Chapter 78 Β· Tricks

Securing Wireless and Mobile β€” Exam Tricks

High-yield distinctions, common traps, and pattern recognition for wireless and mobile security questions on the Security+ exam.

Trick 1 Wireless Survey Tool Sees Wi-Fi Only. Spectrum Analyzer Sees Everything. Use the Right One.

The exam tests the distinction between these two tools. The key difference is not brand or feature set β€” it is what the tool can see. A wireless survey tool (even an advanced one like Ekahau) sees only 802.11 Wi-Fi devices. A spectrum analyzer sees all RF energy regardless of source. When a question describes unexplained interference that standard tools cannot find, the answer is spectrum analyzer.

Pattern Recognition
"List all nearby Wi-Fi access points, channels, SSIDs, signal strength"
β†’ Wireless survey tool (NetSpot, Ekahau, inSSIDer)
"Survey tool shows no problems but interference persists"
β†’ Spectrum analyzer (non-Wi-Fi source β€” microwave, cordless phone, etc.)
"Identify ALL RF sources, not just Wi-Fi"
β†’ Spectrum analyzer
"Generate a heat map of signal coverage"
β†’ Wireless survey tool (walk the space; tool records signal; generates heat map)
Memory anchor: Survey tool = Wi-Fi only. Spectrum analyzer = everything. If the interference is invisible to a survey tool, it is not a Wi-Fi device β€” get the spectrum analyzer.
Trick 2 BYOD = Employee Owns. COPE = Company Owns, Personal Allowed. CYOD = Company Owns, Employee Chooses.

These three acronyms appear together on the exam, often as matching questions or scenario-based MCQ. The discriminator is always: who owns the device, and how much control does the organization have? Device ownership determines organizational control. Learn the ownership β†’ control relationship for each.

Pattern Recognition
"Employee's personal phone used for work" / "company manages work profile only" / "privacy tension at device disposal"
β†’ BYOD (employee owns; org manages corporate partition only)
"Company buys the device" / "personal use permitted" / "org can wipe entire device any time"
β†’ COPE (company owns; full organizational control; personal use allowed)
"Company buys the device; employee picks from approved list" / "user preference within company-approved models"
β†’ CYOD (company owns; employee selects from approved options)
"Organization needs full wipe capability including personal data β€” which model?"
β†’ COPE or CYOD (not BYOD β€” can't force wipe of personal data on employee-owned device)
Memory anchor: BYOD = bring (yours). COPE = company owns, personally enabled. CYOD = company pays, you choose. Ownership determines control.
Trick 3 Three Wi-Fi Attacks: Capture (Eavesdrop), On-Path (Rogue AP), DoS (Deauth). Know the Scenario for Each.

Wi-Fi attack questions describe a scenario and ask you to identify the attack type or the defense. The three types have distinct scenario signatures. Learn the distinguishing detail: data capture is passive (attacker reads traffic), on-path requires the client to connect to the attacker (rogue AP or ARP poisoning), deauth causes repeated disconnections without the attacker being on the network.

Pattern Recognition
"Attacker reads wireless traffic without interacting with the network" / "passive capture"
β†’ Data capture / eavesdropping β†’ Defense: encrypt (WPA3, TLS, VPN)
"Rogue AP with same SSID" / "attacker intercepts and forwards traffic" / "clients connect to attacker's AP"
β†’ On-path / evil twin attack β†’ Defense: WPA3 Enterprise with certs; avoid auto-connect
"Clients repeatedly disconnect" / "APs are functioning normally" / "attacker doesn't need network access"
β†’ Deauthentication DoS β†’ Defense: 802.11w management frame protection; WPA3
"What does 802.11w protect against?"
β†’ Deauthentication attacks (authenticates management frames; forged deauth frames are rejected)
Memory anchor: Capture = passive read. On-path = connect to me. Deauth = disconnect disconnect disconnect. 802.11w stops the deauth; WPA3 + certs stops the rogue AP; encryption stops the capture.
Trick 4 MDM Remote Wipe Requires a Procedure β€” the Capability Alone Does Nothing.

The exam tests MDM capabilities individually, but scenario questions often require understanding that having a capability and having a procedure to use it are different things. Remote wipe is the classic example: the technology exists, but if there is no policy requiring employees to notify IT before selling their device, the wipe never gets triggered. When a scenario describes a gap in BYOD data protection at device disposal, the answer involves both the MDM remote wipe capability AND the offboarding procedure that ensures it is used.

Pattern Recognition
"Employee sold phone; corporate data may have been exposed" β€” what was missing?
β†’ BYOD offboarding procedure requiring IT-triggered MDM remote wipe before disposal
"Which MDM capability protects data when a device is lost or stolen?"
β†’ Remote wipe (plus screen lock/PIN for immediate physical access prevention)
"MDM creates a work profile on employee's personal phone β€” what data can the org wipe?"
β†’ Only the corporate partition / work profile β€” personal data is outside organizational control in BYOD
"Which ownership model allows the org to wipe the entire device including personal data?"
β†’ COPE (company-owned; no personal data privacy protection obligation)
Memory anchor: Remote wipe = capability. Offboarding procedure = what makes it happen. The gap in BYOD security is usually a missing process, not a missing technology.
Practice Scenarios β€” Apply the Tricks
Scenario A: A law firm uses a wireless survey tool during a scheduled quarterly site survey. The tool shows no new access points, no channel conflicts, and normal signal strength throughout the office. However, attorneys on the 4th floor have been reporting wireless drops during the lunch hour every day for the past two weeks. What should be done next, and what is the likely cause?
Scenario B: A financial services company is implementing a mobile device policy. They want employees to have devices they can also use personally, but they need to be able to completely wipe any device β€” including personal data β€” if an employee is terminated for cause or if a device is lost. What ownership model should they choose, and why would BYOD not work?
Scenario C: At a corporate training event in a hotel conference room, participants are repeatedly disconnected from the hotel Wi-Fi. Reconnecting works briefly, then drops again. The hotel's IT team confirms the access points are operating normally and the internet connection is up. An IT security analyst with participants recognizes the pattern. What is happening and what would stop it?