Sekiur My Thoughts

VoIP, Mobility, Security, Open Source, Science, Politics, and Technology.


Sample Blackberry Enterprise Server Policy


The policy below provides an example of the security measures that should be taken to protect a corporate network from the threats presented by mobile devices.

These configurations and options should be taken with a grain of salt: they are a guideline to which features should be set to mitigate the risk of smart-phones being used as unmetered gateways into the corporate network.

The following 5-step process should be put into action to address security issues related to smart-phones.

  1. Identify threats and vulnerabilities.
  2. Measure the risk.
  3. Determine what control should be put in place.
  4. Implement industry best practices and standards.
  5. Develop and communicate policy and awareness.

THE SAMPLE POLICY:

Device-Only Items:

Password Required: True
Allow Peer-to-Peer Messages: False (This can be set to be audited if enabled)
Minimum Password Length: 4
User Can Disable Password: False
Maximum Security Timeout: 5
Maximum Password Age: 180
User Can Change Timeout: False
Password Pattern Checks: (used to enforce complexity in passwords)
Enable Long-Term Timeout: True
Allow SMS: False (These can be set to be audited if enabled)
Enable WAP Config: False

Desktop-Only Items:

Show Application Loader: False
Force Load Count: 0
Auto Backup Enabled: True
Auto Backup Include All: True
Do Not Save Sent Messages: False

Common Policy Group:

Lock Owner Info: Lock Information Text
IT Policy Notification:
Set Owner Info: (If found please return to message……)
Disable MMS: True

Password Policy Group:

Set Password Timeout: 20
Set Maximum Password Attempts: 5
Suppress Password Echo: True
Maximum Password History: 3

Security Policy Group:

Disable Untrusted Certificate Use: True
Disable Revoked Certificate Use: True
Disable Peer-to-Peer Normal Send: True
Disable Key Store Low Security: True
Certificate Status Cache Timeout: 1
Disallow Third Party Application Download: True
Force Lock When Holstered: True
Allow Third Party Apps to Use Serial Port: False
Disable Invalid Certificate Use: True
Disable Weak Certificate Use: True
Disable Key Store Backup: True
Certificate Status Maximum Expiry Time: 4
Disable Stale Status Use: True
Disable Cut/Copy/Paste: True
Disable Radio When Cradled: True
Disable Forwarding Between Services: True
Disable Unverified CRLs: True
Disable 3DES Transport Crypto: False
Disable Persisted Plain Text: True
Disable Unverified Certificate Use: True
Disable IP Modem: True
Allow Smart Card Password Caching: False

SMIME Application Policy Group:

SMIME Minimum Strong RSA Key Length: 1024
SMIME Minimum Strong DH Key Length: 1024
SMIME Minimum Strong ECC Key Length: 163
SMIME Allowed Content Ciphers: AES (256-bit), Triple DES
SMIME Minimum Strong DSA Key Length: 1024

Memory Cleaner Policy Group:

Memory Cleaner Maximum Idle Time: 10
Force Memory Cleaner When Holstered: True

TLS Application Policy Group:

TLS Disable Weak Ciphers: Disable weak ciphers
TLS Disable Untrusted Connection: Disable untrusted connections
TLS Minimum Strong RSA Key Length: 1024
TLS Minimum Strong DH Key Length: 1024
TLS Minimum Strong ECC Key Length: 163
TLS Disable Invalid Connection: Disable invalid connections
TLS Minimum Strong DSA Key Length: 1024
TLS Device Side Only: False

WTLS Application Policy Group:

WTLS Disable Weak Ciphers: Disable weak ciphers
WTLS Disable Untrusted Connection: Disable untrusted connections
WTLS Minimum Strong RSA Key Length: 1024
WTLS Minimum Strong DH Key Length: 1024
WTLS Minimum Strong ECC Key Length: 163
WTLS Disable Invalid Connection: Disable invalid connections

Browser Policy Group:

Allow BIS Browser: False

PIM Sync Policy Group:

Disable PIN Messages Wireless Sync: False
Disable SMS Messages Wireless Sync: False

Desktop Policy Group:

Desktop Password Cache Timeout: 10
Desktop Allow Desktop Add-ins: False
Desktop Allow Device Switch: False
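A policy like the one above only helps if the values actually deployed on the BES still match it. The script below is an added example, not part of the original post or of any BlackBerry tooling: it assumes the policy has been exported or transcribed in the same "Name: Value" layout the post uses (group headings ending in a colon, remarks in parentheses after a value), parses it, and reports every setting that is missing or weaker than the baseline. The baseline values are a subset of the post's sample policy; the export being checked is constructed for the demo and drifts from the baseline in three places and omits one control.

```python
"""Baseline check for a BlackBerry Enterprise Server (BES) IT policy export.

Added example (not from the original post). Assumes the policy is available
as "Name: Value" lines under "Group:" headings, as in the post's sample.
"""
import re

# Expected values, taken from the post's sample policy (subset).
BASELINE = {
    "Password Required": "True",
    "Minimum Password Length": "4",
    "User Can Disable Password": "False",
    "Maximum Security Timeout": "5",
    "Maximum Password Age": "180",
    "Set Maximum Password Attempts": "5",
    "Disable Untrusted Certificate Use": "True",
    "Disallow Third Party Application Download": "True",
    "Disable Cut/Copy/Paste": "True",
    "TLS Minimum Strong RSA Key Length": "1024",
    "Allow BIS Browser": "False",
}
# Numeric controls where a larger value is at least as strict (key/password
# lengths) or a smaller value is stricter (timeouts, attempt counts).
# Everything else must match exactly.
AT_LEAST = {"Minimum Password Length", "TLS Minimum Strong RSA Key Length"}
AT_MOST = {"Maximum Security Timeout", "Maximum Password Age",
           "Set Maximum Password Attempts"}

LINE_RE = re.compile(r"^\s*(?P<name>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")


def parse_policy(text):
    """Return {group: {name: value}}; a 'Name:' line with no value opens a group."""
    groups, current = {}, "Ungrouped"
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not raw.strip() or not m:
            continue
        name, value = m.group("name"), m.group("value")
        if value == "":
            current = name
            groups.setdefault(current, {})
            continue
        value = re.sub(r"\s*\(.*\)\s*$", "", value)  # drop trailing "(remark)"
        groups.setdefault(current, {})[name] = value
    return groups


def _num(s):
    return int(s) if s.isdigit() else None


def check_policy(text, baseline=BASELINE):
    """Return [(setting, expected, actual)] for every deviation.

    actual is None when the export does not set the control at all; an unset
    control falls back to the device default, so it is reported rather than
    silently accepted.
    """
    actual = {}
    for settings in parse_policy(text).values():
        actual.update(settings)
    findings = []
    for name, expected in baseline.items():
        got = actual.get(name)
        if got is None:
            findings.append((name, expected, None))
            continue
        e, g = _num(expected), _num(got)
        if name in AT_LEAST and e is not None and g is not None:
            ok = g >= e
        elif name in AT_MOST and e is not None and g is not None:
            ok = g <= e
        else:
            ok = got.lower() == expected.lower()
        if not ok:
            findings.append((name, expected, got))
    return findings


# Constructed export for the demo: three controls weakened, one never set.
SAMPLE_EXPORT = """\
Device-Only Items:

Password Required: True
Minimum Password Length: 8
User Can Disable Password: True
Maximum Security Timeout: 30
Maximum Password Age: 180
Allow SMS: False (audited if enabled)

Password Policy Group:

Set Maximum Password Attempts: 10

Security Policy Group:

Disable Untrusted Certificate Use: True
Disallow Third Party Application Download: True
Disable Cut/Copy/Paste: True

TLS Application Policy Group:

TLS Minimum Strong RSA Key Length: 2048
"""

if __name__ == "__main__":
    for name, expected, got in check_policy(SAMPLE_EXPORT):
        print(f"{name}: expected {expected}, found "
              f"{'MISSING' if got is None else got}")
```

Longer minimum lengths and shorter timeouts are accepted as at least as strict as the baseline, so the check flags genuine weakening (the timeout raised to 30, attempts raised to 10, the user allowed to disable the password) and the unset browser control, rather than every difference from the sample.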

Locking Down The Blackberry Network

Auditing SMS and PIN Messages on a BES


Written by Jose Vicente Ortega

January 11th, 2009 at 3:15 pm

Posted in Security


Educause 2008


This year's Educause conference took place in Orlando, Florida.

Educause is a nonprofit association whose mission is to advance higher education by promoting the intelligent use of information technology. Membership is open to institutions of higher education, corporations serving the higher education information technology market, and other related associations and organizations.

The association provides a social networking Connect site that supports blogs, wikis, podcasts and other platforms for IT professionals to generate and find content and to engage their peers; professional development opportunities; print and electronic publications, including e-books, monographs, and the magazines Educause Quarterly (EQ) and Educause Review[1]; strategic policy advocacy; teaching and learning initiatives; applied research; special interest discussion groups; awards for leadership and transformative uses of information technology; and a Resource Center for IT professionals in higher education.

Major initiatives of Educause include the Core Data Service, the Educause Center for Applied Research (ECAR), the Educause Learning Initiative (ELI), Net@EDU (advanced networking), the Educause Policy Program, and the Educause/Internet2 Computer and Network Security Task Force. In addition, Educause manages the .edu Internet domain under a contract with the U.S. Department of Commerce.[1]

The current membership of Educause comprises more than 2,000 colleges, universities, and educational organizations, including 200 corporations, with 16,500 active members.

Pictures from the conference (images not reproduced here).

My schedule at the conference:

Tuesday, October 28, 2008

Wednesday, October 29, 2008

Thursday, October 30, 2008

Friday, October 31, 2008

Overall I thought it was an excellent conference, though there weren't as many people this year as in previous ones.

The exhibit hall was fun as always. Some exhibits were great and others sucked, which brings up another subject: marketing.

There were two exhibits that stood out amongst the crowd. The first one from Bradford Networks and the other from Trapeze Networks. These guys not only gathered leads, but engaged their prospective customers allowing them to deliver their sales pitch. Two companies that I will definitely be following up with.

Other companies that did well on their marketing pitch were Turning Technologies, Novell, CDW, Zimbra, Elluminate, and Microsoft. Although the only thing Microsoft had going for itself was a great demo of Image Composite Editor on a smart-board.

Microsoft Image Composite Editor is an advanced panoramic image stitcher. The application takes a set of overlapping photographs of a scene shot from a single camera location and creates a high-resolution panorama incorporating all the source images at full resolution. The stitched panorama can be saved in a wide variety of formats, from common formats like JPEG and TIFF to multi-resolution tiled formats like HD View and Silverlight Deep Zoom.

The things that characterized the good exhibits can be summarized in a few words. They were accessible, had an inviting environment, gave away free stuff (like free iTouch and laptops every hour) and had either professionals or very seasoned sales people giving the presentations.

On the other side of the coin were the very big and expensive exhibits, which just didn't deliver.

Some that deserve mention are AT&T, which had a very expensive three-environment exhibit representing campus life, with U-Verse all over the place. Alcatel-Lucent had a not very inviting exhibit and their staff sat down most of the time. Citrix was just offering a $5 Starbucks card for filling out a survey. Cognos had a closed exhibit that wasn't inviting to anyone.

It's not that these companies were cheap, which they were; but they are spending a lot of money on lead generation when they could also be qualifying the leads and delivering their product demos to a captive audience.
