
Mobile Device Security


Published on

Microsoft ExchangeConnections, Orlando, 2008

Published in: Technology

  1. Mobile Device Security. John Rhoton, Hewlett Packard, [email_address]
  2. But just what is mobility?
     - Devices:
       - Mobility = Mobile phones?
       - Mobility = Smart phones?
       - Mobility = PDAs?
     - Wireless:
       - Mobility = Wireless LANs?
       - Mobility = GSM/GPRS?
     - Applications:
       - Mobility = Form-factor adaptation?
       - Mobility = Synchronisation?
  3. Mobility: Challenges
  4. Where is confidential data most vulnerable? Source: ESG Research Report
  5. Facets of Mobile Security (diagram: devices, air transmissions across PAN/LAN/WAN, public and private networks, applications; areas numbered 1 to 4, with VPN at the network layer; axes labelled management, mobility, wireless and traditional security)
  6. Agenda
     - Mobile devices (1)
     - Air interfaces (2)
       - Bluetooth, 802.11b, WWAN
     - Remote Access (3)
       - Tunnels (VPNs), Roaming
     - Perimeter Security (4)
       - Compartmentalization, Access Controls
  7. Device Security (Windows Mobile)
  8. Threats to Mobile Devices
     - Stolen information
       - Host intrusion, stolen device
     - Unauthorized network/application access
       - Compromised credentials, host intrusion
     - Virus propagation
       - Virus susceptibility
     - Lost information
       - Lost, stolen or damaged device
     Source: Trend Micro
  9. Windows Mobile Content Protection: Access Control Approaches
     - Simple lock-out
     - Encryption
       - Private key storage?
       - Smartcard / TPM
       - Hash private key (dictionary attack)
         - Couple with strong password policies
     - Prevent insecure boot
       - Analogous to BIOS password and DriveLock
     - Choice depends on
       - Sensitivity of data
       - Sustainable impact on usability and performance
       - Trust in user password selection
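The slide's "hash private key (dictionary attack), couple with strong password policies" point is the one worth seeing made concrete. The following is an added Python example written for this page, not HP's or any listed vendor's code: a user passcode is stretched with PBKDF2 and a random per-device salt into a key-encryption key, only an HMAC verifier (never the key) is kept on the device, and an enrollment policy rejects the short or digit-only passcodes that make a dictionary attack cheap. The iteration count, verifier label and policy thresholds are constructed for the example.

```python
import hashlib
import hmac
import os
import re

# Constructed parameters for this example (not taken from the presentation).
PBKDF2_ITERATIONS = 200_000       # work factor: the cost of every guess, legitimate or not
KEY_LEN = 32                      # 256-bit key-encryption key
VERIFIER_LABEL = b"device-unlock-verifier"


def derive_kek(passcode: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch a user passcode into a key-encryption key (KEK).

    The random per-device salt defeats precomputed tables, and the iteration
    count makes each candidate in a dictionary attack cost as much CPU time as
    one legitimate unlock.  In a real product the KEK wraps a random
    data-encryption key, so a passcode change never re-encrypts the store.
    """
    return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def enroll(passcode: str) -> dict:
    """Build the record kept on the device: salt, work factor and an HMAC
    verifier.  Neither the passcode nor the derived KEK is stored."""
    salt = os.urandom(16)
    kek = derive_kek(passcode, salt)
    verifier = hmac.new(kek, VERIFIER_LABEL, hashlib.sha256).digest()
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "verifier": verifier}


def unlock(record: dict, passcode: str):
    """Return the KEK if the passcode matches the stored record, else None."""
    kek = derive_kek(passcode, record["salt"], record["iterations"])
    candidate = hmac.new(kek, VERIFIER_LABEL, hashlib.sha256).digest()
    # Constant-time comparison: a byte-by-byte compare would leak timing.
    if hmac.compare_digest(candidate, record["verifier"]):
        return kek
    return None


def passcode_policy_violations(passcode: str, min_len: int = 8) -> list:
    """Enrollment-time policy checks a management agent could enforce.
    The thresholds are constructed for the example."""
    problems = []
    if len(passcode) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if passcode.isdigit():
        problems.append("digits only: a PIN-sized search space")
    if re.fullmatch(r"(.)\1*", passcode):
        problems.append("single repeated character")
    return problems


if __name__ == "__main__":
    for candidate in ("1234", "aaaaaaaa", "correct horse battery"):
        print(repr(candidate), passcode_policy_violations(candidate) or "accepted")
    record = enroll("correct horse battery")
    print("right passcode unlocks:", unlock(record, "correct horse battery") is not None)
    print("wrong passcode unlocks:", unlock(record, "correct horse batter") is not None)
```

The policy function is where the slide's third decision factor ("trust in user password selection") lands: the key derivation only buys time per guess, and a four-digit PIN gives too few guesses for that time to matter, so the management console has to refuse such passcodes at enrollment.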
  10. iPAQ Content Protection: Access Control Solutions
     - Native Pocket PC
     - Biometric Authentication
     - HP ProtectTools
     - Pointsec
     - Credant
     - TrustDigital
     - Utimaco
     - Bluefire
     Centralized Provisioning and Configuration
  11. Enterprise Requirements
     - Integrated Management Console
       - Directory (AD/LDAP) integration
     - Centralized Policies
       - Policy polling
       - User cannot remove
       - Screen-lock / Idle-lock
  12. Air Interfaces: Bluetooth
  13. Pairing & Authentication
     - Pairing
       - Access to both devices
       - Manual input of security code
       - No need to store or remember
     - Authentication
       - Based on stored keys
       - No user intervention
  14. Bluetooth Security
     - Acceptable Security Algorithms
       - Initialization
       - Authentication
       - Encryption
     - Prevention of
       - Discoverability, Connectability and Pairing
     - Proximity Requirement
     (diagram: master M and devices A, B, C, D with link keys K_MA, K_MB, K_MC, K_MD and K_AD)
  15. Multi-tiered security
  16. Bluetooth vulnerability
     - PIN Attack
       - Often hard-coded
       - Usually short (4-digit)
     - Bluejacking
     - Bluesnarfing
     - Virus Propagation
     - Centralized Policy Management is critical in the Enterprise!!
  17. Air Interfaces: WLAN
  18. Needs determine security (ladder of increasing protection: SSID, MAC filter, WEP, WPA/802.11i)
  19. MAC Filters
     - Requires management of authorized MAC addresses
     - LAA (Locally Administered Address) can override UAA (Universally Administered Address)
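The LAA/UAA point on the MAC Filters slide has a concrete check behind it: the U/L bit (bit 1 of the first octet) tells a defender whether an address is vendor-assigned or was set in software. The Python below is an added example for this page, not code from the presentation or any product: it decodes the U/L and I/G bits, and audits constructed access-point association log lines against an allow-list, reporting both unlisted stations and allowed stations whose address is locally administered, since a MAC filter admits those on the address alone. The log format and allow-list are constructed.

```python
import re


def parse_mac(mac: str) -> bytes:
    """Accept 00:11:22:33:44:55 or 00-11-22-33-44-55 in either case."""
    parts = re.split(r"[:-]", mac.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form for comparisons."""
    return parse_mac(mac).hex(":")


def is_locally_administered(mac: str) -> bool:
    """Bit 1 (0x02) of the first octet is the IEEE U/L bit: 1 means the
    address was assigned by software (LAA), 0 means the vendor-assigned UAA."""
    return bool(parse_mac(mac)[0] & 0x02)


def is_multicast(mac: str) -> bool:
    """Bit 0 (0x01) of the first octet is the I/G bit; a station address
    should never have it set."""
    return bool(parse_mac(mac)[0] & 0x01)


# Constructed log format: "<timestamp> <ap> assoc <mac> ssid=<name>".
ASSOC_RE = re.compile(r"\bassoc\s+(?P<mac>[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")


def audit_associations(log_lines, allow_list):
    """Return (mac, reason) findings for an allow-list based MAC filter.

    An LAA on the allow-list is reported too: the filter will admit it, but
    nothing proves it is the device whose burned-in address was registered.
    """
    allowed = {normalize_mac(m) for m in allow_list}
    findings = []
    seen = set()
    for line in log_lines:
        m = ASSOC_RE.search(line)
        if not m:
            continue
        mac = normalize_mac(m.group("mac"))
        if mac in seen:
            continue
        seen.add(mac)
        if mac not in allowed:
            findings.append((mac, "not on allow-list"))
        elif is_locally_administered(mac):
            findings.append((mac, "allowed, but locally administered (U/L bit set)"))
    return findings


# Constructed sample data for the example.
SAMPLE_LOG = [
    "2008-03-12 10:14:02 ap1 assoc 00:11:22:33:44:55 ssid=corp",
    "2008-03-12 10:15:40 ap1 assoc 02:11:22:33:44:66 ssid=corp",
    "2008-03-12 10:16:01 ap1 deauth 00:11:22:33:44:55 reason=3",
    "2008-03-12 10:17:19 ap2 assoc A8-BB-CC-DD-EE-FF ssid=corp",
]
SAMPLE_ALLOW = ["00:11:22:33:44:55", "02:11:22:33:44:66"]

if __name__ == "__main__":
    for mac, reason in audit_associations(SAMPLE_LOG, SAMPLE_ALLOW):
        print(f"{mac}: {reason}")
```

The audit only raises the question the slide raises; it cannot tell a legitimately virtualised or privacy-randomised address from an override, which is why the deck moves on to 802.1x and per-user authentication rather than stronger MAC filtering.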
  20. Equipment of a Wi-Fi freeloader
     - Mobile device
       - Linux
       - Windows
       - Pocket PC
     - Wireless card
       - Orinoco card
       - Prism 2 card
     - Driver for promiscuous mode
     - Cantenna and wireless MMCX to N type cable
  21. Increasing the transmission range: DEFCON 2005 WiFi Shootout (200 km)
     - Large dishes
     - High power levels
     - Line-of-sight
  22. Bringing the “War” to War Driving
  23. Tools
     - NetStumbler: access point reconnaissance
     - WEPCrack: breaks 802.11 keys
     - AirSnort: breaks 802.11 keys
       - Needs only 5-10 million packets
     - chopper
       - Released August 2004
       - Reduces number of necessary packets to 200-500 thousand
     - Aircrack, Airopeek, Airsnare, Airmagnet, Airjack, Aerosol, Kismet, Packetyzer, NAI Sniffer, Retina WiFi Scanner...
  24. Ten-minute WEP crack
     - Kismet: reconnaissance
     - Airodump: WEP cracking
     - Void11: deauth attack
     - Aireplay: replay attack
     Source: tom's networking
  25. Wireless LAN security evolution (timeline)
     - 1999, WEP
       - Privacy: 40-bit RC4 with 24-bit IV
       - Auth: SSID and shared key
       - Integrity: CRC
     - 2003, WPA
       - Privacy: per-packet keying (RC4) with 48-bit IV
       - Auth: 802.1x + EAP
       - Integrity: MIC
     - 2005+, 802.11i / WPA2
       - Privacy: AES
       - Auth: 802.1x + EAP
       - Integrity: MIC
  26. 802.11i / WPA2
     - Ratified June 2004
     - AES selected by the National Institute of Standards and Technology (NIST) as replacement for DES
       - Symmetric-key block cipher
       - Computationally efficient
       - Can use large keys (> 1024 bits)
     - Cipher Block Chaining Message Authentication Code (CBC-MAC or CCMP) complements TKIP
       - RFC 3610
     - May require equipment upgrades
       - Some WPA implementations already support AES
     - Update for Windows XP (KB893357)
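The timeline and 802.11i slides turn on one line each: WEP's integrity column says "CRC", WPA's and WPA2's say "MIC". The difference is worth seeing in code, so here is an added Python example written for this page (not code from the presentation): it shows that CRC-32 is affine over GF(2), so the checksum of a modified frame can be predicted from the modification alone with no key, and that a keyed MIC rejects the same modification. HMAC-SHA256 stands in for the keyed integrity codes of WPA/802.11i (Michael, CBC-MAC) and is an assumption of the example; the frame payload is constructed. One caveat on the slide's AES bullet: AES is defined for 128-, 192- and 256-bit keys, and CCMP uses 128-bit keys.

```python
import hashlib
import hmac
import os
import zlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_after_xor(msg: bytes, delta: bytes) -> int:
    """Predict crc32(msg XOR delta) without computing the modified message.

    CRC-32 is affine over GF(2): crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros),
    where zeros has the same length as a and b.  Nothing secret enters the
    formula, so a CRC carried under a stream cipher is a transmission-error
    check, not an integrity check.
    """
    zeros = bytes(len(msg))
    return zlib.crc32(msg) ^ zlib.crc32(delta) ^ zlib.crc32(zeros)


def crc_is_predictable(msg: bytes, delta: bytes) -> bool:
    """True when the keyless prediction equals the real CRC of the changed message."""
    return crc32_after_xor(msg, delta) == zlib.crc32(xor_bytes(msg, delta))


def mic(key: bytes, msg: bytes) -> bytes:
    """Keyed message integrity code.  HMAC-SHA256 is an assumption standing in
    for the MICs of WPA/802.11i; the property shown is the same: without the
    key, the tag of a modified frame cannot be produced."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def mic_verifies(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mic(key, msg), tag)


def demo() -> dict:
    """Constructed frame payload; the change under test is 'payroll' -> 'private'."""
    key = os.urandom(32)
    original = b"GET /payroll HTTP/1.0"
    tampered = b"GET /private HTTP/1.0"
    delta = xor_bytes(original, tampered)
    tag = mic(key, original)
    return {
        "crc_predicted_without_key": crc_is_predictable(original, delta),
        "mic_verifies_original": mic_verifies(key, original, tag),
        "mic_verifies_after_change": mic_verifies(key, tampered, tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

This is the property behind the 1999 column of the timeline: encryption alone does not give integrity, and the move to a keyed MIC in WPA and to AES-CCMP in 802.11i is what closes it. It is also why the "home WLAN: WEP/WPA key rotation" option on a later slide helps less than upgrading the protocol.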
  27. IEEE 802.1x Explanation
     - Restricts physical access to the WLAN
     - Can use existing authentication system
     (diagram: Supplicant = client, Authenticator = access point, Authentication Server = RADIUS server; EAP runs between supplicant and authenticator over 802.1x and between authenticator and server over RADIUS; TKIP / MIC protects the air link)
  28. WiFi Protected Access (WPA)
     - Temporal Key Integrity Protocol
       - Fast/per-packet keying, Message Integrity Check
     - WPA-Personal
     - WPA-Enterprise
     Requires non-trivial client configuration
  29. Enterprise WLAN Security Options
     - WPA-Enterprise
       - Transition to 802.11i
       - Requires WPA-compliant APs and NICs
     - VPN Overlay
       - Performance overhead (20-30%)
       - VPN concentrator required
     - RBAC
       - Additional appliance and infrastructure
       - Most refined access
     - Home WLAN: WEP/WPA key rotation, firewall, intrusion detection
     - Public WLAN: MAC address filter, secure billing, VPN passthrough
  30. Rogue and Decoy Access Points
     - Highest risk when WLANs are NOT implemented
       - Usually completely unsecured
       - Connected by naïve (rather than malicious) users
     - Intrusion Detection Products
       - Manual, sensors, infrastructure
     - Multi-layer perimeters
       - 802.1x
       - RBAC, VPN
     - Decoys can be counteracted with automated configuration
     (diagram: Internet, Intranet, Access)
  31. Air Interfaces: WWAN
  32. Wireless WAN (Wide Area Network)
     - GSM, GPRS, HSCSD, EDGE, UMTS, HSDPA
     - CDMA 1xRTT, EV-DO, EV-DV, 3X
     - 802.16, 802.20
     - 2G -> 2.5G -> 3G -> 4G
     - Bandwidth 9.6 kbps - 2 Mbps+
     - Large geographical coverage
     - International coverage through roaming
     (pictured: GPRS phone, GPRS iPAQ, e-mail pager, GSM/GPRS PC card)
  33. Multiple interfaces maximize flexibility (diagram of PAN, WLAN, 3G, GPRS and Satellite zones)
     - Surfing: Person 1 improves bandwidth by moving into a 3G area
     - MP3 download: Person 2 saves time and money by scheduling the download in a public WLAN hotspot
     - Peer-to-peer: Person 3 sends an MP3 file over a Bluetooth link free of charge to Person 4
     - At sea: Person 5 maintains coverage via satellite after leaving GPRS range
     Vendors: Columbitech, Birdstep, Ecutel
  34. Unauthorized Wireless Bridge: Prevented through Policy
  35. Perimeter Security
  36. Perimeter Evolution
     - Restricted Network Access
     - Role-based Access Control
     - Network Compartmentalization
     (diagram: access control evolving from IP address, port, time and VLAN toward user, role, schedule and location)
  37. Credant OTA Sync Control
     - Provides automatic network detection and remediation of mobile devices attempting to synchronize with Microsoft Exchange (Exchange 2003)
     - Local Gatekeeper can detect devices which sync via a local ActiveSync connection
     - OTA Sync Control detects devices which sync via Server ActiveSync; based on an ISAPI extension
     (diagram: handheld, local ActiveSync, Internet, Exchange Server with Server ActiveSync, app servers)
  38. Trust Digital Mobile Edge Perimeter Security
     - Wireless Provisioning Portal
       - Device and user registration integrated with enterprise use policy acceptance
       - Over-the-air (OTA) delivery of Trust Digital software and policy
     - Advanced Features
       - Asset, activity, and compliance reporting
       - Help Desk functionality including self-service portal
     - Network Admission Control
       - Ensures security/compliance of end-user device
       - Interrogates devices before allowing access
       - Integrated with Microsoft ISA Server
  39. HP Enterprise Mobility Suite (FusionDM for Enterprise)
     (diagram: HP Enterprise Devices from leading OEM device manufacturers, WW wireless operator networks, HP worldwide hosting facilities, the Internet and the enterprise, linked by SMS, TCP/IP and HTTPS)
     - Hosted services: device support, S/W maintenance, WW network support, device troubleshooting, device security, policy mgmt, asset mgmt, IT dashboard
     - Existing IT systems: Exchange®, Domino®, Groupwise®, corporate directory, Active Directory®, intranet, CRM, application portal
  40. Mobile Device Security Management (balancing security and usability)
     - Provisioning security tools
     - Policy enforcement
       - Passwords
       - Device lock
       - Policy updates
     - User support
       - Device lockout
       - Backup/restore
  41. Summary
     - Security concerns are the greatest inhibitor to mobility
       - Wireless networks and devices introduce new risks
       - Some mobile security (e.g. WLAN) has been inadequate
       - The industry has since recognized and addressed the main threats
     - The enterprise challenge:
       - Systematically reassess security architecture
       - Standardize on security configuration
       - Ensure user compliance through automation and policy enforcement
  42. Questions? Contact me at:
  43. Your Feedback is Important
     - Please fill out a session evaluation form and either put it in the basket near the exit or drop it off at the conference registration desk.
     - Thank you!