
2008-07-15 - (ISC)2 - Mobile Phone Security, you have to let go in order t…



The key message of this talk is that mobile security goes beyond buying the right hardware. First, I show that BlackBerry’s architecture is fundamentally insecure and should be avoided at all costs: it introduces an easily attackable object into the infrastructure, with many credentials on board. This contrasts with BlackBerry’s very convincing argument that the devices themselves are secure: people generally forget that the entire corporate infrastructure is exposed through the BES. The second point is that strict control of physical devices is unnecessary and even counterproductive. By being too restrictive you see people bypassing all policies and still filling their unprotected devices with confidential data. By introducing a more liberal “bring your own toys” security policy, combined with the right kind of policies on the Exchange server, you get a grip on these rogue devices. By doing so a company can improve overall security while reducing friction with its employees.


  1. Mobile Devices: You have to let them go in order to keep them. Ir. Jaap van Ekris, 15 July 2008
  2. Jaap van Ekris
     • Senior Advisor, DNV (previously CIBIT|SERC)
        • Risk and reliability of ICT solutions, including security
        • Frequently involved in large assessments of high-security infrastructures
     • Owner of , focused on road warriors using mobile technology
     • Awarded Microsoft Most Valuable Professional
        • Mobile Devices expertise
        • Specialized in mobile device security
        • Beating Microsoft‘s development team with the security stick since 2004
  3. Mobile devices
  4. Your job (slide footer: 10 June 2011)
     • Keep users:
        • Safe
        • Productive
        • Happy
  5. The personal push towards mobile technology
     • Devices are becoming extremely cheap
     • Men like new toys
     • The new generation of employees expects to take their toys to work
     • The high potentials demand to use their own tools
     • Devices have become a fashion item, or even a part of the employee’s personality
  6. The corporate push towards mobile technology
     • People like to stay connected and productive
     • People like to work whenever they feel like it
     • Relieves stress
     • Mobile devices improve the availability of the user
  7. Device risks (UK data, per year)
     • Sold: 18.000.000
     • Destroyed (4.500.000):
        • 850.000 flushed down a toilet
        • 116.000 washed with clothes
        • 58.500 eaten by a dog
     • Lost (1.600.000):
        • 810.000 left in the pub
        • 315.000 left in the taxi
     • Stolen (1.300.000)
  8. Information risks?
  9. Is this something new?
  10. Infrastructure risks?
  11. A strongly centralized model
     • BlackBerry offers a strongly centralized model
     • Clients are “dumb” terminals and strongly limited
     • Everything is sandboxed
     • Certificates are needed to install applications
     • Users can only use it productively…
  12. A centrally managed architecture
  13. Vulnerabilities (diagram labels: malformed attachment; interpretation; administrative privileges)
  14. Vulnerabilities (trojans/device exploits) (diagram labels: tunnel; full access)
  15. A centrally managed solution…
     • Makes the solution well manageable
     • Also puts all your eggs in one basket
     • Might alienate the younger generation that likes the iPhone more
  16. Decentralized solutions
     • Decentralized solutions:
        • SyncML
        • Microsoft Exchange
        • Lotus Notes
     • Support many platforms at the same time:
        • Nokia
        • Windows Mobile (HTC, Samsung, etc.)
        • Apple iPhone*
     • The company decides on a case-by-case basis:
        • Buys devices
        • Grants specific mobile access to the user
  17. What users get
  18. A decentralized architecture
  19. Vulnerabilities (trojans/device exploits) (diagram labels: HTTP; user access)
  20. Rogue/backdoor devices
  21. Rogue devices in the enterprise
     • Windows Mobile
     • Nokia
     • SonyEricsson
     • Apple iPhone
  22. Did you know?
     • 86% of all devices in the corporate environment are privately owned
  23. Can you trust users?
     • 75% of all users do not activate their password protection
     • 79% give their password in exchange for a bar of chocolate
  24. (no title)
     • Strictly not your responsibility
     • But it will become your corporate problem!
  25. Rogue devices
  26. Open decentralized solutions
     • Think Jericho:
        • The device may not be yours
        • The information on it is yours
     • Allow everyone to use the central Exchange server, regardless of physical ownership
     • Push policies onto the device
  27. Supported devices
  28. An open decentralized architecture
  29. It is all about…
     • Sticks and carrots
  30. Carrots
     • 37% of all users already use their phone to retrieve corporate e-mail
     • 79% of all executives want mobile corporate e-mail
     • Around 11.000.000 people are addicted to e-mail
     • People love to do online calendaring
  31. Important sticks
     • Block devices that do not offer on-device security
     • Turn on password protection:
        • Minimum length
        • Require an alphanumeric password
     • Turn on encryption:
        • On the device itself
        • On the storage card
     • Turn on autodestruct on the device
  32. Important, but less popular sticks
     • Turn off MMS
     • Block HTML e-mail
     • Block unsigned application installs
     • Disable desktop sync
  33. Sticks that will cause revolt
     • Disable IMAP/POP e-mail
     • Disable SMS
     • Disable camera
     • Disable WiFi
     • Disable Bluetooth
     • Block unapproved applications
  34. Parenting: coach your “children”
     • You have to trust users at some level
     • You can audit your user base from Exchange
     • You can educate users:
        • Make them aware of the threats
        • Stimulate them to use good applications (to store passwords, etc.)
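The three tiers of sticks on slides 31 to 33 and the Exchange-side audit on slide 34 map almost one-to-one onto an Exchange ActiveSync mailbox policy. The following is an added example, not material from the talk: it assumes an Exchange 2010 Management Shell (PowerShell 2.0 or later, for the hashtable splatting), uses the New-/Set-ActiveSyncMailboxPolicy parameter names as documented for that version, and the policy name and CSV path are placeholders.

```powershell
# Exchange Management Shell; Exchange 2010 / PowerShell 2.0 or later assumed
# (hashtable splatting needs PowerShell 2.0). 'Corp-Baseline' and the CSV
# path are constructed placeholders.

# Tier 1, the "important sticks": no on-device security, no mailbox access.
$baseline = @{
    Name                               = 'Corp-Baseline'
    AllowNonProvisionableDevices       = $false  # device cannot enforce policy -> blocked
    DevicePasswordEnabled              = $true
    AlphanumericDevicePasswordRequired = $true
    MinDevicePasswordLength            = 8
    MaxDevicePasswordFailedAttempts    = 10      # "autodestruct": local wipe after 10 bad unlocks
    RequireDeviceEncryption            = $true
    RequireStorageCardEncryption       = $true
}
New-ActiveSyncMailboxPolicy @baseline

# Tier 2, "important, but less popular": added to the same policy.
$hardening = @{
    Identity                          = 'Corp-Baseline'
    AllowHTMLEmail                    = $false
    AllowUnsignedApplications         = $false
    AllowUnsignedInstallationPackages = $false
    AllowDesktopSync                  = $false
}
Set-ActiveSyncMailboxPolicy @hardening

# Tier 3, "sticks that will cause revolt": left commented out on purpose;
# enable only where the information classification justifies the friction.
# Set-ActiveSyncMailboxPolicy -Identity 'Corp-Baseline' `
#     -AllowPOPIMAPEmail $false -AllowTextMessaging $false `
#     -AllowCamera $false -AllowWiFi $false -AllowBluetooth Disable

# Push the policy to every ActiveSync-enabled mailbox, whoever owns the
# handset: the device may not be yours, the information on it is.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled } |
    Set-CASMailbox -ActiveSyncMailboxPolicy 'Corp-Baseline'

# Audit the user base from Exchange: which devices have partnered, what
# they run, and whether the policy actually landed on each of them.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled } |
    ForEach-Object { Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity } |
    Select-Object DeviceType, DeviceModel, DeviceOS, DeviceUserAgent,
                  LastSuccessSync, DevicePolicyApplicationStatus |
    Export-Csv -Path 'C:\Temp\eas-devices.csv' -NoTypeInformation
```

Devices that report anything other than an applied policy in the last column are exactly the rogue handsets the talk warns about, and the inventory is what makes the "coach your children" conversation concrete rather than a blanket ban.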
  35. Conclusion
     • You have to let go of some control to gain it
     • Centrally managed solutions tend to cause major central headaches
     • Closed decentralized solutions still push people outside the managed groups
     • Open synchronization solutions:
        • Enable users to use what they like
        • State your responsibilities clearly
        • Give you a grip on all mobile information in the enterprise