Mobile Security
(SLIDE-2)______ A mobile device (also known as a cell phone device, handheld device, handheld computer, or "palmtop") is a pocket-sized computing device, typically having a display screen with touch input or a miniature keyboard. In the case of the personal digital assistant (PDA), the input and output are combined into a touch-screen interface. Smartphones and PDAs are popular amongst those who require the assistance and convenience of a conventional computer in environments where carrying one would not be practical. Enterprise digital assistants can further extend the available functionality for the business user by offering integrated data capture devices such as barcode, RFID and smart card readers.
Handheld computers:
- Notebook PC
- Ultra-Mobile PC
- Handheld PC
- Personal digital assistant / Enterprise digital assistant
- Graphing calculator
- Pocket computer

Handheld game consoles:
- Nintendo DS
- Game Boy, Game Boy Color
- Sega Game Gear
- PC Engine GT
- Atari Lynx
- Pandora
- PlayStation Portable
- N-Gage
Media recorders______(SLIDE-7)
- Digital still camera
- Digital video camera
- Digital audio recorder
- Media players/displayers
- Portable media player
- E-book reader
These are the types of media recorders.________(SLIDE-8)
Communication devices______(SLIDE-9)
Most handhelds can also be used to send and receive faxes by email using an Internet fax service. Internet faxing also enables handheld users to print documents by sending them to a nearby fax machine. This service is available through most internet fax providers.
Maintaining a secure wireless network and associated devices requires significant effort, resources, and vigilance and involves the following steps:
- Maintaining a full understanding of the topology of the wireless network.
- Labelling and keeping inventories of the fielded wireless and handheld devices.
- Creating backups of data frequently.
- Performing periodic security testing and assessment of the wireless network.
- Performing ongoing, randomly timed security audits to monitor and track wireless and handheld devices.
- Applying patches and security enhancements.
- Monitoring the wireless industry for changes to standards that enhance security features and for the release of new products.
- Vigilantly monitoring wireless technology for new threats and vulnerabilities.

Wireless networks serve as the transport mechanism between devices and among devices and the traditional wired networks (enterprise networks and the Internet). Wireless networks are many and diverse but are frequently categorized into three groups based on their coverage range: Wireless Wide Area Networks (WWAN), WLANs, and Wireless Personal Area Networks (WPAN). WWAN includes wide coverage area technologies such as 2G cellular, Cellular Digital Packet Data (CDPD), Global System for Mobile Communications (GSM), and Mobitex. WLAN, representing wireless local area networks, includes 802.11, HiperLAN, and several others.
Wireless LANs______(SLIDE-13)
WLANs allow greater flexibility and portability than do traditional wired local area networks (LANs). Unlike a traditional LAN, which requires a wire to connect a user's computer to the network, a WLAN connects computers and other components to the network using an access point device. An access point communicates with devices equipped with wireless network adaptors; it connects to a wired Ethernet LAN via an RJ-45 port. Access point devices typically have coverage areas of up to 300 feet (approximately 100 meters). This coverage area is called a cell or range. Users move freely within the cell with their laptop or other network device.
The three basic security services defined by IEEE for the WLAN environment are as follows:
- Authentication: A primary goal of WEP was to provide a security service to verify the identity of communicating client stations. This provides access control to the network by denying access to client stations that cannot authenticate properly. This service addresses the question: are only authorized persons allowed to gain access to my network?
- Confidentiality: Confidentiality, or privacy, was a second goal of WEP. It was developed to provide privacy comparable to that achieved by a wired network. The intent was to prevent information compromise from casual eavesdropping (a passive attack). This service, in general, addresses the question: are only authorized persons allowed to view my data?
- Integrity: Another goal of WEP was a security service developed to ensure that messages are not modified in transit between the wireless clients and the access point in an active attack. This service addresses the question: is the data coming into or exiting the network trustworthy, or has it been tampered with?
Ad Hoc Networks_______(SLIDE-14)
Ad hoc networks such as Bluetooth are networks designed to dynamically connect remote devices such as cell phones, laptops, and PDAs. These networks are termed ad hoc because of their shifting network topologies. Whereas WLANs use a fixed network infrastructure, ad hoc networks maintain random network configurations, relying on a master-slave system connected by wireless links to enable devices to communicate. In a Bluetooth network, the master of the piconet controls the changing network topologies of these networks. It also controls the flow of data between devices that are capable of supporting direct links to each other. As devices move about in an unpredictable fashion, these networks must be reconfigured on the fly to handle the dynamic topology. The routing protocol that Bluetooth employs allows the master to establish and maintain these shifting networks.
Bluetooth_______(SLIDE-14)
Bluetooth has emerged as a very popular ad hoc network standard today. The Bluetooth standard is a computing and telecommunications industry specification that describes how mobile phones, computers, and PDAs should interconnect with each other, with home and business phones, and with computers using short-range wireless connections. Bluetooth network applications include wireless synchronization, email/Internet/intranet access using local personal computer connections, hidden computing through automated applications and networking, and applications that can be used for such devices as hands-free headsets and car kits. The Bluetooth standard specifies wireless operation in the 2.45 GHz radio band and supports data rates up to 720 kbps. Benefits of Bluetooth include:
- Cable replacement: Bluetooth technology replaces cables for a variety of interconnections. These include those of peripheral devices (i.e., mouse and keyboard computer connections); USB at 12 Mbps (USB 1.1) up to 480 Mbps (USB 2.0); printers and modems, usually at 4 Mbps; and wireless headsets and microphones that interface with PCs or mobile phones.
- Ease of file sharing: Bluetooth enables file sharing between Bluetooth-enabled devices. For example, participants of a meeting with Bluetooth-compatible laptops can share files with each other. In another example, a Bluetooth-compatible mobile phone acts as a wireless modem for laptops. Using Bluetooth, the laptop interfaces with the cell phone, which in turn connects to a network, thus giving the laptop a full range of networking capabilities without the need of an electrical interface for the laptop-to-mobile phone connection.
- Wireless synchronization: Bluetooth provides automatic wireless synchronization with other Bluetooth-enabled devices. For example, personal information contained in address books and date books can be synchronized between PDAs, laptops, mobile phones, and other devices.
- Automated wireless applications: Bluetooth supports automatic wireless application functions. Unlike synchronization, which typically occurs locally, automatic wireless applications interface with the LAN and Internet. For example, an individual working offline on e-mails might be outside of their regular service area (on a flight, for instance). To e-mail the files queued in the inbox of the laptop, the individual, once back in a service area (i.e., having landed), would activate a mobile phone or any other device capable of connecting to a network. The laptop would then automatically initiate a network join by using the phone as a modem and automatically send the e-mails after the individual logs on.
- Internet connectivity: Bluetooth is supported by a variety of devices and applications. Some of these devices include mobile phones, PDAs, laptops, desktops, and fixed telephones. Internet connectivity is possible when these devices and technologies join together to use each other's capabilities. For example, a laptop, using a Bluetooth connection, can request a mobile phone to establish a dial-up connection; the laptop can then access the Internet through that connection.
GPRS_____(SLIDE-16)
General Packet Radio Service (GPRS) is a data network architecture that is designed to integrate with existing GSM networks and offer mobile subscribers always-on, packet-switched data services access to corporate networks and the Internet. GPRS provides mobile operators with an opportunity to offer higher-margin data access services to subscribers. In return, subscribers benefit from GPRS by being able to use higher-bandwidth mobile connections to the Internet and corporate networks. GPRS Tunnelling Protocol (GTP) is the protocol used by GSM or UMTS operators to convert radio signals from subscribers into data packets, and then to transport them in non-encrypted tunnels. GTP does not provide for inherent security.
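To make "non-encrypted tunnels" concrete, the following added example (not part of the original slides and not operator code) encodes and decodes the fixed GTPv1 header as defined in 3GPP TS 29.060: flags, message type, length, TEID, and the optional sequence / N-PDU / next-extension octets. The sample packet, TEID and payload are constructed for the demonstration; extension headers are deliberately left undecoded. The point for a defender is that any tap on the operator backbone reads the tunnel identifiers and the subscriber's inner packet as plaintext, so protection must come from the transport underneath (for example IPsec between the GPRS support nodes) or from end-to-end encryption inside the payload.

```python
import struct
from typing import Optional

GTP_V1_MIN_HEADER = 8      # flags, message type, length, TEID
GTP_MSG_GPDU = 0xFF        # G-PDU: a tunnelled user packet (T-PDU) follows the header
FLAG_E, FLAG_S, FLAG_PN = 0x04, 0x02, 0x01


def build_gtpv1_gpdu(teid: int, payload: bytes, seq: Optional[int] = None) -> bytes:
    """Encode a GTPv1 G-PDU. Used here only to construct the sample packet."""
    flags = 0x30                      # version 1 (bits 7..5 = 001), PT = 1 (GTP, not GTP')
    optional = b""
    if seq is not None:
        flags |= FLAG_S
        # when any of E/S/PN is set, all three optional octets are present
        optional = struct.pack("!HBB", seq, 0, 0)
    length = len(optional) + len(payload)   # length counts everything after the 8-byte header
    return struct.pack("!BBHI", flags, GTP_MSG_GPDU, length, teid) + optional + payload


def parse_gtpv1(packet: bytes) -> dict:
    """Decode a GTPv1 header; everything, including the tunnelled payload, is plaintext."""
    if len(packet) < GTP_V1_MIN_HEADER:
        raise ValueError("shorter than the mandatory 8-byte GTPv1 header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", packet[:GTP_V1_MIN_HEADER])
    if flags >> 5 != 1:
        raise ValueError(f"not GTPv1 (version field = {flags >> 5})")
    end = GTP_V1_MIN_HEADER + length
    if end > len(packet):
        raise ValueError("length field runs past the end of the packet")
    offset = GTP_V1_MIN_HEADER
    seq = None
    if flags & (FLAG_E | FLAG_S | FLAG_PN):
        if end < offset + 4:
            raise ValueError("optional fields signalled but missing")
        seq, _npdu, next_ext = struct.unpack("!HBB", packet[offset:offset + 4])
        offset += 4
        if flags & FLAG_E and next_ext != 0:
            raise ValueError("extension headers are not decoded in this example")
    return {
        "protocol_type": (flags >> 4) & 1,   # 1 = GTP, 0 = GTP' (charging)
        "message_type": msg_type,
        "teid": teid,
        "sequence": seq,
        "payload": packet[offset:end],
    }


# Constructed sample: one G-PDU carrying a made-up inner packet, with a sequence number.
SAMPLE_TEID = 0x0A1B2C3D
SAMPLE_PAYLOAD = b"inner IP packet (constructed sample, not real traffic)"
SAMPLE_PACKET = build_gtpv1_gpdu(SAMPLE_TEID, SAMPLE_PAYLOAD, seq=7)


def tunnel_contents_are_readable(packet: bytes = SAMPLE_PACKET) -> bool:
    """True when a passive observer recovers the TEID and the user payload unchanged."""
    fields = parse_gtpv1(packet)
    return fields["teid"] == SAMPLE_TEID and fields["payload"] == SAMPLE_PAYLOAD


if __name__ == "__main__":
    print(parse_gtpv1(SAMPLE_PACKET))
```

The same decoder, pointed at a capture from a monitoring port, is how a network team would verify that the GTP traffic it sees is actually wrapped in IPsec rather than travelling in the clear.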
Integrity: Integrity is a security service that assures that data cannot be altered in an unauthorized or malicious manner.
Confidentiality: Confidentiality is the protection of data from disclosure to unauthorized third parties.
Authentication: Authentication provides assurance that a party in data communication is who or what they claim to be.
Authorization: Authorization is a security service that ensures that a party may only perform the actions that they're allowed to perform.
Availability: Availability means that data services are usable by the appropriate parties in the manner intended.
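The integrity and authentication services defined here (and listed earlier for WEP) are usually delivered together by a message authentication code. The following added example is not from the slides; it uses HMAC-SHA256 from the Python standard library to show the two services in action: a frame is accepted only if its tag matches, a frame modified in transit is rejected (integrity), and a tag produced without the shared key is rejected (authentication). The keys and the frame contents are constructed for the demonstration. Note what it does not give: the message part stays readable, so confidentiality needs separate encryption.

```python
import hashlib
import hmac
import secrets
from typing import Optional

TAG_LEN = 32  # HMAC-SHA256 digest size in bytes


def protect(key: bytes, message: bytes) -> bytes:
    """Append an authentication tag so the receiver can check integrity and origin."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def verify(key: bytes, frame: bytes) -> Optional[bytes]:
    """Return the message if the tag checks out, else None (tampered or wrong key)."""
    if len(frame) < TAG_LEN:
        return None
    message, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # constant-time comparison: a plain '==' on bytes can leak timing information
    if not hmac.compare_digest(tag, expected):
        return None
    return message


def demo() -> dict:
    """Constructed exchange between a client station and an access point."""
    shared_key = secrets.token_bytes(32)     # constructed: known only to the two parties
    outsider_key = secrets.token_bytes(32)   # constructed: a party without the shared key
    frame = protect(shared_key, b"ASSOC client=station-17 (constructed sample)")
    # flip one bit in the message part to simulate modification in transit
    tampered = bytes([frame[0] ^ 0x01]) + frame[1:]
    return {
        "genuine_accepted": verify(shared_key, frame) is not None,
        "tampered_rejected": verify(shared_key, tampered) is None,
        "outsider_rejected": verify(shared_key, protect(outsider_key, b"ASSOC client=station-17")) is None,
        # the tag gives no confidentiality: the message part is still in the clear
        "message_readable_in_clear": frame.startswith(b"ASSOC"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

In a real protocol the tag would also cover a sequence number or nonce so that a captured genuine frame cannot simply be replayed; that is outside what the definitions above ask for, so it is left out here.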
An analogy to the problem of multiple access is a room (channel) in which people wish to communicate with each other. To avoid confusion, people could take turns speaking (time division), speak at different pitches (frequency division), or speak in different languages (code division). CDMA is analogous to the last example, where people speaking the same language can understand each other, but not other people. Similarly, in radio CDMA, each group of users is given a shared code. Many codes occupy the same channel, but only users associated with a particular code can understand each other.
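The "different languages" analogy can be carried through in a few lines. This added example is not from the slides: it uses three rows of a 4x4 Walsh-Hadamard matrix as mutually orthogonal spreading codes, lets two users transmit on the same channel at once, and recovers each user's bits by correlating the summed signal with that user's code. The user names and bit sequences are constructed; real CDMA systems add longer codes, power control and noise handling, which are omitted here.

```python
# Orthogonal spreading codes: rows of a 4x4 Walsh-Hadamard matrix (pairwise dot product is 0).
CODES = {
    "alice": [1, 1, 1, 1],
    "bob": [1, -1, 1, -1],
    "carol": [1, 1, -1, -1],
}


def is_orthogonal(code_a, code_b) -> bool:
    """Two codes can share a channel only if their dot product is zero."""
    return sum(a * b for a, b in zip(code_a, code_b)) == 0


def spread(bits, code):
    """Map each bit to +1/-1 and multiply by the code's chips (one bit -> len(code) chips)."""
    return [(1 if bit else -1) * chip for bit in bits for chip in code]


def channel(*signals):
    """Shared radio channel: everyone transmits at once, so chip values simply add."""
    return [sum(chips) for chips in zip(*signals)]


def correlate(signal, code):
    """Per-bit dot product with a code: +N or -N for the matching user, 0 for orthogonal ones."""
    n = len(code)
    return [sum(s * c for s, c in zip(signal[i:i + n], code)) for i in range(0, len(signal), n)]


def despread(signal, code):
    """Decide each bit from the sign of its correlation (only meaningful for the right code)."""
    return [1 if corr > 0 else 0 for corr in correlate(signal, code)]


# Constructed sample: Alice and Bob share the channel; Carol's code is idle.
ALICE_BITS = [1, 0, 1]
BOB_BITS = [0, 0, 1]
MIXED = channel(spread(ALICE_BITS, CODES["alice"]), spread(BOB_BITS, CODES["bob"]))


if __name__ == "__main__":
    print("on air:", MIXED)
    for user in ("alice", "bob", "carol"):
        print(user, "hears", despread(MIXED, CODES[user]), "correlations", correlate(MIXED, CODES[user]))
```

Correlating with a code that nobody is using (Carol's) returns 0 for every bit, which is the "language you don't speak" of the analogy: the other users' energy cancels out rather than being decoded.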
(SLIDE-20)______More than 86 percent of consumers worry about receiving inappropriate or unsolicited content, fraudulent bill increases, or information loss or theft. More than 72 percent of users expressed concerns regarding the safety of using emerging mobile services.
(SLIDE-21)_____Nearly 14 percent of global mobile users have been directly infected or have known someone who was infected by a mobile virus. In spite of these concerns, mobile security hasn't yet taken hold the way it has in the PC environment.
(SLIDE-22)_____According to our report, at least 79 percent of consumers are knowingly using unprotected devices, (SLIDE-23)____with another 15 percent unsure of their devices' security levels.
Virus Infection: Viruses can infect wireless devices just as they infect wired computers. In fact, there are records of virus infections on mobile devices. There is a virus called Palm/Phage, which is able to infect Palm OS, but it is not in the wild and poses little threat. Nonetheless, it is sensible to keep backups of any Palm applications and data. There is also a Trojan horse known as Palm/Liberty-A, which is able to infect Palm OS. It deletes Palm OS applications. Like Phage, it is low risk and you are unlikely ever to encounter it. The question one ponders is: can mobile devices be protected from viruses? The answer is yes, and we may add that one of the most efficient ways to protect mobile devices is to check data when transferring it to or from the device.
- Make sure all host systems that your users are connecting their devices to are protected with current antivirus software. In many cases, the desktop system can catch infected applications before they are installed on the mobile device.
- If your users are not using Bluetooth on their phones, PDAs, luxury automobiles or other gadgets, have them disable the feature altogether. In addition to closing the door on some types of malware and unwanted advertising, this will improve battery life on the device.
- If your users simply cannot live without their Bluetooth accessories, make sure that, at the very least, their phone/PDA/etc. is not set to be discoverable. While this is not a guarantee that a skilled attacker will not see the device given time and motivation, it will provide some defence against attackers of opportunity. A better practice is to instruct users to activate Bluetooth when they need it and turn it off when not in use.
- While it may seem a bit obvious, we infosec types need to educate our users that, just as they should not click on every attachment sent to their PC e-mail inbox, they should view unsolicited messages and software on PDAs and phones with suspicion. The malware released to date for phones and PDAs requires help from the victim in order to spread. No help, no virus.
- Information kept on phones and PDAs should exist somewhere else as well. Malware is one threat to mobile devices, but there are many others: theft, loss, damage, to name a few. No matter which of these results in data loss, having a backup will make recovery easier.
- Develop a comprehensive, strategic plan for mobile devices that incorporates security policies and procedures with strict accountability.
- When it comes to security, treat smartphones, laptops, personal digital assistants and other mobile devices no differently than desktop computers. Apply the same security software to them, including antispyware software.
- IT, not employees, should select which mobile devices to use in the enterprise, and the company should own them and maintain central control. This way, IT can easily apply software patches and end-to-end encryption.
- Install acceptable software applications on mobile devices and warn users against adding unauthorized applications on their own.
- Create acceptable usage policies for mobile devices and proactively educate users about them.
- IT should put in place an enforcement technology behind written usage and security policies for mobile devices. In other words, apply technologies that make it impossible (or near impossible) for users or devices to break company policy.
- Audit and monitor mobile device activity among employees to prove security policy compliance. Audits can reveal how effective a written policy is and how soundly employees are adhering to it. Regular audits can also help amass proof of compliance with HIPAA and other regulations.
Critical mobile security mistakes -- things to look out for and gain control of going forward. ______(SLIDE-28)
1. Not knowing what is really at risk: Most employees and managers haven't really thought about what there is to lose -- especially when it comes to the lack of physical security controls with mobile devices. Simply put, people aren't valuing business assets and treating the threats and vulnerabilities seriously enough.
2. Not taking the complexities involved seriously enough: It is easy to assume that mobile security is simply achieved. You just encrypt wireless traffic and laptop hard drives and all is well, right? Not really. For starters, it's all in how encryption is used and when it's used. Also, with the lack of physical controls, unauthorized usage is very difficult to prevent or trace back. The software side of mobile security is a complex beast and it cannot be taken lightly.
3. Being too trusting of people: Many in IT and upper management are too trusting of employees and of outside contractors and visitors. They are often given a lot of privileges with mobile devices -- both on and off the network -- but no one really knows how they're using them.
4. Not using technology for help: There is a great over-reliance on policies to keep information safe -- especially at the management level. The assumption is that a policy is in place, so everything is safe and sound. There are lots of security controls, from power-on passwords to BitLocker drive encryption in Windows Vista, from WPA encryption to the Microsoft PPTP VPN (among others). The key is making the choice to use them. If the controls you need are not there by default, there are solutions available to keep mobile systems secure from the elements.
5. Not understanding how the bad guys work: Mobile systems (wireless LANs included) aren't being properly tested for security exploits. In fact, mobile systems are often outside the scope of security assessments. Of the testing that is being done, it is often a checklist audit with no in-depth testing (ethical hacking) to find out just what controls can be bypassed and exploited. Looking at mobile systems with a malicious attitude and good tools is absolutely necessary to find the real problems.
out for a test drive with a small group of users. Many security policies fail because they prove impractical to deploy or use. Working out these kinks before requiring everyone to follow your policy will increase voluntary compliance and overall effectiveness. Don't forget to include training for administrators and users in your deployment process.
8. Auditing and enforcement: Voluntary compliance is nice, but insufficient for truly managing business risk. Effective policies ensure compliance through monitoring and enforcement.
Summary:_________(SLIDE-30)
As the use of mobile devices in enterprise organizations increases, corporate and government organizations need to take the necessary steps to maintain the security of their email and application data. In using wireless devices, data is increasingly transmitted outside the corporate network and stored on mobile devices outside the physical boundaries of the organization. Mobile devices are potentially subject to man-in-the-middle attacks, DoS attacks, malware threats, and other data breaches. While losing data is only an embarrassment for some organizations, financial and legal risks may result in many cases. An effective wireless solution should be designed for enterprise-grade security and provide an architecture specifically for the realities of mobility. In many cases, solutions that work in a desktop environment are impractical for mobile computing, given the constrained processing, memory and battery resources of mobile devices. The corporate firewall is a critical component in protecting an organization's data and should protect against opportunities for attack or malicious use. The connection over the wireless network must be secure to maintain the confidentiality, authenticity, and integrity of the data transmitted. And finally, mobile devices must be protected from data loss, tampering and malware infection.
(SLIDE-31)