Mobile Device Security


Published on: Microsoft ExchangeConnections, Orlando, 2008

    1. Mobile Device Security
       John Rhoton, Hewlett Packard, [email_address]
    2. But just what is mobility?
       • Devices:
         • Mobility = Mobile phones?
         • Mobility = Smart phones?
         • Mobility = PDAs?
       • Wireless:
         • Mobility = Wireless LANs?
         • Mobility = GSM/GPRS?
       • Applications:
         • Mobility = Form-factor adaptation?
         • Mobility = Synchronisation?
    3. Mobility: Challenges
    4. Where is confidential data most vulnerable? (Source: ESG Research Report)
    5. Facets of Mobile Security
       Diagram labels: management; devices; air transmissions (PAN, LAN, WAN); public networks, private networks, VPN; applications; mobility, wireless, traditional security; facets numbered 1 to 4 (see Agenda)
    6. Agenda
       1. Mobile devices
       2. Air interfaces
          • Bluetooth, 802.11b, WWAN
       3. Remote Access
          • Tunnels (VPNs), Roaming
       4. Perimeter Security
          • Compartmentalization, Access Controls
    7. Device Security (Windows Mobile)
    8. Threats to Mobile Devices
       • Stolen information
         • Host intrusion, stolen device
       • Unauthorized network/application access
         • Compromised credentials, host intrusion
       • Virus propagation
         • Virus susceptibility
       • Lost information
         • Lost, stolen or damaged device
       Source: Trend Micro
    9. Windows Mobile Content Protection: Access Control Approaches
       • Simple lock-out
       • Encryption
         • Private key storage?
         • Smartcard / TPM
         • Hash private key (dictionary attack)
           • Couple with strong password policies
       • Prevent insecure boot
         • Analogous to BIOS password and DriveLock
       • Choice depends on
         • Sensitivity of data
         • Sustainable impact on usability and performance
         • Trust in user password selection
    10. iPAQ Content Protection: Access Control Solutions
        • Native Pocket PC
        • Biometric Authentication
        • HP ProtectTools
        • Pointsec
        • Credant
        • TrustDigital
        • Utimaco
        • Bluefire
        Callout: Centralized Provisioning and Configuration
    11. Enterprise Requirements
        • Integrated Management Console
          • Directory (AD/LDAP) integration
        • Centralized Policies
          • Policy polling
          • User cannot remove
          • Screen-lock / Idle-lock
    12. Air Interfaces: Bluetooth
    13. Pairing & Authentication
        • Pairing:
          • Access to both devices
          • Manual input of security code
          • No need to store or remember
        • Authentication:
          • Based on stored keys
          • No user intervention
    14. Bluetooth Security
        • Acceptable security algorithms
          • Initialization
          • Authentication
          • Encryption
        • Prevention of
          • Discoverability, Connectability and Pairing
        • Proximity requirement
        Diagram labels: devices A, B, C, D and master M; link keys K_MA, K_MB, K_MC, K_MD and K_AD
    15. Multi-tiered security
    16. Bluetooth vulnerability
        • PIN attack
          • Often hard-coded
          • Usually short (4-digit)
        • Bluejacking
        • Bluesnarfing
        • Virus propagation
        • Centralized Policy Management is critical in the Enterprise!!
    17. Air Interfaces: WLAN
    18. Needs determine security
        • SSID
        • MAC Filter
        • WEP
        • WPA/802.11i
    19. MAC Filters
        • Requires management of authorized MAC addresses
        • LAA (Locally Administered Address) can override UAA (Universally Administered Address)
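Slide 19's point is that a MAC filter trusts an address the client's own driver can set. The Python below is an added example (not from the deck): it reads the U/L bit of client addresses taken from constructed association-log lines and flags allow-listed addresses that carry the locally administered bit, while showing that a client cloning a permitted UAA passes the filter unnoticed. The log format and all addresses are constructed for the example.

```python
"""Audit 802.11 client addresses against a MAC-filter allow list (added example, not from the slides).

U/L bit = 0x02 of the first octet: 0 = Universally Administered (UAA, vendor-assigned),
1 = Locally Administered (LAA, set by the driver or OS). An LAA is the only hint a MAC
filter gets that a client is not using its factory address; a clone of a permitted UAA
is indistinguishable from the real one. All log lines and addresses are constructed.
"""
import re

# Constructed access-point log lines in a generic syslog style (no real product's format).
ASSOC_LOG = """\
Jun 12 09:01:13 ap1 wlan0: STA 00:1e:c2:aa:bb:cc associated
Jun 12 09:01:40 ap1 wlan0: STA 02:1e:c2:aa:bb:cc associated
Jun 12 09:02:05 ap1 wlan0: STA 00:1e:c2:dd:ee:ff associated
"""
# Constructed allow list; the second entry carries the LAA bit (e.g. a virtualized client).
ALLOW_LIST = ["00:1e:c2:aa:bb:cc", "02-1E-C2-AA-BB-CC"]
STA_RE = re.compile(r"STA ((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")


def normalize_mac(mac: str) -> str:
    """Return the address as 12 lowercase hex digits; accepts ':', '-' or '.' separators."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit of the first octet is set, i.e. the address is an LAA."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def audit_associations(log: str, allow_list) -> list:
    """Classify each associating client as 'denied', 'allowed-uaa' or 'allowed-laa'."""
    allowed = {normalize_mac(m) for m in allow_list}
    findings = []
    for line in log.splitlines():
        match = STA_RE.search(line)
        if not match:
            continue
        mac = normalize_mac(match.group(1))
        if mac not in allowed:
            verdict = "denied"
        elif is_locally_administered(mac):
            verdict = "allowed-laa"  # permitted, but the address is driver-set
        else:
            verdict = "allowed-uaa"  # permitted; a cloned UAA also lands here
        findings.append((mac, verdict))
    return findings
```

Run it over a real controller's association export by replacing ASSOC_LOG and adjusting STA_RE to that product's line format; every "allowed-laa" entry is worth a second look, and the "allowed-uaa" bucket is exactly what the filter cannot verify.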
    20. Equipment of a Wi-Fi freeloader
        • Mobile device
          • Linux
          • Windows
          • Pocket PC
        • Wireless card
          • Orinoco card
          • Prism 2 card
        • Driver for promiscuous mode
        • Cantenna and wireless MMCX to N type cable
    21. Increasing the transmission range (DEFCON 2005 WiFi Shootout)
        • Large dishes
        • High power levels
        • Line-of-sight
        Callout: 200 km
    22. Bringing the “War” to War Driving
    23. Tools
        • NetStumbler: access point reconnaissance
        • WEPCrack: breaks 802.11 keys
        • AirSnort: breaks 802.11 keys
          • Needs only 5-10 million packets
        • chopper
          • Released August 2004
          • Reduces number of necessary packets to 200-500 thousand
        • Aircrack, Airopeek, Airsnare, Airmagnet, Airjack, Aerosol, Kismet, Packetyzer, NAI Sniffer, Retina WiFi Scanner…
    24. Ten-minute WEP crack
        • Kismet: reconnaissance
        • Airodump: WEP cracking
        • Void11: deauth attack
        • Aireplay: replay attack
        Source: tom’s networking
    25. Wireless LAN security evolution
        • 1999: WEP
          • Privacy: 40-bit RC4 with 24-bit IV
          • Auth: SSID and shared key
          • Integrity: CRC
        • 2003: WPA
          • Privacy: per-packet keying (RC4) with 48-bit IV
          • Auth: 802.1x + EAP
          • Integrity: MIC
        • 2005+: 802.11i / WPA2
          • Privacy: AES
          • Auth: 802.1x + EAP
          • Integrity: MIC
    26. 802.11i / WPA2
        • Ratified June 2004
        • AES selected by National Institute of Standards and Technology (NIST) as replacement for DES
          • Symmetric-key block cipher
          • Computationally efficient
          • Can use large keys (> 1024 bits)
        • Cipher Block Chaining Message Authentication Code (CBC-MAC or CCMP) complements TKIP
          • RFC 3610
        • May require equipment upgrades
          • Some WPA implementations already support AES
        • Update for Windows XP (KB893357)
    27. IEEE 802.1x Explanation
        • Restricts physical access to the WLAN
        • Can use existing authentication system
        Diagram: Supplicant (Client), Authenticator (Access Point), Authentication Server (RADIUS Server); EAP over 802.1x between client and access point, EAP over RADIUS between access point and server; TKIP / MIC
    28. Wi-Fi Protected Access (WPA)
        • Temporal Key Integrity Protocol
          • Fast/per-packet keying, Message Integrity Check
        • WPA-Personal
        • WPA-Enterprise
        Callout: Require non-trivial client configuration
    29. Enterprise WLAN Security Options
        • WPA-Enterprise
          • Transition to 802.11i
          • Requires WPA-compliant APs and NICs
        • VPN Overlay
          • Performance overhead (20-30%)
          • VPN concentrator required
        • RBAC
          • Additional appliance and infrastructure
          • Most refined access
        • Home WLAN: WEP/WPA key rotation, firewall, intrusion detection
        • Public WLAN: MAC address filter, secure billing, VPN passthrough
    30. Rogue and Decoy Access Points
        • Highest risk when WLANs are NOT implemented
          • Usually completely unsecured
          • Connected by naïve (rather than malicious) users
        • Intrusion Detection Products
          • Manual, Sensors, Infrastructure
        • Multi-layer perimeters
          • 802.1x
          • RBAC, VPN
        • Decoys can be counteracted with automated configuration
        Diagram labels: Internet, Intranet, Access
    31. Air Interfaces: WWAN
    32. Wireless WAN (Wide Area Network)
        • GSM, GPRS, HSCSD, EDGE, UMTS, HSDPA
        • CDMA 1XRTT, EV-DO, EV-DV, 3X
        • 802.16, 802.20
        • 2G -> 2.5G -> 3G -> 4G
        • Bandwidth 9.6 kbps - 2 Mbps+
        • Large geographical coverage
        • International coverage through roaming
        Pictured: GPRS phone, GPRS iPAQ, e-mail pager, GSM/GPRS PC card
    33. Multiple interfaces maximize flexibility
        Diagram: PAN Zone, WLAN Zone, 3G Zone, GPRS Zone, Satellite Zone
        • Surfing: Person 1 improves bandwidth by moving into a 3G area
        • MP3 download: Person 2 saves time and money by scheduling the download in a public WLAN hotspot
        • Peer-to-peer: Person 3 sends an MP3 file over a Bluetooth link free of charge to Person 4
        • At sea: Person 5 maintains coverage via satellite after leaving GPRS range
        Vendors: Columbitech, Birdstep, Ecutel
    34. Unauthorized Wireless Bridge: Prevented through Policy
    35. Perimeter Security
    36. Perimeter Evolution
        • Restricted Network Access
        • Role-based Access Control
        • Network Compartmentalization
        Diagram labels: Role, Schedule, Location, User Access Control, IP Address, Port, Time, VLAN
    37. Credant OTA Sync Control
        Provides automatic network detection and remediation of mobile devices attempting to synchronize with Microsoft Exchange.
        • Local Gatekeeper can detect devices which sync via a local (ActiveSync) connection
        • OTA Sync Control detects devices which sync via Server ActiveSync; based on an ISAPI extension
        Diagram labels: Exchange 2003, Local ActiveSync, Handheld, App Servers, Gatekeeper, Internet, Server ActiveSync, Exchange Server
    38. Trust Digital Mobile Edge Perimeter Security
        • Wireless Provisioning Portal
          • Device and user registration integrated with enterprise use policy acceptance
          • Over-the-air (OTA) delivery of Trust Digital software and policy
        • Advanced Features
          • Asset, activity, and compliance reporting
          • Help Desk functionality including self-service portal
        • Network Admission Control
          • Ensures security/compliance of end-user device
          • Interrogates devices before allowing access
          • Integrated with Microsoft ISA Server
    39. HP Enterprise Mobility Suite
        Diagram: WW Wireless Operator Networks, HP Enterprise Devices (Leading OEM Device Manufacturers) and HP Worldwide Hosting Facilities connected to the Enterprise over the Internet via HTTPS (SMS and TCP/IP on the operator side)
        • Device Support, S/W Maintenance, WW Network Support
        • FusionDM for Enterprise: Device Troubleshooting, Device Security, Policy Mgmt, Asset Mgmt, IT Dash Board
        • Existing IT Systems: Exchange®, Domino®, Groupwise®, Corporate Directory, Active Directory®, Intranet, CRM, Application Portal
    40. Mobile Device Security Management
        • Provisioning security tools
        • Policy enforcement
          • Passwords
          • Device lock
          • Policy updates
        • User support
          • Device lockout
          • Backup/restore
        Diagram: balancing Security and Usability
    41. Summary
        • Security concerns are the greatest inhibitor to mobility
          • Wireless networks and devices introduce new risks
          • Some mobile security (e.g. WLAN) has been inadequate
          • The industry has since recognized and addressed the main threats
        • The enterprise challenge:
          • Systematically reassess security architecture
          • Standardize on security configuration
          • Ensure user compliance through automation and policy enforcement
    42. Questions? Contact me at:
    43. Your Feedback is Important
        • Please fill out a session evaluation form and either put it in the basket near the exit or drop it off at the conference registration desk.
        • Thank you!