Session 23: Auditing Blackberrys and other PDAs
©2005 Lucent Technologies
Auditing Blackberrys and Other PDAs
(Handheld Devices)
Session Number 23
George G. McBride
Wednesday (11/16/2005), 8:30 AM to 10:00 AM
What are we covering this morning?
Identifying threats and vulnerabilities
How to measure risk
What controls should be in place
Industry best practices and standards
Policy and awareness
A proven audit approach to limit the vulnerabilities
Identifying Vulnerabilities
Need to understand the “assets” that we are reviewing
– Blackberrys
– iPAQs
– PalmPilots
– Treos and other “Smart Phones”
– USB Drives?
Is it a big deal?
A $16.50 used Blackberry purchased on eBay contained the following information from a former Morgan Stanley VP:
– 1000+ contacts
  • Executives’ home contacts!
– 200+ e-mails
  • Mergers and acquisitions discussed
  • Client restructuring activities
What else?
Several years ago, a Federal Reserve Board executive left his handheld in the back of a New York taxicab. It contained e-mails from Alan Greenspan and others.
A disgruntled employee in Maryland used his wireless PDA to launch an attack on his former employer, allegedly a pharmacy chain.
And one of the most famous
From the Washington Post:
– Utilized a flaw in the password reset page of the service provider to reset passwords
– Utilized social engineering to obtain access to a password-restricted customer service page
– Got her user information from that page and used the flaw to reset her password
– Utilized their Sidekicks to obtain the information in Paris Hilton’s online storage
– Began a publicity campaign to gain some notoriety
– Laurence Fishburne was also targeted (others?)
“Threats”
Release of data on the device to unauthorized entities: data outside of the firewall
Data on the device not available to legitimate users
Unauthorized changes to data on the device
Don’t forget about the control “account”
– And the service provider’s network
Vulnerabilities
Lack of authentication
Lack of encryption
Lack of mobile code execution controls
Difficult to enforce controls
Peripheral devices introduce additional vulnerabilities
Infrastructure vulnerabilities: service-specific operating systems, platforms, applications, etc.
Vulnerabilities
Small size is prone to theft and loss
All devices may not be corporate owned
Multiple configurations of the Blackberry Enterprise Server (BES) architecture
Limited centralized update mechanisms
Limited IT/CIO control
Handheld Attacks
Blackberry Enterprise Server
Sources of Recommended Controls and Security Guidelines
The vendor (Microsoft, Treo, RIM, etc.)
SANS (www.sans.org)
NIST has a great publication
Other existing guidelines
– From the mobile computing world
  • It’s just another mobile computer!
3rd party solutions often fill the gaps
3rd Party Solutions
Utilizing existing corporate policies, the 3rd party solution pushes the policy enforcement down to the desktops
Desktops can be restricted from performing certain functions and hence the devices are restricted as well
– Can also “force” the use of security features
Can be effective on corporate or personally owned devices
Bluefire Mobile Security™ Suite 3.5 Features
Authentication: Enforces power-on PIN or password requirements.
Encryption: Protects data stored in secure folders on the device or on removable storage cards with AES 128-bit encryption and complies with Federal Information Processing Standards (FIPS) 140-2 policy. A "logout and encrypt" feature can be invoked to automatically encrypt data at power-off.
Integrity Manager: Monitors core system assets and automatically alerts the user of an integrity violation on the device. The Integrity Manager can be set to actively alert and log an event or to quarantine the device by blocking all incoming and outgoing network communication.
Intrusion Detection: Scans inbound network packets to identify and prohibit traditional attacks such as LAND.
Real-time Logging: Captures and retains detailed logs of security events such as successful and invalid login attempts, password resets, quarantine overrides, port scans, firewall security level changes and integrity violations. Logging is controllable at the administrator level; administrators can determine device usage by choosing to log all network traffic to the device.
Firewall: Filters traffic to the device in compliance with administrator-controlled port and protocol policies via an integrated LAN/WAN firewall.
Anti-Virus: Bluefire offers, as a bundled solution, a choice of either McAfee VirusScan PDA Enterprise™ or Symantec AntiVirus Corporate Edition PDA Software™, two of the most respected leaders in enterprise virus protection.
Credant Software’s Mobile Guardian
CREDANT Mobile Guardian Shield - provides robust on-device policy enforcement - access control, data encryption and user permissions
CREDANT Mobile Guardian Gatekeeper - automates device detection and distribution of Shield client and policies and enforces ongoing compliance to security policies
CREDANT Mobile Guardian Enterprise Server - provides centralized security policy administration, integrates with existing enterprise directories and creates audit logs and reports
CREDANT Mobile Guardian Personal Firewall - safeguards the mobile device using a combination of stateful packet inspection, intrusion detection, defense monitoring, and event logging when used to access the Internet over a wired or wireless connection
Sprite Backup Suite - provides secure backup and access recovery for Pocket PC device
Sprite Clone - allows for software imaging to simplify the deployment of Pocket PC devices across the enterprise
PDA Defense
Note: These product discussions do not constitute an endorsement and serve only to educate the reader.
Controls
Policies, standards, practices, procedures, guidelines, etc.
Awareness
Technical controls that require the use of
– Authentication
– And encryption
– Any other security-enhancing control
IT and purchasing details can provide a partial inventory
– Asset management systems can provide information on others by looking for Blackberry, Good Technology, or other sync software
Connectivity Controls
Disable Wi-Fi, Bluetooth, and IR (yep, still around!) when not in use. It helps the battery as well.
Use strong (and as long as possible) PIN codes for authentication
Minimize time in “discoverable” mode
– The Cabir virus infected systems only when users accepted its incoming message and then chose to install the attached file
Avoid the “discoverable” mode altogether and specify connections by name
Any number of “Best Practices” provide guidance on Wi-Fi security
A Very Effective Control
Host a “Tune-Up” session with the mobile device owners / operators
Don’t discriminate between company and employee owned
– Rather, offer “trials” from vendors
Review all of the settings and offer suggestions
Provide software and BIOS updates
Tune the device configurations
Offer the service during an “amnesty” period to encourage participation
Don’t punish persons who violate corporate policies (the first time!)
Auditing Approaches
Like any audit: agree on scope
– Handhelds, BES, infrastructure, policies
– Expectations, limitations, scope
Blackberry infrastructure review
– Operating system, platform, patches
– Access control, management and administration
– Back-ups, business continuity
Auditing Approaches
BES - Integration to application servers
– Access controls
– Application authentication and encryption
– Data segregation
  • Between BES and mail servers and web services
– Customized applications and data
  • Where to start? How deep to go?
Auditing the BES
Review implementation of policies between the BES, servers, Blackberry devices, and Blackberry desktop agents
Review all configurations and options to ensure that the available security is implemented, not just available
Review configurations of options pushed down to the devices
Auditing the Desktop Software
Review the Blackberry Desktop software configurations
Review the “Standard Desktop” configuration and a sampling of desktops
Identification and review of applications that are part of the desktop software chain (providing input or processing output)
Infrastructure Review
Review the configuration of the network supporting the BES
– Routers, switches, VLANs, etc.
Review the changes required to support the BES functionality
– Firewalls, router changes, etc.
– Validate that only the required ports/addresses have been opened to support the service
Risk Assessment
Utilizing commercial or open source tools
Identify host and infrastructure IT security vulnerabilities
2nd chance to identify all “assets”
May also be an application security assessment of customized software code
How about an “Ethical Hack”?
Validates the risk
– Exploit the identified vulnerabilities
  • Likely to identify additional vulnerabilities (that’s OK!)
– Scope must be the same as the audit
– Requires stronger talent and expertise
  • And a lot more time
– Removes the uncertainty: proves the vulnerability exists
– Significantly more legal exposure
– Need the “Get out of jail” letter
– Document EVERYTHING
USB “Thumb” Drives
Can be used as a PGP volume
Can require authentication via hardware-enabled biometrics
Can use built-in “lite” encryption tools
– Good enough!
Can be enabled with “Autorun” to launch a tool
Is easier to lose than your keys
2 Gigabyte sizes are quite common
Super-gluing the USB ports doesn’t work
Desktop software can be utilized to disable USB ports
Policies are virtually ineffective
Offer up awareness and solutions that employees want to use
Audit Checklist
Know what “Risk” is
Our “Asset” can be the device or the entire infrastructure that makes up the service.
Audit Checklist (Contracts)
Good contract management:
– Review “Statement of Work”
– Agree upon timeframes
– Define time and resource commitments of IT, Security, and BU staff to support the audit
– Review expected deliverables including the report format and presentations as well as the final audience(s)
– Understand restrictions or inhibitors for the corrective actions that will be identified such as budgetary constraints or migrations to new technologies
Audit Checklist (Assets)
Assets identified:
– Corporate owned
  • Centrally managed through IT or decentralized and supported at the BU level?
  • Through SMS, inventory systems, purchasing
– Personally owned
  • Looking for “Sync” software
  • Review of message traffic: traffic to RIM or Good
End goal:
– Understand what types of assets we are concerned about
– Know how many of each asset are in use
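The Controls slide and the Assets checklist both suggest finding personally owned handhelds by looking for sync software on desktops. The following is an added example (not code from the presentation) that applies that idea to a constructed software-inventory export and cross-checks it against a constructed asset register; the product match strings, host names, users and serials are all assumptions.

```python
"""Added example: find handhelds the asset register does not know about by
looking for desktop sync software in a software-inventory export.
Product strings, hosts, users and serials below are constructed."""
import csv

# Desktop sync software implies a handheld is cradled to that PC.
# Substring -> platform label (assumed match strings, not a complete list).
SYNC_SIGNATURES = {
    "blackberry desktop": "BlackBerry (RIM)",
    "goodlink": "Good Technology",
    "activesync": "Windows Mobile / iPAQ",
    "hotsync": "Palm / Treo",
}

# Constructed inventory export, one row per installed application per host.
INVENTORY_CSV = """host,user,application
WS-0101,jdoe,BlackBerry Desktop Manager 4.0
WS-0101,jdoe,Microsoft Office 2003
WS-0102,asmith,Palm HotSync Manager
WS-0103,bjones,Microsoft ActiveSync 4.1
WS-0104,clee,GoodLink Desktop
"""

# Constructed asset register: devices IT knows about, keyed by assigned owner.
ASSET_REGISTER = {
    "jdoe": {"platform": "BlackBerry (RIM)", "serial": "SN-PLACEHOLDER-1"},
    "clee": {"platform": "BlackBerry (RIM)", "serial": "SN-PLACEHOLDER-2"},
}


def classify(application):
    """Return the handheld platform implied by an application name, or None."""
    name = application.lower()
    for pattern, platform in SYNC_SIGNATURES.items():
        if pattern in name:
            return platform
    return None


def find_sync_hosts(inventory_csv):
    """Map each host running sync software to (user, platform)."""
    hosts = {}
    for row in csv.DictReader(inventory_csv.splitlines()):
        platform = classify(row["application"])
        if platform:
            hosts[row["host"]] = (row["user"], platform)
    return hosts


def find_unmanaged(inventory_csv, asset_register):
    """Hosts whose user has no registered device, or one of another platform."""
    findings = []
    for host, (user, platform) in sorted(find_sync_hosts(inventory_csv).items()):
        record = asset_register.get(user)
        if record is None:
            findings.append((host, user, platform, "no device on register"))
        elif record["platform"] != platform:
            findings.append((host, user, platform, "register lists " + record["platform"]))
    return findings
```

Each finding is a host worth a follow-up: either a device that was never inventoried, or a user syncing a different platform than the one IT issued.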
Audit Checklist (Assets)
Also as part of the “Assets”
– Identify the BES/Good/Sync software solution
– Know the solution-specific components
– Know what the supporting infrastructure is and what it does
– Know what operating systems, applications, and services are in use
Audit Checklist (Assets)
Review the asset database:
– How is configuration management and change management handled?
– Are exact model numbers stored?
– Serial numbers of devices
– Date purchased
– Assigned owner
– Usage or access restrictions
Audit Checklist (Cont’d)
Collect the documentation:
– Vendor-specific documentation for endpoints and the infrastructure
– Corporate policies, practices, standards, procedures, guidelines, etc.
– Perform a quick review to understand what we have
– Index them on my machine to find things I need
– Review on-line vulnerability databases, vendor vulnerability announcements, etc. and catalog known issues based on the asset base
Policy Review
Does the organization have a clearly defined (and simple) policy regarding handheld devices?
– Information allowed on the device
– Types of operation allowed (including synchronization modes)
– Who has administrator-level access to the device to make changes
– Required security configurations such as patches, updates, 3rd party solutions
– Returning of devices upon employment termination
Acceptable Usage Policy
Like e-mail, the Internet, and other company resources, is there an AUP?
– Defines restrictions of data to be placed on the device (sensitive IP, account information)
– Usage of passwords when not in use after a time-out
– Personal usage restrictions
– Device ownership
– Physical loss and damage prevention measures
– Reporting of loss
– Restrictions on wireless usage when cradled to the desktop
– Regular updates and how they occur
– Approved software (and approval process for personal software)
What is the Awareness Training?
Review the Awareness Training Program
– Talk to the organization responsible for awareness training
– What metrics, reports, compliance measurements are available?
– Talk to the end-users to see what they know
– Does it reinforce the commonly misunderstood areas of the policy:
  • Physical security
  • Acceptable usage including personal use
  • Acceptable information to be stored on the device?
Audit Checklist (Vulnerabilities)
Identify vulnerabilities
– Review architecture
– Review specific BES/Good or other Sync software solution
– Identify the non-compliant or “Desktop Sync” users:
  • Quantity
  • Reasons
Audit Checklist (Vulnerabilities)
Authentication
– Does the device authentication meet the organization’s policies?
  • What biometric features are available?
  • Are unsuccessful attempts brought to the end user’s or administrator’s attention?
  • How is the device authenticated to the client computer or to the network?
  • Is device lock-out or wipe configured upon some number of unsuccessful entries?
Audit Checklist (AV/SpyWare)
Review the Anti-Virus and Anti-Spyware solutions:
– On the BES/Good Technology infrastructure
– On the client computer
– On the handheld
– How often are updates propagated?
– Measurements of compliance? Metrics for effectiveness?
Encryption
How is data encrypted on the device?
– What data must be encrypted?
  • Can the entire memory set be encrypted?
– How are keys managed?
– How are user accounts managed?
  • Maximum allowed attempts
  • Password strength / frequency of change
– How is data encrypted over the air in transit?
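The Connectivity Controls, Authentication and Encryption checklist items above are questions an auditor asks of each device's exported configuration. The following is an added example (not code from the presentation) that turns them into machine checks over a constructed set of device records; the field names, thresholds and device identifiers are assumptions, and a real BES or Good policy export would be mapped onto these fields first.

```python
"""Added example: check exported handheld configurations against the
organization's policy (PIN length, lockout and wipe, on-device and memory
card encryption, Bluetooth discoverable mode).  Field names, thresholds
and device ids are assumptions; the device records are constructed."""
from dataclasses import dataclass


@dataclass
class Policy:
    """What the organization's policy demands (constructed values)."""
    min_pin_length: int = 8
    max_failed_attempts: int = 10   # lockout/wipe must trigger at or below this
    require_wipe_on_lockout: bool = True
    require_storage_encryption: bool = True
    require_card_encryption: bool = True
    forbid_discoverable: bool = True


def check_device(cfg, policy):
    """Return the policy violations found in one device configuration."""
    issues = []
    if not cfg.get("password_required"):
        issues.append("no power-on password")
    elif cfg.get("min_length", 0) < policy.min_pin_length:
        issues.append("PIN shorter than %d" % policy.min_pin_length)
    attempts = cfg.get("max_failed_attempts")   # None: no lockout configured
    if attempts is None or attempts > policy.max_failed_attempts:
        issues.append("no lockout within %d failed attempts" % policy.max_failed_attempts)
    if policy.require_wipe_on_lockout and not cfg.get("wipe_on_lockout"):
        issues.append("no wipe after lockout")
    if policy.require_storage_encryption and not cfg.get("storage_encrypted"):
        issues.append("on-device data not encrypted")
    if (policy.require_card_encryption and cfg.get("has_memory_card")
            and not cfg.get("card_encrypted")):
        issues.append("memory card not encrypted")
    if policy.forbid_discoverable and cfg.get("bluetooth_discoverable"):
        issues.append("Bluetooth left discoverable")
    return issues


# Constructed audit sample: device id -> exported settings (not real devices).
DEVICES = {
    "BB-0001": dict(password_required=True, min_length=8, max_failed_attempts=10,
                    wipe_on_lockout=True, storage_encrypted=True, has_memory_card=False,
                    bluetooth_discoverable=False),
    "TREO-0002": dict(password_required=True, min_length=4, max_failed_attempts=None,
                      wipe_on_lockout=False, storage_encrypted=False, has_memory_card=True,
                      card_encrypted=False, bluetooth_discoverable=True),
    "IPAQ-0003": dict(password_required=False, max_failed_attempts=5, wipe_on_lockout=True,
                      storage_encrypted=True, has_memory_card=True, card_encrypted=True,
                      bluetooth_discoverable=False),
}


def audit(devices, policy=Policy()):
    """Map device id -> violations, leaving compliant devices out of the report."""
    return {dev: iss for dev, cfg in devices.items() if (iss := check_device(cfg, policy))}
```

The report lists only non-compliant devices, which is the list the spot-check step on the Endpoints slide would start from.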
Audit Checklist (Connectivity)
How is device connectivity secured?
– Is there a device firewall in place?
  • Administration, logging, control
– Is there a Virtual Private Network (VPN)?
  • Administration, logging, control, authentication
– Device integrity protection
  • Can the device detect unauthorized changes to data within the embedded operating system or data?
Audit Checklist (Management)
How is the device infrastructure managed?
– Logging, monitoring, maintained, operated?
– Commissioning and de-commissioning
– BES/Good infrastructure
– Handheld devices
– User’s PC
Audit Checklist (Connectivity)
Reviewing the connectivity options:
– Over The Air (OTA) provided by the carrier
– USB/Serial
– Bluetooth
– Infrared (IR)
– CDMA/UMTS
– GPRS
– 1x-EvDO
– 802.11a/b/g
Review:
– Authentication
– Adherence to policy
– Encryption
– Usage restrictions
– Disabling when not in use
– Corporate policies
Audit Checklist (Endpoints)
Review of the handhelds:
– Existing vulnerabilities
– How are vendor updates and patches applied to the devices?
– Are there expansion slots and memory card interfaces on the handheld?
  • What can they do?
– Spot check a few of the devices
  • Still finding passwords on masking tape on the back!
Audit Checklist (Conclusion)
Provide documentation to the appropriate persons at the appropriate level with the right content:
– Executive summary to the executives
– Action items and details to the system administrators and management
– Clear and concise report
– Document good and bad findings (positive and negative)
Ensure that the corrective actions are implementable within the organization
Track items through to closure
Agree on when the next audit will occur
Where there’s a will…
It’s not impossible. It’s just Expensive!
Summary
Mobile devices can be secured!
There is no “Silver Bullet”
Different products and architectures require different solutions
– BES, Good Technology, Sync tools and more
The assessor or auditor must be well versed in the architecture, technology, and solutions
Read the vendor’s documentation
– Manuals, FAQs, forums, security bulletins, updates
Comments? Questions?
Lucent Technologies
Bell Labs Innovations
Lucent Technologies Inc.
Room 1B-237A
101 Crawfords Corner Road
Holmdel, NJ 07733
Phone: +1.732.949.3408
E-mail: [email protected]
George G. McBride, Managing Principal
Lucent Worldwide Services