Tuesday, 28 August 2007

Mobile Security a more detailed view

The subject of mobile device security has a controversial past; stories of computers being stolen complete with MOD intelligence data and drive-by hacking into corporate wireless networks using Pringle tubes as antennas, make it into the press on a regular basis. These stories paint a picture that shows mobile devices and wireless technology as inherently insecure, when in the majority of cases the victims of hackers and mobile device thieves, have not shown due diligence over the impact of wireless technologies and mobile devices on their security policy.

Corporate wireless local area network “LAN” has had its fair share of horror stories. The most popular being ”For speed we used the default settings pre-programmed into the access point”, well guess what? These can be found on the manufacturers support site! This results, in the majority of cases, in stolen bandwidth from unprotected access points.

If you consider the following points when looking at security, you will not go far wrong!

Radio based technologies do not respect the physical parameters of a building.

Portable devices are not contained within the physical parameters of a building and should be treated as an extension of your enterprise.

What would the impact be on your business if a mobile device was stolen or lost?

Are your employees using their own mobile computers or smart phones to access email or synchronise data with the desk top computers?

Accessing the corporate enterprise remotely will ultimately require changes to existing security policies.

Most mobile devices connect from outside the security perimeter of corporate networks, exposing them to varying levels of risk. In addition, today’s mobile devices offer many of the same features and applications that employees use on their laptop or desktop computers, including access to the Internet, business applications, calendar and contact information, e-mail etc. As a result, many of the security threats that exist for desktops will exist for mobile devices.

The challenging task for your IT security officer is to find methods and technologies that can prevent malicious attacks on your systems from sources located not only outside but inside corporate firewalls. Securing servers and mobile devices becomes even more important as field workers connect from wireless networks, as individual security requirements for these do vary. However, with the right technology and network architecture in place, network administrators can dramatically improve security for mobile device connections. Careful planning of how to handle permissions and security rights for these mobile users is the key to a successful deployment.

This article deals with the individual risk elements and attempts to suggest an approach to risk mitigation, however security risk is very subjective with some organisations adopting mobile security policies that others would find unacceptable.

First let us consider the impact of wireless bearer services on security risk.

Wireless Local Area Network “WLAN
Wireless LAN over the last two to three years has proven to be very successful. The uptake has resulted in wireless LAN hardware becoming very cost effective and it is now deployed in many corporate companies. Numerous mobile devices now support WLAN and as a result of this will be exposed to the same threats as a notebook computer. Consideration must be given to the initial connection to the wireless infrastructure. It is essential to establish a documented wireless LAN policy, which should cover the following elements:

WLAN usage
Network configuration

Organisations must first define the procedures for the proper use of wireless LANs. This typically includes the applications that run across the wireless LAN and the exact locations where wireless LANs should and should not be deployed within the enterprise.

WLANs in Uncontrolled Environments
The widespread growth of wireless LAN technology into all new laptop computers and a significant number of mobile computing devices, such as the Pocket PC, ultimately forces organisations to decide exactly where and what types of networks employees are allowed to connect with. The growth of public wireless LANs (Hot spots) opens the door for convenient connectivity outside the office. However, these public networks offer little security and can potentially attract unscrupulous hackers who can take advantage of unsuspecting users. Consideration should be given to the usage of Hot spots and appropriate security measures, such as the use of VPN and strong authentication, must be examined.

Encryption & Authentication
Wireless LAN’s do not respect the physical boundaries of a building, therefore encryption and authentication are essential. The vulnerability of Wired Equivalent Privacy “WEP”, the first encryption standard for wireless LANs, has been well documented. However, all wireless LANs should as a minimum, activate this basic encryption to protect their data from the general public who can passively “sniff” the traffic in the air to get open access to all unencrypted data. Enterprises should establish a policy that mandates all traffic be encrypted with WEP, as the lowest level of security. Stronger encryption and authentication is available and should be considered. Recently the Wi-Fi Alliance in conjunction with the IEEE have worked together to launch a more secure protocol Wireless Protected Access “WPA” providing enhanced data encryption as yet this new protocol is not supported by the majority of mobile devices, but if at all possible WPA should be used in future deployments of wireless LAN infrastructure.

Security Policies
Many security issues of wireless LANs can be addressed with a correctly configured network. However, enterprises should also implement additional security polices for their wireless LANs to address the deployment of unauthorised wireless LAN hardware and unauthorised activity on the network. An employee, vendor, or on-site consultant can unknowingly put all information assets at risk with a £55.00 consumer-grade access point, purchased from a local “PC’s R Us” store. This unauthorised access point will circumvent all existing network security by broadcasting an open connection to the corporate network.

