Supreme Council of Information & Communication Technology

المجلس الأعلى للاتصالات وتكنولوجيا المعلومات

Blackberry Security Policy

Cyber Security/Q-CERT

The Supreme Council of Information & Communication Technology ‘ictQATAR’

May 17th 2011

Document Reference

Table of Contents

Definitions

References

1. Introduction

2. Policy Objectives

3. Scope and Application

4. Security Guidelines and Provisions, Articles or Proposals

5. Blackberry and the government information classification policy

6. Recommended Network Architecture

7. BES Configuration

8. Blackberry devices and Handhelds

9. Usage Policy and Procedures

10. S/MIME AND PGP

Annex A (Network Architecture)

Annex B (BES Installation)

Annex C (BES IT Policy Setting)

Definitions

IctQATAR: Supreme Council of Information and Communication Technology (Qatar)

RIM: Research In Motion, a Canadian-based company and maker of the Blackberry

ICT: Information and Communication Technology

Q-CERT: Qatar Computer Emergency Readiness Team, an ictQATAR initiative

GIAM: Government Information Assurance Manual

OS: Operating Systems

Agencies: State of Qatar government agencies, Ministries, Supreme Councils, etc.

LAN: Local Area Network

DMZ: Demilitarized Zone, the portion of the corporate network facing the internet

PGP: Pretty Good Privacy, an open source encryption platform

BES: Blackberry Enterprise Server

BIS: Blackberry Internet Service

MDS: Mobile Data Service

References:

[IAP-GOV-DCLS]: Government Information Classification Policy, 2009, State of Qatar

[IAP-NAT-IAFW]: Information Assurance Framework, 2008, State of Qatar

[IAP-GOV-INFA]: Government Information Assurance Manual, 2009, State of Qatar

1. Introduction

This document provides the ICT security policy on the installation, configuration and use of Blackberry in the Qatari Government. The information is derived from Q-CERT's lab research into the Blackberry Enterprise Server Express edition (BES Express) and the associated Blackberry handhelds (OS 5.x and OS 6.x), as well as RIM's best practices and the Australian government guidance for the use of Blackberry developed in 2006 and 2007 by the Australian Defence Signals Directorate. The document aims to enhance the security and confidentiality of Qatari government data and information, as well as the private data and information of personnel, that is handled, processed and stored by the various Blackberry infrastructure components. Many of these components reside outside the geographical boundaries of the State of Qatar, posing significant confidentiality and privacy risks.

2. Policy Objectives

Mobile communication is becoming central in almost all aspects of our lives, and the benefits are clear and acknowledged. Every day, thousands of Qatari government emails, private messages and confidential files are shared over the Blackberry mobile networks. All of this is stored by design outside the physical boundaries of the state. To maintain the quality of this important conduit while mitigating the risks that come with any new technology, it is the responsibility of the Government to state the principles that govern the official use of the Blackberry technology within the Qatari government. Therefore this policy aims to fulfil the following objectives:

Increase confidence and usage of the Blackberry technology, by ensuring appropriate control is being applied.

Ensure that issues regarding Blackberry Internet security and safety are addressed to prevent them acting as barriers to mobile collaboration adoption.

Protect the staff personal information and ensure that their privacy is maintained.

Provide protection to the government information stored or communicated using the device.

The basic principles that govern this policy are:

Provisions should encourage the positive development of the knowledge economy, contribute to further innovation, growth and employment by ensuring the security and quality of the mobile communication is maintained.

Individual privacy shall be respected and preserved within the boundaries of the law.

Provisions should be technically neutral, fair to all parties affected by them and not adversely affect the commercial viability of ISPs and Content/Hosting Service Providers.

Provisions should provide protection to government sensitive information while being processed or stored in foreign countries.

3. Scope and Application

This document applies to all agencies and ministries in the Qatari government that use Blackberry devices and services as part of their mobile communication solutions and information technology services.

Note: The Blackberry handhelds with OS versions 3.6 to 4.x may only be used for UNCLASSIFIED communications.

Disclaimer:

This document in no way endorses the use of a particular vendor or technology.

All of ictQATAR's lab research and findings are based upon the lab environment, which comprised mainly:

o Windows Server 2003 Standard Edition SP2

o Blackberry Enterprise Server (BES) Express edition 5.1

o MS Exchange server 2003 SP2

o Blackberry devices Operating system 5.x and 6.x

4. Security Guidelines and Provisions, Articles or Proposals

This document contains the following topics:

Blackberry and the Information classification manual,

Network architecture policy,

Blackberry Enterprise server Express configuration,

Blackberry handhelds,

Usage guidelines and procedures.

The document owner is ictQATAR's Cyber Security division (Q-CERT), and the document is issued as a policy. ictQATAR, as the information and communication technology regulator, encourages the information technology departments within the Qatari government to benefit from the controls, best practices and recommendations stated in this document.

5. Blackberry and the government information classification policy

As per the Government Information Assurance Policy [IAP-GOV-DCLS], it’s recommended that agencies SHOULD NOT use Blackberry for the transmission and/or storage of information labeled/classified as:

Confidential,

Secret,

Top Secret.

Agencies MAY use Blackberry for the transmission and/or storage of information labelled/classified as:

Unclassified,

Public,

Internal.

Agencies SHOULD NOT use Blackberry without the appropriate additional encryption requirements for the transmission and/or storage of information labelled/classified as:

Restricted.

Note: the classification of the information should take into account the contact details, venue and meeting appointments, which may be classified above [Internal].

6. Recommended Network Architecture

ictQATAR strongly RECOMMENDS all agencies to implement the following security best practices.

General design recommendations:

a) Distributing the Blackberry system components over multiple servers will help mitigate the effects of propagation of any future exploits on a single server

b) Hardening the servers OS as per the vendors and the Government manual [IAP-GOV-INFA] recommendations

c) Install the Blackberry Attachment Service and the Blackberry configuration database on separate servers to reduce the threat vector on any single server

d) Apply the latest patches, as per the agency patching policy and procedures as stated in the government manual [IAP-GOV-INFA], to all the various Blackberry infrastructure components (Email server, Operating systems, Internet Explorer, SQL server, BES, MDS, Attachment server, etc.)

e) Install a host-based firewall on the BES configured to limit traffic to the minimum necessary.

Blackberry router

f) Install the Blackberry router in a neutral VLAN between the trusted agency LAN and the Internet.

Configuring the external firewall

g) Configure the external firewall to permit only a single, outbound-initiated but bi-directional connection on port 3101 between the router and RIM.

Attachment Service

h) Install the Blackberry Attachment Service, which has known vulnerabilities, on a separate server to the BES.

Additional firewall

i) Install an internal firewall between the BES and agency mail servers to isolate and protect the agency mail server.

BES management

j) Manage the BES via a physical console (Example: KVM) to eliminate the need for SNMP traffic to be allowed on the server

k) Configure the MDS (Mobile Data Service) to use the agency proxy server.
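An added example, not part of the original policy: one way to audit an external firewall rule set against item g). The rule format, the addresses (documentation ranges standing in for the router and for RIM's network) and the use of TCP are assumptions of this example; the policy itself only gives port 3101.

```python
from ipaddress import ip_network

# Constructed values for illustration only.
ROUTER_IP = "192.0.2.10"          # Blackberry router in the neutral VLAN (assumed)
RIM_RANGE = "198.51.100.0/24"     # placeholder for RIM's address range (assumed)
BES_PORT = 3101                   # port named in item g); TCP is assumed


def _net(value):
    """Turn a rule field into a network; 'any' matches everything."""
    return ip_network("0.0.0.0/0") if value == "any" else ip_network(value, strict=False)


def audit_external_firewall(rules):
    """Return (rule index, reason) pairs; an empty list means the rule set conforms.

    The firewall is assumed to be stateful with a default deny, so one
    outbound allow rule is enough for the bi-directional session.
    """
    findings, conforming = [], 0
    for i, rule in enumerate(rules):
        if rule["action"] != "allow":
            continue
        reasons = []
        if rule["direction"] != "out":
            reasons.append("permits inbound-initiated connections")
        else:
            if rule["proto"] != "tcp" or rule["dport"] != BES_PORT:
                reasons.append(f"not limited to tcp/{BES_PORT}")
            if _net(rule["src"]) != ip_network(ROUTER_IP):
                reasons.append("source is not the Blackberry router alone")
            if not _net(rule["dst"]).subnet_of(ip_network(RIM_RANGE)):
                reasons.append("destination is wider than the RIM range")
        if reasons:
            findings.extend((i, reason) for reason in reasons)
        else:
            conforming += 1
    if conforming == 0:
        findings.append((None, "no rule permits the router-to-RIM connection"))
    elif conforming > 1:
        findings.append((None, "more than one allow rule for a single connection"))
    return findings


DENY_ALL = {"action": "deny", "direction": "any", "proto": "any",
            "src": "any", "dst": "any", "dport": "any"}

# Constructed rule set that matches item g).
GOOD_RULES = [
    {"action": "allow", "direction": "out", "proto": "tcp",
     "src": ROUTER_IP, "dst": RIM_RANGE, "dport": 3101},
    DENY_ALL,
]

# Constructed rule set with three typical deviations.
BAD_RULES = [
    {"action": "allow", "direction": "out", "proto": "tcp",
     "src": "any", "dst": "any", "dport": 3101},          # any host may reach any peer
    {"action": "allow", "direction": "in", "proto": "tcp",
     "src": RIM_RANGE, "dst": ROUTER_IP, "dport": 3101},  # inbound-initiated
    {"action": "allow", "direction": "out", "proto": "tcp",
     "src": ROUTER_IP, "dst": "any", "dport": 443},       # extra port
    DENY_ALL,
]

if __name__ == "__main__":
    for index, reason in audit_external_firewall(BAD_RULES):
        print(index, reason)
```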

7. BES Configuration

a) Agencies SHOULD use the Enterprise server as their Blackberry server

b) Agencies SHOULD rename AND change the default IT policy on the BES to at least meet the controls contained in this document; for reference purposes we shall rename it the (QGOV-BES-IT) Policy

c) Agencies SHOULD make sure that all staff are included in the (QGOV-BES-IT) Policy as the minimum security policy at any point in time

d) ictQATAR RECOMMENDS that agencies install a host-based firewall on the BES, to allow only the minimum traffic necessary to perform the authorized tasks

e) Agencies SHOULD NOT use the Blackberry Desktop Redirector

f) ictQATAR RECOMMENDS that agencies configure the MDS to use the Agency Proxy server, since MDS allows the BES to act as a proxy between the agency internet connection and the Blackberry handheld

g) Agencies SHOULD include the various BES components in their Patch Management process as stated in the (IAP-GOV-INFA) Manual; deviations from these requirements MUST be supported with a risk assessment report showing how the associated risk will be mitigated.

8. Blackberry devices and Handhelds

a) Agencies SHOULD NOT allow privately owned Blackberry devices to connect to the Agency systems

b) Agencies SHOULD ensure that any new devices are configured to use the (QGOV-BES-IT) policy before activating the Blackberry service

c) All unused handhelds SHOULD be kept in safe and secure storage in a controlled and monitored area

d) Agencies SHOULD ensure that only devices with OS 5.x and above are allowed on the system

e) Agencies and Blackberry assigned staff SHOULD disable the wireless functionality of the Blackberry devices in areas processing or discussing [Confidential, Secret or Top Secret] classified information by following these steps:

1. Turning off the RF wireless function

2. Or, removing the battery.

f) Bluetooth: Agencies SHOULD ensure that users are clearly instructed that only [Unclassified, Public or Internal] conversations may be conducted using a Bluetooth-enabled peripheral

g) Bluetooth: Agencies SHOULD NOT allow the Bluetooth serial port connection on any Blackberry handheld allowed to deal with [Confidential, Secret or Top Secret] classified information.

9. Usage Policy and Procedures

a) Agencies providing Blackberry services SHOULD endorse a policy for Blackberry acceptable usage and ensure that eligible staff acknowledge and accept the policy before being allowed to use the service

b) Agencies SHOULD train the Blackberry eligible staff before they are allowed to use the service; the training SHOULD cover topics like security risks and how to report device related incidents such as theft

c) Agencies SHOULD ensure that the devices comply with the password requirements in Annex C

d) Agencies SHOULD be able to use the "Remote Wipe" feature in case the device is reported stolen or missing.

10. S/MIME AND PGP

ictQATAR strongly RECOMMENDS the use of Secure/Multipurpose Internet Mail Extensions (S/MIME) or PGP, since these technologies would ensure an additional layer of end-to-end encryption that is independent from RIM's infrastructure.

ictQATAR strongly RECOMMENDS that encryption is applied to all emails exchanged between the agency users regardless of the message/content information classification.

IMPORTANT: The use of S/MIME or PGP in the agency messaging infrastructure would significantly mitigate many of the confidentiality and integrity risks associated with the use of the Blackberry system. Please check Annex C (BES IT Policy Setting) for more details on the recommended S/MIME or PGP encryption settings.

Annex A (Network Architecture)

Annex B (BES Installation)

RIM provides a comprehensive guide on preparing and installing the Blackberry system

o URL: http://www.Blackberry.com/knowledgecenterpublic

Check and apply the latest security patches issued by RIM on this portal

o URL: http://us.Blackberry.com/support/downloads/

A complete list of Blackberry IT policy rules and rationale

o URL: http://docs.Blackberry.com/es-es/admin/deliverables/25765/Desc_IT_policy_rules_1331311_11.jsp

Annex C (BES IT Policy Setting)

The BES management console contains more than 180 IT security controls to provide security granularity and general usability

ictQATAR reviewed the controls most applicable to and with direct impact on security

Some specific controls were left to the agency to match their own unique risk appetite

Blackberry Messenger policy group

| Name | Value | Notes |
|---|---|---|
| Allow BBM (Peer to Peer Messages) | True | Allow BBM |

Bluetooth policy group

| Name | Value | Notes |
|---|---|---|
| Allow outgoing calls | 1 | Allow |
| Disable Address book transfer | True | Prevent bulk contact transfer over Bluetooth |
| Disable Bluetooth | Agency Preference | Note: To be prevented on devices with Top Secret information classification |
| Disable Bluetooth desktop connectivity | True | |
| Disable Bluetooth dial-up networking | True | |
| Disable Discoverable Mode | Agency Preference | Note: To be prevented on devices with Top Secret information classification |
| Disable File Transfer | Agency Preference | Note: To be prevented on devices with Top Secret information classification |
| Disable Hands free Profile | Agency Preference | Note: To be prevented on devices with Top Secret information classification |
| Disable Headset Profile | Agency Preference | Note: To be prevented on devices with Top Secret information classification |
| Disable serial port profile | True | |
| Disable Pairing | Agency Preference | Note: To be prevented on devices with Top Secret information classification |
| Disable wireless bypass | True | |
| Require encryption | True | Peripheral must support encryption |
| Require LED connector indication | True | |
| Require Password for Enabling Bluetooth Support | True | |
| Require Password for Discoverable Mode | True | |

Browser policy group

| Name | Value | Notes |
|---|---|---|
| Disable execution on java script on handheld browser | True | |
| Allow IBS browser | False | Will remove the search bar in Blackberry browser that offers search in Wikipedia and dictionary.com. These search services are offered by the wireless service provider and do not exist by default |
| Disable Auto synchronization in Browser | True | |
| MDS Browser java script enabled | False | |

Camera policy group

| Name | Value | Notes |
|---|---|---|
| Disable Camera | Agency Decision | No device with a camera should be brought into an area used to process classified information of Restricted and above |

CMIME Application policy group

| Name | Value | Notes |
|---|---|---|
| Allow auto attachment download | False | Only from known and trusted sources |

Common policy group

| Name | Value | Notes |
|---|---|---|
| Blackberry server version | Null | The server version may allow attackers to determine the patch level of the server |
| Disable Kodiak PTT | True | Not applicable in Qatar |
| Disable MMS | True | The MMS does not go through BES and the agency has no control over it |
| Disable Voice Activated Dialing | Agency decision | |
| IT policy notification | True | Letting users know whether the policy settings have changed |
| Lock Owner Info | 3 | Lock down the owner information with as little information as possible |
| Set Owner info | change | Change to: If Found please return to Agency Po Box XXX or call Tel :12345678 |
| Set Owner Name | change | Change to: government device [Asset Number if applicable] |

Desktop policy group

| Name | Value | Notes |
|---|---|---|
| Desktop password cache time out | 10 min | |
| Desktop allow desktop add-ins | False | Desktop manager software to be managed by the agency and to be included in the patch management program |
| Desktop allow device switch | False | Users not allowed to switch the device contents to another device |

Desktop-only items

| Name | Value | Notes |
|---|---|---|
| Auto backup enabled | True | |
| Auto backup include all | True | |
| Do not save sent messages | False | Save a copy of all sent emails |
| Message conflict mailbox wins | True | |
| Force load count | 0 | To force updates (-1 to turn off updates) |
| Show application loader | False | |

Device-only items

| Name | Value | Notes |
|---|---|---|
| Allow peer to peer messages | Agency decision | |
| Allow SMS | Agency decision | SMS cannot be logged by BES, only unclassified messages may be sent |
| Default browser UID | Null | Only RIM's browser will be used |
| Enable long term timeout | True | This rule specifies whether a Blackberry device locks after a predefined period of time, regardless of user activity |
| Enable WAP configuration | False | Forcing all internet browsing to go through BES |
| Maximum password age | 90 days | |
| Maximum security timeout | 5 min | |
| Minimum password length | 8 | |
| Password pattern check | 3 | Checks the last 3 passwords |
| Password required | True | |
| User can change timeout | False | |
| User can disable passwords | False | |

Global items

| Name | Value | Notes |
|---|---|---|
| Allow browser | True | It is recommended that the agency only allows internet access through the certified RIM browser and not any third party browsers; this also allows access to be controlled by the MDS service of the BES |
| Allow phone | True | |
| Auto Signature | Change | Agency should ensure that the signature contains no identifiable information such as version number or model, or that the email was sent from a Blackberry device; a message such as (Sent while Mobile) is recommended |

Location Based services

| Name | Value | Notes |
|---|---|---|
| Disable Blackberry maps | Agency decision | There is a risk that Maps can be used to trace back saved destinations |
| Enable enterprise location tracking | False | This feature allows users to be tracked every 15 minutes and might be a violation of users' privacy outside working hours |

MDS Policy Group

| Name | Value | Notes |
|---|---|---|
| Disable activation with public MDSS | True | Users should not be allowed to configure the MDS settings |
| Disable user initiated activation with MDSS | True | |
| Verify MDSS certificate | True | |

Password policy group

| Name | Value | Notes |
|---|---|---|
| Forbidden passwords | Agency Decision | ictQATAR recommends that a list of popular and easy passwords is denied, such as (p@ssword,12345678) |
| Maximum password history | 3 | No reuse within 9 months |
| Periodic challenge time | 60 min | |
| Set maximum password attempts | 5 | |
| Set password timeout | 5 min | This rule specifies the number of minutes of inactivity before the security timeout occurs and a Blackberry device user must type the password to unlock the Blackberry device |
| Suppress password echo | True | This rule specifies whether, after a given number of incorrect password attempts, the characters that a user types in the Password dialog box appear on the screen |

PGP Application policy group

| Name | Value | Notes |
|---|---|---|
| PGP allowed content ciphers | 0,1,2,5 | Allow AES(128),AES(192),AES(256) and 3DES |
| PGP blind copy address | Agency Decision | This rule specifies an email address that is added as a BCC recipient to all encrypted PGP messages that a Blackberry device sends. Agencies must check with their legal departments before enabling this control |
| PGP Minimum strong DH key length | 1024 | |
| PGP Minimum strong DSA key length | 1024 | |
| PGP Minimum strong RSA key length | 1024 | |

S/MIME application policy group

| Name | Value | Notes |
|---|---|---|
| S/MIME allowed content ciphers | 0,1,2,5 | Allow AES(128),AES(192),AES(256) and 3DES |
| S/MIME blind copy address | Agency Decision | This rule specifies an email address that is added as a BCC recipient to all encrypted S/MIME messages that a Blackberry device sends. Agencies must check with their legal departments before enabling this control |
| S/MIME Minimum strong DH key length | 1024 | |
| S/MIME Minimum strong DSA key length | 1024 | |
| S/MIME Minimum strong RSA key length | 1024 | |
| S/MIME Minimum strong ECC key length | 163 | |

Security policy group: These controls affect various aspects of security

| Name | Value | Notes |
|---|---|---|
| Allow external connections | True | Allow 3rd party apps to connect to the internet |
| Allow Internal connections | True | Allow 3rd party apps to connect to the MDS for example |
| Allow outgoing call when locked | False | |
| Allow smart card password caching | False | |
| Allow split pipe connections | False | Opening internal and external connections simultaneously might present a security issue because applications can collect data from inside the firewall and send it outside the firewall without any auditing |
| Allow 3rd party apps to use the persistent store API | True | |
| Allow 3rd party apps to use serial port | False | |
| Application download control | True | Only allows the download of certified applications |
| Certificate status cache timeout | 1 day | |
| Message classification title | 1 | This rule specifies the set of message classifications that are available to apply to email messages sent using the BES |
| Disable 3DES transport crypto | True | Use AES |
| Disable external memory | False | |
| Disable email normal send | Notes | If agencies have not implemented S/MIME or PGP then set to false |
| Disable invalid certificate use | True | |
| Disable IP modem | True | |
| Disable key store backup | True | |
| Disable key store low security | True | |
| Disable Media Manager | False | Change to true for devices with information classified as and/or equivalent to secret |
| Disable persistent plain text | True | Ensure data stored in nonvolatile memory is encrypted |
| Disable revoked certificates | True | |
| Disable unverified CRLs | True | |
| Disable USB mass storage | False | Change to true for devices with information classified as and/or equivalent to secret |
| FIPS Level | 2 | |
| Force include address book in content protection | True | |
| Force LED blinking when microphone is ON | True | |
| Forced lock when holstered | True | |
| Minimal encryption key store security level | 2 | |
| Minimal signing key store security level | 2 | |
| Secure wipe delay after IT policy received | False | BES periodically sends policy updates to the handsets; this setting can wipe the handset if a new policy has not been received within a time frame. Change to true (2 days) for devices with information classified as and/or equivalent to secret |

Service exclusivity policy group

| Name | Value | Notes |
|---|---|---|
| Allow other browser services | False | Force all web browsing to go through BES |
| Allow other message services | False | Force all email to go through the BES |
| Allow public AIM services | False | |
| Allow Google talk services | False | |
| Allow ICQ services | False | |
| Allow Yahoo! Messenger services | False | |

TLS policy group

| Name | Value | Notes |
|---|---|---|
| TLS device side | False | This rule specifies whether a Blackberry device and the BES can use proxy mode TLS or proxy mode HTTPS |
| TLS disable invalid connection | 0 | 0=true and 1=false |
| TLS disable untrusted connection | 0 | 0=true and 1=false |
| TLS disable weak ciphers | 0 | 0=true and 1=false |
| TLS Minimum strong DH key length | 1024 | |
| TLS Minimum strong DSA key length | 1024 | |
| TLS Minimum strong RSA key length | 1024 | |
| TLS Minimum strong ECC key length | 163 | |
| TLS restrict FIPS ciphers | True | |

WTLS policy group

Note: Wireless transport layer security allows users to bypass the agency gateway infrastructure

| Name | Value | Notes |
|---|---|---|
| WTLS disable invalid connection | 0 | Disabled |
| WTLS disable untrusted connection | 0 | Disabled |
| WTLS disable weak ciphers | 0 | Disabled |
| WTLS Minimum strong DH key length | 1024 | |
| WTLS Minimum strong RSA key length | 1024 | |
| WTLS Minimum strong ECC key length | 163 | |
| WTLS restrict FIPS ciphers | True | |
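
An added example, not part of the original policy or of any RIM tool: a check of a device's policy values against a subset of the Annex C baseline. The snapshot is a hypothetical name-to-value mapping (not a BES export format), and treating numeric values as floors or ceilings is this example's reading of "at least meet the controls" in section 7 b).

```python
# Rule kinds: "eq" exact boolean, "min" numeric floor, "max" numeric ceiling,
# "true_if_secret" must be True only on devices holding Secret-equivalent data.
# Names and values are taken from the Annex C tables above.
BASELINE = {
    "Password required": ("eq", True),
    "User can disable passwords": ("eq", False),
    "Minimum password length": ("min", 8),
    "Maximum password age": ("max", 90),             # days
    "Set maximum password attempts": ("max", 5),
    "Set password timeout": ("max", 5),              # minutes
    "Disable serial port profile": ("eq", True),
    "Allow split pipe connections": ("eq", False),
    "Disable 3DES transport crypto": ("eq", True),
    "TLS Minimum strong RSA key length": ("min", 1024),
    "Disable USB mass storage": ("true_if_secret", None),
    "Disable Media Manager": ("true_if_secret", None),
}


def is_number(value):
    """True for ints only; bool is excluded although it subclasses int."""
    return isinstance(value, int) and not isinstance(value, bool)


def check_rule(kind, expected, actual, secret_device):
    """Return None when the value complies, otherwise a short reason."""
    if kind in ("eq", "true_if_secret"):
        if not isinstance(actual, bool):
            return f"expected a boolean, found {actual!r}"
        if kind == "eq" and actual != expected:
            return f"expected {expected}, found {actual}"
        if kind == "true_if_secret" and secret_device and not actual:
            return "must be True on a device holding Secret-equivalent information"
        return None
    if not is_number(actual):
        return f"expected a number, found {actual!r}"
    if actual < 1:
        # What zero or a negative value means is product-specific; flag it.
        return "non-positive value, review manually"
    if kind == "min" and actual < expected:
        return f"below the baseline minimum of {expected}"
    if kind == "max" and actual > expected:
        return f"above the baseline maximum of {expected}"
    return None


def audit(snapshot, secret_device=False):
    """Return {rule name: reason} for every baseline rule the snapshot fails."""
    findings = {}
    for name, (kind, expected) in BASELINE.items():
        if name not in snapshot:
            findings[name] = "rule missing from snapshot"
            continue
        reason = check_rule(kind, expected, snapshot[name], secret_device)
        if reason:
            findings[name] = reason
    return findings


# Constructed snapshot with deliberate deviations; "Disable Media Manager"
# is left out to show how a missing rule is reported.
SAMPLE = {
    "Password required": True,
    "User can disable passwords": False,
    "Minimum password length": 6,
    "Maximum password age": 60,
    "Set maximum password attempts": 5,
    "Set password timeout": 15,
    "Disable serial port profile": True,
    "Allow split pipe connections": True,
    "Disable 3DES transport crypto": True,
    "TLS Minimum strong RSA key length": 2048,
    "Disable USB mass storage": False,
}

if __name__ == "__main__":
    for rule, reason in audit(SAMPLE, secret_device=True).items():
        print(f"{rule}: {reason}")
```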