Scott Totzke - PowerPoint PPT Presentation

Transcript and Presenter's Notes

3
Secure Mobile Data: How To Avoid Being The Next Headline
Scott Totzke
Vice President, Global Security, Research in Motion
4
What Is Security?
  • By its nature, security is the sum of its parts
    • Security is only as good as its weakest link
    • Security needs to touch all aspects of products
  • It is an attribute of a system that must be built in
    • Cannot be an afterthought in the product process
  • Security is more than encryption
    • Security is about letting the good guys in and keeping the bad guys out
  • Threats can come from unexpected vectors
    • New security systems for protecting IT infrastructure
    • What about the air conditioning systems?

5
Security Versus Usability
  • Security is always in tension with usability
  • Flexible approaches to security are required in the real world
  • Administrators set the level of security
    • Balance tradeoffs for usability
  • There is no One Size Fits All approach to security for any system

6
The Value Of Mobile Data
  • 38% average increase in team efficiency
  • 94% of users improved their ability to manage their inbox
  • 93% of users converted down-time into productive time
  • 63 min average down-time recovered daily (250 hrs annually)
  • 238% average ROI; solutions turn a profit in < 5 months
7
Benefits Of Mobile Computing
  • Soft Benefits
    • Efficiency
    • Effectiveness
    • Employee satisfaction
  • Hard Benefits
    • Reduced staff requirements
    • Reduced hardware costs
    • Lower remote connectivity costs
    • Reduced costs for mobile voice

8
The Value Of Mobile Data
  • Different values and risks for government
  • Support missions within government
    • Public Safety
    • Emergency Preparedness
    • Public Health
    • Defense
    • Economy
  • "BlackBerry is the one tool that lets me be more responsive to my constituents"

9
Mobility In The Public Sector: UK Government Breakdown
  • 51% of local governments are undertaking some form of mobile working
  • 37% of local governments are planning to introduce some form of mobile working
  • 12% of local governments were yet to be convinced

2006 Project NOMAD Survey
10
The Importance Of Security
(slides 10 to 14 are image-only slides carrying this title)
The Realities Of Providing Mobile Access To Your Network
  • What does mobility mean to you?
  • Your corporate network spans the globe with access from unknown private IP addresses
  • Users of your data are from every corner of the world
  • Small, mobile computers provide full access to your network
  • Confidential information is sent to terminals on insecure networks - email, calendar, intranet, databases
  • Users expect to be connected anytime, anyplace, anywhere
  • These devices are outside your firewall

16
Smartphone Security
  • Similar risks and threats to laptops, but:
    • Must manage resources more efficiently
      • Battery life, network capacity
      • Processor power, storage
    • User experience / expectations are different
  • These are personal computers
    • They go everywhere and they will be lost, stolen and left behind
    • Significant amounts of sensitive data
    • Always connected, instant access to everything
  • These devices will become targets for attackers
    • Mobile malware, remote network attacks

17
Key Security Features
  • Customers need standards-based solutions that offer:
    • Transport and local data encryption
    • Robust application development support
    • IT management and administration tools
    • Malware protection/containment
    • Centralized device management
    • Remote lock / remote data wipe
    • Remote lock and wipe capabilities
    • Desktop security paradigms
      • S/MIME, PGP, SSL, TLS

18
Key Security Features
  • Customers need standards-based solutions that offer:
    • Multiple authentication mechanisms
      • Users
      • Applications
    • Built-in firewalls
    • Detailed logging capabilities
    • Tools to enable regulatory compliance
    • Service reliability and availability
    • Security certification and assurance
    • User education and awareness

19
What Is A Vulnerability?
  • More commonly, we call them software defects, bugs, or issues
  • Software defects are unavoidable in complex systems
  • The relationships between mobile customer, handset, carrier network, service, and corporate network form a very complex system

20
The Threat Of Mobile Malware
  • 6000: number of malware incidents reported by CERT in 2006
  • 83: number of mobile operators affected by malware in 2006

McAfee Report - 3GSM - February 2007
21
The Threat Of Mobile Malware
  • More than 200 variants of mobile malware today
    • Handset attacks: Skulls, which disables Symbian handsets
    • Service/system attacks: RedBrowser, which sends high-value SMS messages from J2ME handsets
  • New attacks growing exponentially year over year, increasing customer awareness and concern

22
The Risks Of Mobile Malware
  • For enterprises and end users
    • Data leakage / loss
    • Denial of service
  • For carriers and service providers
    • Relationships between handsets and networks can be exploited
      • Disrupt service to a geographic area
      • Interrupt an entire service/network
      • Impact multiple users, regardless of handset vendor
  • These attacks will become more sophisticated over time

23
How Do You Prevent Malware In Smartphones?
  • Anti-virus software typically consists of two parts
    • Detection
    • Containment
  • Detection is hard
    • Requires a big database
      • Storage space is still precious
    • Requires constant updates to remain useful
      • Or back-end connectivity
      • What if you are out of coverage?
      • Or cannot turn on your radio?
    • Fundamentally, how do you know ahead of time that something is malicious?
      • Halting problem in computer science
  • Containment is easy
    • Shut down all methods to step outside a process
    • Application policies and controls

24
Software Configuration Policy
  • Allow the CEO to download games and let the administrator sleep at night
  • Contain and control malware
  • Permissions controllable by administrator and user
    • Most secure setting enforced
  • Specify applications as Required, Optional, or Disallowed
    • Create allowed lists and/or restricted lists
    • Required applications cannot be removed by the user and can be automatically pushed over the air

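An added example, not part of the presentation, of the application policy and controls that slides 23 and 24 describe: the most restrictive of the administrator's and user's settings wins, and every application is Required, Optional, or Disallowed according to the required, allowed and restricted lists. The class and list names are my assumptions, as is the constructed sample policy.

```python
"""Added example, not from the presentation: an application policy of the
kind slides 23 and 24 describe. Assumed design (mine): administrator and
user each hold a permission setting and the most restrictive one wins;
applications are Required / Optional / Disallowed, with an optional
allowed list (which turns the policy default-deny) and a restricted list."""
from enum import Enum


class AppState(Enum):
    REQUIRED = "required"      # pushed over the air, user cannot remove
    OPTIONAL = "optional"      # user may install or remove
    DISALLOWED = "disallowed"  # may not be installed or run


# Per-capability permission levels, least to most restrictive.
PERMISSION_RANK = {"allow": 0, "prompt": 1, "deny": 2}


def effective_permission(admin_setting: str, user_setting: str) -> str:
    """'Most secure setting enforced': the user may tighten the
    administrator's setting but can never loosen it."""
    return max((admin_setting, user_setting), key=PERMISSION_RANK.__getitem__)


class SoftwarePolicy:
    def __init__(self, required, allowed=None, restricted=()):
        self.required = set(required)
        # allowed=None means no allowed list: anything not restricted is optional.
        self.allowed = None if allowed is None else set(allowed)
        self.restricted = set(restricted)
        if self.required & self.restricted:
            raise ValueError("an application cannot be both required and restricted")

    def classify(self, app: str) -> AppState:
        if app in self.required:
            return AppState.REQUIRED
        if app in self.restricted:
            return AppState.DISALLOWED
        if self.allowed is not None and app not in self.allowed:
            return AppState.DISALLOWED   # allowed list present: default deny
        return AppState.OPTIONAL

    def can_user_remove(self, app: str) -> bool:
        return self.classify(app) is not AppState.REQUIRED


# Constructed sample: the CEO gets a chess game, the administrator sleeps at night.
POLICY = SoftwarePolicy(
    required=["email-client", "device-mgmt-agent"],
    allowed=["email-client", "device-mgmt-agent", "chess-game", "maps"],
    restricted=["unsigned-browser"],
)
```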
25
Authentication In The Mobile World
  • It must be an effective method
  • The method must be appropriate for the situation

26
Authentication Goals
  • Is the user allowed to use the device?
    • Device authentication
  • Is the user allowed to talk to my network?
    • Network authentication
  • Is the user allowed to access my service?
    • Service authentication

27
Device Authentication
  • Passwords
    • Most common approach
    • Need ability to centrally manage
      • Establish for use
      • Force use
      • Complexity
      • Timeouts
    • What if the user forgets their password?
  • Usability concerns
    • Understand the user experience

28
Device Authentication
But how do you make it easy?
29
Device Authentication
  • One alternative is multi-factor authentication
    • Something you know (password, PIN, etc.)
    • Something you have (smart card, RSA token, etc.)
    • Something you are (fingerprint, iris, etc.)

30
Can You Push Vendors To Deliver Practical Solutions That Work?
  • How do you use a physical token with a mobile device?
    • Make it wireless!
  • Proximity Smart Card Reader
    • IT controlled
    • Extensible by 3rd parties
  • Why wireless?
    • Adds another dimension to the multi-factor authentication formula
    • Presence

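An added example, not part of the presentation, of how the centrally managed password policy of slide 27 and the proximity token "presence" factor of slides 29 and 30 combine into one device-lock decision: the device never unlocks without the token nearby, locks the moment the token leaves range, and wipes after too many failed passwords. The policy fields, event names, thresholds and sample timeline are my assumptions.

```python
"""Added example, not from the presentation: a device-lock model combining
the centrally managed password policy of slide 27 with the proximity token
'presence' factor of slides 29 and 30. Fields and events are assumptions."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class DevicePolicy:
    min_length: int = 8           # complexity rules set by IT, not the user
    require_digit: bool = True
    inactivity_timeout_s: int = 600
    max_failures: int = 10        # wipe after this many bad passwords

    def password_ok(self, password: str) -> bool:
        if len(password) < self.min_length:
            return False
        return not self.require_digit or re.search(r"\d", password) is not None


def replay(policy: DevicePolicy, events):
    """Replay (time_s, event) pairs; return the lock state after each one.
    Events: good_password, bad_password, activity, token_out, token_in.
    The token is the 'something you have' factor: no unlock without it, and
    the device locks as soon as it leaves range. 'wiped' is terminal."""
    state, token_near, last_activity, failures = "locked", True, 0.0, 0
    states = []
    for t, event in events:
        if state == "unlocked" and t - last_activity > policy.inactivity_timeout_s:
            state = "locked"  # idle timer ran out before this event arrived
        if state != "wiped":
            if event == "token_out":
                token_near = False
            elif event == "token_in":
                token_near = True
            elif event == "bad_password":
                failures += 1
            elif event == "good_password" and token_near:
                state, failures, last_activity = "unlocked", 0, t
            elif event == "activity" and state == "unlocked":
                last_activity = t
            if failures >= policy.max_failures:
                state = "wiped"
            elif state == "unlocked" and not token_near:
                state = "locked"
        states.append(state)
    return states


# Constructed timeline: unlock, work, walk away from the token, return, go idle.
SAMPLE_EVENTS = [(0, "good_password"), (100, "activity"), (200, "token_out"),
                 (210, "good_password"), (220, "token_in"), (230, "good_password"),
                 (900, "activity")]
```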
31
Starting Points For Securing Your Mobile Deployment
  • Develop A Mobile Security Policy
    • Look at your existing policies today
      • Desktop/laptop policy
      • Internet/acceptable use policy
  • Enforce The Use Of Passwords
    • Understand the user experience on the device
      • Small keyboard (QWERTY, SureType, T9, virtual)
      • Frequency and difficulty of entering passwords
    • Do alternate authentication mechanisms make sense?
  • Require Encryption For All Data
    • Data at rest is as important as data in transit
    • Cornerstone for protecting information outside of your network

32
Starting Points For Securing Your Mobile Deployment
  • Develop An Application Policy
    • Standard/approved applications only
      • Reduce support costs
    • Manage risks
      • Contain malware risks and other data leaks
      • Instant messaging?
      • Social networking?
  • Establish Auditing Requirements/Controls
    • SMS
    • MMS
    • Phone logs
  • Develop Procurement Guidelines
    • Certified products/vendors
    • Leverage existing certification frameworks
      • CAPS, Common Criteria, FIPS
  • Education and Awareness!!
