[ISN] Don't forget to secure your BlackBerry, companies told

From: InfoSec News (alerts@private)
Date: Mon Mar 10 2008 - 23:18:12 PST


http://software.silicon.com/security/0,39024655,39170322,00.htm

By Natasha Lomas
Silicon.com
10 March 2008

Companies are being warned to make sure they correctly configure 
BlackBerrys - or risk weakening their IT security.

Internet security consultancy company NTA Monitor says recent testing 
showed that organisations are still failing to ensure the smart phone 
devices are locked down.

It said the BlackBerry architecture can be insecure if no firewalls are 
used to separate the BlackBerry Enterprise Server (BES) router component 
from the central BES server on the internal network. If the BES is 
compromised and there is no separation of the BES router, it can lead to 
the whole network becoming insecure, it claims.

Roy Hills, technical director at NTA, said in a statement: "A hacker 
could potentially use this back channel to move around inside an 
organisation undetected."

Hills said the ideal scenario for BlackBerry security is to create a 
'demilitarised zone' to separate the router component from the BES. He 
explained: "If the BES router gets compromised, the demilitarised zone 
will ensure that there is no direct access to the local area network."

But Scott Totzke, VP of global security at RIM, said while this 
demilitarised zone may work for some BlackBerry customers it is just one 
approach to securing the devices - stressing there is no 
"one-size-fits-all answer" to security.

He told silicon.com: "We actually have customers who look at information 
security in an even stricter sense - say no component should exist 
without a firewall and actually distribute BlackBerrys amongst multiple 
servers with multiple firewalls. And the good news is the documentation 
support for that is readily available on our website.

"At the same time we have other customers who look at the risks and say 
if I just control access to third party applications I can have maybe a 
more simplified network infrastructure behind the firewall. There's not 
going to be a one-size-fits-all answer here. But it's that flexibility 
that allows us [BlackBerrys] to exist within whatever the existing IT 
framework is for securing network systems and services that's built into 
the platform."

Totzke said the BlackBerry platform includes more than 400 configurable 
security policies - which gives customers the ability to mitigate their 
own level of risk. He said: "Having something that is flexible and 
adaptable and can be modified to suit the needs of your customer is 
really important."

He added: "One of the biggest things that we've learned over the years 
with our solution is that you have to balance security and usability - 
if you make a product that's way too secure you're likely going to 
compromise usability so we always look at how we can balance that."

NTA Monitor also recommends BlackBerry admins turn off Bluetooth 
altogether. But Totzke said this is again down to the discretion of 
individual customers, adding that the BlackBerry platform allows users 
to enable parts of Bluetooth and disable others - which may be the most 
appropriate response.

He added: "If you look at probably our largest and most paranoid 
customer in North America - the United States Department of Defense - 
they publish about a 125-page configuration guide for BlackBerry… That's 
the extreme - but that's not going to be for everybody."



___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn 



This archive was generated by hypermail 2.1.3 : Mon Mar 10 2008 - 23:26:31 PST