[ISN] Mobile security requires an action plan

From: InfoSec News (alerts@private)
Date: Mon Jun 18 2007 - 22:06:04 PDT


http://www.fcw.com/article102990-06-18-07-Print

By Alan Joch
June 18, 2007

Security is one of the biggest management challenges that agencies face 
with mobile wireless devices. Chief among managers’ worries are the risks 
associated with employees using their own smart phones and personal 
digital assistants for official work.

“If you don’t own the device, you can’t secure it,” said Michael King, a 
research director at Gartner.

By provisioning devices for employees rather than allowing them to 
connect to agency networks using personal gear, managers can ensure that 
the right security software is running on each device and that hardware 
is up-to-date with software patches and other upgrades, said Ira 
Winkler, author of “Zen and the Art of Information Security,” a book 
that examines digital security threats.

Organizations that provision wireless devices also have better control 
of sensitive information if an employee leaves the agency, said Doug 
Landoll, general manager of En Pointe Technologies, a systems 
integrator. “If it’s my PDA, and I leave the organization, how do you 
know that I’ve deleted the data?”

Retaining the phone number is also important. “When someone has been 
representing your agency, that number is a kind of advertising,” Landoll 
said.

He recommends that agencies include representatives from organizations 
outside the information technology department when writing wireless 
management policies.

“There are questions for the legal department, and having the device 
returned when someone is terminated is a [human resources] issue,” 
Landoll said. “When you’re writing policies, you need to integrate all 
those various departments.”

Security policies should clearly spell out who receives reports of lost 
or stolen devices. Policies should also include procedures for 
decommissioning a missing unit to prevent someone from downloading or 
sending sensitive information, Landoll said.

The Commerce Department uses a combination of strong passwords and 
encryption to keep unauthorized users from accessing data and wireless 
services.

“If someone gets access to my [e-mail account], he can send messages as 
though they came from me,” said John McManus, Commerce’s deputy chief 
information officer and chief technology officer. “Things like phishing 
become easy to do when you’ve got access to a legitimate user’s 
account.”

Commerce uses the standard security tools for the Research in Motion 
BlackBerry to protect devices and to encrypt data while it travels over 
the wireless network, McManus said.


Platform security

The BlackBerry platform gets high marks from technology analysts for its 
security capabilities. Its closed-loop architecture connects agency 
e-mail servers to a BlackBerry Enterprise Server, which communicates via 
a secure channel to a network operations center and to BlackBerry 
devices.

“It’s one of the few wireless end-to-end systems that the [Defense 
Department] has said is okay,” King said. “But because it’s a closed 
loop, it’s hard to expand that functionality beyond just e-mail. What 
you gain in security and manageability you sacrifice in flexibility and 
extensibility.”

Platforms based on the Microsoft, Palm or Symbian mobile operating 
systems are easier to customize, King said, but they require more 
upfront work and third-party security tools, such as Sybase’s Afaria 
mobile security suite and encryption software from Bluefire Security 
Technologies, Certicom and VeriSign.

“I’m not suggesting that you can’t secure mobile devices on those 
platforms. I’m just saying security is not as built-in as on the 
BlackBerry side,” he said.


Standard configurations

To ensure that mobile wireless devices are secure, agencies also must 
take steps to securely configure the devices. Commerce technicians 
disable any default features on mobile devices that employees don’t 
require to do their jobs. That includes a sync feature that allows 
devices using Bluetooth technology to discover other compatible wireless 
hardware in the area.

“The default configuration would allow someone to come into the room 
with a Bluetooth device that says, ‘Tell me all the other Bluetooth 
devices in here.’ And your device would actually say, ‘Hi, I’m here, and 
here’s my status,’” McManus said. “You can also turn off things like 
file transfer, because you don’t usually expect people to be doing a 
file transfer from their BlackBerry to another BlackBerry. If I’m a 
consumer, I may not care if anybody can use the Bluetooth capabilities. 
But if I’m a senior executive in the federal government, [that’s] a 
whole new threat.”
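The two defaults McManus describes, discoverable mode and Bluetooth file transfer, can be audited mechanically. The script below is an added example, not code from the article or from any vendor; it assumes a Linux host running BlueZ, reads the text of `bluetoothctl show` on stdin (so it can be run offline against captured output), and flags an adapter that answers inquiry scans or advertises the OBEX Object Push or File Transfer profiles (UUIDs 0x1105 and 0x1106 from the Bluetooth SIG assigned numbers). The two sample outputs are constructed, not captured from a real device, and BlackBerry-era IT policy tooling is not modelled.

```shell
#!/bin/sh
# Added example (not from the FCW article): audit a Bluetooth adapter for the
# two defaults Commerce disables, discoverable mode and file-transfer profiles.
# Input is `bluetoothctl show` text from a Linux/BlueZ host, read on stdin.

# OBEX profile UUIDs (Bluetooth SIG assigned numbers 0x1105 and 0x1106).
OBEX_PUSH='00001105-0000-1000-8000-00805f9b34fb'
OBEX_FTP='00001106-0000-1000-8000-00805f9b34fb'

# bt_audit: read `bluetoothctl show` output on stdin and print one FINDING
# line per weak setting. Always exits 0; callers count the FINDING lines.
bt_audit() {
    while IFS= read -r line; do
        case "$line" in
            *"Discoverable: yes"*)
                echo "FINDING: adapter answers inquiry scans (Discoverable: yes)" ;;
            *"$OBEX_PUSH"*|*"$OBEX_FTP"*)
                echo "FINDING: file-transfer profile advertised:${line#*UUID:}" ;;
        esac
    done
    return 0
}

# count_findings TEXT: number of FINDING lines bt_audit produces for TEXT.
# grep -c exits 1 when the count is 0, so "|| true" keeps set -e callers alive.
count_findings() {
    printf '%s\n' "$1" | bt_audit | grep -c '^FINDING' || true
}

# bt_is_hardened TEXT: succeed only when the audit produces no findings.
bt_is_hardened() {
    [ "$(count_findings "$1")" -eq 0 ]
}

# Constructed sample (not a real capture): a handset left on factory defaults,
# discoverable and advertising both OBEX profiles.
DEFAULT_SHOW='Controller AA:BB:CC:DD:EE:01 (public)
	Name: field-handset
	Powered: yes
	Discoverable: yes
	Pairable: yes
	UUID: OBEX File Transfer        (00001106-0000-1000-8000-00805f9b34fb)
	UUID: OBEX Object Push          (00001105-0000-1000-8000-00805f9b34fb)
	UUID: Generic Access Profile    (00001800-0000-1000-8000-00805f9b34fb)'

# Constructed sample after hardening: `bluetoothctl discoverable off` was run
# and the OBEX daemon disabled, so only the mandatory GAP/GATT UUIDs remain.
HARDENED_SHOW='Controller AA:BB:CC:DD:EE:01 (public)
	Name: field-handset
	Powered: yes
	Discoverable: no
	Pairable: no
	UUID: Generic Access Profile    (00001800-0000-1000-8000-00805f9b34fb)
	UUID: Generic Attribute Profile (00001801-0000-1000-8000-00805f9b34fb)'

# Stand-alone run: audit the default sample. Against a live adapter, pipe the
# real command instead:  bluetoothctl show | bt_audit
printf '%s\n' "$DEFAULT_SHOW" | bt_audit
```

The check deliberately matches on the human-readable `bluetoothctl show` lines rather than on D-Bus properties, so the same function can be fed output collected from a fleet by whatever inventory tool an agency already runs; the three findings on the default sample are exactly the exposures McManus lists (the device announces itself to inquiry scans and offers file transfer), and a hardened adapter yields none.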

Agencies also need to control the amount and type of data their 
employees download onto their wireless hardware. “They are going to put 
more data that you would never think of on the devices,” Winkler said, 
“which means there’s going to be more data than you ever thought 
possible at risk.”

-=-

Joch is a business and technology writer based in New England. He can be 
reached at ajoch (at) worldpath.com.


