These configurations and options should be “taken with a grain of salt”; as a guideline to what features should be set to mitigate the risk of smart-phone being used as [...]]]> The policy below provides an example of security measures that should be taken towards protecting a corporate network from the threats presented by mobile devices.

These configurations and options should be “taken with a grain of salt”; as a guideline to what features should be set to mitigate the risk of smart-phone being used as un-metered gateways into the corporate network.

The 5-step process should be put into action to address security issues related to smart-phones.

1. Identify threats and vulnerabilities.
2. Measure the risk.
3. Determine what control should be put in place.
4. Implement industry best practices and standards.
5. Develop and communicate policy and awareness.

THE SAMPLE POLICY:

Device-Only Items:

Password Required: True
Allow Peer-to-Peer Messages: False (This can be set to be audited if enabled)
Minimum Password Length: 4
User Can Disable Password: False
Maximum Security Timeout: 5
Maximum Password Age: 180
User Can Change Timeout: False
Password Pattern Checks: (used to enforce complexity in passwords)
Enable Long-Term Timeout: True
Allow SMS: False (These can be set be audited if enabled)
Enable WAP Config: False

Desktop-Only Items:

Show Application Loader: False
Force Load Count: 0
Auto Backup Enabled: True
Auto Backup Include All: True
Do Not Save Sent Messages: False

Common Policy Group:

Lock Owner Info: Lock Information Text
IT Policy Notification:
Set Owner Info: (If found please return to message……)
Disable MMS: True

Password Policy Group:

Set Password Timeout: 20
Set Maximum Password Attempts: 5
Suppress Password Echo: True
Maximum Password History: 3

Security Policy Group:

Disable Untrusted Certificate Use: True
Disabled Revoked Certificate Use: True
Disable Peer-to-Peer Normal Send: True
Disable Key Store Low Security: True
Certificate Status Cache Timeout: 1
Disallow Third Party Application Download: True
Force Lock When Holstered: True
Allow Third Party Apps to Use Serial Port: False
Disable Invalid Certificate Use: True
Disable Weak Certificate Use: True
Disable Key Store Backup: True
Certificate Status Maximum Expiry Time: 4
Disable Stale Status Use: True
Disable Cut/Copy/Paste: True
Disable Radio When Cradled: True
Disable Forwarding Between Services: True
Disabled Unverified CRLs: True
Disable 3DES Transport Crypto: False
Disable Persisted Plain Text: True
Disable Unverified Certificate use: True
Disable IP Modem: True
Allow Smart Card Password Caching: False

SMIME Application Policy Group:

SMIME Minimum Strong RSA Key Length: 1024
SMIME Minimum Strong DH Key Length: 1024
SMIME Minimum Strong ECC Key Length: 163
SMIME Allowed Content Ciphers: AES (256-bit), Triple DES
SMIME Minimum Strong DSA Key Length: 1024

Memory Cleaner Policy Group:

Memory Cleaner Maximum Idle Time: 10
Force Memory Cleaner When Holstered: True

TLS Application Policy Group:

TLS Disable Weak Ciphers: Disable weak ciphers
TLS Disable Untrusted Connection: Disable untrusted connections
TLS Minimum Strong RSA Key Length: 1024
TLS Minimum Strong DH Key Length: 1024
TLS Minimum Strong ECC Key Length: 163
TLS Disable Invalid Connection: Disable invalid connections
TLS Minimum Strong DSA Key Length: 1024
TLS Device Side Only: False

WTLS Application Policy Group:

WTLS Disable Weak Ciphers: Disable weak ciphers
WTLS Disable Untrusted Connection: Disable untrusted connections
WTLS Minimum Strong RSA Key Length: 1024
WTLS Minimum Strong DH Ley Lenth: 1024
WTLS Minimum Strong ECC: 163
WTLS Disable Invalid Connection: Disable invalid connections

Browser Policy Group:

Allow BIS Browser: False

PIM Sync Policy Group:

Disable PIN Messages Wireless Sync: False
Disable SMS Messages Wireless Sync: False

Desktop Policy Group:

Desktop Password Cache Timeout: 10
Desktop Allow Desktop Add-ins: False
Desktop Allow Device Switch: False

Locking Down The Blackberry Network

Auditing SMS and PIN Messages on a BES

Now president-elect Barack [...]]]> Early last year India threatened to discontinue Blackberry service if Research In Motion (RIM), the company behind the Blackberry did not allow the Indian Government to monitor the Blackberry network traffic raising serious security concerns. Here are a few articles from PCWorld, InfoWorld, and CNet.

Now president-elect Barack Obama vows to keep his Blackberry despite hacking fears and concerns by the Secret Service.

This will not only be a headache for the Secret Service but its pretty likely that hacking attempts towards the RIM network will increase exponentially.

Generally people just don’t think about the risk that a smart-phone poses, specially if its connected to a Blackberry Enterprise Server. How could my phone be a risk to anyone? Well a smartphone is not just a phone, but rather a miniature computer that is not just capable of making calls but it also an un-metered gateway into the corporate network.

In order to understand what actions to take to protect a smart-phone, in particular the Blackberry you have to understand how it works and how it interacts with the Blackberry Enterprise Server.

Vulnerabilities:

• Lack of authentication
• Lack of encryption
• Lack of mobile code execution controls
• Difficult to enforce controls
• Peripheral devices introduce additional vulnerabilities
• Infrastructure vulnerabilities service specific operating systems, platforms, applications, etc.
• Small size is prone to theft and loss
• All devices may not be corporate owned
• Multiple configurations of the Blackberry Enterprise Server (BES) architecture
• Limited centralized update mechanisms
• Limited IT/CIO Control

Sources of Recommended Controls and Security Guidelines:

• The Vendor (Microsoft, Treo, RIM, etc.)
• SANS (www.sans.org)
• NIST has a great publication
• Other existing guidelines
• 3rd Party Solutions often fill the gaps

Once the vulnerabilities have been identified we proceed to implement controls and audits.

Controls:

Controls will include policies, standards, practices, procedures, guidelines, awareness, authentication, encryption, and asset management.

Audits:

Once the scope has been defined, allow to review the implementation of policies between the BES, servers, Blackberry devices, and Blackberry desktop agents. Audits also allow the review of configuration and options to ensure that security is not just available but implemented. Additionally configurations pushed down to end devices need to be audited as well.

The infrastructure design and configuration of network components (firewalls, routers, switches, VLANs, etc.) will need to be audited as they play an intricate part of the overall security of the system.

Risk Assessment:

Although this requires additional resources and expertise, its a must in certain environments like corporate or government. A risk assessment will identity security vulnerabilities and provide a 2nd chance to identify all “assets”.

Once this has been completed, validating the risk by performing an “ethical hack” will remove any uncertainty by proving the vulnerabilities identified actually exist.

Conclusion:

Providing documentation on the findings is vital. The documentation required will contain an executive summary, action items and details for system administrators, and a clear and concise report with both the good and the bad findings.

A couple of things that should not fall through the cracks are ensuring that the corrective actions are implementable within the organization and the next audit scheduled.

Sample Policy:

Sample Blackberry Enterprise Server Policy