Secure Voice Communications The Missing Piece in Mobile Security - PowerPoint PPT Presentation

Secure Voice Communications The Missing Piece in Mobile Security Tony Fascenda, Founder, CEO, KoolSpan Inc. – PowerPoint PPT presentation

Slides: 36
Provided by: aur114

Transcript and Presenter's Notes



1
Secure Voice Communications: The Missing Piece in Mobile Security
  • Tony Fascenda, Founder, CEO, KoolSpan Inc.

2
Security Landscape: Wide Open, Complex
71% of large enterprise IT managers say IT security solutions are too complex. - 2008 Mobile Trust Survey

3
IT Infrastructure
  • Multiple Problems to solve
  • Trusted vs. un-trusted users (login management)
  • Network Access (24 x 7 access)
  • Hackers, viruses, malware
  • Firewalls packet inspection
  • Intrusion detection / Intrusion prevention
  • Patch Management
  • Standards / RFCs
  • Box for every problem
  • 900 vendors for IT infrastructure
  • Defense in depth
  • Everything must work together
  • Never ending series of problems to solve

4
The Mobile Security Threat
Nearly 70% of all large enterprise IT managers say mobile phones are used to discuss business topics considered confidential. - 2008 Mobile Trust Survey

5
Data vs. Voice
  • Focus
  • IT Engineers may spend entire career protecting
    data
  • Mobile phones have two problems: data and voice
  • When it comes to voice, the user is left naked
  • Most important information is that which is
    spoken
  • Many security-conscious companies prohibit
    discussing sensitive data on mobile
  • Voice calls operate on the PSTN and possibly IP
    networks
  • ROI on call interception is very high
  • Difficult to quantify because this is usually a
    risk not publicized
  • Security is difficult to implement/easy to crack

6
Mobile Voice Breaches Gaining Attention

7
How Is A Cellular Call Intercepted?
Four Typical Attack Vectors (diagram: Operator A, Operator B, Operator C)

8
What Would it Take for Someone to Intercept Your Mobile Communications?
Just Google it!
  • 100,000s of hits
  • Large community
  • Illegal, but vibrant marketplace
  • Many solutions for law enforcement, but
    hijacked by bad guys

9
Mobile Phone Points of Attack
  • Only protected part of communication is between
    handset and base station
  • Switched-connection
  • Mandatory to bridge different phone types
  • Cleartext available anywhere between
    base-stations
  • At either operator's switch
  • Anywhere in the cloud that connects operators
  • Impossible to detect wiretap

10
Threat Envelope
11
What's At Risk?
  • Impact of Compromise
  • Operational Security
  • Direct Financial Loss
  • Intellectual Property (IP)
  • Physical Safety Risk
  • Cyber Security Risk
  • Reputational / Brand Risk
  • Legal Risk
  • Stock Risk

12
Mobile Voice Threat Envelope: What's Changed
  • 1945: Most government secrets were held by
    government
  • 2009: Most government secrets held by private
    industry
  • Internationally, boundaries between state and
    criminal espionage blurred
  • Increased Competition
  • Foreign nationals: no risk, no fear!
  • Wider availability of network access
  • Attacks, easier and easier to accomplish
  • Naive CEOs, CFOs, CSOs
  • Only companies damaged by economic espionage take
    threat seriously!
  • ROI on mobile intercept is HIGH!

13
Smartphone Market Eclipses Computer Market
Source: Wall Street Journal

14
Smartphones are new Laptops
  • Susceptible to intercept but more probably to
    being left behind at airport security
  • Mobile device loss results in
  • Potential exposure to enterprise / network etc.
  • Loss of valuable data / trade secrets
  • Loss of productivity from user
  • Smartphones handle both voice and data
  • Data often exchanged with enterprise
  • Stored in phone or in plug-in memory cards
  • Not enough to protect the pipe; you must
    protect and secure the data at all times

  • "More than 10,000 laptops are reported lost at the 36 largest airports in US each week. Only 35% ever reclaimed" - engadget
  • "More than 250,000 mobile phones and handheld devices will be left behind at U.S. airports alone this year and only 25-30 percent will be reunited with their owners" - Technet.microsoft.com
  • "100,000 devices left on London Underground each year" - British Authorities

15
Hurdles to Enterprise Ready Smartphones
Unfortunately, IT directors' ability to manage
these devices as corporate assets, while
controlling the data and applications that run on
them, hasn't kept pace.
  • InformationWeek

  • Business applications for Smartphones are proliferating
  • Increasingly, many business people choose to leave their laptop behind
  • Vulnerable to eavesdropping on phone calls as well as attacks on the data applications
InformationWeek Cover Story, October 2008

16
Challenges to Mobile Communication Security
17
Wide Gap: Problem Recognition and Solution Implementation
Are you aware of any compromises to voice communications on cellular/mobile networks?
Mobile Trust Survey, 2007

18
Why the Unmet Need in Cellular Encryption?
Wide Gap: Problem Recognition and Solution Implementation
  • Because
  • It's hard to do
  • It's difficult to manage
  • Manufacturers don't provide security hooks
  • Enterprises don't yet realize the threat

Among Respondents Interested In Secure Voice Solution (58% of Total):
  • Already deployed: 14%
  • Planning a deployment: 14%
  • Would consider an easy, cost-effective solution: 72%
Mobile Trust Survey, 2007

19
Phones are Insecure
  • Phones aren't managed by IT Department
  • Phones don't use IT infrastructure
  • Phones can connect to anyone, anytime
  • Phones not designed to protect your data
  • Result: mobile voice is insecure
  • Result: mobile data is insecure

20
OEM Over-Exposure
  • Security Issues are pervasive within device
  • Dealing with all of them is next-to-impossible
  • No OEM has yet to adopt a platform security
    solution
  • FIPS and other certs?
  • Way too many entry points to adequately address
    the issues

21
Application Implementation
  • Customer Application Example
  • Access to real-time data vital
  • Data is important to both customer and company
  • Secure access is vital
  • Data-in-motion and data-at-rest must be secure
  • Developer Implementation?
  • What's available to me?
  • What's best practice?
  • How do I design, develop, test and certify?

