
Page 1: NYSTEC PPT Template

Mobile Workforce: Secure Wireless Access to Government Applications and Information

2008 NYS Cyber Security Conference
Presented by
Sean T Murray, NYSTEC
John Mounteer, NYSTEC

Page 2

Overview

• Overview of Wireless Data Network Technology
• Overview of Mobile Devices
• Organizational Risks Associated With Mobile Computing
• Data in Transit Encryption Options
• Security of Data on the Mobile Device
• User Identity and Access Management
• Remote Administration of Mobile Devices
• NYSTEC’s Top Ten Things Government Agencies Should Consider When Deploying Wireless Access to Agency Data

Page 3

Part One

Overview of Wireless Data Network Technology

Page 4

Wireless Network Access

Page 5

Wireless 101 (part 1)

• Wave characteristics
  – Wavelength - The distance traveled in one cycle, in meters, centimeters, etc.
  – Frequency - The number of cycles repeated during a unit of time (usually 1 second), usually expressed in hertz (cycles per second).
    • Wavelength and frequency are inversely proportional.
    • As frequency increases, potential data throughput increases, but signal propagation decreases. Typically 2 GHz and up are used for data applications.
  – Amplitude – Maximum displacement of the wave from zero
  – Phase - The phase of a wave is the amount by which the cycle has progressed from a specified origin, usually expressed in degrees of a circle, and relative to that of some other wave. For example, two waves having crests 1/4 cycle apart are said to be 90° “out of phase.”
  – Reflection
  – Refraction

Page 6

Wireless 101 (part 2)

• Spectral efficiency – The amount of data (bits per second) carried on one hertz (cycle per second) of bandwidth; varies with encoding (modulation) techniques.
• Licensed versus Unlicensed
  – Licensed frequencies generally have exclusive use and in general allow for much higher transmit power than unlicensed frequencies.
    • For example, the maximum transmit power allowed for AM radio is 50 thousand watts; for a WiFi access point it is 1 watt.
    • Minimum receive power is also important, determined by a number of factors such as encoding/decoding scheme, hardware, and antennas. It can be as low as 1 picowatt (a trillionth of a watt).
  – The new 4.9 GHz Public Safety band is an exception in that it is shared among Public Safety entities and has a maximum transmit power closer to many unlicensed bands.

Page 7

Wireless Data: What’s Important?

• Range

• Throughput

• Cost

• Security

Page 8

Wireless Broadband Data

• Broadband Wireless Data:
  – Any wireless communication with transmission rates greater than 256 kbps
  – No single technology will become dominant or ubiquitous; they all meet unique user requirements in a wirelessly connected world.
  – The best wireless solutions (systems) may involve a combination of technologies to allow increased mobility (and ultimately seamless roaming)

Page 9

Three Categories of Wireless Data - Range

• Wide Area (miles) – Cellular
  – GSM – AT&T and T-Mobile
    • GPRS
    • EDGE
    • 3G (UMTS/HSDPA)
  – CDMA – Verizon and Sprint
    • RTT 1x
    • EVDO
    • EVDO Rev (x)
• Local Area (feet) – WiFi
  – 802.11a/b/g/n
• Personal Area – Bluetooth

Page 10

Range & Throughput - Cellular

Standard              Max Download (Mbps)   Max Upload (Mbps)   Range    Typical Download (Mbps)
CDMA RTT 1x           0.31                  0.15                ~18 mi   0.125
CDMA EV-DO Rev. 0     2.5                   0.15                ~18 mi   0.75
CDMA EV-DO Rev. A     3.1                   1.8                 ~18 mi
CDMA EV-DO Rev. B     4.9                   1.8                 ~18 mi
GSM GPRS Class 10     0.09                  0.04                ~16 mi   0.014
GSM EDGE type 2       0.47                  0.47                ~16 mi   0.034
GSM EDGE Evolution    1.89                  0.94                ~16 mi

Page 11

Range & Throughput - WiFi

Standard          Max Download (Mbps)   Max Upload (Mbps)   Range        Typical Download (Mbps)
WiFi: 802.11a     54                    54
WiFi: 802.11b     11                    11                  ~30 meters   2
WiFi: 802.11g     54                    54                  ~30 meters   10
WiFi: 802.11n     200                   200                 ~50 meters   40

Page 12

Range & Throughput - Bluetooth

Standard            Max Downlink (Mbps)   Max Uplink (Kbps)   Range (by device class, both standards)
Bluetooth 1.1       1                     125                 Class 1 – 100 mW – 100 meters
Bluetooth 2.0+EDR   3                     375                 Class 2 – 2.5 mW – 10 meters
                                                              Class 3 – 1 mW – 1 meter

Page 13

Cost of Wireless Data

• Wide Area (miles) – Cellular
  – Phone or cellular modem purchase cost, or free
  – Monthly Recurring Charge – $20-$50, or per byte
• Local Area (feet) – WiFi
  – Built into phone, PDA or laptop
  – Usage free, per use, or monthly subscription
    • T-Mobile DayPass – $9.99 for 24 hrs
    • $19.99 to $39.99 monthly depending on plan
• Personal Area – Bluetooth
  – Device purchase price

Page 14

Over the Air Security of Wireless Data

• Wide Area (miles) – Cellular
  – Security built into the cellular wireless over-the-air portion – encryption, spread spectrum/frequency hopping (always on, no end user choice)
  – Very expensive to impersonate a base station to create a Man in the Middle Attack (MITM)
• Local Area (feet) – WiFi
  – Security built into the WiFi over-the-air portion - encryption (sometimes)
    • WEP – Wired Equivalent Privacy. Static key, sniffed
    • WPA, WPA2 – Wi-Fi Protected Access, stronger encryption, dynamic keys
  – Man in the Middle (MITM) attack more likely with WiFi because hardware is cheap, easy to impersonate an access point
• Personal Area – Bluetooth
  – PIN and Encryption
  – Frequency Hopping Spread Spectrum (FHSS) changes over 79 channels in a “pseudo-random” pattern 1600 times per second. Devices must be synchronized with the hop pattern

Page 15

WiFi - Man in the Middle Attack
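Slide 14 makes the point that WiFi access points are cheap to impersonate. The following is an added example, not code from the presentation: a defender-side check that compares a WiFi scan against an inventory of authorized access-point BSSIDs (the inventory, the SSID name and the scan rows are all constructed for illustration) and flags impostor BSSIDs, look-alike SSIDs, and inventoried APs still running WEP or no encryption.

```python
"""Rogue access-point check for an agency WiFi SSID (added example)."""
from dataclasses import dataclass

# Hypothetical inventory: SSID -> set of BSSIDs authorized to advertise it.
AUTHORIZED = {"AGENCY-WLAN": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}
WEAK_SECURITY = {"OPEN", "WEP"}   # no encryption, or the static-key scheme


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    security: str          # "OPEN", "WEP", "WPA", "WPA2"


def norm_mac(mac: str) -> str:
    """Canonical lower-case colon form so '00-11-..' and '0011..' compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def norm_ssid(ssid: str) -> str:
    """Fold case, whitespace and separators so look-alike names collide."""
    return "".join(c for c in ssid.casefold() if c.isalnum())


def find_rogues(beacons, authorized=AUTHORIZED):
    """Return (bssid, ssid, reason) for every beacon that warrants a look."""
    auth = {s: {norm_mac(m) for m in macs} for s, macs in authorized.items()}
    lookalike = {norm_ssid(s): s for s in auth}
    findings = []
    for b in beacons:
        mac = norm_mac(b.bssid)
        if b.ssid in auth:
            if mac not in auth[b.ssid]:
                findings.append((mac, b.ssid, "BSSID not in inventory for this SSID"))
            elif b.security.upper() in WEAK_SECURITY:
                findings.append((mac, b.ssid, f"inventoried AP using {b.security}"))
        elif norm_ssid(b.ssid) in lookalike:
            findings.append((mac, b.ssid, f"look-alike of {lookalike[norm_ssid(b.ssid)]}"))
    return findings


def demo():
    """Constructed scan: one good AP, one WEP AP, one impostor, one look-alike."""
    scan = [
        Beacon("AGENCY-WLAN", "00-11-22-33-44-01", 6, "WPA2"),
        Beacon("AGENCY-WLAN", "00:11:22:33:44:02", 11, "WEP"),
        Beacon("AGENCY-WLAN", "AA:BB:CC:DD:EE:FF", 6, "WPA2"),
        Beacon("agency_wlan", "de:ad:be:ef:00:01", 1, "OPEN"),
        Beacon("CoffeeShop", "de:ad:be:ef:00:02", 1, "OPEN"),
    ]
    return find_rogues(scan)


if __name__ == "__main__":
    for mac, ssid, reason in demo():
        print(f"{mac}  {ssid!r}: {reason}")
```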

Page 16

Wireless Data – on the Horizon

• Wide Area (miles) – WiMax
  – Sprint and Clearwire
  – Compete with cellular data services, voice?
• Personal Area
  – Near Field Radio (NFR)
    • Similar to RFID; built into cell phones for payment
  – Ultrawideband (UWB) features part of Bluetooth 3.0?
    • FCC authorizes the unlicensed use of UWB in 3.1–10.6 GHz.

Page 17

Broadband Wireless Technologies

(Table columns: Technology & Standard; Current Operators; Upgrade Path; Frequency Range & Duplexing; Channel Bandwidth; Peak Sector Data Rate; Average Data Rate)

UMTS TD-CDMA, Release 5.0+, 3GPP
  Current Operators: T-Mobile, Woosh, Orange, NYC DoITT
  Upgrade Path: Rel. 6+, 7; HSDPA, HSUPA, MIMO
  Frequency Range & Duplexing: 700, 800, 1900-1920, 2000, 2100, 2500-2700, 3400-3600; TDD
  Channel Bandwidth: 5, 10, 20 MHz
  Peak Sector Data Rate: Down 8 Mbps (31.8 Mbps, R7); Up 1.8 Mbps
  Average Data Rate: Down 1.2 Mbps (8 Mbps DL, R7); Up 500 Kbps

UMTS WCDMA, Release 5.0, 3GPP
  Current Operators: AT&T, NTT DoCoMo, Vodafone
  Upgrade Path: HSDPA, HSUPA, MIMO
  Frequency Range & Duplexing: 824-894, 830-885, 1710-1880, 1850-1990, 1920-2170; FDD
  Channel Bandwidth: 2 x 5 MHz
  Peak Sector Data Rate: Down 3.6 (14) Mbps; Up 384 Kbps
  Average Data Rate: 800 Kbps (Downlink)

CDMA2000 1xEV-DO Rev A, 3GPP2
  Current Operators: Verizon, Sprint Nextel, Alltel
  Upgrade Path: Rev B. Bundling multiple channels (1.25 & 5 MHz)
  Frequency Range & Duplexing: 450-500, 824-894, 1850-1990, 700; FDD
  Channel Bandwidth: 2 x 1.25 MHz
  Peak Sector Data Rate: Down 3.1 (4.9) Mbps; Up 1.8 Mbps
  Average Data Rate: 800 Kbps (Downlink)

802.11a/b, IEEE (WiFi)
  Current Operators: 42+ nets, Municipal or Public Safety
  Upgrade Path: Meshing Standard (802.11s)
  Frequency Range & Duplexing: 2400; 4900 (licensed)
  Channel Bandwidth: 1, 5, 10, 20 MHz
  Peak Sector Data Rate: Down/Up 10 Mbps
  Average Data Rate: 1.2 Mbps (Downlink, Mobile)

802.16-2001, 802.16d (2004), 802.16e (2005), IEEE (WiMAX)
  Current Operators: Clearwire, Sprint Nextel (07)
  Upgrade Path: MIMO, 3GPP Internetworking
  Frequency Range & Duplexing: 10-66 GHz (a), 2-11 GHz (d), <3.5 GHz (e); TDD
  Channel Bandwidth: 1.25, 5, 7, 8.25, 10, 20 MHz
  Peak Sector Data Rate: Down 75 (d), 46 (e) Mbps; Up 7 Mbps
  Average Data Rate: TBD; Sprint: 2-4 Mbps Down

Page 18

Radio Waves and Safety What Are the Risks?

“It was found that users who spend more than an hour a day talking on a mobile phone have a close to one-third higher risk of developing a rare form of brain tumor. Most frequently, the cancers were found on the side of the head that the user held the phone up to.” International Journal of Oncology, February 2003;22(2):399-407

"There is currently insufficient scientific basis for concluding either that wireless communication technologies are safe or that they pose a risk to millions of users.... FCC radio frequency radiation guidelines are based on protection from acute injury from thermal effects of RFR exposure and may not be protective against any non-thermal effects of chronic exposures."U.S. Food and Drug Administration, February 2000

NYSTEC has been studying this issue with the US Air Force at Rome Labs

Page 19

Radio Waves and Safety What Are the Risks?

Subject before testing

Page 20

Radio Waves and Safety What Are the Risks?

Subject after testing

Effect was not permanent

Page 21

Part Two

Overview of Mobile Devices

Page 22

PDA

• The traditional stand-alone PDA is being supplanted by new smartphone-style PDAs:
  – Stand-alone PDA sales fell 43.5% from 2006 to 2007 (Wikipedia).
  – Approximately 4 million PDAs are sold per year.
• WiFi, Bluetooth, Infrared radio options (no Wide Area – Cellular voice or data option)

Page 23

Smartphone

• Smartphones combine a full-featured mobile phone with personal computer-like functionality (and processing power):
  – Users can make phone calls, run applications, and access, store, and manipulate data.
  – Data storage devices (i.e. memory cards) that work with smartphones are approaching 8 GB capacity.
• Cellular voice and data, WiFi, Bluetooth, GPS radios

Page 24

Smartphones and PDAs

• Current smartphones and Personal Digital Assistants (PDAs) have as much processing power and memory as laptops had a few years ago!
• Year 1992 - IBM Thinkpad 700C
  – 25 MHz CPU
  – 4 MB RAM
  – 120 MB HD
• Year 2007 - Samsung Blackjack 2
  – 260 MHz CPU
  – 128 MB RAM
  – 256 MB ROM

Page 25

Smartphone: What is it?

• There is no agreement in the industry about what a smartphone actually is, and definitions have changed over time (silicon.com).
• Most smartphones support full featured e-mail capabilities with the functionality of a complete personal organizer.
• Other functionality might include:
  – an additional interface such as a miniature QWERTY keyboard, a touch screen or a D-pad,
  – a built-in camera,
  – contact management,
  – built-in GPS navigation hardware and software,
  – the ability to read business documents in a variety of formats such as PDF and Microsoft Office,
  – media software for playing music, browsing photos and viewing video clips,
  – internet browsers.

Page 26

Smartphones and PDAs

• Mobile devices may improve productivity and efficiency, but they also introduce new risks:
  – Confidential corporate and personal data can be lost when mobile devices are misplaced or stolen
  – Other risks include malware infections, spam, and hacking of mobile devices

Page 27

Operating Systems

• The most common Operating Systems (OS’s) used on smartphones are:
  – Symbian OS from Symbian Ltd. (65% Market Share Sales Q4 2007) (Nokia)
  – Windows Mobile from Microsoft (12% Market Share Sales Q4 2007) (Samsung, Motorola, Carrier branded – Verizon)
  – RIM (Research in Motion) BlackBerry operating system (11% Market Share Sales Q4 2007) (Blackberry)
  – iPhone OS from Apple Inc. (7% Market Share Sales Q4 2007) (Apple iPhone)
  – Linux operating system (5% Market Share Sales Q4 2007) (Motorola)
  – Palm OS developed by PalmSource (now a subsidiary of ACCESS) (Treo).

Source: Canalys

Page 28

Operating Systems Security

• Typical
  – Device Lock
  – SIM card Lock (GSM)
• Symbian OS
  – “Platform Security” covers
    • OS and drivers
    • User interface
    • Applications (must be “signed”)
  – Third party apps enhance security (e.g. DataViz RoadSync to allow MS Exchange server central management)

Source: Canalys

Page 29

Operating Systems Security (cont.)

• Windows Mobile 6
  – Can be managed with Exchange server
    • Device timeout
    • Password length and complexity
    • Allow or disallow attachments, and size limits
    • Remote wipe
  – Built-in storage card encryption
  – Supports security certificates (SSL)

Source: Canalys

Page 30

Operating Systems Security (cont.)

• Blackberry OS
  – Started as an enterprise solution
  – End to End encryption is standard when using Blackberry Enterprise Server
  – Lotus Notes encryption support
  – FIPS 140-2 validation for embedded encryption technology.
  – Meets the Department of Defense requirements for S/MIME (Secure/Multipurpose Internet Mail Extensions) and PKI (Public Key Infrastructure).
  – Remote management of security features, passwords, data wipe

Source: Canalys

Page 31

Part Three

Organizational Risks Associated With Mobile Computing

Page 32

Mobile Devices are Easy Targets!

• PDAs and Smartphones are small and easy to lose:
  – 24% of US business professionals experienced loss or theft of at least one PDA (Pepperdine)
• In recent years Smartphones have gone from embedded CPU-specific microcode to full featured multi-services Operating Systems
• Users are not as wary as they are using PCs and laptops
• There are many network-borne infections and exploits:
  – There have been hundreds of mobile viruses and worms since June 2004. Infection vectors include Bluetooth, MMS (SMS), OS APIs, OS vulnerabilities, email
  – Mobile users frequently install unknown code

Page 33

Mobile Devices Present Unique Challenges

• Windows laptop security programs may not run “as-is” on stripped down Windows Mobile 5.0 for Pocket PC and Windows Mobile 6 Classic
• Wireless creates new data network attack opportunities…
  – Many PDAs and Smartphones have 3+ wireless services (cellular, Wi-Fi, Bluetooth)
• The default security mechanisms in mobile devices are turned off (for ease of use)
• Many users use these devices without the knowledge of IT Departments
  – Forward email and/or store calendar information (synch with PC using products like BitPIM)
  – Use as an external storage device
• http://www.flexispy.com (“Download FlexiSPY spyphone software directly onto a mobile phone and receive copies of SMS, Call Logs, Emails, Locations and listen to conversations within minutes of purchase”)

Page 34

Organizational Risk

• Theft of organizational data off the device. This can lead to non-compliance issues: HIPAA, State Disclosure Laws (for example, NYS Information and Security Breach Notification Act, CSCIC Policies, Federal Policies)
• Theft of data when the device is transmitting/receiving data
• Loss of organizational data off the device. Think of the cost (i.e., amount of time it would take to replace the data) if the data is lost or corrupted. This data includes phone book and calendar information.

Page 35

Organizational Risk

• The device is extending the organizational network when it interacts with the corporate infrastructure:
  – End point on the network (wireless LAN, VPN)
  – Synching with a PC (cabled or Bluetooth)
  – Accessing corporate applications
  – Accessing corporate email servers
  – Acting as a VPN end point
• This can pose several risks to the organizational infrastructure:
  – Malware
  – Network Compromise
  – Password compromise
    • SMS phishing attacks seen in August 2004
    • Email, VPN, Internet facing applications

Page 36

Part Four

Encryption Options

Page 37

Securing Data in Transit

• Just like other data networks, mobile data needs to be secured during transmission
• Even if the device’s data is encrypted “over-the-air” (OTA), it may not be encrypted end-to-end
• Flaws have been found in GSM and CDMA authentication and encryption algorithms, and carriers may not implement all controls
• As with wired networks, there are various alternatives for securing mobile data in transit:
  – Using Secure Socket Layer (SSL) protocol over a secure Web connection
  – Using Virtual Private Network (VPN) solutions
  – Using end-to-end secure mail protocols like S/MIME, PGP
  – Using SMS/MMS filters to block unsolicited spam, phishing

Page 38

SSL VPNs

• SSL VPNs are a good option for mobile devices that have a browser to support them.
• SSL VPNs are fairly open solutions, requiring less configuration and management on the client side, but more configuration on the server side.
• SSL VPNs support multiple modes of operation:
  – Basic Browser access
  – Port forwarding
  – Client-based tunneling
• The mode of operation has an impact on the client dependencies and applications (must ensure that the chosen mode supports your target applications)

Page 39

Mobile VPNs

• Mobile VPNs extend data protection by encrypting traffic between the mobile device and a VPN gateway at the edge of the LAN.
• Mobile VPNs are more proprietary solutions that require installation and management on the mobile device.
• Smartphones and vehicle-mounted laptops roam among WLANs and/or cellular network “dead spots” that often cause breaks in IPSEC tunnel connectivity
• Smartphones may also “go to sleep”, which would interrupt IPSEC and SSL based VPN sessions
• To stay connected, mobile VPNs rely on client software and specialized VPN gateways:
  – Create a “persistent session” that will spoof client-server connectivity in order to hold a session open during loss of signal, etc.

Page 40

Built-in Mobile VPNs

• Many mobile Operating Systems include VPN clients:
  – Palm OS 6: PPTP supplied with Wi-Fi card
  – Windows Mobile 5.0: PPTP, L2TP over IPsec
  – Blackberry: proprietary OTA encryption
• Concerns:
  – Traffic (processing) overhead
  – Compatibility with existing agency VPN
  – Inter-network roaming

Page 41

Part Five

Security of Data on the Mobile Device

Page 42

Protect Data at Rest

• Encryption is the most effective (only?) way to protect data stored on the mobile device
• Many laptop encryption vendors offer solutions for mobile Operating Systems.
• Encryption should extend to the files on the storage media used in the mobile device
• Encryption solutions should be flexible and include support for standard encryption algorithms (for example AES) with 128 bit, 192 bit, and 256 bit encryption keys.
• There is a relationship between the strength of the encryption key and power consumption…
  – The more powerful the key, the more it reduces battery life

Page 43

Recommendations for Mobile Data Device Data Encryption

• Will need to ensure that the data encryption method chosen meets security policies, but does not overtax CPU, memory and battery resources
• Want to select the minimum encryption necessary to comply with the security policy and the sensitivity of the data (See NIST SP 800-57)
• Use solutions that encrypt “in place” rather than containers that require the user to save files in folders (which creates an opportunity for abuse and user error)
• Certified products that conform to FIPS 140-2 requirements ensure that data protection meets robust federal requirements
• Access Control and key management are essential for encryption to be effective

Page 44

Part Six

User Identity and Access Management

Page 45

Access Control: Is It Used?

• Access Control issues
  – Access to data on device
  – Access to applications and data on back-end systems
  – Access to carrier network (device access). This cannot be relied upon to authenticate the user.
  – Allow/prohibit features or applications on the device
• Many mobile device Operating Systems include access control mechanisms…
  – But they need to be enabled (and often are not)
  – May be inconvenient for the user
  – May not be enforced by the organization
• Access control must be used in conjunction with encryption to protect data on the device.

Page 46

Common Access Controls

• Some common mobile device access controls:
  – Power-on PIN
  – Auto-lock/Inactivity Timeout
  – Keypad lock
  – SIM card lock

Page 47

Recommendations: Access Controls

• Use stronger, more convenient authentication technologies (like biometrics, smart cards, tokens). BlackBerry and Windows CE have smartcard readers available.
• Establish policies and enforce them using 3rd party Central Management and Enforcement tools
• Define and provide a process for mobile password reset that is convenient and safe for road warriors

Page 48

Part Seven

Remote Administration of Mobile Devices

Page 49

Centralized Management

• Why Centralized Management?
  – Reduces complexity and cost (of managing multiple devices)
  – Ensures that all mobile devices contain the same versions of the same software
  – Allows for centralized software distribution and control (e.g. can remove unauthorized software applications)

Page 50

Essential Functions of a Mobile Security Central Management System

• The Central Management System should provide (at a minimum):
  – Ability to centralize provisioning of settings and policies
  – Ability to install the mobile security applications on the mobile devices
  – Ability to push software patch updates, security and pattern file updates to the mobile devices
  – Ability to lock mobile security settings on the devices (to prevent users from changing them)

Page 51

Part Eight

NYSTEC’s Top Ten Things Government Agencies Should Consider When Deploying Wireless Access to Agency Data

Page 52

Top Ten List

1. Develop and enforce mobile device policies. Stop ad hoc use of mobile devices to store data and train staff on the risks of these devices
2. Consider adding centralized management tools (can help enable and manage all other items on this list)
3. Develop and maintain an inventory of mobile devices used by your employees (specific make, model, OS)
4. If the sensitivity of the data requires it, encrypt data stored on mobile devices, including the removable media in the devices
5. Enable and enforce mobile device access control mechanisms

Page 53

Top Ten List (Cont.)

6. Use VPNs to ensure security of data in transit
7. If you are using a service for email, messaging or other service, know where this data is stored and ensure correct SLAs are in place to secure those locations
8. Start with conventional network defenses. Know what devices are connecting to your WLAN, VPN, etc.
9. Add device defenses like mobile firewalls, limiting what applications can run on the device, and/or using specific mobile antivirus software on mobile devices
10. If the data is important, ensure that it is being backed up
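Items 3, 4, 5 and 9 of the list, the common access controls (Power-on PIN, auto-lock timeout, SIM lock) and the "lock security settings" function of a central management system all come down to checking each device against a written policy. The following is an added example, not code from the presentation or from any vendor product named in it: a compliance check a central management system could run over its device inventory. The policy values, device records and the blocked application name are all constructed for illustration.

```python
"""Mobile device policy compliance check (added example, constructed data)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    approved_os: frozenset          # make/model/OS inventory (list item 3)
    min_pin_length: int             # power-on PIN (item 5)
    max_lock_timeout_min: int       # auto-lock / inactivity timeout (item 5)
    require_card_encryption: bool   # removable media (item 4)
    blocked_apps: frozenset         # limit what can run on the device (item 9)


@dataclass(frozen=True)
class Device:
    device_id: str
    os: str
    pin_enabled: bool
    pin_length: int
    lock_timeout_min: Optional[int]  # None means the device never auto-locks
    storage_encrypted: bool
    card_present: bool
    card_encrypted: bool
    installed_apps: tuple
    reported_lost: bool = False


def check_device(d: Device, p: Policy) -> list:
    """Return a list of findings; an empty list means the device is compliant."""
    if d.reported_lost:
        # A lost or stolen device is actioned first; the other checks no longer matter.
        return ["reported lost: queue remote wipe and revoke credentials"]
    findings = []
    if d.os not in p.approved_os:
        findings.append(f"OS {d.os!r} not in approved inventory")
    if not d.pin_enabled:
        findings.append("power-on PIN disabled")
    elif d.pin_length < p.min_pin_length:
        findings.append(f"PIN length {d.pin_length} below minimum {p.min_pin_length}")
    if d.lock_timeout_min is None or d.lock_timeout_min > p.max_lock_timeout_min:
        findings.append("auto-lock timeout disabled or longer than policy")
    if not d.storage_encrypted:
        findings.append("device storage not encrypted")
    if p.require_card_encryption and d.card_present and not d.card_encrypted:
        findings.append("removable storage card not encrypted")
    for app in sorted(set(d.installed_apps) & p.blocked_apps):
        findings.append(f"blocked application installed: {app}")
    return findings


def audit(devices, policy: Policy) -> dict:
    """Map device_id -> findings for every device in the inventory."""
    return {d.device_id: check_device(d, policy) for d in devices}


# Hypothetical agency policy.
POLICY = Policy(
    approved_os=frozenset({"Windows Mobile 6", "BlackBerry OS"}),
    min_pin_length=6, max_lock_timeout_min=15,
    require_card_encryption=True, blocked_apps=frozenset({"spyphone"}),
)

# Constructed inventory: one compliant device, one reported lost, one with several gaps.
INVENTORY = [
    Device("wm6-001", "Windows Mobile 6", True, 8, 10, True, True, True, ("outlook",)),
    Device("bb-017", "BlackBerry OS", True, 8, 5, True, False, False, (), reported_lost=True),
    Device("pda-042", "Palm OS 5", False, 0, None, False, True, False, ("spyphone", "notes")),
]

if __name__ == "__main__":
    for dev_id, findings in audit(INVENTORY, POLICY).items():
        print(dev_id, "OK" if not findings else findings)
```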

Page 54

Examples of Mobile Device Security Vendors

• This is a list to show the diversity of solutions being offered today. No recommendation of any of these solutions is implied:
  – BlackBerry – device management, OTA encryption, device encryption, rules on what programs can be loaded and executed, remote wipe
  – Sprint – offers device management (Nokia Intellisync) and encryption, firewall, mobile VPN and anti-virus
  – Kaspersky – remote data wipe (using SMS), anti-theft component, anti-malware and a built-in firewall
  – Utimaco SafeGuard PDA Enterprise – management, encryption at rest, authentication
  – AirScanner (www.airscanner.com) – firewall, encryption, anti-malware
  – Aiko (http://www.aikosolutions.com/) – device encryption
  – F-Secure Mobile Security (www.f-secure.com) – firewall, anti-malware
  – PointSec Mobile (www.checkpoint.com) – encryption
  – Norton SmartPhone Security (www.symantec.com) – antivirus, firewall, SMS antispam

Page 55

Wrap-Up

• Questions??