Session 23 Auditing Blackberrys and other PDAs

Session 23 Auditing Blackberrys and other PDAs. ©2005 Lucent Technologies Auditing Blackberrys and Other PDAs (Handheld Devices) Session Number 23 George


Session 23: Auditing Blackberrys and other PDAs


©2005 Lucent Technologies

Auditing Blackberrys and Other PDAs

(Handheld Devices)

Session Number 23
George G. McBride

Wednesday (11/16/2005), 8:30 AM to 10:00 AM


What are we covering this morning?

Identifying threats and vulnerabilities
How to measure risk
What controls should be in place
Industry best practices and standards
Policy and awareness
A proven audit approach to limit the vulnerabilities


Identifying Vulnerabilities

Need to understand the “assets” that we are reviewing:
– Blackberrys
– iPAQs
– PalmPilots
– Treos and other “Smart Phones”
– USB drives?


Is it a big deal?

$16.50 used Blackberry purchased on eBay contained the following information from a former Morgan Stanley VP:
– 1000+ contacts
  • Executives' home contacts!
– 200+ e-mails
  • Mergers and acquisitions discussed
  • Client restructuring activities


What else?

Several years ago, a Federal Reserve Board executive left his handheld in the back of a New York taxicab. It contained e-mails from Alan Greenspan and others

A disgruntled employee in Maryland used his wireless PDA to launch an attack on his former employer, allegedly a pharmacy chain.


And one of the most famous

From the Washington Post:
– Utilized a flaw in the password reset page of the service provider to reset passwords
– Utilized social engineering to obtain access to a password-restricted customer service page
– Got her user information from that page and used the flaw to reset her password
– Utilized their Sidekicks to obtain the information in Paris Hilton's online storage
– Began a publicity campaign to gain some notoriety
– Laurence Fishburne was also targeted (Others?)


“Threats”

Release of data on the device to unauthorized entities... data outside of the firewall

Data on the device not available to legitimate users

Unauthorized changes to data on the device

Don't forget about the control “account”
– And the service provider's network


Vulnerabilities

Lack of authentication
Lack of encryption
Lack of mobile code execution controls
Difficult to enforce controls
Peripheral devices introduce additional vulnerabilities
Infrastructure vulnerabilities: service-specific operating systems, platforms, applications, etc.


Vulnerabilities

Small size is prone to theft and loss
All devices may not be corporate owned
Multiple configurations of the Blackberry Enterprise Server (BES) architecture
Limited centralized update mechanisms
Limited IT/CIO control


Handheld Attacks


Blackberry Enterprise Server


Sources of Recommended Controls and Security Guidelines

The vendor (Microsoft, Treo, RIM, etc.)
SANS (www.sans.org)
NIST has a great publication
Other existing guidelines
– From the mobile computing world
  • It's just another mobile computer!
3rd party solutions often fill the gaps


3rd Party Solutions

Utilizing existing corporate policies, the 3rd party solution pushes the policy enforcement down to the desktops

Desktops can be restricted from performing certain functions and hence the devices are restricted as well
– Can also “force” the use of security features

Can be effective on corporate or personally owned devices


Bluefire Mobile Security™ Suite 3.5 features

Authentication: Enforces power-on PIN or password requirements

Encryption: Protects data stored in secure folders on the device or on removable storage cards with AES 128-bit encryption and complies with Federal Information Processing Standards (FIPS) 140-2 policy. A "logout and encrypt" feature can be invoked to automatically encrypt data at power-off. (An auditor should confirm any FIPS 140-2 claim against the module's entry on the NIST CMVP validated-modules list; "complies with" is not the same as "validated".)

Integrity Manager: Monitors core system assets and automatically alerts the user of an integrity violation on the device. The Integrity Manager can be set to actively alert and log an event or to quarantine the device by blocking all incoming and outgoing network communication.

Intrusion Detection: Scans inbound network packets to identify and prohibit traditional attacks such as LAND.

Real-time Logging: Captures and retains detailed logs of security events such as successful and invalid login attempts, password resets, quarantine overrides, port scans, firewall security level changes and integrity violations. Controllable at the administrator level, administrators can determine device usage by choosing to log all network traffic to the device.

Firewall: Filters traffic to the device in compliance with administrator-controlled port and protocol policies via an integrated LAN/WAN firewall.

Anti-Virus: Bluefire offers, as a bundled solution, a choice of either McAfee VirusScan PDA Enterprise™ or Symantec AntiVirus Corporate Edition PDA Software™, two of the most respected leaders in enterprise virus protection.


Credant Software’s Mobile Guardian

CREDANT Mobile Guardian Shield - provides robust on-device policy enforcement - access control, data encryption and user permissions

CREDANT Mobile Guardian Gatekeeper - automates device detection and distribution of Shield client and policies and enforces ongoing compliance to security policies

CREDANT Mobile Guardian Enterprise Server - provides centralized security policy administration, integrates with existing enterprise directories and creates audit logs and reports

CREDANT Mobile Guardian Personal Firewall - safeguards the mobile device using a combination of stateful packet inspection, intrusion detection, defense monitoring, and event logging when used to access the Internet over a wired or wireless connection

Sprite Backup Suite - provides secure backup and access recovery for Pocket PC devices

Sprite Clone - allows for software imaging to simplify the deployment of Pocket PC devices across the enterprise


PDA Defense

Note: These product discussions do not constitute an endorsement and serve only to educate the reader


Controls

Policies, standards, practices, procedures, guidelines, etc.

Awareness

Technical controls that require the use of:
– Authentication
– And encryption
– Any other security-enhancing control

IT and purchasing details can provide a partial inventory
– Asset management systems can provide information on others by looking for Blackberry, Good Technology, or other sync software


Connectivity Controls

Disable Wi-Fi, Bluetooth, and IR (yep, still around!) when not in use. It helps the battery as well

Use strong (and as long as possible) PIN codes for authentication

Minimize time in “discoverable” mode
– The Cabir virus infected systems only when users accepted its incoming message and then chose to install the attached file

Avoid the “discoverable” mode altogether and specify connections by name

Any number of “Best Practices” provide guidance on Wi-Fi security


A Very Effective Control

Host a “Tune-Up” session with the mobile device owners/operators

Don't discriminate between company and employee owned
– Rather, offer “trials” from vendors

Review all of the settings and offer suggestions

Provide software and BIOS updates. Tune the device configurations

Offer the service during an “amnesty” period to encourage participation. Don't punish persons who violate corporate policies. (The first time!)


Auditing Approaches

Like any audit: agree on scope
– Handhelds, BES, infrastructure, policies
– Expectations, limitations, scope

Blackberry infrastructure review
– Operating system, platform, patches
– Access control, management and administration
– Back-ups, business continuity


Auditing Approaches

BES - integration to application servers
– Access controls
– Application authentication and encryption
– Data segregation
  • Between BES and mail servers and web services
– Customized applications and data
  • Where to start? How deep to go?


Auditing the BES

Review implementation of policies between the BES, servers, Blackberry devices, and Blackberry desktop agents

Review all configurations and options to ensure that available security is implemented, not just available

Review configurations of options pushed down to the devices


Auditing the Desktop Software

Review the Blackberry Desktop software configurations

Review “Standard Desktop” configuration and sampling of desktops

Identification and review of applications that are part of the desktop software chain (providing input or processing output)


Infrastructure Review

Review the configuration of the network supporting the BES
– Routers, switches, VLANs, etc.

Review the changes required to support the BES functionality
– Firewalls, router changes, etc.
– Validate that only the required ports/addresses have been opened to support the service


Risk Assessment

Utilizing commercial or open source tools, identify host and infrastructure IT security vulnerabilities

2nd chance to identify all “assets”

May also be an application security assessment of customized software code


How about an “Ethical Hack”?

Validates the risk
– Exploit the identified vulnerabilities
  • Likely to identify additional vulnerabilities (that's OK!)
– Scope must be the same as the audit
– Requires stronger talent and expertise
  • And a lot more time
– Removes the uncertainty... proves the vulnerability exists
– Significantly more legal exposure
– Need the “Get out of jail letter”
– Document EVERYTHING


USB “Thumb” Drives

Can be used as a PGP volume
Can require authentication via hardware-enabled biometrics
Can use built-in “lite” encryption tools
– Good enough!
Can be enabled with “Autorun” to launch a tool
Is easier to lose than your keys
2 Gigabyte sizes are quite common
Super-gluing the USB ports doesn't work
Desktop software can be utilized to disable USB ports
Policies are virtually ineffective
Offer up awareness and solutions that employees want to use


Audit Checklist

Know what “Risk” is

Our “Asset” can be the device or the entire infrastructure that makes up the service.


Audit Checklist (Contracts)

Good contract management:
– Review “Statement of Work”
– Agree upon timeframes
– Define time and resource commitments of IT, Security, and BU staff to support the audit
– Review expected deliverables including the report format and presentations as well as the final audience(s)
– Understand restrictions or inhibitors for the corrective actions that will be identified such as budgetary constraints or migrations to new technologies


Audit Checklist (Assets)

Assets identified:
– Corporate owned
  • Centrally managed through IT or decentralized and supported at the BU level?
  • Through SMS, inventory systems, purchasing
– Personally owned
  • Looking for “Sync” software
  • Review of message traffic – traffic to RIM or Good

End goal:
– Understand what types of assets we are concerned about
– Know how many of each asset are in use


Audit Checklist (Assets)

Also as part of the “Assets”:
– Identify the BES/Good/Sync software solution
– Know the solution-specific components
– Know what the supporting infrastructure is and what it does
– Know what operating systems, applications, and services are in use


Audit Checklist (Assets)

Review the asset database:
– How is configuration management and change management handled
– Are exact model numbers stored
– Serial numbers of devices
– Date purchased
– Assigned owner
– Usage or access restrictions


Audit Checklist (Cont’d)

Collect the documentation:
– Vendor-specific documentation for endpoints and the infrastructure
– Corporate policies, practices, standards, procedures, guidelines, etc.
– Perform a quick review to understand what we have
– Index them on my machine to find things I need
– Review on-line vulnerability databases, vendor vulnerability announcements, etc. and catalog known issues based on the asset base


Policy Review

Does the organization have a clearly defined (and simple) policy regarding handheld devices?
– Information allowed on the device
– Types of operation allowed (including synchronization modes)
– Who has administrator-level access to the device to make changes
– Required security configurations such as patches, updates, 3rd party solutions
– Returning of devices upon employment termination


Acceptable Usage Policy

Like e-mail, the Internet, and other company resources, is there an AUP?
– Defines restrictions of data to be placed on the device (sensitive IP, account information)
– Usage of passwords when not in use after a time-out
– Personal usage restrictions
– Device ownership
– Physical loss and damage prevention measures
– Reporting of loss
– Restrictions on wireless usage when cradled to the desktop
– Regular updates and how they occur
– Approved software (and approval process for personal software)


What is the Awareness Training?

Review the awareness training program
– Talk to the organization responsible for awareness training
– What metrics, reports, compliance measurements are available?
– Talk to the end-users to see what they know
– Does it reinforce the commonly misunderstood areas of the policy:
  • Physical security
  • Acceptable usage including personal use
  • Acceptable information to be stored on the device?


Audit Checklist (Vulnerabilities)

Identify vulnerabilities
– Review architecture
– Review specific BES/Good or other Sync software solution
– Identify the non-compliant or “Desktop Sync” users:
  • Quantity
  • Reasons
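Both the count of “Desktop Sync” users above and the earlier Infrastructure Review step (validate that only the required ports/addresses have been opened for the BES) can be driven from the perimeter firewall log. The following is an added example in Python, not code from the presentation or from RIM. It assumes that both the BES and the BlackBerry Desktop Redirector reach the BlackBerry Infrastructure over outbound TCP 3101 (the documented SRP relay port), that the sanctioned BES addresses are known from the asset inventory, and it uses a constructed, simplified log format with constructed sample lines; the BES address, internal range and relay address are hypothetical.

```python
"""Added example: find unmanaged BlackBerry sync hosts and unexpected BES
traffic in a perimeter firewall log.

Assumptions (not from the presentation):
- BES and the BlackBerry Desktop Redirector both use outbound TCP 3101 (SRP).
- APPROVED_BES_HOSTS comes from the asset inventory (hypothetical address here).
- Log format is a constructed, simplified one:
    "<timestamp> <src_ip> <dst_ip> <tcp|udp>/<dport> <allow|deny>"
"""
import ipaddress
import re
from collections import Counter

SRP_PORT = 3101                                      # BlackBerry relay port
APPROVED_BES_HOSTS = {"10.1.5.20"}                   # hypothetical sanctioned BES
APPROVED_BES_PORTS = {SRP_PORT}                      # only outbound port a BES needs
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")] # hypothetical corporate range

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<proto>tcp|udp)/(?P<dport>\d+)\s+(?P<action>allow|deny)\s*$"
)

# Constructed sample log (not captured from any real network). 198.51.100.10
# stands in for the BlackBerry relay, 192.0.2.55 for some other external host.
SAMPLE_LOG = """\
2005-11-10T08:01:02 10.1.5.20 198.51.100.10 tcp/3101 allow
2005-11-10T08:01:05 10.1.5.20 198.51.100.10 tcp/3101 allow
2005-11-10T08:03:11 10.7.22.41 198.51.100.10 tcp/3101 allow
2005-11-10T08:04:40 10.7.22.41 198.51.100.10 tcp/3101 allow
2005-11-10T08:05:17 10.1.5.20 192.0.2.55 tcp/445 allow
2005-11-10T08:06:00 10.9.1.3 198.51.100.10 tcp/3101 deny
2005-11-10T08:07:30 10.3.8.12 192.0.2.55 tcp/443 allow
2005-11-10T08:08:02 malformed line that the parser must skip
"""


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def audit(log_text):
    """Classify flows that cross the perimeter.

    unmanaged_srp_hosts: internal non-BES hosts that reached the relay on 3101,
                         i.e. likely Desktop Redirector / unmanaged devices.
    denied_srp_attempts: hosts that tried and were blocked (still worth a visit).
    unexpected_bes_flows: BES traffic on ports the firewall should not need open.
    """
    unmanaged, denied, unexpected = Counter(), Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue  # skip junk and purely internal traffic
        src = rec["src"]
        if src in APPROVED_BES_HOSTS:
            if rec["proto"] != "tcp" or rec["dport"] not in APPROVED_BES_PORTS:
                unexpected.append((src, rec["dst"], rec["proto"], rec["dport"]))
        elif rec["proto"] == "tcp" and rec["dport"] == SRP_PORT:
            target = unmanaged if rec["action"] == "allow" else denied
            target[src] += 1
    return {
        "unmanaged_srp_hosts": dict(unmanaged),
        "denied_srp_attempts": dict(denied),
        "unexpected_bes_flows": unexpected,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Each host in `unmanaged_srp_hosts` is a desktop to visit: it is either a Desktop Redirector install outside the BES (a “Desktop Sync” user whose count and reasons the checklist asks for) or something else using the same port. A BES entry in `unexpected_bes_flows` is a firewall rule that was opened wider than the service requires.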


Audit Checklist (Vulnerabilities)

Authentication
– Does the device authentication meet the organization's policies?
  • What biometric features are available?
  • Are unsuccessful attempts brought to the end user's or administrator's attention?
  • How is the device authenticated to the client computer or to the network?
  • Is device lock-out or wipe configured upon some number of unsuccessful entries?
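To turn the authentication questions above into a repeatable check, the following added Python example (written for this page, not a BES or vendor tool) evaluates a constructed set of device configuration records, of the kind a policy export from the management server would give, against a hypothetical organizational policy. The field names, policy values and device records are all assumptions; the presentation does not prescribe them.

```python
"""Added example: check handheld authentication settings against an
organizational policy. Records, field names and policy values are hypothetical."""
from datetime import date

POLICY = {
    "password_required": True,
    "min_password_length": 8,
    "max_failed_attempts": 10,   # device must wipe at or before this many bad entries
    "max_inactivity_minutes": 30,
    "max_password_age_days": 90,
}

# Constructed records in the shape of a management-server policy export.
# "pin" is the BlackBerry device identifier, not the user's password.
# max_failed_attempts == 0 means "never wipe"; inactivity_minutes == 0 means "never lock".
DEVICES = [
    {"pin": "2100A001", "user": "alice", "password_required": True,
     "min_password_length": 8, "max_failed_attempts": 10,
     "inactivity_minutes": 15, "password_last_changed": date(2005, 10, 1)},
    {"pin": "2100A002", "user": "bob", "password_required": False,
     "min_password_length": 4, "max_failed_attempts": 0,
     "inactivity_minutes": 0, "password_last_changed": None},
    {"pin": "2100A003", "user": "carol", "password_required": True,
     "min_password_length": 8, "max_failed_attempts": 20,
     "inactivity_minutes": 60, "password_last_changed": date(2005, 6, 1)},
]


def check_device(dev, policy=POLICY, as_of=date(2005, 11, 16)):
    """Return a list of (code, message) findings; an empty list means compliant."""
    findings = []
    if policy["password_required"] and not dev["password_required"]:
        findings.append(("NO_PASSWORD", "device password not enforced"))
    if dev["min_password_length"] < policy["min_password_length"]:
        findings.append(("SHORT_PASSWORD",
                         f"minimum length {dev['min_password_length']} "
                         f"< {policy['min_password_length']}"))
    if dev["max_failed_attempts"] == 0:
        findings.append(("NO_WIPE", "wipe after failed attempts disabled"))
    elif dev["max_failed_attempts"] > policy["max_failed_attempts"]:
        findings.append(("WIPE_THRESHOLD",
                         f"wipe after {dev['max_failed_attempts']} attempts "
                         f"> {policy['max_failed_attempts']}"))
    if dev["inactivity_minutes"] == 0:
        findings.append(("NO_LOCK", "inactivity lock disabled"))
    elif dev["inactivity_minutes"] > policy["max_inactivity_minutes"]:
        findings.append(("LOCK_TIMEOUT",
                         f"locks after {dev['inactivity_minutes']} min "
                         f"> {policy['max_inactivity_minutes']}"))
    changed = dev["password_last_changed"]
    if changed is None:
        findings.append(("PASSWORD_AGE_UNKNOWN", "no record of a password change"))
    elif (as_of - changed).days > policy["max_password_age_days"]:
        findings.append(("PASSWORD_STALE",
                         f"password {(as_of - changed).days} days old "
                         f"> {policy['max_password_age_days']}"))
    return findings


def audit_fleet(devices=DEVICES, policy=POLICY, as_of=date(2005, 11, 16)):
    """Map device PIN -> findings for every non-compliant device."""
    report = {}
    for dev in devices:
        findings = check_device(dev, policy, as_of)
        if findings:
            report[dev["pin"]] = findings
    return report


def finding_codes(findings):
    return [code for code, _ in findings]


if __name__ == "__main__":
    for pin, findings in audit_fleet().items():
        print(pin)
        for code, msg in findings:
            print(f"  {code}: {msg}")
```

The point of a 0-means-disabled convention is that a "never wipe" setting is a separate, more severe finding than a threshold that is merely too high; an auditor reading the export by eye tends to miss that a blank or zero field is the worst value, not a missing one.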


Audit Checklist (AV/SpyWare)

Review the anti-virus and anti-spyware solutions:
– On the BES/Good Technology infrastructure
– On the client computer
– On the handheld
– How often are updates propagated
– Measurements of compliance? Metrics for effectiveness?


Encryption

How is data encrypted on the device?
– What data must be encrypted?
  • Can the entire memory set be encrypted?
– How are keys managed?
– How are user accounts managed?
  • Maximum allowed attempts
  • Password strength / frequency of change
– How is data encrypted over the air in transit?
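The key-management question matters more than it looks. If the on-device data key is derived from the PIN alone, the maximum-attempts and wipe limits only protect data while the attacker has to go through the device's own PIN prompt; someone who images the flash or a removable card can test PINs offline at will. The following added Python example, written for this page and not taken from any vendor, derives a key from a PIN with PBKDF2, stores a short key-check value as devices typically do, and recovers a 4-digit PIN by exhaustive search; it then repeats the search where the key is also bound to a device-held secret (hypothetical) and shows that the PIN-space search fails. The iteration count is set far below a real device's so the demonstration runs in seconds; the salt, PIN and secret are constructed values.

```python
"""Added example: why a PIN-only data key defeats lock-out and wipe limits.

Not from the presentation or any vendor. Assumptions: a 128-bit data key is
derived from the user PIN with PBKDF2-HMAC-SHA256, and a short key-check value
(KCV) is stored beside the ciphertext so the device can recognise the right PIN.
ITERATIONS is deliberately tiny so the search runs in seconds; real products use
far more, but that only scales the attacker's cost linearly. Salt, PIN and
device secret are constructed values."""
import hashlib
import hmac
import itertools

ITERATIONS = 200
SALT = b"constructed-salt-value"                                   # constructed
DEVICE_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # hypothetical hardware-held secret


def derive_key(pin, salt, device_secret=b"", iterations=ITERATIONS):
    """128-bit data key from the PIN, optionally mixed with a device-bound secret."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode() + device_secret,
                               salt, iterations, dklen=16)


def key_check_value(key):
    """8-byte verifier stored with the data; lets the device tell a right PIN from a wrong one."""
    return hmac.new(key, b"kcv", hashlib.sha256).digest()[:8]


def recover_pin(salt, kcv, digits=4, device_secret=b"", iterations=ITERATIONS):
    """Offline exhaustive search over every PIN of the given length.

    Returns (pin, attempts) on success or (None, attempts) after the whole space.
    Nothing on the device is consulted, so no lock-out or wipe counter fires.
    """
    attempts = 0
    for combo in itertools.product("0123456789", repeat=digits):
        attempts += 1
        candidate = "".join(combo)
        key = derive_key(candidate, salt, device_secret, iterations)
        if hmac.compare_digest(key_check_value(key), kcv):
            return candidate, attempts
    return None, attempts


def demo(pin="7392"):
    """Run both cases against the same PIN and return their outcomes."""
    # Case 1: key derived from the PIN alone -> recovered from the image.
    kcv_pin_only = key_check_value(derive_key(pin, SALT))
    pin_only = recover_pin(SALT, kcv_pin_only)
    # Case 2: key also bound to a secret the attacker does not hold -> the
    # PIN-space search exhausts without a hit; the effective search space is
    # now the 128-bit secret, not the 10**4 PINs.
    kcv_bound = key_check_value(derive_key(pin, SALT, DEVICE_SECRET))
    bound = recover_pin(SALT, kcv_bound)
    return {"pin_only": pin_only, "device_bound": bound}


if __name__ == "__main__":
    print(demo())
```

When reviewing a vendor's encryption, the questions to ask are therefore where the device-bound secret lives, whether it can be read out with the same physical access that gets the ciphertext, and whether removable storage cards are encrypted under a key that is bound to the device at all; a longer password helps in case 1 only by making the offline search proportionally longer.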


Audit Checklist (Connectivity)

How is device connectivity secured?
– Is there a device firewall in place?
  • Administration, logging, control
– Is there a Virtual Private Network (VPN)?
  • Administration, logging, control, authentication
– Device integrity protection
  • Can the device detect unauthorized changes to data within the embedded operating system or data?


Audit Checklist (Management)

How is the device infrastructure managed?
– Logging, monitoring, maintained, operated?
– Commissioning and de-commissioning
– BES/Good infrastructure
– Handheld devices
– User's PC


Audit Checklist (Connectivity)

Reviewing the connectivity options:
– Over The Air (OTA) provided by the carrier
– USB/Serial
– Bluetooth
– Infrared (IR)
– CDMA/UMTS
– GPRS
– 1x-EvDO
– 802.11a/b/g

Review:
– Authentication
– Adherence to policy
– Encryption
– Usage restrictions
– Disabling when not in use
– Corporate policies


Audit Checklist (Endpoints)

Review of the handhelds:
– Existing vulnerabilities
– How are vendor updates and patches applied to the devices
– Are there expansion slots and memory card interfaces on the handheld?
  • What can they do?
– Spot check a few of the devices
  • Still finding passwords on masking tape on the back!


Audit Checklist (Conclusion)

Provide documentation to the appropriate persons at the appropriate level with the right content:
– Executive summary to the executives
– Action items and details to the system administrators and management
– Clear and concise report
– Document good and bad findings (positive and negative)

Ensure that the corrective actions are implementable within the organization

Track items through to closure

Agree on when the next audit will occur


Where there’s a will…


It’s not impossible. It’s just Expensive!


Summary

Mobile devices can be secured!
There is no “Silver Bullet”
Different products and architectures require different solutions
– BES, Good Technology, Sync tools and more
The assessor or auditor must be well versed in the architecture, technology, and solutions
Read the vendor's documentation
– Manuals, FAQs, forums, security bulletins, updates


Comments? Questions?

Lucent Technologies
Bell Labs Innovations

Lucent Technologies Inc.
Room 1B-237A
101 Crawfords Corner Road
Holmdel, NJ 07733
Phone: +1.732.949.3408
E-mail: [email protected]

George G. McBride
Managing Principal
Lucent Worldwide Services