD.)*

**2. C** — Documented default credentials are public; a reachable device with unchanged defaults can be logged into by anyone in milliseconds — effectively already open, not merely "guessable." *(Sec+: IoT/embedded vulnerabilities.)*

**3. B** — Firmware. Middleware and hypervisors are higher-level; a bootloader exploit is an attack, not the code class. *(CISSP: Security Architecture / embedded systems.)*

**4. B** — Conditional access gates resource access on device compliance/health. *(Sec+: Mobile device management.)*

**5. C** — When you cannot harden or patch, contain (segment) and watch (monitor). Full removal (A) and immediate replacement (D) are not always feasible; silent acceptance (B) ignores available controls.

**6. A** — Mobile app sandboxing. Containerization is a related but policy-level boundary between work and personal; sandboxing is the per-app OS isolation. *(CISSP.)*

**7. D** — COBO (Corporate-Owned, Business-Only) gives the most control and forbids personal use. *(Sec+: deployment models.)*

**8. B** — IoT devices have narrow, predictable legitimate behavior (a camera talks to one server), so a baseline is trivial and deviations are obvious.

**9. B** — Unchanged default credentials are the most exploited IoT weakness. *(Sec+.)*

**10. B** — The harm is largely a negative externality borne by third parties, so buyers optimize for price and the market under-supplies security. *(CISSP: risk / economics of security.)*

**11. B** — Default-deny: deny all between segments, then allow only specific business-justified paths.

**12. B** — Unauthorized, unmanaged, often unknown connected devices attached without IT's knowledge. *(Sec+.)*

**13. B** — High-value, regulated (PCI) system *and* rigid embedded device that resists on-demand patching.

**14. B** — IoT (category) → embedded device (the computer inside) → firmware (the code on it). *(CISSP.)*

**15. B** — You cannot secure what you have not inventoried; a complete current inventory precedes every other control. Changing passwords (C) and segmenting (D) require first knowing what exists.

**16. False** — Full-device MDM on a personal phone gives the employer control over and visibility into the *whole* device, violating privacy and discouraging honest enrollment. Containerization (managing only a work profile) satisfies both. *(Sec+.)*

**17. False** — Even when the vulnerability can't be removed, you reduce *risk* (likelihood × impact) by shrinking impact/reach: segment the device to a tiny allow-list, deny it internet/lateral paths, and monitor it so exploitation is detected and contained.

**18. True** — The policy makes the decisions (eligibility, minimum requirements, what the company may see/wipe, offboarding); the MDM product merely enforces them. Two products can enforce the same good policy, but a bad/absent policy makes any product ineffective. *(CISSP: governance.)*

**19. False** — Jailbreaking/rooting dismantles the OS's built-in restrictions and the app sandbox, so malware can escape containment and reach data and system functions regardless of passcode/encryption; such a device should be blocked from corporate data by conditional access.

**20. False** — Segmentation reduces the *blast radius* of a compromise; it does not remove the underlying vulnerability. The device can still be exploited — it simply has almost nowhere to go afterward, which is the point.

**21.** Conditional access is the policy gate that allows a device to reach corporate resources only if it meets compliance requirements; it typically checks device encryption, screen-lock/passcode, OS version/patch level, and jailbreak/root status (and may check enrollment and management state). *(Sec+.)*

**22.** Least → most control: **BYOD** (employee-owned; company manages a slice) → **CYOD** (company-owned; employee picks from an approved list) → **COPE** (company-owned; personal use permitted) → **COBO** (company-owned; business-only, no personal use). (COPE and CYOD are close; the key contrast is BYOD's employee ownership vs. COBO's total corporate control.) *(CISSP.)*

**23.** A camera's legitimate behavior is essentially one destination, all day, forever, so any new destination is almost certainly misconfiguration or compromise — near-zero false positives. A human's laptop legitimately contacts thousands of changing destinations, so "normal" is a moving target and any simple rule generates heavy false positives. Constrained, predictable behavior makes monitoring cheap and reliable.

**24.** (1) **Segmentation** — isolate the device to a tiny default-deny allow-list so its near-certain compromise can reach almost nothing (limits lateral movement and outbound C2). (2) **Monitoring** — alert on any off-allow-list or anomalous traffic so exploitation is detected fast (limits dwell time and impact). Together they shrink what the unchangeable weakness is worth.

**25.** Shadow IoT is, by definition, missing from the inventory — so it was never segmented, is not monitored, and is not patched. During an incident, responders work from the asset inventory and the known network map; a device nobody documented is one they won't think to check, isolate, or examine, giving an attacker a hiding place and a foothold that the response process is blind to.
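The contain-and-watch pattern behind Q11, Q20, Q23 and Q24, as an added worked example that is not part of the chapter or this quiz: one per-device-class default-deny allow-list serves both as the IoT segment's firewall policy (decide) and as its detection rule (alerts_for), and the same off-baseline rule is then run against a human's laptop to show why it is noisy there and quiet for a camera. The segment addresses, the NVR and resolver, the device inventory and every flow record are constructed for the example; a real feed would come from firewall or NetFlow logs.

```python
from ipaddress import ip_address, ip_network

# Assumed segment layout (hypothetical addresses, not from the chapter):
# cameras live in 10.20.0.0/24, stream to an NVR at 10.10.5.20 and resolve
# names only through the internal resolver at 10.10.0.53.
IOT_SEGMENT = ip_network("10.20.0.0/24")

# Default-deny allow-list per device class: the (dst, dport, proto) paths that
# have a business justification. Anything not listed is denied.
ALLOW_LIST = {
    "camera": {
        ("10.10.5.20", 554, "tcp"),  # RTSP video to the NVR
        ("10.10.5.20", 443, "tcp"),  # heartbeat/config to the NVR
        ("10.10.0.53", 53, "udp"),   # internal DNS only
    },
}

# Inventory of known devices on the segment; inventory comes before policy.
DEVICE_CLASS = {"10.20.0.11": "camera", "10.20.0.12": "camera"}


def flow(src, dst, dport, proto="tcp"):
    """One flow record (constructed for the example)."""
    return {"src": src, "dst": dst, "dport": dport, "proto": proto}


def decide(f):
    """Firewall view of a flow: 'allow' only if the path is on the source device's
    allow-list; every other flow originating in the IoT segment is 'deny'."""
    if ip_address(f["src"]) not in IOT_SEGMENT:
        return "n/a"  # this policy covers only the IoT segment
    cls = DEVICE_CLASS.get(f["src"])
    if cls is None:
        return "deny"  # not in inventory: shadow device, nothing is justified
    return "allow" if (f["dst"], f["dport"], f["proto"]) in ALLOW_LIST[cls] else "deny"


def alerts_for(flows):
    """Detection view: every denied flow from the segment is an alert, because a
    camera has no legitimate reason to talk to anything off its list."""
    return [
        f"{f['src']} ({DEVICE_CLASS.get(f['src'], 'unknown')}) -> "
        f"{f['dst']}:{f['dport']}/{f['proto']}"
        for f in flows
        if decide(f) == "deny"
    ]


def off_baseline_rate(baseline, today):
    """Fraction of today's flows whose destination path never appeared in the
    baseline. Under an allow-list rule this is the alert rate; for a device
    whose legitimate behaviour never changes it is also the false-positive rate."""
    seen = {(f["dst"], f["dport"], f["proto"]) for f in baseline}
    if not today:
        return 0.0
    novel = sum((f["dst"], f["dport"], f["proto"]) not in seen for f in today)
    return novel / len(today)


# Constructed sample traffic (not real captures).
CAMERA_NORMAL = [
    flow("10.20.0.11", "10.10.5.20", 554),
    flow("10.20.0.11", "10.10.5.20", 443),
    flow("10.20.0.11", "10.10.0.53", 53, "udp"),
]
CAMERA_INCIDENT = CAMERA_NORMAL + [
    flow("10.20.0.11", "10.20.0.12", 22),    # lateral move to the other camera
    flow("10.20.0.11", "203.0.113.9", 443),  # outbound to an internet host
    flow("10.20.0.99", "10.10.5.20", 554),   # a device nobody inventoried
]
LAPTOP_MONDAY = [
    flow("10.30.0.7", "198.51.100.10", 443),
    flow("10.30.0.7", "198.51.100.11", 443),
    flow("10.30.0.7", "10.10.0.53", 53, "udp"),
]
LAPTOP_TUESDAY = [
    flow("10.30.0.7", "198.51.100.12", 443),
    flow("10.30.0.7", "198.51.100.13", 443),
    flow("10.30.0.7", "198.51.100.14", 443),
    flow("10.30.0.7", "10.10.0.53", 53, "udp"),
]

if __name__ == "__main__":
    for a in alerts_for(CAMERA_INCIDENT):
        print("ALERT off allow-list:", a)
    print("camera off-baseline rate on a normal day:",
          off_baseline_rate(CAMERA_NORMAL, CAMERA_NORMAL))
    print("laptop off-baseline rate, Monday baseline vs Tuesday:",
          off_baseline_rate(LAPTOP_MONDAY, LAPTOP_TUESDAY))
```

Two design choices carry the lesson. First, the unknown source 10.20.0.99 is denied and alerted on even though its destination is a legitimate camera path: a device missing from the inventory has no justified traffic at all, which is how shadow IoT surfaces on a properly contained segment. Second, the same off-baseline arithmetic that returns 0.0 for the camera returns 0.75 for the laptop after one day, which is why the rule is high-signal on the IoT segment and unusable on a human's workstation.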

Topics to review by question

  • Q1, 16, 18, 22: BYOD, ownership models, containerization, policy-as-control (§14.3)
  • Q2, 9, 10, 24: default credentials and why IoT insecurity persists (§14.4)
  • Q3, 14: IoT / embedded device / firmware vocabulary (§14.1)
  • Q4, 6, 19, 21: MDM/UEM, conditional access, sandboxing, jailbreak/root (§14.2)
  • Q5, 8, 11, 17, 20, 23: contain-and-watch, segmentation, monitoring (§14.4–14.5)
  • Q7, 13: deployment models and ATMs as worst-of-both-worlds (§14.3, §14.6)
  • Q12, 25: shadow IoT (§14.5)
  • Q15: inventory-first (§14.1, §14.5, project checkpoint)