Mobile Workforce: Secure Wireless Access to Government Applications and Information
2008 NYS Cyber Security Conference
Presented by Sean T Murray, NYSTEC, and John Mounteer, NYSTEC
Overview of Wireless Data Network Technology
Overview of Mobile Devices
Organizational Risks Associated With Mobile Computing
Data in Transit Encryption Options
Security of Data on the Mobile Device
User Identity and Access Management
Remote Administration of Mobile Devices
NYSTEC’s Top Ten Things Government Agencies Should Consider When Deploying Wireless Access to Agency Data
Part One Overview of Wireless Data Network Technology
Wireless Network Access
Wireless 101 (part 1)
Wavelength - The distance traveled in one cycle, expressed in meters, centimeters, etc.
Frequency - The number of cycles repeated during a unit of time (usually 1 second), usually expressed in hertz (cycles per second).
Wavelength and frequency are inversely proportional.
As frequency increases, potential data throughput increases, but signal propagation decreases. Typically 2 GHz and up are used for data apps.
Amplitude – Maximum displacement of the wave from zero
Phase - The phase of a wave is the amount by which the cycle has progressed from a specified origin, usually expressed in degrees of a circle, and relative to that of some other wave. For example, two waves having crests 1/4 cycle apart are said to be 90° “out of phase.”
Wireless 101 (part 2)
The amount of data (bits per second) carried on one hertz (cycle per second) of bandwidth; varies with encoding (modulation) techniques.
Licensed versus Unlicensed
Licensed frequencies generally have exclusive use and in general allow for much higher transmit power than unlicensed frequencies.
For example, the maximum transmit power allowed for an AM radio station is 50 thousand watts; for a WiFi access point it is 1 watt.
Minimum receive power is also important. It is determined by a number of factors such as the encoding/decoding scheme, hardware and antennas, and can be as low as 1 pico-watt (a trillionth of a watt).
The new 4.9 GHz Public Safety band is an exception in that it is shared among Public Safety entities and has a maximum transmit power closer to that of many unlicensed bands.
Wireless Data: What’s Important?
Wireless Broadband Data
Broadband Wireless Data:
Any wireless communication with transmission rates greater than 256 kbps
No single technology will become dominant or ubiquitous; they all meet unique user requirements in a wirelessly connected world.
The best wireless solutions (systems) may involve a combination of technologies to allow increased mobility (and ultimately seamless roaming)
Three Categories of Wireless Data - Range
Wide Area (miles)– Cellular
GSM – AT&T and T-Mobile
CDMA – Verizon and Sprint
EVDO rev (x)
Local Area (feet) – WiFi
Personal Area – Bluetooth
Range & Throughput - Cellular

Standard              Max Download Mbps   Max Upload Mbps   Range    Typical Download Mbps
CDMA 1xRTT            0.31                0.15              ~18 mi   0.125
CDMA EV-DO Rev. 0     2.5                 0.15              ~18 mi   0.75
CDMA EV-DO Rev. A     3.1                 1.8               ~18 mi
CDMA EV-DO Rev. B     4.9                 1.8               ~18 mi
GSM GPRS Class 10     0.09                0.04              ~16 mi   0.014
GSM EDGE type 2       0.47                0.47              ~16 mi   0.034
GSM EDGE Evolution    1.89                0.94              ~16 mi
Range & Throughput - WiFi

Standard         Max Download Mbps   Max Upload Mbps   Range        Typical Download Mbps
WiFi: 802.11a    54                  54
WiFi: 802.11b    11                  11                ~30 meters   2
WiFi: 802.11g    54                  54                ~30 meters   10
WiFi: 802.11n    200                 200               ~50 meters   40
Range & Throughput - Bluetooth

Standard            Max Downlink Mbps   Max Uplink Kbps
Bluetooth 1.1       1                   125
Bluetooth 2.0+EDR   3                   375

Range (by power class, for both standards):
Class 1 - 100 mW - 100 meters
Class 2 - 2.5 mW - 10 meters
Class 3 - 1 mW - 1 meter
Cost of Wireless Data
Wide Area (miles) – Cellular
Phone or cellular modem purchase cost or free
Monthly Recurring Charge – $20-$50 or per byte
Local Area (feet) – WiFi
Built into phone, PDA or laptop
Usage free, per use, or monthly subscription
T-Mobile DayPass – $9.99 for 24 hrs
$19.99 to $39.99 monthly depending on plan
Personal Area – Bluetooth
Device purchase price
Over the Air Security of Wireless Data
Wide Area (miles) – Cellular
Security built into cellular wireless over the air portion – encryption, spread spectrum/frequency hopping (always on, no end user choice)
Very expensive to impersonate base station to create Man in the Middle Attack (MITM)
Local Area (feet) – WiFi
Security built into WiFi over the air portion - encryption (sometimes)
Radio Waves and Safety: What Are the Risks?
“It was found that users who spend more than an hour a day talking on a mobile phone have a close to one-third higher risk of developing a rare form of brain tumor. Most frequently, the cancers were found on the side of the head that the user held the phone up to.”
International Journal of Oncology, February 2003;22(2):399-407
"There is currently insufficient scientific basis for concluding either that wireless communication technologies are safe or that they pose a risk to millions of users.... FCC radio frequency radiation guidelines are based on protection from acute injury from thermal effects of RFR exposure and may not be protective against any non-thermal effects of chronic exposures."
U.S. Food and Drug Administration, February 2000
NYSTEC has been studying this issue with the US Air Force at Rome Labs
Radio Waves and Safety: What Are the Risks? (slide image: subject before testing)
Radio Waves and Safety: What Are the Risks? (slide image, marked NYSTEC TOP SECRET: subject after testing; effect was not permanent)
Part Two Overview of Mobile Devices
The traditional stand-alone PDA is being supplanted by new smartphone-style PDAs:
Stand-alone PDA sales fell 43.5% from 2006 to 2007 (Wikipedia).
Approximately 4 million PDAs are sold per year.
WiFi, Bluetooth, Infrared radio options (no Wide Area – Cellular voice or data option)
Smartphones combine a full-featured mobile phone with personal computer-like functionality (and processing power):
Users can make phone calls, run applications, and access, store, and manipulate data.
Data storage devices (e.g. memory cards) that work with smartphones are approaching 8 GB capacity.
Cellular voice and data, WiFi, Bluetooth, GPS radios
Smartphones and PDAs
Current smartphones and Personal Digital Assistants (PDAs) have as much processing power and memory as laptops had a few years ago!
Year 1992 - IBM Thinkpad 700C
Year 2007 - Samsung Blackjack 2
256 MB ROM
Smartphone: What is it?
There is no agreement in the industry about what a smartphone actually is and definitions have changed over time (silicon.com).
Most smartphones support full featured e-mail capabilities with the functionality of a complete personal organizer.
Other functionality might include:
an additional interface such as a miniature QWERTY keyboard, a touch screen or a D-pad,
a built-in camera,
built-in GPS navigation hardware and software,
the ability to read business documents in a variety of formats such as PDF and Microsoft Office,
media software for playing music, browsing photos and viewing video clips.
Smartphones and PDAs
Mobile devices may improve productivity and efficiency—but they also introduce new risks:
Confidential corporate and personal data can be lost when mobile devices are misplaced or stolen
Other risks include malware infections, spam, and hacking of mobile devices
The most common Operating Systems (OS’s) used on smartphones are:
Symbian OS from Symbian Ltd. (65% Market Share Sales Q4 2007) (Nokia)
Windows Mobile from Microsoft (12% Market Share Sales Q4 2007) (Samsung, Motorola, Carrier branded – Verizon)
RIM (Research in Motion) BlackBerry operating system (11% Market Share Sales Q4 2007) (Blackberry)
iPhone OS from Apple Inc. (7% Market Share Sales Q4 2007) (Apple iPhone)
Linux operating system (5% Market Share Sales Q4 2007) (Motorola)
Palm OS developed by PalmSource (now a subsidiary of ACCESS) (Treo).
Operating Systems Security
SIM card Lock (GSM)
“Platform Security” covers
OS and drivers
Applications (must be “signed”)
Third-party apps enhance security (e.g. DataViz RoadSync, which allows central management from an MS Exchange server)
Operating Systems Security (cont.)
Windows Mobile 6
Can be managed with Exchange server
Password length and complexity
Allow or disallow attachments, and size limits
Built-in storage card encryption
Supports security certificates (SSL)
Operating Systems Security (cont.)
BlackBerry started as an enterprise solution
End to End encryption standard when using Blackberry Enterprise Server
Lotus Notes encryption support
FIPS 140-2 validation for embedded encryption technology.
Meets the Department of Defense requirements for S/MIME (Secure/Multipurpose Internet Mail Extensions) and PKI (Public Key Infrastructure).
Remote management of security features, passwords, data wipe
Part Three Organizational Risks Associated With Mobile Computing
Mobile Devices are Easy Targets!
PDAs and Smartphones are small and easy to lose:
24% of US business professionals experienced loss or theft of at least one PDA (Pepperdine)
In recent years Smartphones have gone from embedded CPU-specific microcode to full featured multi-services Operating Systems
Users are not as wary as they are when using PCs and laptops
There are many network-borne infections and exploits:
There have been hundreds of mobile viruses and worms since June 2004. Infection vectors include Bluetooth, MMS (SMS), OS APIs, OS vulnerabilities and email
Mobile users frequently install unknown code
Mobile Devices Present Unique Challenges
Windows laptop security programs may not run “as-is” on stripped down Windows Mobile 5.0 for Pocket PC and Windows Mobile 6 Classic
Wireless creates new data network attack opportunities…
Many PDAs and Smartphones have 3+ wireless services (cellular, Wi-Fi, Bluetooth)
The default security mechanisms in mobile devices are turned off (for ease of use)
Many users use these devices without the knowledge of IT Departments
Forward email and/or store calendar information (sync with a PC using products like BitPIM)
Use as an external storage device
http://www.flexispy.com (“Download FlexiSPY spyphone software directly onto a mobile phone and receive copies of SMS, Call Logs, Emails, Locations and listen to conversations within minutes of purchase” )
Theft of organizational data off the device. This can lead to non-compliance issues: HIPAA, State Disclosure Laws (for example, the NYS Information and Security Breach Notification Act), CSCIC Policies, Federal Policies
Theft of data when the device is transmitting/ receiving data
Loss of organizational data off the device. Think of the cost (i.e., amount of time it would take to replace the data) if the data is lost or corrupted. This data includes phone book and calendar information.
The device is extending the organizational network, when the device interacts with the corporate infrastructure:
End point on the network (wireless LAN, VPN)
Syncing with a PC (cabled or Bluetooth)
Accessing corporate applications
Accessing corporate email servers
Acting as a VPN end point
This can pose several risks to the organizational infrastructure:
SMS phishing attacks seen in August 2004
Email, VPN, Internet facing applications
Part Four Encryption Options
Securing Data in Transit
Just like other data networks, mobile data needs to be secured during transmission
Even if the device’s data is encrypted “over-the-air” (OTA), it may not be encrypted end-to-end
Flaws have been found in GSM and CDMA authentication and encryption algorithms and carriers may not implement all controls
As with wired networks, there are various alternatives for securing mobile data in transit:
Using the Secure Sockets Layer (SSL) protocol over a secure Web connection
Using Virtual Private Network (VPN) solutions
Using end-to-end secure mail protocols like S/MIME, PGP
Using SMS/MMS filters to block unsolicited spam, phishing
SSL VPNs are a good option for mobile devices that have a browser to support them.
SSL VPNs are fairly open solutions, requiring less configuration and management on the client side, but more configuration on the server side.
SSL VPNs support multiple modes of operation:
Basic Browser access
The mode of operation has an impact on the client dependencies and applications (must ensure that the chosen mode supports your target applications)
Mobile VPNs extend data protection by encrypting traffic between the mobile device and a VPN gateway at the edge of the LAN.
Mobile VPNs are more proprietary solutions that require installation and management on the mobile device.
Smartphones and vehicle-mounted laptops roam among WLANs and/or cellular network “dead spots” that often cause breaks in IPsec tunnel connectivity
Smartphones may also “go to sleep”, which interrupts IPsec and SSL based VPN sessions
To stay connected, mobile VPNs rely on client software and specialized VPN gateways:
Create a “persistent session” that will spoof client-server connectivity in order to hold a session open during loss of signal, etc.
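As an added illustration of the “persistent session” idea (not code from the presentation or from any mobile VPN product): the device side keeps one session identifier and sequence numbers, queues traffic while the signal is gone, and retries under the same session; the gateway delivers in order and discards retransmitted duplicates. The link model, class names and message payloads are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Datagram:
    session_id: str   # survives loss of signal; the application never sees a reconnect
    seq: int          # lets the gateway discard retransmitted duplicates
    payload: str

class DeadSpotLink:
    """Constructed link model: a datagram whose seq is in `dead` is lost once (no ack)."""
    def __init__(self, gateway, dead):
        self.gateway, self.dead = gateway, set(dead)
    def transmit(self, dg):
        if dg.seq in self.dead:
            self.dead.discard(dg.seq)   # signal is back by the time the device retries
            return None                 # nothing acknowledged
        return self.gateway.receive(dg)

class Gateway:
    """Gateway end of the persistent session: in-order delivery, duplicate suppression."""
    def __init__(self):
        self.next_seq = {}   # session_id -> next expected seq
        self.delivered = {}  # session_id -> payloads in arrival order
    def receive(self, dg):
        expected = self.next_seq.get(dg.session_id, 0)
        if dg.seq == expected:
            self.delivered.setdefault(dg.session_id, []).append(dg.payload)
            self.next_seq[dg.session_id] = expected + 1
        return self.next_seq.get(dg.session_id, 0) - 1   # highest seq acknowledged

class PersistentClient:
    """Device end: queues traffic while the signal is gone and retries under the same session."""
    def __init__(self, link, session_id, max_retries=5):
        self.link, self.session_id, self.max_retries = link, session_id, max_retries
        self.seq, self.unacked = 0, []
    def send(self, payload):
        self.unacked.append(Datagram(self.session_id, self.seq, payload))
        self.seq += 1
        return self.flush()
    def flush(self):
        # Retry the oldest unacknowledged datagram; True once the queue is drained.
        for _ in range(self.max_retries):
            if not self.unacked:
                return True
            ack = self.link.transmit(self.unacked[0])
            if ack is None:
                continue   # dead spot: keep the session and the queue, try again
            self.unacked = [dg for dg in self.unacked if dg.seq > ack]
        return not self.unacked

def run_demo():
    # Four application messages across a dead spot that swallows seq 1 and 2 once each.
    gw = Gateway()
    client = PersistentClient(DeadSpotLink(gw, dead={1, 2}), "sess-A1")
    for p in ["login", "query-case-42", "upload-form", "logout"]:
        client.send(p)
    return gw.delivered["sess-A1"], client.unacked
```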
Built-in Mobile VPNs
Many mobile Operating Systems include VPN clients:
Palm OS 6: PPTP supplied with Wi-Fi card
Windows Mobile 5.0: PPTP, L2TP over IPsec
Blackberry: proprietary OTA encryption
Traffic (processing) overhead
Compatibility with existing agency VPN
Part Five Security of Data on the Mobile Device
Protect Data at Rest
Encryption is the most effective (only?) way to protect data stored on the mobile device
Many laptop encryption vendors offer solutions for mobile Operating Systems.
Encryption should extend to the files on the storage media used in the mobile device
Encryption solutions should be flexible and include support for standard encryption algorithms (for example AES) with 128 bit, 192 bit, and 256 bit encryption keys.
There is a relationship between the strength of the encryption key and power consumption…
The stronger the key, the more it reduces battery life
Recommendations for Mobile Data Device Data Encryption
Will need to ensure that the data encryption method chosen meets security policies, but does not overtax CPU, memory and battery resources
Want to select the minimum encryption necessary to comply with the security policy and the sensitivity of the data (See NIST SP 800-57)
Use solutions that encrypt “in place” rather than containers that require the user to save files in folders (which creates an opportunity for abuse and user error)
Certified products that conform to FIPS 140-2 requirements ensure that data protection meets robust federal requirements
Access Control and key management are essential for encryption to be effective
Part Six User Identity and Access Management
Access Control: Is It Used?
Access Control issues
Access to data on device
Access to applications and data on back-end systems
Access to the carrier network (device access). This cannot be relied upon to authenticate the user.
Allow/prohibit features or applications on the device
Many mobile device Operating Systems include access control mechanisms…
But they need to be enabled (and often are not)
May be inconvenient for the user
May not be enforced by the organization
Access control must be used in conjunction with encryption to protect data on the device.
Common Access Controls
Some common mobile device access controls:
SIM card lock
Recommendations: Access Controls
Use stronger, more convenient authentication technologies (like biometrics, smart cards, tokens). BlackBerry and Windows CE have smartcard readers available.
Establish policies and enforce them using 3rd-party Central Management and Enforcement tools
Define and provide a process for mobile password reset that is convenient and safe for road warriors
Part Seven Remote Administration of Mobile Devices
Why Centralized Management?
Reduces complexity and cost (of managing multiple devices)
Ensures that all mobile devices contain the same versions of the same software
Allows for centralized software distribution and control (e.g. can remove unauthorized software applications)
Essential Functions of a Mobile Security Central Management System
The Central Management System should provide (at a minimum):
Ability to centralize provisioning of settings and policies
Ability to install the mobile security applications on the mobile devices
Ability to push software patch updates, security and pattern file updates to the mobile devices
Ability to lock mobile security settings on the devices (to prevent users from changing them)
Part Eight NYSTEC’s Top Ten Things Government Agencies Should Consider When Deploying Wireless Access to Agency Data
Top Ten List
Develop and enforce mobile device policies. Stop ad hoc use of mobile devices to store data and train staff on the risks of these devices
Consider adding centralized management tools (Can help enable and manage all other items on this list)
Develop and maintain an inventory of mobile devices used by your employees (specific make, model, OS)
If the sensitivity of the data requires it, encrypt data stored on mobile devices, including the removable media in the devices
Enable and enforce mobile device access control mechanisms
Top Ten List (Cont.)
Use VPNs to ensure security of data in transit
If you are using a service for email, messaging or other services, know where this data is stored and ensure correct SLAs are in place to secure those locations
Start with conventional network defenses. Know what devices are connecting to your WLAN, VPN, etc.
Add device defenses like mobile firewalls, limiting what applications can run on the device, and/or using specific mobile antivirus software on mobile devices
If the data is important, ensure that it is being backed up
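Several items on the list (inventory of make/model/OS, encryption of built-in and removable storage, access control, central control of software and settings, backups) are what a central management tool would check for each device. The following is an added example, not from the presentation or from any vendor product, of a small per-device policy evaluator run over constructed inventory records; the minimum OS versions, the application allow-list and the thresholds are assumptions standing in for an agency's own policy.

```python
from dataclasses import dataclass

# Constructed allow-lists and thresholds standing in for an agency policy (assumptions).
MIN_OS = {"Windows Mobile": (6, 0), "BlackBerry": (4, 5)}
APPROVED_APPS = {"agency-mail", "agency-vpn", "mobile-av"}
MIN_PASSWORD_LEN, MAX_BACKUP_AGE_DAYS = 8, 7

@dataclass
class DeviceRecord:
    """One inventory entry as a central management tool might report it (constructed)."""
    device_id: str
    make: str
    model: str
    os_name: str
    os_version: str
    sensitive_data: bool      # holds data whose sensitivity requires encryption
    storage_encrypted: bool   # built-in storage
    card_encrypted: bool      # removable media
    lock_enabled: bool        # device access control switched on
    min_password_len: int     # password policy pushed to the device
    password_complexity: bool
    settings_locked: bool     # user cannot change the security settings
    installed_apps: frozenset
    last_backup_days: int

def version_tuple(v):
    return tuple(int(p) for p in v.split("."))

def evaluate(dev):
    """Return the policy findings for one device; an empty list means compliant."""
    f = []
    if not all([dev.make, dev.model, dev.os_name, dev.os_version]):
        f.append("inventory: make, model and OS must be recorded")
    if dev.os_name not in MIN_OS:
        f.append(f"os: {dev.os_name} is not an approved platform")
    elif version_tuple(dev.os_version) < MIN_OS[dev.os_name]:
        f.append(f"os: {dev.os_name} {dev.os_version} is below the approved minimum")
    if dev.sensitive_data and not dev.storage_encrypted:
        f.append("encryption: built-in storage is not encrypted")
    if dev.sensitive_data and not dev.card_encrypted:
        f.append("encryption: removable media is not encrypted")
    if not dev.lock_enabled:
        f.append("access control: device lock is disabled")
    elif dev.min_password_len < MIN_PASSWORD_LEN or not dev.password_complexity:
        f.append("access control: password length/complexity policy is too weak")
    if not dev.settings_locked:
        f.append("management: security settings are user-changeable")
    unauthorized = sorted(dev.installed_apps - APPROVED_APPS)
    if unauthorized:
        f.append("software: unauthorized applications " + ", ".join(unauthorized))
    if dev.last_backup_days > MAX_BACKUP_AGE_DAYS:
        f.append(f"backup: last backup {dev.last_backup_days} days ago")
    return f
```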
Examples of Mobile Device Security Vendors
This is a list to show the diversity of solutions being offered today. No recommendation of any of these solutions is implied:
BlackBerry – has device management, OTA encryption, device encryption, rules on what programs can be loaded and executed, remote wipe
Sprint – offers device management (Nokia Intellisync) and encryption, firewall, mobile VPN and anti-virus
Kaspersky – remote data wipe (using SMS), anti-theft component, anti-malware and a built-in firewall
Utimaco SafeGuard PDA Enterprise – management, encryption at rest, authentication