  • 04/12/10 NYSTEC Proprietary

1. Mobile Workforce: Secure Wireless Access to Government Applications and Information
   2008 NYS Cyber Security Conference
   Presented by Sean T Murray, NYSTEC, and John Mounteer, NYSTEC

2. Overview
   • Overview of Wireless Data Network Technology
   • Overview of Mobile Devices
   • Organizational Risks Associated With Mobile Computing
   • Data in Transit Encryption Options
   • Security of Data on the Mobile Device
   • User Identity and Access Management
   • Remote Administration of Mobile Devices
   • NYSTEC’s Top Ten Things Government Agencies Should Consider When Deploying Wireless Access to Agency Data

3. Part One: Overview of Wireless Data Network Technology

4. Wireless Network Access

5. Wireless 101 (part 1)
   • Wave characteristics
     ◦ Wavelength: the distance traveled in one cycle, in meters, centimeters, etc.
     ◦ Frequency: the number of cycles repeated during a unit of time (usually 1 second), usually expressed in hertz (cycles per second).
       ▪ Wavelength and frequency are inversely proportional.
       ▪ As frequency increases, potential data throughput increases, but signal propagation decreases. Typically 2 GHz and up are used for data applications.
     ◦ Amplitude: the maximum displacement of the wave from zero
     ◦ Phase: the amount by which the cycle has progressed from a specified origin, usually expressed in degrees of a circle and relative to that of some other wave. For example, two waves having crests 1/4 cycle apart are said to be 90° “out of phase.”
     ◦ Reflection
     ◦ Refraction

6. Wireless 101 (part 2)
   • Spectral efficiency
     ◦ The amount of data (bits per second) carried on one hertz (cycle per second) of bandwidth; varies with the encoding (modulation) technique.
   • Licensed versus unlicensed
     ◦ Licensed frequencies generally have exclusive use and in general allow much higher transmit power than unlicensed frequencies.
       ▪ For example, the maximum transmit power allowed for AM radio is 50 thousand watts; for a WiFi access point it is 1 watt.
       ▪ Minimum receive power is also important; it is determined by a number of factors such as the encoding/decoding scheme, hardware and antennas, and can be as low as 1 picowatt (a trillionth of a watt).
     ◦ The new 4.9 GHz Public Safety band is an exception in that it is shared among Public Safety entities and has a maximum transmit power closer to that of many unlicensed bands.

7. Wireless Data: What’s Important?
   • Range
   • Throughput
   • Cost
   • Security

8. Wireless Broadband Data
   • Broadband wireless data:
     ◦ Any wireless communication with transmission rates greater than 256 kbps
     ◦ No single technology will become dominant or ubiquitous; they all meet unique user requirements in a wirelessly connected world.
     ◦ The best wireless solutions (systems) may involve a combination of technologies to allow increased mobility (and ultimately seamless roaming)

9. Three Categories of Wireless Data: Range
   • Wide Area (miles): Cellular
     ◦ GSM (AT&T and T-Mobile)
       ▪ GPRS
       ▪ EDGE
       ▪ 3G (UMTS/HSDPA)
     ◦ CDMA (Verizon and Sprint)
       ▪ RTT 1x
       ▪ EVDO
       ▪ EVDO rev (x)
   • Local Area (feet): WiFi
     ◦ 802.11a/b/g/n
   • Personal Area: Bluetooth

10. Range & Throughput: Cellular

    | Standard           | Max Download Mbps | Max Upload Mbps | Range  | Typical Download Mbps |
    |--------------------|-------------------|-----------------|--------|-----------------------|
    | CDMA RTT 1x        | 0.31              | 0.15            | ~18 mi | 0.125                 |
    | CDMA EV-DO Rev. 0  | 2.5               | 0.15            | ~18 mi | 0.75                  |
    | CDMA EV-DO Rev. A  | 3.1               | 1.8             | ~18 mi |                       |
    | CDMA EV-DO Rev. B  | 4.9               | 1.8             | ~18 mi |                       |
    | GSM GPRS Class 10  | 0.09              | 0.04            | ~16 mi | 0.014                 |
    | GSM EDGE type 2    | 0.47              | 0.47            | ~16 mi | 0.034                 |
    | GSM EDGE Evolution | 1.89              | 0.94            | ~16 mi |                       |

11. Range & Throughput: WiFi

    | Standard      | Max Download Mbps | Max Upload Mbps | Range      | Typical Download Mbps |
    |---------------|-------------------|-----------------|------------|-----------------------|
    | WiFi: 802.11a | 54                | 54              |            |                       |
    | WiFi: 802.11b | 11                | 11              | ~30 meters | 2                     |
    | WiFi: 802.11g | 54                | 54              | ~30 meters | 10                    |
    | WiFi: 802.11n | 200               | 200             | ~50 meters | 40                    |

12. Range & Throughput: Bluetooth

    | Standard          | Max Downlink Mbps | Max Uplink Kbps | Range                                                                         |
    |-------------------|-------------------|-----------------|-------------------------------------------------------------------------------|
    | Bluetooth 1.1     | 1                 | 125             | Class 1: 100 mW, 100 meters; Class 2: 2.5 mW, 10 meters; Class 3: 1 mW, 1 meter |
    | Bluetooth 2.0+EDR | 3                 | 375             | (same power classes as above)                                                 |

13. Cost of Wireless Data
    • Wide Area (miles): Cellular
      ◦ Phone or cellular modem purchase cost, or free
      ◦ Monthly recurring charge: $20-$50, or per byte
    • Local Area (feet): WiFi
      ◦ Built into phone, PDA or laptop
      ◦ Usage free, per use, or monthly subscription
      ◦ T-Mobile DayPass: $9.99 for 24 hrs
      ◦ $19.99 to $39.99 monthly depending on plan
    • Personal Area: Bluetooth
      ◦ Device purchase price

14. Over the Air Security of Wireless Data
    • Wide Area (miles): Cellular
      ◦ Security is built into the cellular over-the-air portion: encryption, spread spectrum/frequency hopping (always on, no end user choice)
      ◦ Very expensive to impersonate a base station to create a Man in the Middle (MITM) attack
    • Local Area (feet): WiFi
      ◦ Security built into the WiFi over-the-air portion: encryption (sometimes)
        ▪ WEP (Wired Equivalent Privacy): static key, sniffed
        ▪ WPA, WPA2 (Wi-Fi Protected Access): stronger encryption, dynamic keys
      ◦ A Man in the Middle (MITM) attack is more likely with WiFi because hardware is cheap and it is easy to impersonate an access point
    • Personal Area: Bluetooth
      ◦ PIN and encryption
      ◦ Frequency Hopping Spread Spectrum (FHSS) changes over 79 channels in a “pseudo-random” pattern 1600 times per second. Devices must be synchronized with the hop pattern

15. WiFi: Man in the Middle Attack

16. Wireless Data: on the Horizon
    • Wide Area (miles): WiMax
      ◦ Sprint and Clearwire
      ◦ Compete with cellular data services, voice?
    • Personal Area
      ◦ Near Field Radio (NFR)
        ▪ Similar to RFID, built into cell phones for payment
      ◦ Ultrawideband (UWB): features part of Bluetooth 3.0?
        ▪ FCC authorizes the unlicensed use of UWB in 3.1–10.6 GHz.

17. Broadband Wireless Technologies

    | Technology & Standard | Current Operators | Upgrade Path | Frequency Range & Duplexing | Channel Bandwidth | Peak Sector Data Rate | Average Data Rate |
    |---|---|---|---|---|---|---|
    | UMTS TD-CDMA Release 5.0+ (3GPP) | T-Mobile, Woosh, Orange, NYC DoITT | Rel. 6+, 7; HSDPA, HSUPA, MIMO | 700, 800, 1900-1920, 2000, 2100, 2500-2700, 3400-3600 MHz; TDD | 5, 10, 20 MHz | Down: 8 Mbps (31.8 Mbps, R7); Up: 1.8 Mbps | Down: 1.2 Mbps (8 Mbps DL, R7); Up: 500 Kbps |
    | UMTS WCDMA Release 5.0 (3GPP) | AT&T, NTT DoCoMo, Vodafone | HSDPA, HSUPA, MIMO | 824-894, 830-885, 1710-1880, 1850-1990, 1920-2170 MHz; FDD | 2 x 5 MHz | Down: 3.6 (14) Mbps; Up: 384 Kbps | 800 Kbps (downlink) |
    | CDMA2000 1xEV-DO Rev A (3GPP2) | Verizon, Sprint Nextel, Alltel | Rev B: bundling multiple channels (1.25 & 5 MHz) | 450-500, 824-894, 1850-1990, 700 MHz; FDD | 2 x 1.25 MHz | Down: 3.1 (4.9) Mbps; Up: 1.8 Mbps | 800 Kbps (downlink) |
    | 802.11a/b (IEEE WiFi) | 42+ nets, municipal or Public Safety | Meshing standard (802.11s) | 2400 MHz; 4900 MHz licensed | 1, 5, 10, 20 MHz | Down/Up: 10 Mbps | 1.2 Mbps (downlink, mobile) |
    | 802.16-2001, 802.16d (2004), 802.16e (2005) (IEEE WiMAX) | Clearwire, Sprint Nextel (07) | MIMO; 3GPP internetworking | 10-66 GHz (a), 2-11 GHz (d), <3.5 GHz (e); TDD | 1.25, 5, 7, 8.25, 10, 20 MHz | Down: 75 (d), 46 (e) Mbps; Up: 7 Mbps | TBD (Sprint: 2-4 Mbps down) |

18. Radio Waves and Safety: What Are the Risks?
    “It was found that users who spend more than an hour a day talking on a mobile phone have a close to one-third higher risk of developing a rare form of brain tumor. Most frequently, the cancers were found on the side of the head that the user held the phone up to.” (International Journal of Oncology, February 2003;22(2):399-407)
    "There is currently insufficient scientific basis for concluding either that wireless communication technologies are safe or that they pose a risk to millions of users.... FCC radio frequency radiation guidelines are based on protection from acute injury from thermal effects of RFR exposure and may not be protective against any non-thermal effects of chronic exposures." (U.S. Food and Drug Administration, February 2000)
    NYSTEC has been studying this issue with the US Air Force at Rome Labs

19. Radio Waves and Safety: What Are the Risks? Subject before testing

20. Radio Waves and Safety: What Are the Risks? NYSTEC TOP SECRET. Subject after testing. Effect was not permanent

21. Part Two: Overview of Mobile Devices

22. PDA
    • The traditional stand-alone PDA is being supplanted by new smartphone-style PDAs:
      ◦ Stand-alone PDA sales fell 43.5% from 2006 to 2007 (Wikipedia).
      ◦ Approximately 4 million PDAs are sold per year.
    • WiFi, Bluetooth and Infrared radio options (no Wide Area cellular voice or data option)

23. Smartphone
    • Smartphones combine a full-featured mobile phone with personal computer-like functionality (and processing power):
      ◦ Users can make phone calls, run applications, and access, store and manipulate data.
      ◦ Data storage devices (i.e. memory cards) that work with smartphones are approaching 8 GB capacity.
    • Cellular voice and data, WiFi, Bluetooth and GPS radios

24. Smartphones and PDAs
    • Current smartphones and Personal Digital Assistants (PDAs) have as much processing power and memory as laptops had a few years ago!
    • Year 1992: IBM Thinkpad 700C
      ◦ 25 MHz CPU
      ◦ 4 MB RAM
      ◦ 120 MB HD
    • Year 2007: Samsung Blackjack 2
      ◦ 260 MHz CPU
      ◦ 128 MB RAM
      ◦ 256 MB ROM

25. Smartphone: What is it?
    • There is no agreement in the industry about what a smartphone actually is, and definitions have changed over time (silicon.com).
    • Most smartphones support full-featured e-mail capabilities with the functionality of a complete personal organizer.
    • Other functionality might include:
      ◦ an additional interface such as a miniature QWERTY keyboard, a touch screen or a D-pad,
      ◦ a built-in camera,
      ◦ contact management,
      ◦ built-in GPS navigation hardware and software,
      ◦ the ability to read business documents in a variety of formats such as PDF and Microsoft Office,
      ◦ media software for playing music, browsing photos and viewing video clips,
      ◦ internet browsers.

26. Smartphones and PDAs
    • Mobile devices may improve productivity and efficiency, but they also introduce new risks:
      ◦ Confidential corporate and personal data can be lost when mobile devices are misplaced or stolen
      ◦ Other risks include malware infections, spam, and hacking of mobile devices

27. Operating Systems
    • The most common Operating Systems (OSs) used on smartphones are:
      ◦ Symbian OS from Symbian Ltd. (65% market share, sales Q4 2007) (Nokia)
      ◦ Windows Mobile from Microsoft (12% market share, sales Q4 2007) (Samsung, Motorola, carrier branded: Verizon)
      ◦ RIM (Research in Motion) BlackBerry operating system (11% market share, sales Q4 2007) (BlackBerry)
      ◦ iPhone OS from Apple Inc. (7% market share, sales Q4 2007) (Apple iPhone)
      ◦ Linux operating system (5% market share, sales Q4 2007) (Motorola)
      ◦ Palm OS developed by PalmSource (now a subsidiary of ACCESS) (Treo).
    Source: Canalys

28. Operating Systems Security
    • Typical
      ◦ Device lock
      ◦ SIM card lock (GSM)
    • Symbian OS
      ◦ “Platform Security” covers
        ▪ OS and drivers
        ▪ User interface
        ▪ Applications (must be “signed”)
      ◦ Third-party apps enhance security (e.g. DataViz RoadSync to allow MS Exchange server central management)

29. Operating Systems Security (cont.)
    • Windows Mobile 6
      ◦ Can be managed with Exchange server
        ▪ Device timeout
        ▪ Password length and complexity
        ▪ Allow or disallow attachments, and size limits
        ▪ Remote wipe
      ◦ Built-in storage card encryption
      ◦ Supports security certificates (SSL)

30. Operating Systems Security (cont.)
    • BlackBerry OS
      ◦ Started as an enterprise solution
      ◦ End-to-end encryption is standard when using BlackBerry Enterprise Server
      ◦ Lotus Notes encryption support
      ◦ FIPS 140-2 validation for embedded encryption technology.
      ◦ Meets the Department of Defense requirements for S/MIME (Secure/Multipurpose Internet Mail Extensions) and PKI (Public Key Infrastructure).
      ◦ Remote management of security features, passwords, data wipe

31. Part Three: Organizational Risks Associated With Mobile Computing

32. Mobile Devices are Easy Targets!
    • PDAs and smartphones are small and easy to lose:
      ◦ 24% of US business professionals experienced loss or theft of at least one PDA (Pepperdine)
    • In recent years smartphones have gone from embedded CPU-specific microcode to full-featured multi-service operating systems
    • Users are not as wary as they are when using PCs and laptops
    • There are many network-borne infections and exploits:
      ◦ There have been hundreds of mobile viruses and worms since June 2004. Infection vectors include Bluetooth, MMS (SMS), OS APIs, OS vulnerabilities and email
      ◦ Mobile users frequently install unknown code

33. Mobile Devices Present Unique Challenges
    • Windows laptop security programs may not run “as-is” on stripped-down Windows Mobile 5.0 for Pocket PC and Windows Mobile 6 Classic
    • Wireless creates new data network attack opportunities…
      ◦ Many PDAs and smartphones have 3+ wireless services (cellular, Wi-Fi, Bluetooth)
    • The default security mechanisms in mobile devices are turned off (for ease of use)
    • Many users use these devices without the knowledge of IT departments
      ◦ Forward email and/or store calendar information (synch with PC using products like BitPIM)
      ◦ Use as an external storage device
    • http://www.flexispy.com (“Download FlexiSPY spyphone software directly onto a mobile phone and receive copies of SMS, Call Logs, Emails, Locations and listen to conversations within minutes of purchase”)

34. Organizational Risk
    • Theft of organizational data off the device. This can lead to non-compliance issues: HIPAA, state disclosure laws (for example, the NYS Information Security Breach and Notification Act), CSCIC policies, federal policies
    • Theft of data when the device is transmitting/receiving data
    • Loss of organizational data off the device. Think of the cost (i.e., the amount of time it would take to replace the data) if the data is lost or corrupted. This data includes phone book and calendar information.

35. Organizational Risk
    • The device extends the organizational network when it interacts with the corporate infrastructure:
      ◦ End point on the network (wireless LAN, VPN)
      ◦ Synching with a PC (cabled or Bluetooth)
      ◦ Accessing corporate applications
      ◦ Accessing corporate email servers
      ◦ Acting as a VPN end point
    • This can pose several risks to the organizational infrastructure:
      ◦ Malware
      ◦ Network compromise
      ◦ Password compromise
        ▪ SMS phishing attacks seen in August 2004
        ▪ Email, VPN, Internet-facing applications

36. Part Four: Encryption Options

37. Securing Data in Transit
    • Just like other data networks, mobile data needs to be secured during transmission
    • Even if the device’s data is encrypted “over-the-air” (OTA), it may not be encrypted end-to-end
    • Flaws have been found in GSM and CDMA authentication and encryption algorithms, and carriers may not implement all controls
    • As with wired networks, there are various alternatives for securing mobile data in transit:
      ◦ Using the Secure Sockets Layer (SSL) protocol over a secure Web connection
      ◦ Using Virtual Private Network (VPN) solutions
      ◦ Using end-to-end secure mail protocols like S/MIME, PGP
      ◦ Using SMS/MMS filters to block unsolicited spam, phishing

38. SSL VPNs
    • SSL VPNs are a good option for mobile devices that have a browser to support them.
    • SSL VPNs are fairly open solutions, requiring less configuration and management on the client side but more configuration on the server side.
    • SSL VPNs support multiple modes of operation:
      ◦ Basic browser access
      ◦ Port forwarding
      ◦ Client-based tunneling
    • The mode of operation has an impact on the client dependencies and applications (you must ensure that the chosen mode supports your target applications)
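The rogue-access-point risk from slides 14 and 15 and the SSL option from slides 37 and 38 meet at one check on the mobile client: does it verify the gateway's certificate before it sends credentials or data? The Go program below is an added example, not code from the presentation or from NYSTEC. It stands up a TLS listener in-process and shows a client that trusts only the agency gateway's certificate rejecting an impostor that presents the same host name with a different key, while a client with verification switched off accepts anything. The host name vpn-gateway.agency.example and both certificates are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical gateway name; the real one would be the agency's SSL VPN host.
const gatewayName = "vpn-gateway.agency.example"

// newSelfSignedCert mints an ephemeral certificate for name. Called twice with the
// same name it yields two certificates with different keys: the genuine gateway's
// and an impostor's that only matches by name.
func newSelfSignedCert(name string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// handshake runs one TLS handshake on loopback: a listener presenting serverCert and a
// client that trusts only trusted (or, with skipVerify, does not check at all).
func handshake(serverCert tls.Certificate, trusted *x509.Certificate, skipVerify bool) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		c.(*tls.Conn).Handshake() // the server's view is irrelevant; the client's verdict is what counts
		c.Close()
	}()
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		ServerName:         gatewayName,
		RootCAs:            pool, // pin exactly the gateway's certificate, nothing else
		InsecureSkipVerify: skipVerify,
		MinVersion:         tls.VersionTLS12,
	})
	if err != nil {
		return err
	}
	return conn.Close()
}

// Scenario returns nil when the client accepts the gateway it reached. impostor=true
// models a rogue access point terminating TLS with its own certificate for the same name.
func Scenario(impostor, skipVerify bool) error {
	realCert, realLeaf, err := newSelfSignedCert(gatewayName)
	if err != nil {
		return err
	}
	presented := realCert
	if impostor {
		if presented, _, err = newSelfSignedCert(gatewayName); err != nil {
			return err
		}
	}
	return handshake(presented, realLeaf, skipVerify)
}

func main() {
	for _, c := range []struct{ impostor, skip bool }{{false, false}, {true, false}, {true, true}} {
		err := Scenario(c.impostor, c.skip)
		fmt.Printf("impostor=%v skipVerify=%v accepted=%v err=%v\n", c.impostor, c.skip, err == nil, err)
	}
}
```

Run it with `go run`; the second line is the one that matters, since a client that skips verification (the third line) behaves exactly like the trusting victim in the slide 15 picture.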
39. Mobile VPNs
    • Mobile VPNs extend data protection by encrypting traffic between the mobile device and a VPN gateway at the edge of the LAN.
    • Mobile VPNs are more proprietary solutions that require installation and management on the mobile device.
    • Smartphones and vehicle-mounted laptops roam among WLANs and/or cellular network “dead spots” that often cause breaks in IPsec tunnel connectivity
    • Smartphones may also “go to sleep”, which interrupts IPsec- and SSL-based VPN sessions
    • To stay connected, mobile VPNs rely on client software and specialized VPN gateways:
      ◦ They create a “persistent session” that spoofs client-server connectivity in order to hold a session open during loss of signal, etc.

40. Built-in Mobile VPNs
    • Many mobile operating systems include VPN clients:
      ◦ Palm OS 6: PPTP supplied with Wi-Fi card
      ◦ Windows Mobile 5.0: PPTP, L2TP over IPsec
      ◦ BlackBerry: proprietary OTA encryption
    • Concerns:
      ◦ Traffic (processing) overhead
      ◦ Compatibility with existing agency VPN
      ◦ Inter-network roaming

41. Part Five: Security of Data on the Mobile Device

42. Protect Data at Rest
    • Encryption is the most effective (only?) way to protect data stored on the mobile device
    • Many laptop encryption vendors offer solutions for mobile operating systems.
    • Encryption should extend to the files on the storage media used in the mobile device
    • Encryption solutions should be flexible and include support for standard encryption algorithms (for example AES) with 128-bit, 192-bit and 256-bit encryption keys.
    • There is a relationship between the strength of the encryption key and power consumption…
      ◦ The more powerful the key, the more it reduces battery life

43. Recommendations for Mobile Device Data Encryption
    • Ensure that the data encryption method chosen meets security policies but does not overtax CPU, memory and battery resources
    • Select the minimum encryption necessary to comply with the security policy and the sensitivity of the data (see NIST SP 800-57)
    • Use solutions that encrypt “in place” rather than containers that require the user to save files in folders (which creates an opportunity for abuse and user error)
    • Certified products that conform to FIPS 140-2 requirements ensure that data protection meets robust federal requirements
    • Access control and key management are essential for encryption to be effective
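Slides 42 and 43 ask for encryption of the files on the device and its storage card, done "in place", with a standard algorithm (AES) at 128, 192 or 256 bits. The Go program below is an added example, not code from the presentation or from any vendor in the deck. It encrypts and decrypts a file in place with AES-GCM, accepts exactly the three key sizes named, binds the file name into the authentication tag so a ciphertext moved to another name is rejected, writes through a temporary file and rename so a dead battery mid-write cannot leave a half-converted file, and refuses to encrypt a file twice. The header string and the sample file are constructed for the example; key management (where the key comes from and who may use it) is the part slide 43 says must surround this code and is deliberately left to the caller.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Constructed layout for this example: magic || 12-byte nonce || AES-GCM ciphertext+tag.
var magic = []byte("ENCv1\x00")

var ErrAlreadyEncrypted = errors.New("file already carries the encrypted-file header")

// newGCM accepts exactly the key sizes the deck names: 128, 192 or 256 bits.
func newGCM(key []byte) (cipher.AEAD, error) {
	if n := len(key); n != 16 && n != 24 && n != 32 {
		return nil, fmt.Errorf("key must be 16, 24 or 32 bytes, got %d", n)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext; the file's base name is bound in as associated data, so a
// ciphertext copied under another file name fails authentication in Open.
func Seal(key, plaintext []byte, name string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(append([]byte{}, magic...), nonce...)
	return gcm.Seal(out, nonce, plaintext, []byte(name)), nil
}

// Open reverses Seal; a wrong key, a flipped byte or a renamed file all return an error.
func Open(key, blob []byte, name string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if !bytes.HasPrefix(blob, magic) || len(blob) < len(magic)+gcm.NonceSize() {
		return nil, errors.New("not an encrypted file or truncated")
	}
	rest := blob[len(magic):]
	return gcm.Open(nil, rest[:gcm.NonceSize()], rest[gcm.NonceSize():], []byte(name))
}

// replaceFile writes data to a temp file beside path and renames it over path, so a
// crash or dead battery mid-write never leaves a half-converted file behind.
func replaceFile(path string, data []byte) error {
	tmp, err := os.CreateTemp(filepath.Dir(path), ".enc-*")
	if err != nil {
		return err
	}
	name := tmp.Name()
	fail := func(err error) error { tmp.Close(); os.Remove(name); return err }
	if _, err := tmp.Write(data); err != nil {
		return fail(err)
	}
	if err := tmp.Sync(); err != nil {
		return fail(err)
	}
	if err := tmp.Close(); err != nil {
		return fail(err)
	}
	return os.Rename(name, path)
}

// convert rewrites path in place through transform; on any error the original is untouched.
func convert(path string, transform func([]byte) ([]byte, error)) error {
	data, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	out, err := transform(data)
	if err != nil {
		return err
	}
	return replaceFile(path, out)
}

// EncryptFile encrypts path in place and refuses to double-encrypt an encrypted file.
func EncryptFile(path string, key []byte) error {
	return convert(path, func(data []byte) ([]byte, error) {
		if bytes.HasPrefix(data, magic) {
			return nil, ErrAlreadyEncrypted
		}
		return Seal(key, data, filepath.Base(path))
	})
}

// DecryptFile restores the plaintext in place; with the wrong key the ciphertext stays as is.
func DecryptFile(path string, key []byte) error {
	return convert(path, func(data []byte) ([]byte, error) { return Open(key, data, filepath.Base(path)) })
}

func main() {
	dir, _ := os.MkdirTemp("", "card")
	path := filepath.Join(dir, "case-notes.txt")
	os.WriteFile(path, []byte("constructed sample: citizen record"), 0o600)
	key := bytes.Repeat([]byte{0x42}, 32) // 256-bit key for the demo; 16 or 24 bytes work the same way
	fmt.Println("encrypt:", EncryptFile(path, key), "again:", EncryptFile(path, key))
	fmt.Println("decrypt:", DecryptFile(path, key))
	os.RemoveAll(dir)
}
```

On the battery point from slide 42: AES-256 runs 14 rounds per block against 10 for AES-128, which is where the extra CPU time comes from, so the key size a policy selects under NIST SP 800-57 is a direct input to the power budget.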
44. Part Six: User Identity and Access Management

45. Access Control: Is It Used?
    • Access control issues
      ◦ Access to data on the device
      ◦ Access to applications and data on back-end systems
      ◦ Access to the carrier network (device access). This cannot be relied upon to authenticate the user.
      ◦ Allow/prohibit features or applications on the device
    • Many mobile device operating systems include access control mechanisms…
      ◦ But they need to be enabled (and often are not)
      ◦ May be inconvenient for the user
      ◦ May not be enforced by the organization
    • Access control must be used in conjunction with encryption to protect data on the device.

46. Common Access Controls
    • Some common mobile device access controls:
      ◦ Power-on PIN
      ◦ Auto-lock/inactivity timeout
      ◦ Keypad lock
      ◦ SIM card lock

47. Recommendations: Access Controls
    • Use stronger, more convenient authentication technologies (like biometrics, smart cards, tokens). BlackBerry and Windows CE have smartcard readers available.
    • Establish policies and enforce them using 3rd-party central management and enforcement tools
    • Define and provide a process for mobile password reset that is convenient and safe for road warriors

48. Part Seven: Remote Administration of Mobile Devices

49. Centralized Management
    • Why centralized management?
      ◦ Reduces complexity and cost (of managing multiple devices)
      ◦ Ensures that all mobile devices contain the same versions of the same software
      ◦ Allows for centralized software distribution and control (e.g. can remove unauthorized software applications)

50. Essential Functions of a Mobile Security Central Management System
    • The central management system should provide (at a minimum):
      ◦ Ability to centralize provisioning of settings and policies
      ◦ Ability to install the mobile security applications on the mobile devices
      ◦ Ability to push software patch updates, security and pattern file updates to the mobile devices
      ◦ Ability to lock mobile security settings on the devices (to prevent users from changing them)
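Slides 29, 45 to 47 and 49 to 50 describe the settings a central management system provisions and should be able to verify: power-on PIN, password length and complexity, inactivity timeout, wipe after failed attempts, storage card encryption, plus an inventory of make, model and OS. The Go program below is an added example, not NYSTEC's or any vendor's tool; it evaluates a constructed device inventory against a constructed policy and reports, per device, which settings have drifted from policy, which is the check an administrator wants before relying on "lock settings on the device". Policy values, device records and the 30-day check-in window are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Policy holds the settings the deck lists for an Exchange-managed Windows Mobile 6
// device plus an OS allow-list for the inventory. Values are constructed for the example.
type Policy struct {
	MinPINLength          int
	RequireAlphanumeric   bool
	MaxInactivity         time.Duration // auto-lock must fire within this
	MaxFailedAttempts     int           // device must wipe after at most this many bad PINs
	RequireCardEncryption bool
	AllowedOS             []string
	MaxCheckInAge         time.Duration // devices silent longer than this need an inventory review
}

// Device is one inventory entry as reported back by the central management system.
type Device struct {
	ID, Make, Model, OS string
	PINEnabled          bool
	PINLength           int
	PINAlphanumeric     bool
	AutoLock            time.Duration // 0 means auto-lock is off
	WipeAfterFailures   int           // 0 means wipe-on-failure is off
	CardEncrypted       bool
	LastCheckIn         time.Time
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// Evaluate returns one finding per policy setting the device violates; empty means compliant.
func Evaluate(p Policy, d Device, now time.Time) []string {
	var f []string
	if !contains(p.AllowedOS, d.OS) {
		f = append(f, "OS not on the approved list: "+d.OS)
	}
	if !d.PINEnabled {
		f = append(f, "power-on PIN disabled")
	} else {
		if d.PINLength < p.MinPINLength {
			f = append(f, fmt.Sprintf("PIN length %d below minimum %d", d.PINLength, p.MinPINLength))
		}
		if p.RequireAlphanumeric && !d.PINAlphanumeric {
			f = append(f, "PIN is numeric only; policy requires alphanumeric")
		}
	}
	if d.AutoLock <= 0 || d.AutoLock > p.MaxInactivity {
		f = append(f, fmt.Sprintf("auto-lock timeout %v outside policy (max %v)", d.AutoLock, p.MaxInactivity))
	}
	if d.WipeAfterFailures <= 0 || d.WipeAfterFailures > p.MaxFailedAttempts {
		f = append(f, "wipe after failed PIN attempts is off or too lenient")
	}
	if p.RequireCardEncryption && !d.CardEncrypted {
		f = append(f, "storage card not encrypted")
	}
	if now.Sub(d.LastCheckIn) > p.MaxCheckInAge {
		f = append(f, "no check-in within policy window; confirm the device is still in service")
	}
	return f
}

// Report maps each non-compliant device ID to its findings; compliant devices are omitted.
func Report(p Policy, fleet []Device, now time.Time) map[string][]string {
	out := map[string][]string{}
	for _, d := range fleet {
		if f := Evaluate(p, d, now); len(f) > 0 {
			out[d.ID] = f
		}
	}
	return out
}

// SamplePolicy and SampleFleet are constructed data for the example, not a real agency's.
func SamplePolicy() Policy {
	return Policy{MinPINLength: 6, RequireAlphanumeric: true, MaxInactivity: 10 * time.Minute,
		MaxFailedAttempts: 10, RequireCardEncryption: true,
		AllowedOS: []string{"Windows Mobile 6", "BlackBerry"}, MaxCheckInAge: 30 * 24 * time.Hour}
}

func SampleFleet(now time.Time) []Device {
	return []Device{
		{ID: "WM6-001", Make: "Samsung", Model: "Blackjack 2", OS: "Windows Mobile 6", PINEnabled: true, PINLength: 8,
			PINAlphanumeric: true, AutoLock: 5 * time.Minute, WipeAfterFailures: 8, CardEncrypted: true, LastCheckIn: now.Add(-time.Hour)},
		{ID: "WM5-017", Make: "HP", Model: "iPAQ", OS: "Windows Mobile 5.0", PINEnabled: true, PINLength: 4,
			PINAlphanumeric: false, AutoLock: 0, WipeAfterFailures: 0, CardEncrypted: false, LastCheckIn: now.Add(-45 * 24 * time.Hour)},
		{ID: "BB-004", Make: "RIM", Model: "BlackBerry", OS: "BlackBerry", PINEnabled: false, PINLength: 0,
			PINAlphanumeric: false, AutoLock: 30 * time.Minute, WipeAfterFailures: 10, CardEncrypted: true, LastCheckIn: now.Add(-48 * time.Hour)},
	}
}

func main() {
	now := time.Now()
	rep := Report(SamplePolicy(), SampleFleet(now), now)
	ids := make([]string, 0, len(rep))
	for id := range rep {
		ids = append(ids, id)
	}
	sort.Strings(ids) // stable output order for operators reading the report
	for _, id := range ids {
		fmt.Println(id)
		for _, f := range rep[id] {
			fmt.Println("  -", f)
		}
	}
}
```

Feed the real inventory export in place of SampleFleet and the report becomes the work list for the management console: each finding maps to a setting the console can push and lock.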
51. Part Eight: NYSTEC’s Top Ten Things Government Agencies Should Consider When Deploying Wireless Access to Agency Data

52. Top Ten List
    • Develop and enforce mobile device policies. Stop ad hoc use of mobile devices to store data and train staff on the risks of these devices
    • Consider adding centralized management tools (can help enable and manage all other items on this list)
    • Develop and maintain an inventory of mobile devices used by your employees (specific make, model, OS)
    • If the sensitivity of the data requires it, encrypt data stored on mobile devices, including the removable media in the devices
    • Enable and enforce mobile device access control mechanisms

53. Top Ten List (cont.)
    • Use VPNs to ensure the security of data in transit
    • If you are using a service for email, messaging or another service, know where this data is stored and ensure correct SLAs are in place to secure those locations
    • Start with conventional network defenses. Know what devices are connecting to your WLAN, VPN, etc.
    • Add device defenses like mobile firewalls, limiting what applications can run on the device, and/or using specific mobile antivirus software on mobile devices
    • If the data is important, ensure that it is being backed up

54. Examples of Mobile Device Security Vendors
    • This is a list to show the diversity of solutions being offered today. No recommendation of any of these solutions is implied:
      ◦ BlackBerry: device management, OTA encryption, device encryption, rules on what programs can be loaded and executed, remote wipe
      ◦ Sprint: device management (Nokia Intellisync) and encryption, firewall, mobile VPN and anti-virus
      ◦ Kaspersky: remote data wipe (using SMS), anti-theft component, anti-malware and a built-in firewall
      ◦ Utimaco SafeGuard PDA Enterprise: management, encryption at rest, authentication
      ◦ AirScanner (www.airscanner.com): firewall, encryption, anti-malware
      ◦ Aiko (http://www.aikosolutions.com/): device encryption
      ◦ F-Secure Mobile Security (www.f-secure.com): firewall, anti-malware
      ◦ PointSec Mobile (www.checkpoint.com): encryption
      ◦ Norton SmartPhone Security (www.symantec.com): antivirus, firewall, SMS antispam

55. Wrap-Up
    • Questions??