http://software.silicon.com/security/0,39024655,39170322,00.htm By Natasha Lomas Silicon.com 10 March 2008 Companies are being warned to make sure they correctly configure BlackBerrys - or risk weakening their IT security. Internet security consultancy company NTA Monitor says recent testing showed that organisations are still failing to ensure the smart phone devices are locked down. It said the BlackBerry architecture can be insecure if no firewalls are used to separate the BlackBerry Enterprise Server (BES) router component from the central BES server on the internal network. If the BES is compromised and there is no separation of the BES router, it can lead to the whole network becoming insecure, it claims. Roy Hills, technical director at NTA, said in a statement: "A hacker could potentially use this back channel to move around inside an organisation undetected." Hills said the ideal scenario for BlackBerry security is to create a 'demilitarised zone' to separate the router component from the BES. He explained: "If the BES router gets compromised, the demilitarised zone will ensure that there is no direct access to the local area network." But Scott Totzke, VP of global security at RIM, said while this demilitarised zone may work for some BlackBerry customers it is just one approach to securing the devices - stressing there is no "one-size-fits-all answer" to security. He told silicon.com: "We actually have customers who look at information security in an even stricter sense - say no component should exist without a firewall and actually distribute BlackBerrys amongst multiple servers with multiple firewalls. And the good news is the documentation support for that is readily available on our website. "At the same time we have other customers who look at the risks and say if I just control access to third party applications I can have maybe a more simplified network infrastructure behind the firewall. There's not going to be a one-size-fits-all answer here. But it's that flexibility that allows us [BlackBerrys] to exist within whatever the existing IT framework is for securing network systems and services that's built into the platform." Totzke said the BlackBerry platform includes more than 400 configurable security policies - which gives customers the ability to mitigate their own level of risk. He said: "Having something that is flexible and adaptable and can be modified to suit the needs of your customer is really important." He added: "One of the biggest things that we've learned over the years with our solution is that you have to balance security and usability - if you make a product that's way too secure you're likely going to compromise usability so we always look at how we can balance that." NTA Monitor also recommends BlackBerry admins turn off Bluetooth altogether. But Totzke said this is again down to the discretion of individual customers, adding that the BlackBerry platform allows users to enable parts of Bluetooth and disable others - which may be the most appropriate response. He added: "If you look at probably our largest and most paranoid customer in North America - the United States Department of Defense - they publish about a 125-page configuration guide for BlackBerry… That's the extreme - but that's not going to be for everybody." ___________________________________________________ Subscribe to InfoSec News http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Mon Mar 10 2008 - 23:26:31 PST