22
Application Implementation: Customer Application Example

Authentication Encryption Solutions
  • Biometric Solutions FobLock
  • Good Technology GoodLink Mobile Defense
  • Mobile Armor Data Armor
  • Palm Security 5p
  • PointSec
  • RSA Security SecurID
  • SafeBoot Device Encryption
  • TealPoint Software TealLock

Management Security Solutions
  • Credant Mobile Guardian
  • IBM Tivoli Configuration Manager
  • iAnywhere Afaria
  • Intellisync Mobile Systems Management
  • Trust Digital TRUST Enterprise Secure
  • Novell Zenworks Handheld Management

Transmission Security Solutions
  • Aventail Workplace
  • F5 Firepass
  • IBM WebSphere Everyplace Access (WEA)
  • Meetinghouse AEGIS WLAN Security Solution
  • Certicom movianVPN
  • Mergic Mergic VPN
  • Nortel Networks Alteon SSL VPN
  • WorldNet21 anthaVPN

Cryptography/PKI Toolkits
  • Certicom Security Builder Crypto
  • Copera AESLib
  • Diversinet Passport
  • RSA Security BSAFE
  • Ntru Cryptosystems Security Toolkit

Messaging/Data Solutions
  • Good Technology GoodLink
  • Notify NotifyLink Enterprise Edition
  • Intellisync Mobile Suite
  • SEVEN System SEVEN
  • Visto Mobile Access Solution
  • Extended Systems OneBridge Mobile Groupware

23
Application Implementation: Customer Application Example
  • Multiple Solutions are really multiple problems
  • Multiple instances of same/competing libraries
  • Resource Utilization
  • Host Processor Performance
  • Platform Security is better approach

24
Secure Voice Issues
  • Voice must be secured between two users
  • no intervening infrastructure involved
  • Users may not belong to same organization
  • how to manage credentials?
  • Peer-to-peer authentication
  • Platforms are not consistent (WinMo/Symbian/RIM/iPhone
    etc.)
  • Audio re-routing issues: difficult on Symbian,
    next to impossible on WinMo, not available on RIM
  • Connecting two incompatible platforms is not easy

25
Evaluating Solutions to Mobile Communication
Security
26
Implementing Security
  • Three areas of expertise (in descending
    importance)
  • Key Management
  • Authentication
  • Encryption
  • Each has particular issues to be handled
  • Multiple solutions for each abound
  • But all components must be carefully integrated
  • Platform vs. point-specific solutions

27
  • Fine mesh system
  • Carefully tuned
  • Fully integrated

28
Need for end-to-end Security
  • Connection
  • Hub-and-spoke?
  • Peer-to-Peer?
  • Conferencing?
  • Security
  • End-to-end?
  • Managed?
  • Data Security
  • In Motion?
  • At Rest?
  • Key escrow
  • Lawful Intercept
  • Mandated capability

  • Not good enough just to have a VPN. Data must be protected at all times: at rest, in USB tokens, memory cards, etc.
  • Securing the pipe is only a partial solution
  • Need to support lawful access without divulging underlying technology

29
Examples of three popular platforms
  • Blackberry / WinMo / iPhone
  • Three distinctly different operating systems
  • Why do enterprises like each?
  • How have each handled security?
  • What are their risks?

30
Blackberry
  • Winning in the Enterprise/Govt
  • Because of Email Integration Security
  • Widely adopted throughout the world
  • E-mail handled by BES: adequate security
  • Other applications don't have security
  • Voice security not addressed

31
Windows Mobile
  • Highly integrated into Enterprise
  • Easily understood and managed by IT
    administrators
  • Recent efforts at improving security
    infrastructure
  • Improved methods for device connectivity
  • No consistent method for application security
  • Authentication/Security
  • Left up to individual application designer
  • Key Management mystery: often poorly managed
  • Voice Security left unaddressed
  • Result
  • Device often packed with multiple separate
    instances of security technologies that often
    bring with them more vulnerabilities than the
    solution they provide
  • No service opportunity for managed security

32
iPhone
  • Easy-to-use, consistent interface
  • Not fully integrated into enterprise
  • Rapidly gaining market share
  • Powerful, elegant, flexible
  • App Store
  • Voice security unaddressed

33
Best Practices for Mobile Voice and Data Security
  • Voice and Data security: common problem
  • Both must be addressed
  • Ensure business voice calls are encrypted
  • Networks are un-trusted pipes
  • End-to-end security is preferred
  • Data must be secured at all times: in motion, at
    rest
  • Security must persist no matter what
  • Educate senior staff on risks
  • Ensure that employees understand the nature of
    mobile phone intercepts

34
Best Practices for Mobile Voice and Data Security
  • Platform security makes sense
  • Use standards-based approach wherever possible
  • Integrate data-at-rest, data-in-motion security
  • Common framework for both transport and
    application security
  • Use single, well thought out integrated Key
    Management, Authentication and Encryption
    solution supporting multiple contexts
  • Implement in plug-in hardware
  • Adaptable to any modern handset
  • Secure hardware resolves all security issues
  • Software bridges adaptability
  • Best of both worlds!
  • Management must be secure at all times

35
Thank You
Tony Fascenda
KoolSpan Inc.
4962 Fairmont Ave.
Bethesda, MD. 20814
Phone: 240 880-4402
E-mail: tfascenda_at_koolspan.com
http://www.koolspan.com