Mobile Devices with Wireless LAN Connectivity
Virtial Private Network “VPN” for wireless connections enables Windows based Mobile devices to use WLAN based connections to communicate with a corporate network by using the same VPN technologies that are available to wired clients. With VPN security for wireless connections, employees have user authentication and a strongly encrypted connection.

Devices such as Microsoft’s Windows Mobile have very capable WLAN connectivity and should not be considered any different to a laptop that is capable of holding large amounts of corporate data. These mobile devices are subject to loss or theft, even more than laptops. This susceptibility makes the security of locally stored data on mobile devices a high priority. Windows Mobile-based Pocket PCs allow network administrators to implement strong password policies, such as power-on passwords and Smartcard authentication, to help secure access to mobile devices and the data they store.

It is imperative that the devices deployed support WEP wireless security, which uses a pre-shared wireless key to encrypt wireless connections. WEP provides the least amount of wireless security for mobile devices and the technology’s security flaws have been well documented. WEP-based wireless connections can be used in combination with a more secure authentication method, such as a VPN connection.

General Packet Radio System “GPRS” and third generation networks “3G”
When using GPRS/3G similar precautions should be taken as with the deployment of WLAN. Your policy should include:

GPRS usage
Network configuration

The use of GPRS data within the corporate space is growing at a rapid rate, with expenditure on Field Mobility solutions increasing year after year, making GPRS the current bearer service of choice for the corporate. From a security perspective the radio interface of the GSM network is relatively secure as it is controlled by the GSM network's security via a 64-bit encryption algorithm. Security issues arise when data needs to leave the GPRS network to be delivered to either the Internet or a company LAN.

There are two basic ways to implement reliable and somewhat secure remote connections for accessing corporate intranets over GPRS. Some of these solutions focus only on providing safe passage over the public Internet, others provide security via ‘closed’ user groups.

Internet connection
Your company probably already has an Internet connection (though you may need more capacity if you add large numbers of GPRS users) and this provides a quick and easy and cost effective way of connection to GPRS. The key problem is to deliver data securely to users, using strong encryption such as Secure Socket Layer “SSL” (128 bit) or VPN (162 bit). If it is allowed by the chosen GPRS network supplier, it is possible to set up encrypted VPN connections in to corporate networks, although there will be some degradation in performance caused by the processing required to encrypt the data, although this is typically negligible. Data sizes will also be increased due to the overhead of the VPN protocol. . GPRS Connections should be treated as a standard dial-up Internet connection to an ISP and similar security precautions should be taken.

Leased Line connection
Leased lines provide the most secure method of connecting into the GPRS network but are traditionally expensive and tie subscribers in to a specific network. The protocol over the leased line would normally be frame relay terminated, via a router. The leased line provides a closed connection from the mobile device via the carrier into the corporate enterprise, providing a high level of security. For additional protection use strong encryption (such as SSL or VPN) and of course strong authentication.

Mobile Devices and GPRS/3G
Currently there are many integrated Mobile devices with GPRS, which makes the connection back into the corporate enterprise comparatively straightforward. The usability of the mobile device needs to be taken into consideration when planning a security policy. Allow for the possibility of losing or having the device stolen and ensure that data is stored centrally. Potentially these mobile devices will be out of the office for the majority of the working day, which increases their vulnerability, so thought should be given to the use of power-on passwords, Smartcard authentication and the safety of data. If possible, data should be held on mobile devices on a temporary basis and removed when the user has completed the work, thus minimising the risk.
Virus protection must also be considered. At present the risk of virus attack on mobile devices is low, however a small number of Pocket PC viruses have already been discovered. The first was written as a proof of concept by a virus writing group and sent to anti-virus experts. Having reviewed this virus an anti-virus consultant from Sophos was quoted as saying “You're more likely to have a meteorite strike your house than be hit by this virus”. Only a month later the second virus struck, with more serious impact. This allowed an attacker to bi-directionally transfer files and execute commands on an infected device. Whilst the numbers of viruses and impact so far have been minimal, it would be foolish to ignore the possibility and potential consequences, as increased numbers of users store potentially sensitive data on their devices. “Blue Jacking” (using the mobile device’s Bluetooth connection to access the Internet) is another potential source of problems. One precaution is to protect the mobile device by turning off the Bluetooth connectivity or setting it to non-discoverable mode when not in use.

The security of mobile devices could be seen as a major challenge, yet taking a common sense approach reduces the effort. Treat the mobile devices and wireless connectivity as part of your IT landscape and take appropriate steps to mitigate any security risk. Creating a mobile device security policy will pay dividends in securely mobilising your workforce.

No comments: